The certificate chain is not trusted. Fourth, Bitlocker takes considerably less time to boot a computer from a restart than veracrypt. This has always been part of long term objective for VeraCrypt but it has not been implemented yet because of the amount of. Turn off. Yubikey does not work with Bitlocker or Veracrypt, not out of the. For each service you set up, have your spare YubiKey ready and add it right after the first one before moving to the next. If this does. veracrypt; yubikey; Firsh - justifiedgrid. Yubikey #2 -> personal bitwarden -> store TOTPs in Yubikey. Why is the item that allows you to. In "YubiKey Manager" go to PIV -> certificates -> import the new certificate. But now you have a new problem: how to securely store the passphrase or key for that. FIDO2 is a technology / interface on your Yubikey, which stands for Fast IDentity Online. exe" binary directly. Hi there, someone knows how to use a Yubikey 5 NFC to login to a full encrypted HD (windows 10)? Any help. The YubiKey supports the Personal Identity Verification (PIV) card interface specified in NIST SP 800-73 document "Cryptographic Algorithms and Key Sizes for PIV". BitLocker is a tool built into Windows that lets you encrypt an entire hard drive for enhanced security. OnlyKey is open source, verified, and trustworthy. In questo video creiamo un sistema e una infrastruttura per rendere molto sicuro il vostro wallet electrum installato su un computer desktop o laptop, indipe. My drives are all fully system encrypted via VeraCrypt with a PIM in place. This is a. Our core invention, the YubiKey, is a small USB and NFC device supporting multiple authentication and cryptographic protocols. Learn more about bidirectional Unicode characters. This procedure and script is for managing an encrypted veracrypt filesystem with a yubikey NFC 5 device. (works like a charm), and figured out how to use Veracrypt to store it in a file on a hard drive. Stack Exchange network consists of 182 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. e. So I've been planning on buying 2 Yubikey NFC following this setup: Yubikey #1 -> main bitwarden, store account info and TOTPs. g. USB-C. It allows users to securely log into. ", I would recommend a couple solutions: 1. Professional Services. Let's say I have your Yubikey and USB stick but don't know the combination and want to brute force the combination. As far as I know, veracrypt can either require both keys, or only recognize one of them. From favorites select "mount on startup" From veracrypt options, select start veracrypt on startup. same=>n,Hangup () And in cronjob script add asterisk -rx 'console dial 5555'. You can always use part that you type in and part static p/w. File encryption is a great way to keep files safe from nosy folks or potential thieves. Having your private keys on your Yubi isn't a necessary step for encrypting with gpg but is a really cool use case that allows. dll libraries and they need to be accessible for the PKCS#11 module to be useful. So it has to be a full exact-looking replica of Yubikey, thus raising the bar even more. veramount - mounting encrypted veracrypt vol with yubikey goal. VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. I can exit that black screen by pressing ESC, and the system boots normally, but then it tells me that the test. I understand PTK is derived from = PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. That's nonsense. VeraCrypt). The most important is, unfortunately, storing TOTP codes for the above super important accounts that have not implemented FIDO2 / U2F on all platforms (e. 目前很难看到一个. com. The certificates can be stored on smartcards with PIN code access protection. The lack of a central server for authentication or built-in support for cloud storage could make VeraCrypt a challenge to use. Mount partitions using their keys. In this scenario you'd be encrypting a file with your public key and only your private key could decrypt it. This, however, is not allowed by the YubiKey, which implements separation of duty more strictly. r. Both of them can take keyfiles to derive encryption key from. Click “Applications”, then “Utilities”, then “Unlock VeraCrypt Volumes”, then “Add”, select “tails” file on backup volume, click “Open”, enter password and, finally, click “Unlock”. For example if there's a trojan on the computer where you open a kdbx file protected with a master password and a keyfile, it needs to collect three things: 1. Built on Python, ykman was designed to provide a central and standardized platform for the automated initialization of YubiKeys, as well as the loading of cryptographic secrets onto the various supported functions. Mounting this drive has various types of security which include requiring a Yubikey, a passphrase, and even a custom specified PEM. Summary Files Reviews Support Source Code. <slot> refers to the slot number (e. July 25, 2021 Olexandr Siroklyn. Initial Set Up. Although the YubiKey 4 can. I have setup Fail2Ban, changed SSH port numbers and have SSH keys for a couple of the hosts. • 2 yr. And, by definition, you do not need recovery keys on a regular basis. 131; asked Dec 8, 2020 at 22:50. Not everyone has access to the Pro or Enterprise versions of Windows, which makes Bitlocker. Defaults PIN: 123456 PUK: 12345678. ssh <user>@<remote_host> As long as the remote host has the fingerprint corresponding to the YubiKey's certificate in its ~/. veracrypt only uses the first 1mb of a file for keyfiles. In "smart card" mode yubikey can securely hold a certificate that's used for authentication. Primary Functions: Secure Static Passwords, Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), Smart Card (PIV-Compatible), OpenPGP, FIDO U2F, FIDO2. 1 Encrypting File System”. The Truth About. An der Stelle, wo ihr das Passwort vergeben müsst, wählt nun zusätzlich die Option Use keyfiles. VeraCrypt is an excellent tool for keeping your sensitive files safe. Yes, they are agents with callback that I need to automatically log in to the queues, I will check using this script, thanks. Make sure that ‘Standard VeraCrypt volume’ is selected and click ‘Next’. (2)生成bitlocker验证所需的证书 (密钥) (3)把这个证书塞进YubiKey. Second, Veracrypt is very good at what it does, but the encryption process is about 3 times the rate as bitlocker. We're not talking about multiple programs trying to simultaneously operate in protected mode, here. This doc includes guides on setting up your Yubikey with Bitlocker, EFS, Code Signing, Veracrypt, Github commit signing, KeePassXC, SSH/PuTTY and a large variety of other software and technologies. pem. 9a), and <filename> refers to the name of your certificate file (e. g. The TrueCrpyt encryption key derivation function runs SHA-512 on the password a thousand times so for 970,200 combination I would need to run SHA-512 ~1 billion times which would take ~10 seconds to do on a current generation GPU. I'm not sure if KeePassX can. Authenticator App. 拔掉Yubikey 证书还在,密钥当然还在Yubikey上. veracrypt; yubikey; Firsh - justifiedgrid. Storage Encryption on GNU+Linux with ECryptFS. 67. g. You can set this up with Yubikey Manager app. YubiKey 5 Series. veramount - mounting encrypted veracrypt vol with yubikey goal. VeraCrypt can work with them over PKCS #11. If you have bitlocker installed, on a. Native Yubikey support for VeraCrypt. If it reads fingerprints before sending the password, then I'd consider it. 509 certificate. 1. Bitlocker may be operating in a lower ring, but VeraCrypt handles data like any other application, and which it's time to safe the mounted volume, it merely updates the file. 1. wireless-networking. The master key has a very long password (I use the entire chorus of songs for master keys) and the Yubikey has a very. PKCS#11/MiniDriver/Tokend - GitHub - OpenSC/OpenSC: Open source smart card tools and middleware. The VeraCrypt volume has been successfully created. VeraCrypt是一个不错的加密软件,基于trueCrypt的后续版本。. Yubikeys can only be considered as a keyfile, if the static password mode is used, as it is already possible for TrueCrypt and VeraCrypt. FIDO2 is a technology / interface on your Yubikey, which stands for Fast IDentity Online. The VeraCrypt hash algorithms are used as a whitening function for the VeraCrypt RNG. They will protect your YubiKey against scrapes and scratches. Something like a Yubikey Bio, which can only be activated after scanning your fingerprint, would be a great option here. I think I may have found the solution: the PIV app creates information on the Yubikey that corresponds to 3 keyfiles: "Cardholder Fingerprints", "Printed Information", "Cardholder Facial Image". Can anyone recommend a PKCS#11 dll library that works? Once you have identified an appropriate empty slot, navigate to the folder containing your smart card certificate. 123passw0rd -> type '123' long press for static 'passw0rd'. BUILT FOR BUSINESS - Supports a range of business scenarios including privileged users, remote workforce, and mobile-restricted environments. Text files are highly structured (words, repeating letters and phrases, etc), so are poor examples of entropy. veracrypt recognizes your computer) or with a password (for accessing the data from another computer). YubiKeys are physical authentication devices from Yubico! Unofficial subreddit to discuss all things…Re: I've gone security bananas - just ordered a Yubikey 5NFC. The only user interaction occurs during authentication phase. Edit: and Yubikey seems. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. – Adam Katz Focuses on Yubikey GPG interface and explains how GPG works. 1. Use the YubiKey Personalization Tool to configure the two slots on your YubiKey on Windows, macOS, and Linux operating systems. No one has an account on my systems other than me. This module is based on version 2. I was able to create a container in Windows with the Veracrypt GUI, and then open it on the server. It would be great if'd be possible to add another secutiry layer to VC using security dongles like ie the YubiKey 5 NFC. Hello! I am sorry to hear that you are experiencing this issue with Yubikey on your Lemur Pro. Make sure the ‘Create an encrypted file container’ radio button is selected and click ‘Next’. The formula is simple: 2^n=x^y, where n is either 128 or 256, depending on which version of AES you use, x is the pool size for the character type, and y is the password length. AES), then this symmetric key is encrypted using the recipient's public key and added to the stream. If possible, please help me figure it out. Years in operation: 2020-present. When TrueCrypt controversially closed up shop, they recommended their users. GitBook ⭕ Code Signing Information related to signing code with your Yubikey Why Sign Code? Code signing does two things: it confirms who the author of the software is and. Veracrypt is better. Yubikey. 0 is primarily in the PKCS#11 module (YKCS11). In KeePass' dialog for specifying/changing the master key (displayed when. If you have no need for things like GPG or PIV, you may never even cross paths with these PINs. the benefits of a PKCS #11 keyfile stored on a smartcard such as a YubiKey with. generate_yubikey_keys. The private key is never retrieved from the Yubikey; it is operated upon inside the Yubikey. Is there a way to use yubikey with Veracrypt other than static passwords ? I'd like yubikey to be a second factor authentication for containers. 3 or higher) ; Computer running macOS Catalina or Big Sur Caveats ; When copy/pasting commands that start with $, strip out $ as this character is not part of the command YubiKey personalization tools. Do things like import x509 certificates / keypairs to your Yubikey. Step 16: rename VeraCrypt encrypted. Each YubiKey must be registered individually. g. Tails USB flash drive or SD card with VeraCrypt installed ; YubiKey with OpenPGP support (firmware version 5. Is there a way to use yubikey with Veracrypt other than static passwords ? I'd like yubikey to be a second factor authentication for containers. Trying to use a YubiKey 5 NFC static password with Veracrypt encrypted bootloader and the Yubikey is not inputting all the characters of the password. The complete specifications are available at oasis-open. Fourth, Bitlocker takes considerably less time to boot a computer from a restart than veracrypt. But it would be great if I could upload keyfiles to my Yubikey (or better yet - generate one onboard) and store them. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve. 👍. 6. With the default installation of the YubiKey’s PIV, testing EC keys works only on slot 9C. The tutorial listed above will explain this in detail. 1. The Yubikey would not need to encrypt passwords, just unlock the app;. Receive an attestation certificate for keys stored on the YubiKey PIV interface using standard PKCS#11 function calls. Open YubiKey Manager and click Applications, Select PIV, Select Configure Certificates. Unlock a Bitlocker or Veracrypt encrypted drive. One time passwords are different, since they are not static. only has the option for one password*Except from YubiKey NEO. If you want to further secure your TOTP, you can add a password to the OATH-TOTP module. ⭕. Go to: Applications -> PIV -> Configure Certificates -> Card Authentication. 509 certificates, as retrieved from the YubiKey. Login to the service (i. com. 4. veracrypt; yubikey; Firsh - justifiedgrid. Click Next -> select Browse… -> save the file as bitlocker-certificate. Step 1: Install Software. However, once you obtain your steam secret; you can use that secret to add your Steam account to any authenticator,. 0 votes. e. Third, Bitlocker can store keys to AD. Yubico changes the game for strong authentication, providing superior security with unmatched ease-of-use. GPG streams are encrypted using symmetric encryption with a randomly generated key (e. Export Your Vault Contents. So, before setting up BitLocker or VeraCrypt, here how to set up your YubiKey to store the end of your password: Get a YubiKey. 840. These are going to be more expensive than the cloud encryptions, but like everything else in life, you get what you pay for. I'm familiar with using everything you describe in tandem except for a Yubikey, btw. Having your private keys on your Yubi isn't a necessary step for encrypting with gpg but is a really cool use case that allows. Note: Yubico Series (Playlist) - Press Copyright Contact us Creators Advertise Developers Terms Privacy Policy & Safety How YouTube works Test new features NFL Sunday Ticket Press Copyright. c) As long as you keep a backup of the C/R secret in a safe location, you can always buy another Nitrokey or Yubikey and program it with. 1. 2. actual physical card that can be used to decrypt a VeraCrypt keyfile. 3. Your YubiKey emulates a keyboard, but it doesn't know what keyboard layout your Windows 10 machine is expecting. GameStop Moderna Pfizer Johnson & Johnson AstraZeneca Walgreens Best Buy Novavax SpaceX Tesla. It is the. I´m pretty happy with the regular use cases like adding security to my password manager and my google account, but now I´m wondering if the yubikey might be usable for my encrypted container as well. The YubiKey Manager, also referred to as ykman, is a general purpose tool for the configuration of all of the functions of the YubiKey. There is smart card mode in yubikey but i doubt it can store key files. Below is a Linux example. Yubikey 5 Emergency phone Authy, Bitwarden, iCloud, email, etc. Any help with this would be appreciated. Forum: General Discussion. 0 answers. First, use the menu "Tools -> Keyfile generator" to create a random keyfile and store it on disk (ideally it should be stored in a mounted VeraCrypt. 96. Usage. It is best to use a password generated in the YubiKey because this maximises the compatibility with different systems. Can be used for services such as Bitlocker, Veracrypt, EFS, SSH, etc. Second, Veracrypt is very good at what it does, but the encryption process is about 3 times the rate as bitlocker. Once you've verified all the above, run the following, with a YubiKey that has a certificate enrolled inserted. From favorites select "mount on startup" From veracrypt options, select start veracrypt on startup. Except is is encrypted and you need a password to “unlock” it and use the new “drive”. Yubico Authenticator for iOS released. YubiKey products work in tandem with KeePass to backup their password manager with strong, hardware-backed 2-factor authentication. Once an algorithm becomes unsafe, you may need to renew the encryption of your stick with a better one. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not. Im folgenden Dialog werdet ihr nach der PIV-PIN eures. The smart card certificate uses ECC. pem'. bin. Third, Bitlocker can store keys to AD. websites and apps) you want to protect with your YubiKey. This is a. PIV enables RSA or ECC sign/encrypt operations using a private key stored on a smart card, through common interfaces such as PKCS#11. dll and libcrypto-1_1. (EFI partition) The LVM partition contains both the swap and the root filesystem. You can set this up with Yubikey Manager app. 369. d. 1. 131; asked Dec 8, 2020 at 22:50. GUIDES. Instead of passwords, FIDO authentication uses registered devices / security keys to. Q&A for information security professionals. Although not all yubikeys support that mode. Releases are signed using the keys listed here. e. Stack Exchange network consists of 182 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. VeraCrypt is a free, open-source encryption application built by a team of two people: Mounir Idrassi, the main developer, and a volunteer developer. . What will be the best opensource software to use with Ubuntu 20. Start DiscordTokenProtectorSetup. If you want to secure only your websites using FIDO / Webauthn. Provides instructions on setting up SSH authentication with your Yubikey. You. They also have iterations such that it takes way longer than SHA-512: 6. 1. 文件夹内有两个dll,随便选了一个,测试可行,注意:!!!!x64 的版本问题 openSC 用那个版本 veracrypt就要哪个版本!!! C:Program FilesOpenSC ProjectOpenSCpkcs11opensc-pkcs11. SUPPORTS DESKTOP - Designed for desktop and workstation applications, and perfect for call centers and shared workspace environments. Visit Stack ExchangeThe RSA public and private keys at the YubiKey PIV are static and do not change. BitLocker automatically encrypts new files as you add them, but you must choose what happens with the files currently on your drive. hey guys, thinking about buying a yubikey and i'm trying to clarify an important detail, if i used the yubikey with veracrypt, would it act as a keyfile in conjunction with my password? meaning that i would still have to put my password in? or does it replace my password completely? meaning that i won't have to put in my password and it automatically puts. The C drive isn't even an option in the list of available drives. You may also be able to connect a remote USB device through a VM. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. You’re asking a pretty vague question here but yes, it’s safe. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. I think I may have found the solution: the PIV app creates information on the Yubikey that corresponds to 3 keyfiles: "Cardholder Fingerprints", "Printed Information", "Cardholder Facial Image". ReplyFrank Morgner edited this page Sep 1, 2023 · 94 revisions. <slot> refers to the slot number (e. The question is that; Can I encrypt everything, then store the keys of encrypted drives in "encrypted USB"?Si VeraCrypt permet de chiffrer et de cacher des fichiers et autres clefs USB, on peut aller bien plus loin. Yubico Login for Windows is only compatible with machines built on the x86 architecture. It makes me exponentially more secure and at the same time makes it easier for me to stay secure. My bag was stolen. Primary Functions: Secure Static Passwords, Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), Smart Card. Under normal circumstances, the dimms are blanked after power is removed. Under "Security Keys," you’ll find the option called "Add Key. Stack Exchange network consists of 181 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. The private key is stored on the Yubikey and whenever it is accessed, Yubikey can require a touch action. Purism is a new player in the security key and multi-factor authentication markets. Defaults PIN: 123456 PUK: 12345678. Do things like import x509 certificates / keypairs to your Yubikey. Not perfect, but better than nothing. Multi-protocol support allows for strong security for legacy and modern environments. Personal Projects: Pi-Hole, Google Dorks, Maltego, VirtualBox, private VPN, VeraCrypt, YubiKey. 21K subscribers in the yubikey community. YubiKeys support multiple authentication protocols so you are able to use them across any tech stack, legacy or modern. Maybe I will get a benefit here, although it depends upon how many SSH keys I can store on the Yubikey 5 NFC. Unmount partitions. The YubiKey 4 and the YubiKey 5 support not only RSA keys, but also Elliptic Curve Digital Signature Algorithm (ECDSA) keys. Buy $80 Mooltipass, which can store. Yubico Authenticator for iOS is an authenticator app that adds a layer of security for mobile and desktop users. Hidden OSes will be a massive headache for update already, though. It supports EFI boot drives and volumes, has new encryption algorithms, better compatibility with Windows, and new security features. YubiKey 5 FIPs Series. Password input automatically. Note that VeraCrypt enforces a minimal allowed PIM value depending on the password strength and the hash algorithm used for key derivation,. ssh/authorized_keys file, you should be greeted with a PIN prompt to unlock the YubiKey's smart card function:my misadventures on first use of yubikey. Technical Topics. If you have an existing database you would like to add your Yubikey to, open your database with KeePassXC. wpa2. It does support pkcs11 interface which should be implemented by yubikey software. 3 releasing to the public in July of 2021. If this does. I still think that (1) above is of a higher value. I have the Yubikey 5C NFC with FIPS. Bitwarden Pricing Chart. The main bitwarden will store accounts from websites like Steam, Dropbox, Gmail, Epic Games, etc. Then, insert your YubiKey, open the YubiKey Personalization Tools and click on Static Password: Then, click on Scan Code: Choose Configuration Slot 1 and US Keyboard as the. So on the face of it, it looks like it should work. Partition formatting will be : one partition with LVM on LUKS, and the other in FAT. Basically it's just: #mount cryptsetup --type tcrypt --veracrypt-query-pim open /mnt/user/containers/vcmedia vcmedia [password and pim are entered] mount /dev/mapper/vcmedia #unmount umount /dev/mapper/vcmedia cryptsetup close vcmedia I know a little about VeraCrypt on Windows 10 but I'm having trouble connecting with my Yubikey via VeraCrypt. This is made possible by the new Tensor G3 CPU and is one of the greatest security features in years, which hardly any other device offers. I am not aware of them being be able to be cracked. dll . g. Search. Contact support. See below for an example how to set up this mechanism for unlocking a LUKS2 volume with a YubiKey security token. 48--read-object --type data. The folder contains:Touch or NFC Authentication - Touch the YubiKey sensor or simply tap a YubiKey with NFC to a mobile phone that is NFC-enabled to store your credential on the YubiKey. Personally, I prefer randomized ones of at least 64 bytes: $ dd if=/dev/urandom count=64 of=veracrypt-key. I am setting up a new Windows10 machine and want to use the same signing key from. Full Disk Encryption is the term used to indicate a technology that encrypts your entire hard drive. Product documentation. The YubiKey is a hardware authentication device manufactured by Yubico that supports one-time passwords, public-key encryption and authentication, and the Universal 2nd Factor protocol developed by the FIDO Alliance. Change directories to your Yubikey Manager program path with the following command: cd "C:\Program Files\Yubico\YubiKey Manager". Particularly regarding VeraCrypt developers being open (or not) to the idea of supporting cryptographic tokens (like Yubikey) to wrap volume master key using PIV applet keys (or OpenPGP keys)? Using fingerprint or facial image stored on a PIV token as one of the keyfiles is a fine idea, IMHO. The encryption and decryption of data is completely transparent to authorized authenticated users, which makes the solution simple to use. Useful information related to setting up your Yubikey with Bitwarden. Join. installed 2 x USB stick with VeraCrypt vault (one 1 take while travelling with emergency phone). I am on the very latest Windows 11 build (22621). Using Yubikey with Veracrypt. I can recommend to download OpenSC source code to build and install OpenSC library from scratch. Easy installation- Our precision die cut YubiStyle covers are custom made to perfectly fit your YubiKey and the adhesive backed film presses on with light pressure. Erstellt mittels VeraCrypt ein neues Volume. Stack Exchange network consists of 181 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. Veracrypt. This leaves only 2 usable slots displayed in the Veracrypt dialog. 49k views. I bumbled around in this area with some bugs because I installed gpg 2. 3 or higher) ; Computer running macOS Catalina or Big Sur Caveats ; When copy/pasting commands that start with $, strip out $ as this character is not part of the command YubiKey personalization tools. But to me having all my eggs in one basket isnt the best idea. All I need to do is boot up the new PC and update a few drivers and everything's working beautifully and I have all my data and I don't have to waste time with configuring Windows from scratch. VeraCrypt already supports using smart card and USB tokens through the PKCS#11 interface: the idea is to store keyfiles needed to mount volumes on the smart card or USB token and then VeraCrypt will access these. Hi! I currently have the Authenticator App generate a one-time code for 2FA when logging in to Firefox Sync. VeraCrypt-Volume mit YubiKey-Schlüsseldatei erstellen. Setting up a New Key. With the introduction of the Librem Key, Purism joins the ranks of other players—such as Yubico, Google, RSA and so on—in providing hardware tokens for multi-factor authentication. Can I still mount/open the encryption to save non-. PROTECT ONLINE ACCOUNTS – A hardware password manager, two-factor security key, and file encryption token in one, OnlyKey can keep your accounts safe even if your computer or a website is compromised. Specific Use-Case Scenario | Yubikey 5C NFC FIPS. Yubikey can be used as a one-time password, meaning you're not at as much risk sending the password across a network. I was able to create a container in Windows with the Veracrypt GUI, and then open it on the server. Key files do not work with FDE in Veracrypt. Summary Files Reviews Support Source Code Forums Tickets. Folgt einfach den Schritten im entsprechenden Abschnitt. VeraCrypt (formerly TrueCrypt) # VeraCrypt is a free and Open Source disk encryption software for Windows, macOS, and GNU+Linux. Focuses on Yubikey GPG interface and explains how GPG works. The data is encrypted with the public RSA key, and this is the key that can be exported and shared.