PGP Process

Install GPG Keychain and import PGP Keypair

On a Mac, download and install the GPG Keychain application. Download the keypair file from the Support vault. It’s attached to the ‘security@gitlab.com PGP Keypair’ item. Open the GPG Keychain application and import the keypair file. It will ask for a password. Use the password saved on the vault item.

Now you will be able to encrypt, decrypt, and share the public key with others.

Share the Public Key

Right-click on the key in the GPG Keychain application and click ‘Export’. Ensure the dialog box does not have ‘Include secret key in exported file’ checked. Save the exported file and send it to the requestor.
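
The check behind the ‘Include secret key in exported file’ caution, as an added example that is not part of the original process: it reads the OpenPGP packet tags in an exported file, binary or ASCII-armored, and reports secret-key packets whatever the armor label says. The function names and the sample byte strings are constructed for illustration.

```python
import base64
SECRET_TAGS = {5: "secret key", 7: "secret subkey"}  # RFC 4880 packet tags

def dearmor(data: bytes) -> bytes:
    """Return binary packets, decoding every ASCII-armor block in the file."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data  # already a binary export
    out, body, state = b"", [], None  # None: outside, False: headers, True: base64
    for line in map(bytes.strip, data.splitlines()):
        if line.startswith(b"-----"):  # BEGIN/END line: flush what was collected
            out, body = out + base64.b64decode(b"".join(body)), []
            state = False if b"BEGIN" in line else None
        elif state is False:
            state = line == b""  # a blank line ends the armor headers
        elif state and not line.startswith(b"="):  # skip the CRC24 line
            body.append(line)
    return out

def packet_tags(data: bytes):  # yields the tag of each top-level packet
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet stream")
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled")
        else:  # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)  # n length octets
            if n == 8:
                raise ValueError("indeterminate length is not handled")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag
        i += length

def secret_material(export: bytes) -> list:  # [] means no private key material
    return [SECRET_TAGS[t] for t in packet_tags(dearmor(export)) if t in SECRET_TAGS]

PUBLIC = bytes([0x98, 3, 4, 0, 0, 0xB4, 4]) + b"test"  # constructed, not a real key
SECRET = bytes([0x94, 3, 4, 0, 0, 0xB4, 4]) + b"test" + bytes([0xC7, 2, 4, 0])
MISLABELLED = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(SECRET)
               + b"\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Call `secret_material()` on the bytes of the exported file before sending it; an empty list means no private key packets were found, and a `ValueError` means the file could not be parsed and should not be treated as checked.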

Researchers who wish to report a possible security issue should refer to our Responsible Disclosure Policy. Disclosures sent via email will receive an automated response configured in Zendesk and will be automatically closed.

Decrypt Text and Files

If the encrypted data comes to the security email as text, decrypting is very easy. Copy the entire block of encrypted text, right-click, go to ‘Services’, then ‘OpenPGP: Decrypt Selection to New Window’. After a few seconds a new window will appear with the decrypted text.

If the encrypted data comes as an attachment, start by downloading the file to your workstation. Navigate to the file in your Finder. Right-click the file, go to ‘Services’, and choose ‘OpenPGP: Decrypt File’. The decrypted file will be placed in the same directory as the encrypted file. It may have a different name, though.
