We Keep Coding

Can GPG change the contents of an encrypted file?

Our company has a vendor which sends a csv that contains commas that are part of the text. This causes columns drift to the right. They claim that they are enclosing those fields in quotation marks (which would resolve the issue) but when we decrypt them using gpg, the quotation marks are being lost.
Is this claim nonsense?
The file is delivered encrypted as a .pgp.
This is the template for the batch file we use to invoke gpg to perform the decryption.
gpg --batch --yes --passphrase {PASSPHRASE} --pinentry-mode loopback -d -o "{OUTPUT}" "{TARGET}"

They claim that they are enclosing those fields in quotation marks (which would resolve the issue) but when we decrypt them using gpg, the quotation marks are being lost.
Is this claim nonsense?
Yes because files before encryption and after decryption are identical.
If you want assurance the files are unchanged, have the vendor create a hash (ie, sha256) of the file before encryption and include this hash when he sends you the file.
For example, something like sha256sum FILE > SHA256SUM.txt && gpg -r USER -e FILE would produce a SHA256SUM.txt file containing the sha256 hash of FILE and also encrypt FILE with USER's key. The vendor can then send you the SHA256SUM.txt file along with the encrypted file so you can compare it to the hash of the decrypted file.

GC and FK command in Thales HSM

what is the difference between the output of command GC and FK command in Thales HSM. since they both generate the same (clear and encrypted components).

Assuming you are referring to console commands not host commands.
'GC' command is used to generate completely new random keys and output on console clear and encrypted under LMK.
'FK' command is used to XOR multiple keys generated by 'GC' command and output final key encrypted by LMK.

Can I store JSON in a Azure Key Vault

I have some JSON that I want to store in Azure Key Vault.
The data is not hierarchical just like this:
{
"type": "XXXXXX",
"project_id": "XXXXXX",
"private_key_id": "XXXXXXXX"
}
But I have 4 sets of JSON Data and there are about secrets in each one, so I am hoping that I do not have to break these out into separate keys, but if I must I will do this.

Consider this to be a valid statement to add a secret to an Azure Key Vault using the Azure CLI:
az keyvault secret set --vault-name "<YourKeyVaultName>" --name "AppSecret" --value "MySecret", taken from Tutorial: Use Azure Key Vault with an Azure web app in .NET
Building on this, I do not see any reason the value MySecret couldn't be a JSON string.
Investigating a bit further, have a look at About keys, secrets, and certificates - Key Vault secrets:
From a developer's perspective, Key Vault APIs accept and return secret values as strings. Internally, Key Vault stores and manages secrets as sequences of octets (8-bit bytes), with a maximum size of 25k bytes each.
So as long as your JSON is under the 25k limit, you should be good to go.

The trick is to properly escape the quotes (\`" = backslash, backtick & double quote) on the PowerShell command line in such a way as to satisfy both JSON and PowerShell formats for escaping quotes. Here is an example of how you would add your JSON string as the secret's value. Note the text in the --value has a \`" escape sequence for every quote that needs escaping. PowerShell needs the backtick to escape the double quote on the command line. A JSON string needs the backslash to escape a double quote. So, you get the backtick placed in-between the backslash and double quote (\`") thus satisfying both PowerShell and JSON:
az keyvault secret set `
--vault-name "<YourKeyVaultName>" `
--name "AppSecret" `
--description "An optional description" `
--disabled false `
--value "{\`"type\`":\`"XXXXXX\`",\`"project_id\`":\`"XXXXXX\`",\`"private_key_id\`":\`"XXXXXXXX\`"}"

I solved this (as I was already getting the config from file) by using the --file argument instead. It saves the JSON exactly as it is in the file.
az keyvault secret set --name "<SecretKeyName>" --vault-name "<KeyVaultName>" --file "<RelativeFilePath>"

Created key from wrong file, how could I modify it / work around the issue?

I created a key from the wrong file by mistake:
gcloud kms encrypt --plaintext-file=keys/staging-access-chris \
--ciphertext-file=id_rsa.enc \
--location=global --keyring="$keyRing" --key=bitbucket
How can I update / edit this entry? Do I need to change the file name and all references to it or is there a solution that requires less work?

The 'encrypt' function takes a plaintext (raw data) as input and produces a ciphertext (encrypted data) as output. It does not create a key.
If you meant to encrypt a different file, the fix is to simply delete the ciphertext you don't want, correct the command, and repeat.

How to encrypt webm file using Clear Key to play with Google's Shaka Player?

I'm developing a small system which will be used to streaming protected content over the web with MSE/EME API.
This is some tools I'm using:
FFMPEG
Google's Shaka-Packager
webm_crypt
I can create .webm file and package them using shaka-packager into mpd file in order to feed to shaka-player. But following by the Clear Key section in the Shaka docs I have to encrypt webm file require pair of KeyId and Key.
By using webm_crypt, I can created encrypted content by follow this document on 2.2.7 but I have no idea how to get the key pairs for the shaka-player DRM system.

If you are using Clear Key, you configure the player with a list of key servers. The player makes a JSON request to a key server (the request is in this format) and the key server provides a "license" -- JSON response containing the Base64-encoded symmetric key and keyId. That symmetric key is then used to decrypt the content.
Update
To associate a key ID with an unprotected content key to debug with ClearKey, provide a JSON element for drm.clearKeys with the keyId(s) in hex encoding as the "key" of a map and the "value" is the hex-encoded content encryption key.
player.configure({
drm: {
clearKeys: {
'deadbeefdeadbeefdeadbeefdeadbeef': '18675309186753091867530918675309',
'02030507011013017019023029031037': '03050701302303204201080425098033'
}
}
});
Associate the same keyId with the media file when encrypting it or in the manifest file that accompanies it.
Encrypting media file with mp4split:
#!/bin/bash
KID=10000000100010001000100000000001
CEK=3a2a1b68dd2bd9b2eeb25e84c4776668
LAURL="http://playready.directtaps.net/pr/svc/rightsmanager.asmx?PlayRight=1&UseSimpleNonPersistentLicense=1"
PSSH=YOUR_PSSH
mp4split --package_mpd -o audio.mp4 \
--iss.key=${KID}:${CEK} --iss.license_server_url=${LAURL} \
--widevine.key=${KID}:${CEK} --widevine.drm_specific_data=${PSSH} \
oceans-64k.mp4
mp4split --package_mpd -o video-1.mp4 \
--iss.key=${KID}:${CEK} --iss.license_server_url=${LAURL} \
--widevine.key=${KID}:${CEK} --widevine.drm_specific_data=${PSSH} \
oceans-250k.mp4
mp4split --package_mpd -o video-2.mp4 \
--iss.key=${KID}:${CEK} --iss.license_server_url=${LAURL} \
--widevine.key=${KID}:${CEK} --widevine.drm_specific_data=${PSSH} \
oceans-380k.mp4
For webm_crypt, the documentation is very sketchy, but I believe it's done with the content_id=0123456789ABCDEF command-line flag in -video_options:
foo#bar-linux:~/chromium_code/webm_crypt/webm_crypt$ ./webm_crypt
-i mediafiles/Chrome_44_5sec-chunks_video_only.webm -video true -audio false
-video_options base_file=bear.key,content_id=0123456789012345
-o /home/foo/www/no_crawl/eme/media/Chrome_44_5sec-chunks_video‌​_only-enc_v_01234567‌​89012345.webm