Perhaps inspired by upcoming events, I decided to get things in place to facilitate secure communications with my compatriots. After spending years considering various options, I’ve settled on The GNU Privacy Guard (GPG), an open-source implementation of the OpenPGP standard .
Many systems offer secure communications but most rely on services or software which belong to, or run on, third-party systems. Most of these systems are in turn owned by private corporations. Regardless of how thick your tinfoil hat is, even under the best of circumstances these companies can be bought, sold or simply fail, which leaves your ability to communicate (and the privacy of your previous communications) in a dubious position. OpenPGP -based privacy is a bit more effort, but all you need to use it is a personal computer and the GPG software, which runs on almost any working computer you can find.
First, some nomenclature:
OpenPGP is a standard that defines the way data is encrypted and decrypted, and how the associated keys, identities, etc.
GPG is an implementation of the OpenPGP standard, a piece of software that can be used to encrypt and decrypt messages.
A public key is something you can share openly with people you want to communicate securely with
A private key is something you use to decrypt encrypted data sent to you, and you must keep it secret
Besides GPG, there are other implementations of the OpenPGP standard. Any piece of software that implements the standard can decrypt data encrypted by another, so long as the proper keys are in place. So, if your friend uses a commercial encrypted email package that uses OpenPGP-compliant encryption, you can read their messages using GPG and vice-versa.
There’s a wide-range of tools designed to make using GPG easier, but I recommend starting with the basic command-line tools so that you have a more complete understanding of what’s going on. One of the key problems with creating secure communications is the ability to loose track of what’s happening to the information you want to secure. Once the cat is out of the bag, you can’t put it back in.
I won’t go into great detail about setting up GPG, plenty of other people who know a lot more about have done so already (I’ll provide some links below). What I will describe are the steps involved in sharing an encrypted document with a college so you can get a feel for what’s involved.
A very common situation where you need to encrypt information is when you want to share account information with someone else*. How this is often done is by writing down the information and sharing it in person, or sending the user name and password via separate means. In both these cases, the credentials are potentially stored somewhere along the way, which makes them vulnerable. On the other hand, if you use OpenPGP, you can encrypt a file containing the account information and share it via any means you like with no fear of it revealing the secret information.
So for example, let’s say I want to share my Netflix account with a trusted friend; here’s how I would do it:
First I create a file containing the user name & password for my account:
Second, I encrypt this file specifically for my friend:
gpg –output netflix.txt.gpg –encrypt –recipient email@example.com netflix.txt
Finally, I email the encrypted file.
When my friend receives the email, he downloads the attached file, and decrypts it
gpg –output netflix.txt netflix.txt.gpg
Then he can watch some shows, change my credit card information or sell the account to the Russians**
At this point you might be asking “How come Jason’s friend can decrypt the file but random Internet people can’t?” . This is where the “trusted friend” part comes into play.
Before you can share an encrypted file with someone, you will need their public key. Once you have someone’s public key, you can add it to your GPG keychain and create encrypted files which can only be decrypted by the intended recipient. This is what is meant by a “trusted friend”.
It’s worth pointing out that it’s not necessary for both parties to share keys in order to send a message. Since there is no harm in sharing public keys, many people include their public keys in email and other communication, or post them on their websites, etc. If, for example, you wanted to send a secure message to a reporter and they share their public key on their blog, you can add that key to your keychain, encrypt a message for only that person and safely send it over the Internet. If the reporter decides to reply to you, they may request your public key in order to encrypt the response so that only you can read it, but this isn’t a prerequisite for you to send the initial message.
It’s worth pointing out again that you need to protect your private key. If anyone were to get a hold of it, they can decrypt any data that you ever encrypted with the key. There are numerous ways to avoid this, or to minimize the damage if it happens, but the important thing is that you are aware of how critical it is to keep your private key private.
Conversely you need to keep track of the private key as well, because if you loose it, you can no longer decrypt any data that was encrypted with the key. Arguably this is better than someone else getting access to your private key, but not much better.
Used correctly, OpenPGP is extremely effective at keeping secrets. Possibly more important than the encryption itself is the fact that communicating securely using OpenPGP relies only on the two trusted parties involved in the conversation. It does require some premeditation in order to establish trust, and that’s not necessarily a bad thing, but that means it’s a good idea to get things setup before you need them.
There is a common misconception that encryption is only needed by criminals or perhaps the press or the government, but as you can see from the example above, there are everyday situations where having the ability to send private information between trusted individuals is handy and necessary. We tend to delegate responsibility for our privacy to others and expect them to provide secure means of communication, but with OpenPGP we can guarantee privacy ourselves to a degree far beyond what is possible by depending on an outside entity, company, etc.
If you’d like to get started using GPG here’s a few links to more detailed information. If you’d like to send me an encrypted message to test your setup, I’ve included my public key below.
A somewhat terse introduction directly from the source: https://gnupg.org/gph/en/manual.html
A slightly less terse introduction aimed at Windows users: http://www.glump.net/howto/cryptography/practical-introduction-to-gnu-privacy-guard-in-windows
A video aimed at reporters: https://www.youtube.com/watch?v=CU861f5szsQ
A high-level guide to setting up encrypted email (this relies on tools that avoid the command-line interface described above, I don’t recommend starting here but once you understand OpenPGP it’s a convenient workflow): https://emailselfdefense.fsf.org/en/
My public key, should you like to get in touch:
-—-BEGIN PGP PUBLIC KEY BLOCK—–
Version: GnuPG v1
-—-END PGP PUBLIC KEY BLOCK—–
- It goes without saying that sharing accounts is in general a bad idea, but there are times when it’s necessary.
**This raises an important point about using encryption. Even though the data is secure in transit, once it’s decrypted anyone can use it, so it’s important that the people you share with understand this and don’t store this decrypted information in vulnerable places.