PGP Encryption Introduction

From California Technology Feestival Wiki
Jump to: navigation, search

by Jack Aponte

Overview

  • pretty good privacy - original software called PGP
  • ensure that message can only be read by the person it's sent to
  • open pgp is open protocol for encryption, gpg is open source implementation of pgp
  • pgp, open pgp, and gpg are versions of the same thing
  • best resource: Email Self-Defense slideshow from FSF, look it up, will actually get you through the whole set up and get you using PGP
  • can run gpg on almost any device (mac, windows, linux; android phones; don't know about iphone). easiest thing to set up is thunderbird, via enigmail plugin, an implementation of pgp. it will walk you through process of creating your keys.
  • two keys, public and private. public given out to the world, private saved only on your device and password protected. share your public key with everyone you want to communicate with, even put fingerprint of it on your business card. can be stored and published online on a key server and easily looked up. public key is used by *others* to encrypt messages sent to you.
  • private key is not shared, only you have it, and you use it to decrypt messages sent to you that were encrypted with your public key.
  • be sure to encrypt attachments as well as message body. keep in mind meta information (sender, recipient, subject, other headers) is not encrypted and can still be read by an observer.
  • not just for encrypting messages: can also use for docs, images, etc. for instance, store a file with all your clients' passwords on your cloud drive, encrypted with keys of all the people who might need access to it. then any one of them can download and decrypt and read. or use for tax return, other financials, journal, etc. file encryption might need command line use, might not be a GUI - or might be built into windows under the file menu.

encryption 201:

  • key can have sub-keys. can have one for crypting and one for decrypting and one for signing. or one for each device if you read on multiple devices (which many say you shouldn't).
  • signing: separate process that uses public key signing to verify sender, not encrypting contents (you can do one or the other or both). email program will show you if signing is correct.

references:

https://emailselfdefense.fsf.org

Little Brother by cory doctorow. chapter 12 is great human explanation of how encryption works and why to use it.