A PGP beginners guide, for beginners who want to do it right


When I (@curtiswallen) was first learning how to use PGP encryption I followed a bunch of different guides online, but still felt so confused. They taught the bare minimum for generating a key, and then didn't give any real world advice on how to use it or how to actually encrypt anything. After learning a little more and gaining some experience, I also realized that those guides often don't focus on some of the most important aspects of encrypted communications. Namely, that encrypting email isn't enough on its own to provide security. In this guide I've tried to distill my best advice in a simple and concise format. Hopefully you will find it useful.

    Getting started/configuration
    Generating your key
    Generating your revocation certificate
    Sending messages
    Receiving messages/sharing your key
    One potential secure procedure

    Verifying downloads using PGP

What is PGP?

PGP ("Pretty Good Privacy") is a piece of software created by Phil Zimmermann in 1991 to encrypt digital information. In 1997, realizing an open standard for PGP encryption was needed to prevent the technology from being locked down by patents, Zimmermann and his team drafted the OpenPGP standard. In 1999, the Free Software Foundation released version 1 of the GNU Privacy Guard (GPG), an encryption program compliant with the OpenPGP standard. Most uses of PGP today are via GnuPG (GPG).

What is PGP good for?

PGP is really good at encrypting data. If used correctly, nobody but the intended recipient should be able to recover the content of information encrypted using PGP.

However, law enforcement can force a user to surrender her or his passwords/keys, or can use an array of different methods to discover the content they're looking for. Because the encryption itself is so strong, an adversary will rarely focus on breaking it. They will instead look to exploit weaker links in the chain: passwords, keys, plaintext drafts/copies on a target's computer, or the sender/recipient herself.

Or, in some cases, the content isn't even needed. Metadata analysis can often be enough to blow a journalist/whistleblower/etc.'s cover.

What does that mean?

PGP is an important and powerful tool, but it can't prevent you from fucking up in the thousand other ways your adversary is hoping you will. Communications security requires more than encryption. You need to be alert; you need to be smart.

With that in mind, let's get started

A quick note: many people use Mozilla's Thunderbird email client with the Enigmail plug-in to manage PGP-encrypted email. I have experienced a few quirks in the past with this setup that have led me to use a different procedure. It is a bit less convenient, but I believe it is ultimately safer. Of course, feel free to explore other options and do whatever you'd like. :-)

First install the necessary tools and configure everything properly.

OS X: https://gpgtools.org/
Windows: http://gpg4win.org/
GNU/Linux (Debian, Ubuntu, Mint, Fedora, etc.): GnuPG ships with most Linux distributions, but if yours doesn't include it, get it from https://www.gnupg.org/download/index.html