Entries Tagged as 'privacy'

Take Back Your E-mail (Part 2)

In my previous post, I discussed the workings of PGP e-mail encryption, as well as the rationale behind it. To recap: unencrypted e-mail is like a postcard, viewable to anyone who intercepts it. Encrypted e-mail is in a metaphorical envelope, signed and sealed.  PGP encryption takes a little bit of extra effort, but if you want to keep your data private, it’s worth it.  This time, I’ll show you how it’s done.

  1. If you’re using Windows, download GNU Privacy Guard for Windows (GnuPG).
    • If you’re a Mac or Linux user, you’ll have to figure out for yourself which program best suits your needs. This page is a good place to start.
    • Run the installer application, follow the instructions, etc.
  2. Open the program called GPA and click Keys > New Key.
  3. Put your real name in the “User ID” field and fill in your e-mail address of choice. The passphrase ought to be something long, but still easy for you to remember. Keep it secret and safe, just as you would any other password.
  4. Finally, select an expiration date for your key. If you think you’ll be using the e-mail address you entered for the rest of your life, it’s okay to leave this field blank.  Otherwise, it’s easier to let your key expire and make a new one than to edit it and try to somehow distribute the new version to everyone you know.  Hit OK.  Congratulations, you have a key pair!
  5. If any of your contacts also have public keys and have posted them to the Internet, you can import them into your keyring (basically an address book for your friends’ keys).  Save your contact’s key to your hard drive as a text file, then (still in the GPA program) click “Import,” find the file, and hit OK.

So, how to actually encrypt and decrypt e-mail?  Well, if you’re using the best web browser (Mozilla Firefox) and the best webmail service (Gmail, natch), then the FireGPG plugin makes it incredibly easy.  (Install it and hit “Compose Mail” in Gmail, and you’ll see what I mean.)  Most other popular e-mail programs will have plugins as well; here’s a fairly comprehensive list (scroll down to “Plugins”).
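The steps above, done with the `gpg` command-line tool that ships with GnuPG, followed by the encrypt, decrypt, sign and verify operations a mail plugin performs for you. This is an added example, not part of the original post. It assumes GnuPG 2.1 or later and bash, and the names `alice` and `contact`, the address `alice@example.org`, the passphrase and both messages are constructed.

```bash
#!/usr/bin/env bash
# Added example: throwaway key in temporary keyrings; every name is constructed.
PASS='constructed demo passphrase'  # demo only; a real passphrase is typed at the prompt

# Two separate keyrings: Alice owns the key pair, the contact only sees her public key.
alice() { gpg --homedir "$WORK/alice" --batch --quiet --pinentry-mode loopback --passphrase "$PASS" "$@"; }
contact() { gpg --homedir "$WORK/contact" --batch --quiet "$@"; }

roundtrip_steps() {
  mkdir -m 700 "$WORK/alice" "$WORK/contact" || return 1
  # Steps 2-4: key pair with name, e-mail address and a one-year expiration date.
  alice --quick-generate-key 'Alice Example <alice@example.org>' default default 1y \
    >/dev/null || return 1
  # Export the public half only, as text (this is the part you publish).
  alice --armor --export alice@example.org > "$WORK/alice.pub.asc" || return 1
  # Step 5: the contact imports that text file into their own keyring.
  contact --import "$WORK/alice.pub.asc" || return 1
  # The contact encrypts to Alice's public key. "--trust-model always" skips the
  # ownership check for this demo; in practice, compare fingerprints first.
  printf 'meet at noon\n' | contact --armor --trust-model always \
    --recipient alice@example.org --encrypt > "$WORK/msg.asc" || return 1
  # Alice signs a reply with her private key; the contact verifies it.
  printf 'see you then\n' | alice --clearsign > "$WORK/reply.asc" || return 1
  contact --verify "$WORK/reply.asc" 2>/dev/null || return 1
  # Only Alice's private key, unlocked by the passphrase, decrypts the message.
  alice --decrypt "$WORK/msg.asc" 2>/dev/null
}

pgp_roundtrip() {
  local rc h
  WORK=$(mktemp -d) || return 1
  roundtrip_steps; rc=$?
  # Stop the background daemons started for the temporary keyrings, then clean up.
  for h in alice contact; do gpgconf --homedir "$WORK/$h" --kill all 2>/dev/null; done
  rm -rf "$WORK"
  return "$rc"
}

pgp_roundtrip   # prints: meet at noon
```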

If you have any questions, please ask in the comments and I’ll do my best to help!

Take Back Your E-mail (Part 1)

(It’s been a while, but I’m back. Thanks to the folks at Brazen Careerist for inviting me aboard; I’m honored to be a part of such an interesting community.)

E-mail is not private.

Every message you send travels as plain text over the Web, with no safeguards to prevent some malicious person from intercepting it. It’s more or less like sending a postcard. In terms of your privacy, it’s actually even worse - a postcard can be shredded, but even if the sender and recipient both delete any given e-mail, chances are a copy still exists on the Internet in some form.

The solution is public-key cryptography. With software like GnuPG, you can create a key pair consisting of a public key and a private key. Publish the public key as widely as you can: e-mail it to your friends, for instance, or post it on your Facebook. Guard the private key with your life.

When someone sends you an e-mail, they encrypt it with your public key. You, and only you, can decrypt the message with your private key (assuming you’ve kept it safe).

You can also use a variant of your private key to sign messages you send. The recipient can check the signature against your public key and confirm that the message is really from you.

You should encrypt your e-mail whenever possible. If you habitually encrypt even innocuous messages, then any truly private encrypted mail won’t stick out like a sore thumb.

My hope is that e-mail encryption will become commonplace. As Bruce Schneier put it recently, “Who controls our data, controls our lives.” And data, gentle readers, is a slippery thing. It gets away from us all too easily, and once it does, there’s no way to tell where it will wind up… with spammers? With our employers? With the government?

In my next post, I’ll explain exactly how to set up PGP encryption, but in the meantime, here are some links to get you started.

  • GnuPG.org - project homepage for GNU Privacy Guard, encryption software built on the OpenPGP standard
  • Public-key cryptography on Wikipedia
  • Gpg4win - software package containing GnuPG (GNU Privacy Guard) and other handy software, including a plugin for Outlook 2003
