back

PGP

Sometimes you may want to use a cloud storage provider or service operated by someone else instead of hosting them yourself but you do not want anyone other than your intended recipients to be able to read that data. Some programs are designed this way using things like E2EE but what are you supposed to do when you want to use a service that doesn’t do this for you or critically fails despite using ZTA? You do it yourself with PGP. A general guide I will be using for this post is email self-defense Tor.

Clients

There are many to choose from. I myself like KGpg. Here are some. You can find more available on the internet but make sure you can trust the client you use. You can also use a CLI to use PGP for all tasks if you want to. Look at GnuPG too.

Generating And Security

Launch whatever client you have decided to go with and choose to generate a keypair. You can set a few options like email, name and an expiration date. I suggest to go with RSA 4096 currently and use a strong passphrase for using your private key.

A keypair is made up of a public and private key pair (asymmetric cryptography). Both the public and private keys are long strings of randomly generated numbers and letters that are unique to you and linked together (paired together).

Your public key is public. You are supposed to share it with the world. You can upload it to keyservers like the MIT PGP public key server and share it in any other way you want. Make sure to share it in a way that the other person you are communicating with knows it is your key otherwise you will be walking into a man in the middle attack. When someone trusts that the key they saved is yours, they can set a trust level for the key in their client. If someone wants to communicate with you, they encrypt their message with your public key and send the message over. You do the same with their public key and send your message over.

You can then only decrypt the message with the private key associated with that public key. As you can therefore guess, your private key should be held very securely and never under any circumstances shared with anyone.

The place you store your keys and the area in which you run your clients should be secure. Using PGP is mostly pointless if the machine you use isn’t well secured.

Changing Keys

If you are nearing your keys expiry, you can sign a message saying what your new key is. If your key is stolen (your private key), you can use a revocation certificate. The process isn’t too difficult. If you kept your private key safe however, it shouldn’t come to this.

Signing

With PGP, you can sign messages. This means someone can verify that an encrypted message you sent them did in fact come from you. They can also know when the message was sent too if you attach a time. It can also help with warrant canaries.

Fingerprint

An example of a fingerprint is F1F8 701F A54B E0F0 6F99 2295 6D9C 4C96 B1B0 8908. A fingerprint is a small number of characters used to identify the public key. It is used to double-check that they have the correct public key when they download yours from somewhere.

Web Of Trust

The web of trust is something of a decentralised alternative to CAs for SSL for the web but instead for PGP. When signing keys, you are saying you are confident that key is actually for them.

Symmetric

Symmetric key algorithms are where this is only one key for decryption and encryption. In a lot of circumstances, this isn’t a good thing to go with and asymmetric is more suitable. You can see more about this here.

Email

No matter what email service you go with, email just isn’t very secure by default because the protocols behind it aren’t very secure. Some email service providers have been looking at solutions other than using user generated PGP keys but there isn’t a single agreed upon standard. A lot of people are able to snoop on your email so this is a very big place for PGP to shine.

You may also want to consider using an email client that you choose like thunderbird rather than the standard webmail interface you may have that can be limited in some ways (if your email provider supports this) such as with offline search and easier management to decrypt and encrypt PGP emails.

You should also know that just because you encrypted the message, it doesn’t mean other parts like the information in the subject line and metadata regarding the email like when it was sent, from who to who it was sent and other information can still be inspected.

Secure Cloud Storage With A Test

As stated in the introduction, this is a very useful place for PGP. You should be warned however that if the operator of a service cannot read your data in plaintext, they may delete it from their servers.

Search how to for your client. Here is a page doing it. As stated on the page, if you want to encrypt a folder, you will need to turn it into a file first. This can be done by archiving it into a .tar.gz or another format you prefer.

This is a test. I have this photo that I want to encrypt with asymmetric encryption. I run the command gpg -e -r diyarciftci jesus.jpg to encrypt it creating the file jesus.jpg.gpg. I upload this file to pomf.lain.la. The file is available here archive.org. I download the file u4n6xzd9.gpg. I decrypt it with gpg -d -o jesus-decrypted.jpg u4n6xzd9.gpg. I now have the decrypted file. The file server I uploaded this to didn’t know what was uploaded or downloaded. You could set a less descriptive file name when uploading, upload through a proxy, etc. to hide more information from the file server too.

Conclusion

PGP isn’t always the most convenient of options but it is a very good option. After you learn it, it is difficult to do something incorrectly with it.