PGP for Preppers - Part 2, by Groundhog Gravy

We should be especially careful when communicating electronically: it’s little more than trivial for a government, a corporation, or even a couple of well-equipped criminals to intercept phone calls, emails, or text messages. This article explains how to use simple, secure tools that do only encryption and do it right. They are based on Pretty Good Privacy (PGP), a tool that is significantly better than its name suggests and that offers excellent communications security for preppers. Part 1 covered PGP and how it is used. Now, we are continuing.

Setting an Expiration Date

Now that you have created a key, there are a couple things you may want to do with it. First, you might want to set an expiration date, so that if you happen to lose your private key, you don’t have a zombie public key floating around valid literally forever. I’d set a date about a year in the future; you can easily extend the expiration date if need be. To do this:

  • Open the Key Manager window by choosing Keyring Manager from the Windows menu of GPA,
  • Select your new key from the list,
  • From the Keys menu, select Edit private key,
  • Choose a new date and click “OK”, and
  • Enter your passphrase.

Sending the Key to a Keyserver

Finally, you can send your public key to a keyserver. The keyserver lets other people look up your key easily by searching, so they can send you encrypted messages, to improve your privacy and theirs. You should either do this, send your public key by email to the people you want to have it, or put it in a public place (like your website, if you have one) so people can find it. It’s called your “public key” for a reason. To send it to a keyserver, select the key from the list in the Key Manager and choose Send Keys from the Server menu. (GPA will, of course, not send your private key to the server!)

Importing Public Keys

You can’t encrypt a message until you have the recipient’s public key. There are two ways to import one: from a file, and from a keyserver. If you find someone’s key on their website or if they email it to you, copy it and paste it into a file. Then, use the first method.

From a File

If you are importing a public key from a file:

  • Open the Key Manager window by choosing Keyring Manager from the Windows menu of GPA,
  • Click Import on the toolbar, and
  • Choose the file with the key or keys you want to import.

GPA will import any keys it finds in the file and display a summary of what it found and did.

From a Keyserver

Many people upload their public keys to a keyserver from which anyone can retrieve them. To get a key from the keyserver:

  • Open the Key Manager window by choosing Keyring Manager from the Windows menu of GPA,
  • From the Server menu, choose Retrieve keys, and
  • Enter a name, email address, or key fingerprint.

If fewer than five matching keys are found, GPA will import them all. If it finds too many, you will have to narrow your search.

Encrypting

You can encrypt a message either from text or from a file. I will go over each procedure below.

From Text

When you open GPA, it may open to a window titled Clipboard. If it does not, you can open it by going to the Windows menu and selecting Clipboard. You can type or paste any text you like into the clipboard, and then press the Encrypt button.

When you do, a window will pop up where you can select what recipients should be able to decrypt the message (hold Ctrl to select more than one). It also has a checkbox labeled Sign; if you select it, you can sign the message with your private key so others can verify that it came from you (or someone else who has your key).

A Note About Copying and Pasting

After you paste your sensitive private message into the GPA Clipboard, that message is still on your system’s clipboard, ready to be pasted again. Sites you load with your web browser can read the text on your clipboard. That is a bad combination. If you’re going to paste something into GPA to be encrypted, remember to clear the clipboard by copying something innocuous. (You can also disable web sites’ access to clipboard information in most browsers’ settings, which is a good idea in general.)

From a File

You can also encrypt files using GPA. To encrypt from a file:

  • Open the File Manager window from the Windows menu,
  • Choose Open from the File menu or press the Open toolbar button,
  • Select the file you want to encrypt,
  • Click Encrypt,
  • Select the recipients’ public keys and choose whether to sign, as described above.

This will create an encrypted file in the same folder as the unencrypted version.

A Note About Deleting Unencrypted Files

If you no longer need the unencrypted file, don’t just delete it. Regular file deletion removes the record that there is a file there but doesn’t overwrite the file’s contents, leaving them recoverable. Instead, delete the file using shred on Linux, rm -P from the Mac OS X command line, or sdelete on Windows. (At least on older systems, that will be effective; newer systems using journaled filesystems or SSDs work differently and should probably only be used with full-disk encryption.)

Decrypting

Decrypting messages and files is the same as encrypting them, except that you click Decrypt instead of Encrypt, and you won’t have to choose a decryption key. GPA will determine it from the message or file being decrypted and just prompt you for the passphrase, which you have of course memorized and/or stored securely.

A Few Problems

Although PGP is “pretty good,” it has flaws. A few problems affect when and how it should be used.

The Web of Trust

If there are multiple public keys for a person, it is hard to know for sure what key to use. Other people can create keys in any name they please and upload them to a keyserver. How should you know which, if any, are valid?

PGP has a mechanism to handle this problem, called the Web of Trust. It is possible to sign a person’s key, verifying that you know that key belongs to that person. In theory, if you follow the chain from the person whose key you want, through the people that have signed it, down through the people who have signed their keys, eventually you’ll reach someone whose public key you know and trust, and a key that produces that chain is valid.
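The chain-following check described above, as an added example (not code from the article or from GnuPG): a breadth-first search over a constructed signature graph. The key labels, the graph, and the depth limit of 5 are assumptions for illustration; real tools identify keys by fingerprint and apply further trust rules.

```python
from collections import deque

# Constructed sample data: signer -> keys that signer has certified.
# Short labels stand in for real key fingerprints.
SIGNATURES = {
    "ME": ["BOB"],                              # keys I verified in person
    "BOB": ["CAROL"],
    "CAROL": ["ALICE-1"],                       # the key Alice really owns
    "MALLORY": ["SOCK-1", "SOCK-2", "ALICE-2"], # impostor and throwaway keys
    "SOCK-1": ["ALICE-2"],
    "SOCK-2": ["ALICE-2"],
}

def trust_chain(signatures, trusted, target, max_depth=5):
    """Return the shortest signature chain from a trusted key to target, or None."""
    queue = deque([k] for k in trusted)
    seen = set(trusted)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:  # chain already uses max_depth signatures
            continue
        for signed in signatures.get(path[-1], []):
            if signed not in seen:
                seen.add(signed)
                queue.append(path + [signed])
    return None

def signature_count(signatures, target):
    """Number of keys that signed target; says nothing about who the signers are."""
    return sum(target in signed for signed in signatures.values())

if __name__ == "__main__":
    for candidate in ("ALICE-1", "ALICE-2"):
        print(candidate,
              "signatures:", signature_count(SIGNATURES, candidate),
              "chain:", trust_chain(SIGNATURES, {"ME"}, candidate))
```

The impostor key carries more signatures than the real one, but none of them connects back to a key you verified yourself, so it never validates.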

However, it hasn’t worked out that way. People have not signed each others’ keys in general, for three reasons:

  • It’s a real pain.
  • They’re not that confident of most keys.
  • They don’t want their public keys to display everyone they associate with.

The web of trust approach to confirming ownership of a key is, in short, totally broken. The best way (really, the only way) to have a trusted key is to get it from the person it belongs to by a private method you trust. Caveat encryptor.

Sending Methods are Insecure

No matter how good your encryption method is, your method of transmission leaks some data. The encrypted message sent by e-mail may be secure, but the subject line, the sender, the recipients, and the date and time it was sent are not. That metadata, which is often portrayed by officials as “harmless,” is also sensitive, especially when it is scooped up in bulk like krill by the government whale. When analyzed and collated, it can reveal who talked to whom about what and when, and it’s often easy and prosecutorially unnecessary to surmise what they might have said.

There’s not much defense against this, but encrypting the contents of our communications is much better than not. It’s helpful to put nothing revealing in a subject line, leave it blank, or put in an unrelated Bible verse. But this still presents a problem.
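What stays readable when only the body is encrypted, as an added example (not code from the article): it parses three constructed messages with Python's standard email module and collates the headers without touching the ciphertext. The addresses, subjects, dates, and placeholder ciphertext are all made up for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed placeholder standing in for a real PGP-encrypted body.
ARMOR = ("-----BEGIN PGP MESSAGE-----\n\n"
         "(constructed placeholder ciphertext)\n"
         "-----END PGP MESSAGE-----\n")

def make(sender, to, subject, date):
    """Build a constructed sample message: clear headers, encrypted body."""
    return f"From: {sender}\nTo: {to}\nSubject: {subject}\nDate: {date}\n\n{ARMOR}"

SAMPLE_MAIL = [
    make("alice@example.org", "bob@example.org",
         "Re: Saturday at the cabin", "02 Jul 2018 21:15:00 +0000"),
    make("alice@example.org", "bob@example.org, carol@example.org",
         "hello", "03 Jul 2018 06:40:00 +0000"),
    make("bob@example.org", "alice@example.org",
         "hello", "03 Jul 2018 06:55:00 +0000"),
]

def exposed_metadata(raw):
    """Return what anyone handling the message can read without a key."""
    msg = message_from_string(raw)
    return {
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(msg.get_all("To", []))],
        "subject": msg.get("Subject", ""),
        "date": parsedate_to_datetime(msg["Date"]),
        "body_encrypted": msg.get_payload().lstrip().startswith(
            "-----BEGIN PGP MESSAGE-----"),
    }

def contact_graph(mails):
    """Count (sender, recipient) pairs across messages, using headers only."""
    pairs = Counter()
    for raw in mails:
        meta = exposed_metadata(raw)
        for sender in meta["from"]:
            for recipient in meta["to"]:
                pairs[(sender, recipient)] += 1
    return pairs

if __name__ == "__main__":
    for meta in map(exposed_metadata, SAMPLE_MAIL):
        print(meta["date"], meta["from"], "->", meta["to"], repr(meta["subject"]))
    print(contact_graph(SAMPLE_MAIL))
```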

Forward Secrecy

It’s wise to assume that the government is vacuuming up every electronic communication you send or receive. It’s not certain that they’re doing that, but it looks pretty likely. So while it may not be possible for the NSA, or whoever, to read your PGP-encrypted email yet, they probably have it, and they have the capability to keep it for a century or so. If, in that time span, your private key is stolen or otherwise becomes public, or if the NSA develops the ability to break PGP encryption, your encrypted email can all be read.

There’s not so much you can do about this problem, honestly. Use a long key (we’ll get to that next) and change it now and then, destroying your old private key to avoid stupidly losing it. But in the end, it’s a race to decrypt your data before it’s no longer useful.

Keysize

The longer your key, the harder your encryption is to break. By default, GPA generates 2048-bit keys. At this point, 1024-bit keys can probably be broken; it takes months, and the hardware and power costs millions, but it can be done by a major actor. 2048-bit keys are probably safe for a long time yet, but GnuPG can generate 4096-bit keys, and you should probably use one sooner rather than later. Remember that forward-secrecy issue? Here’s how to generate one (it can only be done from the command line right now):

  • Open a terminal (for a Mac, that’s Terminal; for Windows, Command Shell; and for Linux, any of a number of options),
  • Enter the command “gpg --full-generate-key” and answer the prompts:
    • Select RSA and RSA for the key type
    • Enter 4096 for the keysize
    • Enter your preference regarding expiration date
    • Confirm it
    • Enter the user information you prefer
  • If you’re satisfied, enter “O” for okay

You can now use that keypair in GPA as described above.

Susceptibility to New Technology

PGP has been able to keep up with the times, adapting its encryption algorithms, keysizes, and the like to account for cracks and rumors of cracks. Quantum computing, if it becomes practical for large-scale problems like RSA decryption, would make PGP encryption as efficient to break as to encrypt. There are new algorithms that should not be susceptible to quantum approaches, but they are not fully vetted, and GPG has not yet implemented them.

Again, there’s little users can do about this. Quantum computing may not prove to be practical for any large problems, let alone RSA decryption, and we understand it well enough to be able to begin developing resistant algorithms now. The best advice now is to keep informed and use the best available encryption as it’s perfected.

In Closing

Using PGP to encrypt your stuff is just that easy. Don’t listen to the people who say it’s hard. It’s not. Now go in peace and encrypt all the things!

This has been part one of a two part entry for Round 77 of the SurvivalBlog non-fiction writing contest.




6 Comments

  1. To clarify “Forward Secrecy”, or “perfect forward secrecy” involves some more complex math – see Diffie Hellman Key Exchange for details – means that even if you LATER obtain the private key, you won’t be able to decrypt messages.
    PGP doesn’t offer this, but the encrypted web access – HTTPS has it as an option if both the server and your browser (almost all do) support it.

  2. Good article. It has been several years since I used PGP on Windows. After seeing this, I was motivated to get it installed on my Linux system. GPA certainly makes managing keys and working with files/clipboard much easier.

    Thanks for submitting!

  3. Completely left out of these articles is the subject of Metadata.

    The metadata cannot be encrypted… From: To: and Subject: etc., as well as the IP addresses used, the dates and times, as well as locations used to access any given email.

    Speaking in code over the telephone has the same issues.

    Hitler discovered, in the early days of widespread telephone use, that the subject matter discussed was unimportant. It was the metadata that was valuable. Who spoke to whom and when.

    And, yes, as JWR commented, having encrypted payloads in all your email, changes the potential “interest level” in your metadata.

    1. That is almost but not quite true; I did discuss the subject line. I did not discuss the other points because they fall under a different topic, anonymity, which is different from privacy. I hope to cover it in another article.

  4. Good article. The biggest problem I see is most communication is not coming from our home computers, but from our cell phones.

    Thus what we really need is an app that allows this method of communication.

    If it’s not easy most people won’t do it, or won’t keep doing it.

  5. Really enjoyed this information. I used PGP on a Windows machine for several years and have since started more Mac and Linux machines for my day to day work. GPA certainly has a lot of advantages and makes managing keys and working with files/clipboard much easier as was mentioned. Really appreciate all the info you provide and I look forward to following the blog more closely.

    Submitted by: Marcus Drew – Bell Gardens
