Political scandals have always been about leaked information. Don’t
you wonder why sensitive data has been passed around in clear text on
the leaked cables that Wikileaks has been making public, while your
latest SpongeBob Blu-ray or DVD disc is encrypted with DRM locks and
transactions like your book purchase at Amazon is secured and
encrypted by SSL certificates?
Encryption has been overlooked by general public all the time. You
only hear about it in “hacker” films or breaking news scandals. Although
encryption is commonly associated with hiding secrets, when in fact
it’s more about securing information. When you change the mindset
you’ll start considering encryption as something more relevant for
your everyday digital life.
For example, the cloud storage service Mega has encryption built in, after the
lessons learned on the data kidnapping of MegaUpload servers. This is
for the protection of both parties, the service providers and
yourself, the user. This way, only you can open the files and not even
Mega employees can know what is in your storage account. Dropbox,
Google Drive and other services don’t provide the same level of
security, so basically anyone that has access to those servers can see
your personal information.
There are many types of encryption methods. One of them is called GPG
(initially PGP but the free software version is known as GPG).
GPG is a two key system, where you hold a private key and a public
key. The way it works is that you encrypt a file with someone’s public
key and send it. On the receiving end, the other person has a private
key, and only with the private key the message can be deciphered.
Public keys can be obtained from the person directly through a file
transfer or email attachment prior to encrypted communication. Some
people, like me, publish their public keys on their personal web
page. The most common method to get a public key is to search it on
key servers. Most GPG GUI programs have the option to search, download
and upload public keys on key servers.
Encryption jargon
So to get started with protecting our data using encryption, you’ll
need to learn the basic concept words:
Encrypt
Encryption will protect the contents of the file, image, text or
whatever is being encrypted, so that only the owner of the private key
can view it.
If you want to protect a file only for your eyes, encrypt
it with your own public key.
Decrypt
This is the process of removing the encryption so that you can view
the contents of the protected file. This can only be done if the
contents were encrypted with the public key of the person who’s
supposed to see the information.
If someone sends you a file that was
encrypted with your public key, only you, who has the private key, can
decrypt the file.
Sign
Sometimes the only layer of protection you need, is to make sure the
contents of a file or email were not altered between the time you send
it and the time it is received by the other person.
It also works as a way to make sure that a message is coming from you,
since you need your private key to sign the file and only you have
access to it.
Signing a file or text is a mechanism to know that the contents are
intact. This does not hide the message itself, it only adds a
signature to the file to ensure that every bit is in place with no
modifications.
Verify
This is how you check a file or message’s signature for authenticity
and integrity. If the signature doesn’t match, it means that the file
has been altered or didn’t came from the right person.
You can sign or encrypt a message or file. Signing doesn’t hide the
information but it helps to certify that the information hasn’t been
modified by anyone else before reaching you. Encrypting will hide
the information so no one can see the message or file’s contents.
Setup
To setup GPG on your system, you’ll need to generate your public and
private keys. Any GNU based system is compatible with GPG (GNU Privacy
Guard). Most GNU/Linux distributions are already bundled with the gpg
command-line tool. If not, on a Debian-based distribution you can
install it with:
sudo aptitude install gpg
Generating your keys
After you installed gpg on your system, to create your keys for the
first time, all you need to do is open a terminal and type:
gpg --gen-key
This will start a step by step process with some simple
questions. When in doubt, use the default options by just pressing
Enter. Don’t fear the command line, it’s just text.
When asked for a passphrase, note that GPG is not asking for a pass
*word*, it’s asking for a pass *phrase* so make sure it is longer than
one word and an easy to remember sentence.
Once that is done, you can check your list of keys with
gpg --list-keys
Key search and import
If someone hands you their public key on a file, you’ll need to import it to your keyring to use it:
gpg --import key.asc
The key.asc is the file with the public key.
You can also search for someone’s public key on key servers
gpg --search-keys [email protected]
After the results, the GPG will ask which key you want to
import. Select the key from the results list by their number at the
beginning.
Basic usage
Encrypt
To encrypt a file, first you need to import the receiver’s public key,
then you can use it like this:
gpg --encrypt --recipient [email protected] my_message.txt
This will generate a file my_message.txt.gpg which is the encrypted
file you’ll want to send.
Decrpyt
To decrypt a file, the sender must have used your public key. You can
use whatever name you want for the output file, in this case
“my_message.txt”
gpg --output my_message.txt --decrypt my_message.txt.gpg
Sign
To sign a file you use this command:
gpg --armor --detach-sign myverifiedfile.zip
This will create an additional file called ‘myverifiedfile.zip.asc’
which is the signature to verify the file. Send both files to the
receiving end.
Verify
You receive two files: the data file and the signature file. You can
verify the signature with this command:
gpg --verify signature_file.asc myverifiedfile.zip
Frontend tools
If you’re on GNU/Linux and using KDE you can install the user interface KGPG
sudo aptitude install kgpg
On Gnome, you can use Seahorse
sudo aptitude install seahorse
For graphical user interface options on Mac OS X and Windows, you can
check the GPG website.
These GUI front ends will integrate well with your desktop
environments, so you can easily encrypt, decrypt, sign or verify files
from the file manger right-click menu options.
GPG and Email
The easiest way I can recommend to use encryption with email, is with
Enigmail, an extension for the Mozilla Thunderbird email client. It
integrates very well and makes it easy to sign, encrypt, verify and
decrypt email messages.
In case you haven’t generated any keys, Enigmail will help you
generate them with an easy step by step graphical Wizard.
I hope this guide helps you know more about encryption and how to use it. And remember: Encryption is not only about hiding secrets; It’s about protecting your personal information.