If you can't be bothered to read up on the basics of public key encryption but you still want to use PGP or GPG to send and receive digitally signed or encrypted mail, then this article should cover the bare minimum you need to get started.
First, once you have chosen an encryption client and a mailer (I recommend GPG with Thunderbird plus Enigmail), self-signed your key, and generated a public/private keypair, you must make your public key public. If anyone is to verify your signed emails, they must have your public key. If anyone is to send you encrypted emails, they must have your public key. Post your public key on the web or email it to your friends.
Second, you should download the public keys of your friends and add them to your encryption client. If your client has a concept of trust, you should edit the trust of your friends' public keys.
Third, get your friends to sign your key. Key signatures serve as proofs of identify. By signing your key, I am telling the whole world that I believe that you are who you say you are, so they don't have to take just your word for it. This is even more important when you start exchanging signed and encrypted email with people whom you haven't met.
Fourth, sign the keys of your friends.
Fifth, if you are using Enigmail and want to be standards-compliant, change your default settings to always use PGP/MIME.
If you want to experiment, my public key is located here:
http://jonathan.pearce.name/jdpearce_keys
I am always willing to exchange signed or encrypted email.
For more information, consult the help files of your software.
http://www.gnupg.org/gph/en/manual.html
Jonathan's Quick Guide to PGP
-
- Grand Pooh-Bah
- Posts: 6722
- Joined: Tue Sep 19, 2006 8:45 pm
- Location: Portland, OR
- Contact:
Re: Jonathan's Quick Guide to PGP
If you are still using PGP, you are probably doing it wrong.
http://arstechnica.com/security/2016/12 ... pgp/?amp=1
Guys, I need to replace my nonfunctional encryption with something that works. I have a hard nonnegotiable deadline of January 20.
http://arstechnica.com/security/2016/12 ... pgp/?amp=1
Guys, I need to replace my nonfunctional encryption with something that works. I have a hard nonnegotiable deadline of January 20.
-
- Tenth Dan Procrastinator
- Posts: 4891
- Joined: Fri Jul 18, 2003 3:09 am
- Location: San Jose, CA
Re: Jonathan's Quick Guide to PGP
Yeah, I gave up on FireGPG. Being able to search my mail is more useful than encrypting it in general. I could just keep unencrypted drafts of emails I receive and hope no one hacks Google or hacks my Google password + second factor.
So, whatsapp or signal?
Since I mentioned 2-factor authentication, anyone hear any updates on whether NIST is really going to remove SMS as a 2nd factor? Even Social Security moved towards requiring SMS 2-factor auth earlier this year (and then stepped back on the requirement, but not for security concerns, but access concerns).
https://www.schneier.com/blog/archives/ ... _long.html
So, whatsapp or signal?
Since I mentioned 2-factor authentication, anyone hear any updates on whether NIST is really going to remove SMS as a 2nd factor? Even Social Security moved towards requiring SMS 2-factor auth earlier this year (and then stepped back on the requirement, but not for security concerns, but access concerns).
https://www.schneier.com/blog/archives/ ... _long.html
-
- Tenth Dan Procrastinator
- Posts: 4891
- Joined: Fri Jul 18, 2003 3:09 am
- Location: San Jose, CA
Re: Jonathan's Quick Guide to PGP
Have you set up a web key directory @jonathan.pearce.name ?
Google is likely to never set up WKD since it's in their interest to keep mail in plain text so they can target advertisements to you based on the content of the mail. It would be nice if they did though. Really though, if two parties both use gmail, then the only person who can really spy on the mail are Google and anyone they cooperate with, which is essentially no one.
Google is likely to never set up WKD since it's in their interest to keep mail in plain text so they can target advertisements to you based on the content of the mail. It would be nice if they did though. Really though, if two parties both use gmail, then the only person who can really spy on the mail are Google and anyone they cooperate with, which is essentially no one.