Monday, August 06, 2007

PGP for muppets such as myself

As you may recall from one of my previous posts on the matter of encryption, I've suited up my system for PGP (Pretty Good Privacy) goodness by installing GNU's implementation of PGP, which goes by the name of GPG (GNU Privacy Guard). Acronyms galore...
The basic gist of it all is that GPG offers you a "pretty good" way of signing, encrypting, validating and decrypting pretty much anything a computer can read and store (files, email, text, etc). You generate a key-pair: a private key, and a public key, alongside an associated pass-phrase. You then stash the private key somewhere safe (presumably on your computer, although a thumb-drive or other removable media is ideal if you're very paranoid), and disseminate your public key to the public (duh) via email, your website, a blog post and/or a public key server (most of which sync their data every few minutes).

Your public key allows anyone to encrypt any file bound for your eyes only, as only your private key (used with your secret pass-phrase, it's fairly useless on its own, even if someone got their hands on it) will be capable of decrypting it. On the other hand, your private key (used with your secret pass-phrase) allows you to sign any text, which will allow anyone possessing your public key (or simply the capacity to connect to a public key server, provided your public key is on one) to verify both the integrity and origin of the data. The public key will not allow anyone to decrypt any files intended for your eyes only, nor will it provide malicious users with a way of forging your digital signature. Because of the asymmetric nature of this key-pair system, PGP gives your friends and contacts an easy way of communicating with you in a secure manner, without giving middle-men a chance to intercept information. You can even send encrypted data in plain text (it will appear as a large block of garbled characters); it won't make a difference. And in the worst case scenario, where someone gets a hold of your private key, they still need your pass-phrase. If you've used a non-dictionary pass-phrase, and generated a 2048 or 4096-bit key, it'll probably take them a loooong while to guess.
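The properties described above can be checked from the command line; this is an added example, not part of the original post. It assumes GnuPG 2.2 or later, and the two throwaway keyrings, the identity, the pass-phrase and the message are all constructed for the demo.

```shell
#!/bin/sh
# Added example, needs GnuPG 2.2 or later. The identity, pass-phrase and message
# are constructed. The pass-phrase is given on the command line only so the demo
# runs unattended; in normal use let gpg prompt for it.
DEMO_MAIL='demo@example.org'
DEMO_PASS='constructed demo pass-phrase'

g() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase "$DEMO_PASS" "$@"; }

demo_setup() {
    OWNER=$(mktemp -d) && OUTSIDER=$(mktemp -d) && WORK=$(mktemp -d) || return 1
    export GNUPGHOME="$OWNER"            # throwaway keyring, never ~/.gnupg
    # Key-pair: primary signing key plus encryption subkey, locked by the pass-phrase.
    g --quick-generate-key "Demo User <$DEMO_MAIL>" default default never || return 1
    # Only the public half leaves the owner's keyring.
    g --armor --output "$WORK/pub.asc" --export "$DEMO_MAIL" || return 1
    g --homedir "$OUTSIDER" --import "$WORK/pub.asc" 2>/dev/null || return 1
    printf 'constructed sample: account 0000\n' > "$WORK/msg.txt"
}

# A contact holding only the public key encrypts to the owner (ASCII-armoured).
outsider_encrypt() {
    g --homedir "$OUTSIDER" --trust-model always --armor --recipient "$DEMO_MAIL" \
      --output "$WORK/msg.asc" --encrypt "$WORK/msg.txt"
}
# The same contact cannot decrypt: no private key in that keyring (exit status != 0).
outsider_decrypt() { g --homedir "$OUTSIDER" --decrypt "$WORK/msg.asc" 2>/dev/null; }
# The owner can: private key plus pass-phrase.
owner_decrypt() { g --decrypt "$WORK/msg.asc" 2>/dev/null; }
# The owner signs; the contact checks origin and integrity with the public key.
owner_sign() { g --armor --output "$WORK/msg.sig" --detach-sign "$WORK/msg.txt"; }
outsider_verify() { g --homedir "$OUTSIDER" --verify "$WORK/msg.sig" "$WORK/msg.txt" 2>/dev/null; }

demo_cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null
    gpgconf --homedir "$OUTSIDER" --kill gpg-agent 2>/dev/null
    rm -rf "$OWNER" "$OUTSIDER" "$WORK"
}

if [ "${1:-}" = "--run" ]; then
    demo_setup && outsider_encrypt && owner_sign || exit 1
    owner_decrypt
    outsider_decrypt >/dev/null || echo "outsider cannot decrypt"
    outsider_verify && echo "signature good"
    echo tampered >> "$WORK/msg.txt"
    outsider_verify || echo "signature rejected after tampering"
    demo_cleanup
fi
```

Saved to a file and run with `--run`, the script walks through each step; without the argument it only defines the functions.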

The OS X implementation of GPG is pretty swish. There's a very good walk-through of the set-up process, and how to use it, as well as links to required (free) software here: Configuring GnuPG (Mac OS X). You may want to (and probably should, unless you have a good reason), skip the "Key Generation" step, and simply use the "GPG Keychain Access" program – discussed in the article – to generate one for you. The graphical step-by-step interface for doing so is quite friendly (especially compared to the terminal).

Once you're sorted out with a key-pair, and perhaps have uploaded your public key to a server (which is doable through the "GPG Keychain Access" app) or shared it with your friends, then you can simply start using the power of PGP. For files, there's a great little app called GPGFileTool which is – surprisingly – not discussed in the Zeitform article. It has a welcoming graphical user interface, and you need do little more than drag and drop the file you wish to encrypt/decrypt/sign/validate onto the program icon in your dock, and follow the instructions. Pretty easy, eh?
Email security is just a few steps away as well, with the GPG plugins available for Mail.app and other common mail clients. I use the Mail.app one, and it's quite simple and straightforward. An extra menu bar appears above all mail messages, offering you – through the use of checkboxes – the option to encrypt and/or sign your outgoing messages. It will decrypt incoming messages on-the-fly, simply prompting you for your pass-phrase (which can be stored in the Mac OS X keychain, although I wouldn't risk it). Very simple stuff, and all the details you need to know are in the Zeitform article.

I hope this blog post has been of some use to someone out there. The use of this is quite evident on an everyday basis: when sending sensitive information, bank details or simply contact info you wouldn't want someone other than the recipient of the message to stumble upon, PGP's the thing to use. And thankfully, the tools available for OS X make that possible without having to use the command-line interface even once, making the whole enterprise approachable to the slightly-tech-illiterate amongst us (myself included).
