PGP: WHERE TO GET AND HOW TO USE PGP ENCRYPTION.

Off the cuff, this is a post about PGP (a.k.a., “pretty good privacy”) and encryption.

When I was in college in the 1990’s, encryption was the easiest thing to set up. We’d download some freeware, set up a few encryption keys, upload the keys to the MIT servers, and send around “how are you, aren’t we cool because we’re using encryption” e-mails to friends and family. Little did we know those keys would be permanently there years later, and most of us lost our keys over the years, and forgot to set expiration dates on our keys (so my old college keys are still available somewhere on the net).

After a phone call today, I realized that after so many years, I have not used PGP, and I did not have a PGP key handy to encrypt an e-mail and its contents. “No problem,” I thought, I’ll just go online, grab the free software from Symantec, and I’ll set up a key and forward the documents. NO GO.

Symantec purchased the rights to the PGP software from Phil Zimmerman, and they TOOK AWAY the ability for individuals to set up PGP encryption on their machines (unless they purchase an elaborate suite of programs for $$$$). And, even if I wanted to purchase the software, they have made it next to impossible to acquire it using a few clicks, a credit card, and a website checkout.

Honestly, I have nothing wrong with companies selling premium features on top of their free software, but ENCRYPTION SOFTWARE SHOULD BE FREE!!! In order to have a free society where individuals can speak and express themselves freely without need to censor themselves in fear of a snooping government, encryption is needed! Because Symantec took away the ability for individuals to use PGP, in my opinion, this in my book is considered unethical and “mean” business practice. Shame on you, Symantec.

[ON A SIDE NOTE: I want to point out that in college Phil Zimmerman was my hero. Now on his “Where to get PGP” website, he states that he doesn’t care that PGP is no longer free, as long as Symantec kept the source code available to the public. Phil Zimmerman, for the reason that you have made it so that companies can make it difficult for users to access and use encryption, now almost twenty years later, you are no longer my hero.]

Since PGP has become monetized and corporatized for corporate profit and control, for those of you who want (and should) set up encryption, there is still a way. GnuPG (part of the OpenPGP Alliance) has made encryption available to Windows PC users using their GPG4win software. Essentially, the software appears to have originally been written for the Linux operating systems, but it has been ported for those of us that are still shackled to a Windows PC operating system.

HOW TO OBTAIN AND SET UP PGP SOFTWARE IN ORDER TO ENCRYPT AND DECRYPT YOUR MESSAGES AND FILES:

STEP 1: DOWNLOAD THE SOFTWARE.

The link to download the latest version of GPG4win is here:
https://www.gpg4win.org/download.html

STEP 2: CREATE A SET OF KEYS.

– For those of you more techy, the keys they set up are 2,048 bit keys, which are the standard for today’s encryption. However, technology does advance quickly, and if you are anything like me, you’ll want to use the 4,096 bit keys (which is more encryption than you’ll ever need, but why skimp on privacy when such a key is available?)

So if you want this stronger key, when the software asks you if you want to create keys, say “no,” click “File, New Certificate,” and click on the advanced settings. There, you will be able to 1) choose the heightened security 4,096 keys, along with 2) the ability to SET AN EXPIRATION DATE FOR YOUR KEYS.

STEP 3: SET AN EXPIRATION DATE FOR YOUR KEYS!!!!!

NOTE: All of us have set up keys, and have lost them due to computer malfunction, hard drive crash, or just losing the secret key files. ***IF YOU DO NOT SET AN EXPIRATION DATE ON YOUR KEYS, THEY WILL BE ON THE MIT SERVER FOREVER!!!*** And, you will be unable to delete the keys later on. So please! Set an expiration date on your keys. I set mine for 12/31/2016 (at the end of next year), and next year, I’ll set up another set of keys.

STEP 4: CREATE A REVOCATION CERTIFICATE BEFORE YOU UPLOAD YOUR KEYS TO THE SERVERS!

For some reason, the Kleopatra Windows PC software does not have an option to set up a revocation certificate so that you’ll be able to revoke (or inactivate) keys on the MIT server that you no longer use.

For this reason, and this is easy to do, the superuser.com website has described a way to set up a PGP key revocation certificate using a command terminal (“CMD”) code.

In short, open a terminal in Windows (using “Run, CMD”), and type the following:

gpg –output revoke.asc –gen-revoke [MY KEY-ID]

(NOTE: The MY KEY-ID is the “Key-ID” for the key you created using the Kleopatra software.)

Then save it somewhere where you cannot lose it. Print it out and save it offline if you need to.

STEP 5: UPLOAD YOUR NEW KEY TO THE MIT SERVER SO THAT OTHER PEOPLE CAN FIND YOUR KEY.

This is the step that you should be most careful about. Once you upload the key, it’s on the server forever (viewable at https://pgp.mit.edu/). So just double-check your steps before you take this step.

HOW TO USE PGP:

Once you’re all set up, you’re set for the life of your encryption keys (remember, I set mine to expire at the end of next year.)

Below are the steps to use PGP:

STEP 1: OBTAIN THE KEY OF THE PERSON YOU ARE SENDING YOUR MESSAGE OR FILE(S) TO FROM THE MIT SERVER.

You can search for their key by either:

1) On the Kleopatra software, click “File, Look Up Certificates on Server,” and then you would type in either their name or e-mail address and select which key you want to use (best to use their most recent key if there are multiple keys).

2) Alternatively, you can accomplish the same result by entering their name or e-mail address on the MIT server (https://pgp.mit.edu/). For example, for mine, you would search for rzcashman@cashmanlawfirm.com, and my key would show up.

STEP 2: WRITE YOUR MESSAGE AND ENCRYPT IT TO THE KEY OF THE PERSON YOU ARE SENDING IT TO.

On the Kleopatra software, you would click on the “Clipboard” button on the toolbar and select “Encrypt.” A new screen will open, and you’ll write your message.

Once you have written your message, click on the “Add Recipient” button and select the key of the person you are sending the e-mail to. Remember, you did this in STEP 1.

STEP 3: COPY AND PASTE THE ENCRYPTED TEXT INTO AN E-MAIL.

This is the easy part. Once you have the message you wrote encrypted to the key of the person to whom you wrote the message, a string of letters will appear in your window. Copy and paste it (all of it) into an e-mail.

REMEMBER, encryption protects the CONTENTS of an e-mail not the META DATA, meaning, it only protects the contents of what you wrote. It does not protect who you wrote it to, or what server you were logged into when you sent the encrypted text. This was part of the issue with the NSA claiming that they were “only” pulling meta data, and not the contents of the e-mail themselves.

NOTE: If you also encrypted a file to attach to the e-mail [I did not describe how to do this yet], attach the .gpg file that your software created as an attachment to the e-mail. The person to whom you encrypted the e-mail will be able to decrypt the attachment as well as the contents of your e-mail.

STEP 4: THE RECIPIENT OF THE E-MAIL DECRYPTS YOUR E-MAIL AND ANY ATTACHMENTS

Since you encrypted your message with the intention that only the recipient sees it, when he receives your e-mail (and any encrypted attachments you also sent), he will be able to use his own software to decrypt what you have sent to him.

Why is this possible? Because you encrypted the contents of your message to his key, and thus only he can unencrypt and read your message. When he replies to you, he will write the text into his software, and he will encrypt the message (and any files he also wants to attach) using YOUR key that he pulled off of the server, and he’ll send it over to you.

ENCRYPTING FILES:

Encrypting one file at a time using the Kleopatra software can be done by clicking “File, Sign / Encrypt Files.” From there, another window will open up, where you can select which file to encrypt. When the software asks for whom you would like to encrypt the file, just use the key of the person to whom you want to send the file. The software will make an encrypted copy of the file in the same folder, just with the .gpg file type. Use that file when sending the encrypted file in an e-mail as an attachment.

If you want to encrypt the file using your own key file (meaning, only you can unlock it), you may (for example, if you are sending yourself a private file to be accessed somewhere else). But if you only want the encrypted file to remain on your computer, remember to manually delete the original file, or you’ll have both the original and encrypted files in the same directory.

ENCRYPTING MULTIPLE FILES, OR FOLDERS, OR ENTIRE HARD DRIVES:

The topic of encrypting entire files, folders, or entire hard drives is outside the scope of this article. Doing so requires software such as Truecrypt, and it is a different process than encrypting and decrypting e-mails and messages using PGP as we have described here.

ENJOY!

TERMINOLOGY: There are two PGP encryption keys that you create when you set up your “key pair” — a “public” key and a “private” key. The public key is the one that is uploaded to the server, and if you provide someone your encryption key for them to send you e-mails or files, it is ALWAYS the public key that you send to them. The “private” or “secret” key is the one that remains with you or on your computer, and it is used to decrypt messages and files that were encrypted to your public key. Never give out your private key to anyone.


CONTACT FORM: If you have a question or comment about what I have written, and you want to keep it *for my eyes only*, please feel free to use the form below. The information you post will be e-mailed to me, and I will be happy to respond.

NOTE: No attorney client relationship is established by sending this form, and while the attorney-client privilege (which keeps everything that you share confidential and private) attaches immediately when you contact me, I do not become your attorney until we sign a contract together.  That being said, please do not state anything “incriminating” about your case when using this form, or more practically, in any e-mail.