An Introduction to GNU Privacy Guard

An anonymous reader writes "This is a great article about GnuP . . . "In the first half of this article David Scribner discussed the various uses that GNU Privacy Guard could bring to your business or personal life in enhancing security of your digital documents and files, as well as the basics in getting started with GnuPG. As there is so much more to public-key security than command-line operations, in this second half I will continue with importing and exporting keys, building (and keeping) your 'web of trust' sound, and a few of the more popular GUI front ends available for GnuPG . . ."

The weakest link

[FreshMeat-BWG]

Ok, so I have n-bit keys protecting my super secret confidential data that is going to take x-million computers y-thousand years to crack and I feel pretty good knowing the CIA won't spend $z trillion dollars finding out my grandma's secret cookie recipe.

Now, how do I keep my passphrase a secret while the CIA is bashing my toes with a hammer?

I guess my point is that public/private key encryption is only as good as the passphrase which is often not good enough, and that the ecryption is way stronger than your personal torture threshold anyway.

Re:The weakest link

[tbmaddux]

I guess my point is that public/private key encryption is only as good as the passphrase which is often not good enough, and that the ecryption is way stronger than your personal torture threshold anyway.

That's true, which is why it was originally well-named as "Pretty Good Privacy." It solves the lowest-order problem, that your email is transmitted as plaintext across the Internet for anyone to read.

And of course, the CIA doesn't really need to bash your toes; they can just put a keyboard sniffer on your machine, or put a spy camera to capture your keystrokes while you type your password, or lots of other interesting things that only require a warrant and don't require torture.

GPG was easy to setup (on our Macs, even!) and now I don't have to worry about whether or not the script kiddie down the road can sniff the private messages I send to my wife. That's Pretty damn Good Privacy.

Re:What are you hiding?

[RatBastard]

Well, there's your collection of bestiality porn.

Why is it that people assume that anyone who wants to communicate in private has something to hide?

Great, but

[jukal]

the "original" handbook [gnupg.org] does the job much better.

Too much effort

[mikeboone]

I've been interested in GPG and encryption for a couple of years, but I can't convince any of my friends to be interested. So all my communications with them must be unencrypted.

I know you can get it as easy as typing in a password when an email gets sent, but that's too much effort for my parents and most of my friends. :(

Re:False sense of security?

[dacarr]

But on the other hand, the ability to get into a system and implement such cracks is, AFAICT, usually due to PEBKAC on the part of either the user or (in rare cases) the admin using an easily guessable password. I know users who I have told again and again to at least l33t their password to hinder a few searchbots. And then there are the people who are just plain too lazy to patch their machines.

Yes, there are the security holes inherent in any operating system, and thank God for Mandrake's patch system (in my case), not to mention the uncanny ability of the open source community to crank out patches within hours of discovering holes. So let's use them.

Excellent

[z-man]

I use gpg all the time, and I know a lot of other people that use it, it is a great program.

However, a problem is that people just aren't good enough at getting their public-keys out. I hope this article enlightens them on the lovely export option. Which I believe to be one of the most important parts. I receive email from a lot of lists everyday, LUGS, development lists and so on. A lot of this email is signed, but a lot of these people obviously don't get the points of signing completely since they haven't got their public key available in anyway (of course some may not believe in the keyservers and so on, and want to be contacted in other ways for key-exchange, but not all are that pre-cautious, some just don't understand), and thus I cannot verify their signature.

Advocating privacy

[tve]

I don't believe most people with 'nothing to hide' will be convinced by this argument for privacy. So, can anyone come up with a concise line of reasoning that will work?

Re:What are you hiding?

[Bizaff]

It's all about hiding, actually. Cause that's what cryptography does.. is.. uh.. hide stuff.

Like the example the writer gave, if your ISP tech knows you're out of town, you could come home to an empty house.

If you're just using cryptography for the sake of using cryptography, what's the point?

Re:The weakest link

[Wumpus]

Sort of. If I remember correctly, they claim to have a proof (using game theory) that the best an interrogator can do if you use their software, is keep beating you. They can't prove that you're holding anything back from them. This is valuable in some extreme situations (if you're guarding a secret important enough to die for), but doesn't really stop you from giving them what they want, hoping that they'd stop anyway. Pain is funny like that.

This has been said elsewhere, but it's worth repeating: Cryptography alone won't solve all your security problems. Especially if you live in a country where the use of cryptography is illegal, the secret police assumes that you're guilty until proven innocent, and they have the authority to try to extract secrets from you by any means they consider necessary.

Re:Really that useful yet?

[mcelrath]

I know new systems and apps create a bit of a chicken-and-egg situation.. but what about this:

...

Until the public learn more about security, how it works, and why it should be used, I think not.

So you state it's a chicken-and-egg problem and then go on to demonstrate it's a chicken-and-egg problem, adding nothing to the discussion. Then you say we all shouldn't use it, because it's a chicken-and-egg problem. Give me a break! Here are a few ways to crawl out of the chicken-and-egg situation:

Signing your e-mail makes GPG visible to those that don't know yet. Every once in a while someone will actually look at that attachment, follow the little link, and maybe learn something. For technically saavy users, this is simply tech evangelism. Someday we will all learn in high school how to manage our private keys, instead of teaching us how to fill in the blanks on a check. I have personally converted 4 or 5 friends (and my dad!) to using it.

I use GPG to store sensitive information. I keep a GPG-encrypted file with passwords (mostly for websites) in it. That way for each %@#(&@$ vendor that insists on storing my credit card info, I can generate a 20-character random password, put it in this file and forget about it.

As a system administrator, I have had many occasions where people want an account but I'm not physically nearby for them to type in a password. I usually point out GPG saying that if they used it, I could send them a password. Since they don't, they'll have to wait a few days until we can be in the same room. Again, it's evangelism.

I pointed out gpg to my bank [umbrellabank.com] for account-related communications (but they don't seem to get it yet...they're a bank). Everybody else ask your bank about it too. It's evangelism. The squeaky wheel gets the grease.

And most importantly, I encrypt love letters to my girlfriend. Don't want anyone reading that stuff. ;)

Making the public aware that this kind of technology exists is, in my mind, the single most important revolution happening today. It is the key to take back freedom from our oppressive government (and the even more oppressive governments out there). It is the key to the electronic money of the future. It is the key to the electronic contract of the future (this click-to-accept shit has got to go). I definitely don't want to "click" to buy a house. As long as we keep them ignorant and don't evangelize, we can guarantee we will never see the electronic future we read about in books.

-- Bob

Re:GnuPG is the way to go.

[lamp77]

Exactly who modded this up?

"the majority of large businesses are now using Linux as both a desktop and server OS "
where are you working? I almost think this might be satire.