GNU Privacy Guard: Lock, Stock and Barrel of Security
Cryptography can look like rocket science: unless you wish to sacrifice reliability and real security, it’s pure mathematics – well beyond whatever we all could study in school.
Luckily, there’s still a way out for those of us who aren’t really good with formulas. There’s a free, well-maintained and well-documented tool named GNU Privacy Guard, or GnuPG. When used wisely, it can literally become your lock, stock and barrel for all private security needs.
Note: cryptography and security are meaningful even if a person has nothing to hide. We live in an insecure world: a small precaution will prevent you from disclosing private data to those who are not supposed to see it.
One Key for All Needs
GnuPG supports the good old “one key for all needs” approach, so-called symmetric ciphers. Since the same key is used to both encrypt and decrypt data, using symmetric ciphers isn’t good if you have to pass it to someone else (thus you will endanger all the other files encrypted by the same key).
However, if no one else needs to decipher data, a symmetric key is a good option. Its actual key is derived from a passphrase (it’s like password, but with blanks allowed inside). Thus, the weakest link in this approach is storing the passphrase safely. We will talk about that later.
If you do not need to share data with others, symmetric ciphers are fine. Make sure you do not use exactly the same passphrase for all your documents. Otherwise, if the key is known to either one of them, it’s known to all. Trust me, you don’t want that.
Safety at Cost of Symmetry
GnuPG is mostly known for its public key encryption. In this approach, there are two keys: public and private, both needed to allow encryption and decryption of all data.
Public key can (and should, if you wish to allow others to encrypt messages for you) be passed to third parties. Alone, it can only be used to verify that a document has been encrypted by the same pair of keys (that is, to verify the owner’s identity).
Private key is required to decrypt data. It is assumed that one should keep the private key safe. However, you still have the power to notify those using your public key that the key pair has been compromised, in case that happens.
How can this be done? There are so-called key servers, and anyone can upload and download GnuPG public keys to and from them. It is also a good place to upload the so-called revocation certificate to notify that the keys should not be used anymore. Make sure the revocation certificate is also kept safe, in a different location than the one you keep your private key in!
Passphrases – the Weakest Link
It all boils down to passphrases. Regardless of using symmetric or asymmetric (such as the public key) approach, you need a passphrase. Separating private key gives additional amount of security, but passphrases should be strong and hard to deduct, if a malicious third party has access to your public data.
So, don’t use anything from the public domain such as birthdays, names of parents or children, and so on. Nothing that can be easily found.
If you do not wish to memorize passphrases (well, you would need to memorize one of them anyway) and use something like Lastpass or similar tool, PWGen is your friend. It allows generating strong and (surprise!) relatively easy to memorize passphrases. If they are long (say, 12 characters or longer), they make your GnuPG-based security very strong.
In case you wish to avoid storing passphrases anywhere, you will have to train your mind and memory to keep everything in your head.
A simple approach of creating rather string passphrase is using a proverb, sating or citing you remember very well, to serve as passphrase.
Of course, you won’t use it in its original form. Add “random” data in it: digits from the number you remember well, punctuation marks; change character cases in a pattern you can reliably restore. It’s a good idea to practice with that first: try creating several different keys and check daily that you still can re-build them.
Encryption Over Encryption
Yes, encrypting important documents several times with several keys can give an additional level of security. Make sure that you alone have access to all the keys required to decipher your private data.
However, keeping crucial parts such as passphrases, private keys, revocation certificates is not an easy task. One of the approaches is to use TCNext (formerly known as Truecrypt) to store your sensitive data, or Lastpass, mentioned above, for the same purpose. In either case, you need to know another passphrase, to access those safe-boxes of yours.
GnuPG is widely used to allow secure email communication. There are many tools to seamlessly incorporate GnuPG into email clients; for example, Enigmail when talking about Thunderbird. A simple search will give you actual names of tools to use with your email client of choice (unless it supports GnuPG out of box).
Using GnuPG to encrypt email is de facto standard way to ensure email security. Thus, knowing more about GnuPG will make you more aware about ways to keep all your private data safe.
Similarly to using GnuPG for file encryption, it can also be used to sign message, to ensure you are indeed the person who has sent it (actually, that only adds proof that the sender has the access to your private key).
I recommend visiting Email self-defense to get more information on why and how your email should be made safe with GnuPG.
I hope all the information above was enough to raise your interest in GnuPG. Start with their site; it contains very detailed documentation with many useful examples. If you are still interested in how to improve your personal information security past GnuPG, you will surely find some hints.
Also, I advise you to learn more about steganography (approach to hide information within information, such as hiding data chunks in images) and read about other approaches, such as OTR (Off-the-record) messaging. One of the most interesting features of it is making message impossible to decrypt if they become old enough.
May your data be safe and well guarded by GnuPG!