We all have a need for private communication. Whether it’s details of our preparations that we want to share with others in a group, discussing tactics, carrying on trade, or any of a hundred other matters, we should be concerned about keeping our communication private. We should be especially careful when communicating electronically: it’s little more than trivial for a government, a corporation, or even a couple of well-equipped criminals to intercept phone calls, emails, or text messages. We can use encryption, which transforms data into a form that can only be read with a secret key, to help preserve our privacy.
Providers That Purport To Keep Emails Private
There are plenty of e-mail providers that purport to keep your emails private, e.g. Hushmail, ProtonMail, and SCRYPTmail. There are also encrypted messaging providers, like Signal and Telegram. I don’t trust them, and neither should you. Take Hushmail, for example. They claim to store only encrypted e-mails, which not even their own employees can read. However, they have released decrypted e-mail data to authorities pursuant to a Canadian court order, and their revised terms of service suggest they will continue doing so. The others have similar problems, having servers in troubling jurisdictions or having weak or subpoena-vulnerable storage of encryption keys. You simply can’t know what’s happening to your data once it’s on someone else’s server.
Encryption Failures in the News
Even lately, encryption failures have been in the news: the EFail exploit, which depends on how many email clients implement PGP encryption, and a similar flaw discovered in Signal and Telegram, both of which reveal the clear text of what you meant to keep secret.
The Problem Was Not Encryption
The problem was not encryption in any of these cases. The problem was how it was implemented into other programs. This article will explain how to use simple, secure tools that do only encryption and do it right.
The Solution: PGP
The best solution to the encryption problem has been publicly available for almost three decades. It’s a cryptographic standard called PGP (or Pretty Good Privacy, which is an awful name since it’s far more than pretty good). PGP allows people to encrypt messages to one another that nobody but the recipient can access. It is battle-tested and proven, and there is considerable evidence that groups, such as the U.S. FBI, the British GCHQ, the Italian police, and U.S. Customs do not have the ability to break it.
Its creator was under criminal investigation for several years under laws prohibiting export of munitions for distributing PGP online, but that investigation has been closed and the underlying laws have been relaxed. PGP software is freely available and legal to possess and use, at least for now.
The main implementations are the current incarnation of the original PGP software, and a free implementation, GnuPG (usually called GPG), whose source code is freely available for review and auditing.
Usually, when we think about encryption, we imagine it like a fancy version of the decoder rings we had as kids from cereal boxes: if you and your friend have matching decoder rings, you can encode and decode messages to each other. Encryption where the same key both encrypts and decrypts is called symmetric encryption, and it’s sometimes useful. However, for many purposes, it has a serious flaw: for someone to send you a message, they need a key, and that key would allow them (or anyone that got access to it) to read any other message encrypted for you, no matter who wrote it. That’s more trust than we ought to have for anyone.
To avoid that problem, PGP makes use of a technique called asymmetric encryption, where you have two keys:
- A public key, which is freely distributed so others can use it to encrypt messages for you, and
- A private key, which is kept secret and used to decrypt messages encrypted with the public key.
Think of Asymmetric Encryption as a Secure Shipping Box
You could think of asymmetric encryption as a secure shipping box. The more people with a key that can unlock the box, the greater chance there is of a mistake or malicious action that could expose the contents. So if I wanted to send you a secret in the box, you might give me a key that could lock the box but not unlock it (the public key), and you would keep the only key that could unlock it (the private key). As long as you never give anyone else the key that can unlock the box, you can be certain that nobody but you can get the secret.
To send the secure shipping box, you could use any “shipping service” that will carry it, whether UPS, FedEx, or the USPS; likewise, with the encrypted message, you can send it by e-mail, Facebook messages, handing a flash drive to each other, or whatever. When the message gets there, it’s still secure.
A Simple Example
Say you had a message for me. For example:
Your article on PGP encryption was dumb and you are ugly. I hope your livestock die of scours!
You could then look up my public key. It’s easily available, because I want everyone to have it. You encrypt your message. (We’ll go into how to do that in just a bit.) Here it is, if you want it:
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBFrIO4IBDAChvTSXu0HobyP6ajD831gDjz49AvODlLWmNkIMbUclsxJPnL/k
Q2TsmL9d283Xlto2kMA3bnJ0zAEA6xB1bWK+fFy0KpuFWl+G/5bSnKiqRG7q0+4D
TtRCNNESVvxq32iD6cFTdE2JRg8+MlnNLu+qTdNxtODvQofE9YkSBl1Z3xUPT8wj
vvzAYNYaXtzSuuZefOnigxSYxfQQyF3v1JM+Qf2TNxgshhafU37Fswx0cmiH36rm
oqPJH6gSTCUCNY3RvhRfx5qekmflzpIrw8fmRA4tWHAsMUBnPLfrv9RbkTbdPg/C
f52hbpbwc41XOdY6i/2jS6NmsfuU7dU7EotfIpGCj6+WhuijHbuZz9qDy06dTgF7
VIreEXSnJ84O30cUIOnk8H/M/rSS9XkYVFmHurvXffS3vbngVlo5ckPYHaV8L5DX
9ncXmo6BkLIQG/6i2IabCvQU4GhaU8WY2/FrEEm4OLVtW+W1ton6BEWdocN7mUzf
mqIWvPehKUDbnL0AEQEAAbQqR3JvdW5kaG9nIEdyYXZ5IDxHcm91bmRob2dHcmF2
eUB5YWhvby5jb20+iQHUBBMBCgA+FiEEgZAWrMVQk4c4xtX+4cFe6Lbuk+sFAlrI
O4ICGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ4cFe6Lbuk+uc
qwv9FuKGwagoqlsdjVf6rlNCr3l0vjePYA6leioGFvNIQ9/plEmfZz8+AF4rFmKA
qg5PK3Ufed05HfzWqtTQFoHRvPTFqOx53sxkQJu3yb+p5hceR5oyJlB82uQ60z3o
gl3USh2GDiUKwma8p20RMSCjMOW61jhAOLmxwPeWsZaaHB8yN3LCTUG1ReEuKFob
kDCUTdAKhhIyE/nfNOymW+qcEHbH6oFcm6GkBzzmsC6vxxzu8wKA2y0J2d5R/lIo
mFPB1ipQpjaF5psIwRFnj0OGcqoL/QGNJzMk91jBQ83noz+i+fSrYI1QXTJ73W2S
Y50rngs7jcBbrVy0nLSFKpxPYy8Vtp6NIy0kc4i9BWccxErUZlANBibXSpuofgME
TQTYPXwHL2FhljP10ghyJBEPmxrGskeyBWxpGIDwFmlK7uXRu/gRhXPRUZ5NTAv5
keMznZ08KCe8O1odXAc+bnreyqr+A4o87JoguPUBEshDMOEeXiPlKICKZhFhcjtN
0/WWuQGNBFrIO4IBDADZYt9N2th2v7PPkbsnh0Vtx+az8/JYmhcTJ7eIp7hhKd8Z
WE/2Wy+7LklYIZRZMvBiqpjuAKusEUzWCOfbbVkXi2S/5Zt+HMJfCNluOvvcPhen
HhVctJC8iq85Ms2fhrBew/bBSEmn9hh8vd43vYrwpO9gixwsbq+cSFefPceR563g
0YmCx+sYbSNNTEXmxcWujuNeP5hk5QijZYeKbGZmAKhXVQsxTgFeYd+1CMWsAEEE
Dt/WZUE4ZT3cGnC2as/KoHlNR6YVyYsNPwV0cAhmf+DusdT3dch9rg+x42Ko/Hzn
Dyr2+R0+s8qpphcM9MFAp6w15Tlln/YJHWAjUjlb9e+74vCBeAweSxVAELK3dg+5
83H2QF53K62bXpzt2d6BKujAesPizLfVJ5J+n8P5H5ILA+W80CAFYEis1WiRKq2z
9feIE8EfTbveu5X+aj8DysVu0t1ap2OlYASYLY9+nKAwsMRrec4CoiyRy2dOZj40
NVJlEMxhGXZo7UOSrakAEQEAAYkBvAQYAQoAJhYhBIGQFqzFUJOHOMbV/uHBXui2
7pPrBQJayDuCAhsMBQkDwmcAAAoJEOHBXui27pPrUDAL/jQEmYxynO25rIa7SS7N
V3QyRqWYUU/VxnCbWUZp/X1mCQaHkFNBhY7r/qM9+FfoyMH6ZFajpCFThaDdss7W
x/5rvOyVK+90k0Rsc5trAbxDZG/oMbSy2hW0MkyiIi6E4NCKXFcTE+p+UBudl+Tl
v6iXAtO+NQBeD30uSBclgMHkFVvIq4fxikc3lstasYvRO9m1h2vJPEm868EFMLRH
HLpdfzpPXnpL/5SekNyzG1fhIBFhVKaos5Um1pADAVixMkgCcciGHDZ24QUvKaUB
ptkrQgQmnGl0qNDvBh7yVJxyPxMDQCGsEP4zlt7e1TQgeqZV1nau2LpXwWnjzkWG
Xb8JLD2MhyEJwLEsd0uuY/mcjfPyX+LvcRRruCFVX0bwhypgTzJ0PJLtLqNd+5xQ
pzEF0s8MRojifoE8cJ7OEVd9QO495Mag9ZAxjEjl1+/dYeLqpPKrM00DWl3gTR0n
DH/AuP7iHJIYJin0gpkqKDj52el4mEMnA2k/V0tvp/10kw==
=JS5X
-----END PGP PUBLIC KEY BLOCK-----
With that key, you encrypt the message, and you get something like this:
-----BEGIN PGP MESSAGE-----

hQGMA5fMFF+9dzmgAQwAy++Eofh5KB2h8YGPLnyyT5UNbtY767qaFFaVcBpWLDtr
aISY0xxMyHm9SefXAV18FT32JxP0APxp9Cyxxu4cduMDUhf4mWd6gXnGPo7rTdKu
I/M7mOuZPDQvgoeGjqlnKb7UsoR4/qJDo0wLlLAXlVxWhYrG8ueqkabEqpw1Eufa
2X4De0of635l4fiGsY0xaZOJwAQ1LCPEyyaZV0R2HfqrPXtOurUv8atiewXog0wQ
MndTlD6kFItf2UBgJ+ERXazt04y7xGbYcgx0cZ0TF99gyC3QCnqlQJxM7d0dDAVu
j/i9A5GJmsINJLCdsDA78wBJR9vUip8WcgYuDaBRcsYRpMSGOMbPM7NZhOrUGE+q
MEQ90ywJQFXDFSQryx+Xpm0bOAiCwV7jgRSc26pBOob/H40UX83fuWi3DkTqg3JO
EZGCtAqTo/mVgq8RF/29yqGRzQq1Ret7O60tIqZ/0KAkW98VCgwshFNRSOiQYqDo
iqwEM6onUf74iRqoeUxO0pwBCW9/cTOX+8wwAl+Q+Z4OS1uR36K193ru4QxOUtPE
V890xM9whE5VT5LzcxIzBjdLMgAl5hIhuQunPK8lZTRQwdgxJ8iCgwAQrgbAJ4Pk
RZ64F31MxF2Zr9gf0nxA2n+BKPVAE4ojIIFJ8sVWG12eIUYo1CZSceoxlFgqhaS0
YnPXCnNMEXFzTn4T9P3RVk+/iaphp22fYM3Dd+o=
=UaEX
-----END PGP MESSAGE-----
You can’t decrypt that with my public key. Nobody can, including the NSA, FBI, CIA, DHS, or Campbell’s Alphabet Soup. Furthermore, even the combination of that encrypted message and the cleartext doesn’t give them the ability to decrypt future messages. But, if you send it to me, with my private key I can easily read it:
Your article on PGP encryption was dumb and you are ugly. I hope your livestock die of scours!
That was not a particularly nice message.
It’s good to be able to receive messages that only you can read, but we know that email is inherently insecure. What’s to stop some little tyrant-in-training from intercepting the email and replacing the message above with another? After all, your key is public; anyone, even your worst enemy, can send you an encrypted message. We need to have some way of indicating by whom the message was encrypted. Luckily, there is a way: you sign the message, attaching a digital signature that can only be produced with your private key, and that anyone holding your public key can check.
How To Use PGP
People say PGP is hard to use. They bring up the security researcher who has a couple of old public keys floating around for which he has lost the private key, and so receives mail neither he nor anyone else can read. Often they point to the security employee at Adobe who posted their private key on the Adobe Security Incident Response Team blog. They also mention the well-known and widely-used e-mail encryption plugin that has had bugs that saved drafts in clear text, and even sent emails unencrypted if there were only BCC recipients, if used with the wrong Thunderbird version, or if a user chooses a perfectly reasonable set of preferences that happen not to work.
These things really did happen, but they and similar problems can be easily avoided by following two simple rules:
- Keep your private key to yourself, and
- Don’t trust any encryption you can’t see.
Keep Your Private Key, and Keep It To Yourself
Put your private key on a flash drive. Print a paper copy of it. Wrap the flash drive in tin foil. Put them both in your EMP-protective safe.
Don’t Trust Any Encryption You Can’t See
Do the encryption yourself, with a tool that keeps you in control of your encryption. For example, if you’re sending an encrypted e-mail, the only text that should go into the email is what you have already encrypted. Don’t trust encryption you can’t see, and remember that clear text should never go in an insecure tool.
GPG and GNU Privacy Assistant
The most commonly-used and trustworthy of the OpenPGP implementations is GnuPG, or GPG, from the GNU Project, a software-freedom advocacy group. GPG has the following advantages:
- It’s free to obtain.
- The source code is freely available for review (open-source).
- It is widely-deployed and battle-tested.
- It is up-to-date, providing encryption that should remain unbreakable for the long term.
GPG by itself is an expert tool, used at the command line, without a friendly graphical user interface (GUI). It is not self-explanatory, and it takes practice and study to use correctly. Luckily, there are several GUI wrappers for GPG that are simple, self-explanatory, and user-friendly.
The simplest, most usable of these GUI wrappers for GPG is the GNU Privacy Assistant (usually called GPA). I recommend it because it makes it easy to see what you’re doing and avoid mistakes. Otherwise, it has the same advantages as GPG.
Installing GPG and GPA
For Windows, download Gpg4Win and follow the installation instructions. For Mac OS X, do the same from GPGTools. In either case, there may be a place to tick a box to also install GPA. Make sure to do this.
On Linux, install GnuPG and GPA from your package manager. Almost any Linux distribution should have a recent version available.
Generating a Keypair
When you open GPA for the first time, it will prompt you to create a key. Click “Generate key now”. When you do, it will ask for:
- Real Name: Enter your real name or a pseudonym; if you want your people to be able to find your key, choose something they know to look for.
- Email: Again, real or fake; it’s probably best to enter a real one so people don’t give up and mail you unencrypted material.
- Create Backup Copy: Do this! Back it up to a USB drive and stick it in an EMP-protective safe. Print off a copy and secure that, too. If you lose this key, you won’t be able to decrypt messages.
- Passphrase: This should be long, easily remembered, and include something that’s not in the dictionary, like punctuation and numbers. If you are sure you can remember it, great. If not, write it down and put it in the safe. You need it to use your private key. (GPA will ask you for this a few times while creating your key.)
At this point, if you’ve followed the instructions, you have created a key. Tomorrow, in Part 2, I will cover some things you may want to do with it.
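The GPA dialogue above does in a GUI what a few gpg commands do at the command line. As an added example that is not part of the original article, the script below performs the same four steps with gpg 2.1 or later (name and e-mail become the key's user id, the backup copy becomes an ASCII-armored export of the private key that can be printed, and the passphrase protects both), then checks the backup by restoring it into an empty keyring and comparing fingerprints. The user id, passphrase and file names are constructed, and everything happens in temporary keyrings.

```sh
#!/bin/sh
# Added example (not the article's code): the command-line equivalent of the
# GPA "Generate key" steps, plus a restore test of the backup. Runs only in
# throwaway keyrings; the user id and passphrase are constructed values.
set -eu

GPG_OPTS="--batch --quiet --pinentry-mode loopback"

# Name, e-mail and passphrase go into the key; no expiry, as in the GPA dialogue.
generate_key() {  # $1 = GNUPGHOME, $2 = user id, $3 = passphrase
    GNUPGHOME="$1" gpg $GPG_OPTS --passphrase "$3" \
        --quick-generate-key "$2" rsa3072 default never >/dev/null
}

# Fingerprint of the primary key in keyring $1: the key's stable identity.
fingerprint_of() {  # $1 = GNUPGHOME, $2 = user id
    GNUPGHOME="$1" gpg $GPG_OPTS --with-colons --fingerprint "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# The backup copy. ASCII armor makes the file printable; the private key
# inside stays encrypted under the passphrase.
backup_private_key() {  # $1 = GNUPGHOME, $2 = user id, $3 = passphrase, $4 = output file
    GNUPGHOME="$1" gpg $GPG_OPTS --passphrase "$3" --armor \
        --export-secret-keys "$2" > "$4"
    chmod 600 "$4"
}

# A backup you have never restored is not a backup: import it into an empty
# keyring and report the fingerprint of what came back.
restore_private_key() {  # $1 = empty GNUPGHOME, $2 = backup file, $3 = passphrase
    GNUPGHOME="$1" gpg $GPG_OPTS --passphrase "$3" --import "$2" 2>/dev/null
    GNUPGHOME="$1" gpg $GPG_OPTS --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Whole procedure; prints "restored" if the fingerprint survives the round trip.
demo_backup_round_trip() {
    orig="$(mktemp -d)"; restored="$(mktemp -d)"
    chmod 700 "$orig" "$restored"
    uid="Groundhog Gravy (demo) <groundhog@example.invalid>"   # constructed
    pass="pasture fence 1879 & a long walk"                     # constructed
    generate_key "$orig" "$uid" "$pass"
    backup_private_key "$orig" "$uid" "$pass" "$orig/private-key-backup.asc"
    head -n 1 "$orig/private-key-backup.asc" | grep -q 'BEGIN PGP PRIVATE KEY BLOCK'
    before="$(fingerprint_of "$orig" "$uid")"
    after="$(restore_private_key "$restored" "$orig/private-key-backup.asc" "$pass")"
    GNUPGHOME="$orig" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$restored" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$orig" "$restored"
    [ "$before" = "$after" ] && echo "restored" || echo "mismatch"
}
```

The armored backup file is what goes on the flash drive and onto paper. It is still protected by the passphrase, so losing the passphrase loses the key as surely as losing the file, which is why the article tells you to put both in the safe.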
SurvivalBlog Writing Contest
This has been part one of a two part entry for Round 77 of the SurvivalBlog non-fiction writing contest. The nearly $11,000 worth of prizes for this round include:
- A $3000 gift certificate towards a Sol-Ark Solar Generator from Veteran owned Portable Solar LLC. The only EMP Hardened Solar Generator System available to the public.
- A Gunsite Academy Three Day Course Certificate. This can be used for any one, two, or three day course (a $1,095 value),
- A course certificate from onPoint Tactical for the prize winner’s choice of three-day civilian courses, excluding those restricted for military or government teams. Three day onPoint courses normally cost $795,
- DRD Tactical is providing a 5.56 NATO QD Billet upper. These have hammer forged, chrome-lined barrels and a hard case, to go with your own AR lower. It will allow any standard AR-type rifle to have a quick change barrel. This can be assembled in less than one minute without the use of any tools. It also provides a compact carry capability in a hard case or in 3-day pack (an $1,100 value),
- Two cases of Mountain House freeze-dried assorted entrees in #10 cans, courtesy of Ready Made Resources (a $350 value),
- A $250 gift certificate good for any product from Sunflower Ammo,
- Two cases of meals, Ready to Eat (MREs), courtesy of CampingSurvival.com (a $180 value), and
- American Gunsmithing Institute (AGI) is providing a $300 certificate good towards any of their DVD training courses.
- A Model 175 Series Solar Generator provided by Quantum Harvest LLC (a $439 value),
- A Glock form factor SIRT laser training pistol and a SIRT AR-15/M4 Laser Training Bolt, courtesy of Next Level Training, which have a combined retail value of $589,
- A gift certificate for any two or three-day class from Max Velocity Tactical (a $600 value),
- A transferable certificate for a two-day Ultimate Bug Out Course from Florida Firearms Training (a $400 value),
- A Three-Day Deluxe Emergency Kit from Emergency Essentials (a $190 value),
- A $200 gift certificate good towards any books published by PrepperPress.com,
- RepackBox is providing a $300 gift certificate to their site.
- A Royal Berkey water filter, courtesy of Directive 21 (a $275 value),
- A large handmade clothes drying rack, a washboard, and a Homesteading for Beginners DVD, all courtesy of The Homestead Store, with a combined value of $206,
- Expanded sets of both washable feminine pads and liners, donated by Naturally Cozy (a $185 retail value),
- Two Super Survival Pack seed collections, a $150 value, courtesy of Seed for Security, LLC,
- Mayflower Trading is donating a $200 gift certificate for homesteading appliances, and
- Two 1,000-foot spools of full mil-spec U.S.-made 750 paracord (in-stock colors only) from www.TOUGHGRID.com (a $240 value).
Round 77 ends on July 31st, so get busy writing and e-mail us your entry. Remember that there is a 1,500-word minimum, and that articles on practical “how to” skills for survival have an advantage in the judging.