PGP has been the best option for encryption since the 90s, and it has been employed by notable individuals such as Edward Snowden for the purposes of communicating with Glen Greenwald. You can follow the same guide that was given to Greenwald, this article covers a little bit of the circumstances around their exchange, and you can view a video on Youtube.
Let's start by creating a text file that we can encrypt. In your terminal:
echo "pewpewpew" > test.txt cat test.txt && echo # this prints out the file you just made.
Symmetric encryption using a shared key
You can use gpg's encryption capabilities in a simple way, by encrypting your text using a password. This is fine if you're not worried about a strong adversary. If you want to keep your little brother from reading your sexy messages to and from your significant other, it will do.
You will need to divulge the password to the individual in question ahead of time. The password can only provide security if:
- The medium you use to divulge the password is secure (at least from the party in question). If you are trying to keep your email provider or isp from reading your messages, and you transmit your password over their service, the result is only marginally more secure than simply sending the message in plain text. Any persistent and detailed scrutiny will allow them to decrypt your message.
- The person with whom you have shared the key is mindful enough not to leak it. If they write it down where it can be retrieved (cloud hosting?) then it loses any value.
- You have a means of sharing it ahead of time, or can somehow inform them of it in a cryptic way. If you are unsure whether you are speaking over a secure medium (you should just assume not), you may be able to reference some common knowledge which cannot be deduced by the third party in question. When I was growing up, my family had an "emergency password", which my Mother or Father could communicate to a messenger if they could not reach me, and needed me to know that I could trust the messenger.
As you can tell, much of the difficulty with this kind of encryption is that it becomes necessary for the other party to understand the limitations of the technology, and behave accordingly. Encryption rarely fails because of technical reasons, especially heavily scrutinized security technology like PGP.
Actually running the commands
gpg -a -o test.txt.gpg --symmetric test.txt # you'll be prompted for a password, enter something, then: cat test.txt.gpg # print your message to the command line # to decrypt your message gpg -d test.txt.gpg
Like I said, it's better than plaintext, but if you want street cred with the real crypto-nerds, you'd better familiarize yourself with PGP's stronger method:
Public Key Encryption
Public key encryption has been explained a million times by people more qualified to do so than I am. The information you really need to know is that:
- Public keys are exactly what they sound like, you want people to have these keys, because it is what will be used to encrypt messages such that only you can decrypt them. This information is not sensitive at all. Though, if you are sharing your public key through a medium vulnerable to a man in the middle attack (MitM) they could be tricked into encrypting sensitive information using the wrong key.
- Your Private Key must be unlocked with a password, which provides an additional measure of security, however, passwords can be guessed. If someone accesses your private key and password, they effectively become you. As such, it is critical that you protect this information. If it is on a compromised system, you should consider it compromised. You cannot store it in 'the cloud'.
- It may be the case that an adversary has compromised your key, they can use it to decrypt your messages without ever revealing the fact.
- You can revoke a key at any time, as long as you have the right signature.
- The person encrypting information can sign it for the recipient using their key, proving that they (or someone with access to their key and password) produced it.
The easy way
Given that the attack vectors with strong encryption tend to target the user, efforts have been made to make it easier on the user. In particular, the Enigmail Project has done an excellent job with their plugin for the Mozilla Thunderbird mail client.
The hard/hardcore way
If you want people to be able to message you securely, you will need to generate a public/private keypair. Run the code below, and you will be prompted with a number of questions:
- Use RSA as the encryption scheme
- More bits mean more protection
- Only list your name and email if you want that information to be accessible. If you want to be anonymous, spoof it.
gpg --gen-key # answer the prompts gpg -a --export yourEmail@domain.tld -o > yourname.gpg.txt # export your key to a file formatted in ascii characters. gpg --keyserver certserver.pgp.com --send-key email@example.com # upload your key to one of the public keyservers
import my public key :D
curl transitiontech.ca/md/key | gpg --import
gpg -a -o secretMessage.txt -se -r firstname.lastname@example.org test.txt # encrypt and sign your message using my public key
The idea is to make your public key available somehow. Anyone who wants to message you can use your public key to encrypt their message, which can then only be decrypted with your matching private key.
Then put this somewhere people can see it! If you want to encrypt something for someone else, and they have a public key:
Post it somewhere they can see it.
Try encrypting with your own public key, to verify that everything is working
Try it out with my public key