Chris MacNaughton bio photo

Chris MacNaughton

Chris MacNaughton currently works on the Ecosystem Engineering team at Canonical Ltd, focusing on storage technologies for OpenStack deployments.

Email Public Key Twitter Facebook Google+ LinkedIn Github Stackoverflow

A friend of mine posted this image on Facebook today and it got me to thinking, ‘What are some fairly easy things that people can use to keep their data private that I could share?’ After thinking about it for a bit, I’ve come up with a few simle things that you can do to keep personal data private!

Use GnuPG

Using GnuPG really doesn’t have to be hard, there are plugins for all of the major email clients that allow automatic signing (authenticating that a message did in fact come from you) and encrypting (making it impossible* for unauthorized people to read your email) automatically.

Windows

If you’re using Windows, you can grab a program like GPG4Win which has a key manager and plugin for Outlook 2003 and 2007. If you’re using Thunderbird instead of Outlook for your primary email client, you should install the plugin Enigmail to handle PGP signing and encrypting.

Mac

If you’re using Mac, GPGTools is a full installer to managing GPG keys through signing and does also include a plugin for Mail.app. Once again, if you’re using Thunderbird, Enigmail is a great plugin!

Linux

If you’re on Linux, GnuPG should be installed by default but you may need to use your package manager to install it (apt-get install gpg or yum install gpg) if it isn’t. My preferred key manager for Linux is Seahorse which is a Gnome package but can be installed in other environments, it only depends on a coupld of Gnome packages.

*impossible barring quantum computers, 100 years of Moore's law, or better algorithms.

If you want a more in depth article, check out Futureboy!

<h2>Signing</h2>

Message Signing

Signing a document is done by generating a compact, encrypted version of the content you want to sign. After a document is signed, it can be verified that it was signed by the signer’s private key with their public key and thusly verify that they did, in fact sign it.

As with everything depending on private keys, if your private key is compromised, your signatures nor your encryption can be trusted so make sure to keep that key private!

Key Signing

In addition to signing a message to validate that it did come from you, can you also sign somebody else’s public key, thereby telling the world that you believe that the signed key belongs to the person using it and that the person using it is not mis-representing themself!

Key signing is an integral part of GnuPG because it allow you to build a web of trust, you can trust other people which allows you to trust people that they trust without having to verify their identity yourself!

<h2>Encrypting</h2>

Encrypting a message is generally done in the same way that signing a message is done except that it uses your recipient’s public key to generate a binary blob that is entirely unreadable without using their private key to decrypt! GPG encrypted messages are also digitally signed so that you can verify that the sender did, in fact, send you the message.

As long as you have the public key of somebody, you can send them encrypted communication with GnuPG!

<h2>Key Manager</h2>

A key manager is a graphical program that provides an interface to manage and create your private and public keys. Some of my favorites are GPGTools Keychain Access (Mac), Kleopatra (Windows), and Seahorse (Linux). They all allow generating private keys, singing keys (marking the key to say that you have verified its owner), and validating other people’s keys.

To the left you can see a screenshot of my key library in GPGTools. The bold one is my personal key, it is bold in the client because I have the private key that corresponds to the key. All of the other keys are keys that I have downloaded from keyservers so that I can send email to them or because I wanted to validate their signatures.