OpenPGP Walkthrough


OpenPGP, what is it?

OpenPGP is an open standard for encrypting and signing messages and files. It uses a combination of public-key and symmetric-key cryptography to provide both confidentiality and integrity. It is typically implemented using software such as GnuPG, which is the reference implementation of the OpenPGP standard.

OpenPGP allows users to securely encrypt and sign messages, files and emails using a combination of public key and symmetric key encryption. It also allows users to generate their own key pair, exchange public keys, and to verify the identity of other users through digital signatures.

What would I want to use it for?

Let’s say that you, as a person who cares about privacy, want to have a private and secure conversation over email with someone else. Some of the following questions could pop up in your head.

  • Is email a secure way of communication by itself?
  • How can I ensure my conversations are not being read by someone else?
  • Should I trust my email provider?

Let’s answer them one by one.

Is email a secure way of communication by itself?

The short answer, as expected, will be no. But why?

Email is not a secure and private way to communicate because it is typically sent over the internet in plain text, which means that it can be intercepted and read by anyone with the right tools. Additionally, email servers and client software may not have adequate security measures in place to protect against hacking or other malicious activities. Furthermore, email accounts can easily be compromised through phishing scams or other social engineering techniques, which can lead to unauthorized access to sensitive information.

How can I ensure my conversations are not being read by someone else?

If you are using a secure messaging app or service that already uses end-to-end encryption, encrypting each individual message with PGP might be unnecessary. But if you are communicating over email, as mentioned before, anyone with the right tools can intercept and read your conversations. Encrypting your messages is a good way of ensuring that, even if they are intercepted, they cannot be read by anyone else.

Should I trust my email provider?

This depends on each case. If you have done a proper investigation of your provider, and you have chosen wisely, you should be fine. But if you are not a hundred percent sure how your provider is using your data and how much data it is collecting from you, I would strongly recommend using some sort of encryption to protect your communications.

⚠ Notice: Encrypting your email will not encrypt the metadata of the communication (sender and recipient addresses, subject line, time, location …).

Installation

Install GnuPG on your computer. On most Linux and UNIX systems, it can be installed via the package manager. For Windows and MacOS, you can download the installer from the official website.

Debian
sudo apt-get install gnupg2
Fedora
sudo dnf install gnupg2
Mac OS
brew install gnupg
Windows

Download the installer and follow the steps. Once the installation is complete, you can verify it by running on the command prompt:

gpg --version

GnuPG usage

To use OpenPGP, you will need to create a public-private key pair. The public key can be shared with anyone, and is used to encrypt messages that can only be read by the holder of the corresponding private key. The private key should be kept secret and is used to decrypt messages and to create digital signatures.

  1. Generate a new key pair. This is typically done by running the command

gpg --gen-key

This command starts an interactive process that guides you through key generation. You will be prompted to enter your name, email address, and a passphrase. The passphrase protects your private key and should be a strong, unique password.

  2. Export your public key. This can be done by running the command

gpg --export [email or key id]

Without further options this writes the key in binary form to standard output; the next step shows how to save an ASCII-armored copy to a file.

  3. Share your public key with others: upload it to a keyserver or send it directly to the intended recipients. To save the key to your local storage, use the following command.

gpg --output publickey.asc --armor --export username@email.something

  4. To encrypt a message, use the recipient’s public key. This can be done by running the command

gpg --encrypt --recipient [email or key id] [message file]

  5. To decrypt a message, use your private key and the passphrase you set up during key generation. This can be done by running the command

gpg --decrypt [message file]

Signing messages

  1. To sign a message, use your private key and the passphrase you set up during key generation to create a digital signature. This can be done by running the command:

gpg --sign [message file]

  2. To verify a signature, use the signer’s public key. This can be done by running the command

gpg --verify [signature file] [message file]

Note that the two-argument form above is for a detached signature (created with gpg --detach-sign). The file produced by gpg --sign carries the message and the signature together, so it is verified on its own with gpg --verify [message file].gpg.
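The whole procedure above, from key generation through signature verification, as an added shell example that is not code from the original page or from the GnuPG project. It uses two throwaway keyrings, "alice" and "bob", so that the export/import step of sharing a public key is actually exercised and nothing touches your real ~/.gnupg. The names, email addresses, passphrases, message text and working directory are all constructed for the demo, and the script assumes gpg 2.1 or newer (it relies on --pinentry-mode loopback to pass passphrases non-interactively, which is acceptable only for a demo). Signing uses --detach-sign so that the two-argument gpg --verify form shown above applies, and the script also checks the two failure cases a practitioner should expect: a tampered message fails verification, and a keyring without the recipient's private key cannot decrypt.

```shell
#!/bin/sh
# Added example (not from the original page): full GnuPG round trip between two
# throwaway keyrings. All names, addresses, passphrases and paths are made up.
# Requires gpg 2.1+ (batch key generation and --pinentry-mode loopback).
set -eu

gpg_available() { command -v gpg >/dev/null 2>&1; }

# Run gpg against one keyring directory, never prompting and never touching ~/.gnupg.
g() {
  home=$1; shift
  gpg --homedir "$home" --batch --quiet --no-tty --pinentry-mode loopback "$@"
}

# Step 1, unattended: the interactive prompts of `gpg --gen-key` become a parameter block.
gen_key() { # gen_key HOME NAME EMAIL PASSPHRASE
  mkdir -p "$1" && chmod 700 "$1"
  g "$1" --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 1d
Passphrase: $4
%commit
EOF
}

# Returns 0 when every positive step succeeds and every negative check is rejected.
pgp_round_trip() {
  work=$(mktemp -d) || return 1
  alice="$work/alice" bob="$work/bob"
  apass='alice-demo-passphrase' bpass='bob-demo-passphrase'   # demo values only
  gen_key "$alice" 'Alice Demo' 'alice@example.invalid' "$apass" || return 1
  gen_key "$bob"   'Bob Demo'   'bob@example.invalid'   "$bpass" || return 1

  # Steps 2 and 3: export ASCII-armored public keys and "share" them with the other side.
  g "$bob"   --armor --export bob@example.invalid   > "$work/bob.pub.asc"   || return 1
  g "$alice" --armor --export alice@example.invalid > "$work/alice.pub.asc" || return 1
  g "$alice" --import "$work/bob.pub.asc"   || return 1
  g "$bob"   --import "$work/alice.pub.asc" || return 1

  # Step 4: Alice encrypts to Bob's public key. --trust-model always stands in for the
  # fingerprint check a real user performs out of band before trusting an imported key.
  printf 'meet at noon\n' > "$work/message.txt"
  g "$alice" --trust-model always --recipient bob@example.invalid \
    --output "$work/message.txt.gpg" --encrypt "$work/message.txt" || return 1

  # Step 5: only Bob's private key, unlocked with his passphrase, can decrypt it.
  g "$bob" --passphrase "$bpass" --output "$work/decrypted.txt" \
    --decrypt "$work/message.txt.gpg" || return 1
  cmp -s "$work/message.txt" "$work/decrypted.txt" || return 1

  # Signing: Alice produces a detached signature; Bob verifies it with her public key.
  g "$alice" --passphrase "$apass" --output "$work/message.txt.sig" \
    --detach-sign "$work/message.txt" || return 1
  g "$bob" --verify "$work/message.txt.sig" "$work/message.txt" || return 1

  # Negative check 1: a modified message must NOT verify against the original signature.
  printf 'meet at midnight\n' > "$work/tampered.txt"
  if g "$bob" --verify "$work/message.txt.sig" "$work/tampered.txt" 2>/dev/null; then return 1; fi

  # Negative check 2: Alice holds only Bob's public key, so she cannot decrypt his mail.
  if g "$alice" --passphrase "$apass" --decrypt "$work/message.txt.gpg" >/dev/null 2>&1; then return 1; fi

  gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$bob"   --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  return 0
}

if gpg_available; then
  if pgp_round_trip; then RESULT=0; else RESULT=1; fi
else
  RESULT=77   # gpg is not installed, so there is nothing to demonstrate
fi
if [ "$RESULT" -eq 0 ]; then
  echo "round trip OK: encrypt/decrypt and sign/verify succeeded; tampered and wrong-key cases rejected"
fi
```

Because the passphrases are passed on the command line and --trust-model always skips key validation, this script is a demonstration of the message flow, not a template for daily use: in practice you let gpg's pinentry ask for the passphrase, and you confirm a correspondent's key fingerprint over a second channel before encrypting to it.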

Reference material