"Pretty Good Privacy"

I just stumbled upon software called PGP or "Pretty Good Privacy" (hah, also Professionals Gaming Poorly [clearly unrelated]) developed by Phil Zimmermann. Its function is to encrypt/decrypt emails so that anyone looking at them who isn't supposed to be, as they travel through the internet, cannot read them.

I am wondering, is anyone familiar with PGP and would care to discuss their experience(s) with it?

1 Like

God damn.

I've never gotten it working. Spent hundreds of hours on it.

If you want to use an email encryption protocol, use GPG; it's open source. PGP is owned by Symantec.

2 Likes

GPG is good, it's used for a lot of things.

It's not only used to encrypt emails but files in general, but not only that, it's used to identify people and used to sign things. If you use Linux, you've likely been using GPG without knowing it, as GPG is commonly used to sign packages so you know you can trust them (maintainers sign the packages they maintain, the OS checks).

GPG can be used to create an encrypted password store, or important documents, email, or just to sign things and say "hey this is from me, you can confirm this from my signature".

Very useful.

2 Likes

Here's the open source implementation of it:
https://gnupg.org/
Read the handbook. Switch to Linux if you're interested in encryption and your privacy. GPG keys are commonly used in Linux.

There's a plugin for Thunderbird to automatically sign/encrypt your email. It's called Enigmail. Useless if used from Windows because of Windows vulnerabilities, doubly so with Windows 10 which has a keylogger built-in.

There's also an open source plugin for Android, it's called OpenKeychain, download it from the F-Droid repositories. They verify, compile and sign all their APKs at F-Droid, you don't want to download an encryption plugin that has a backdoor in it.

The problem with encrypted e-mail is that there are not many people who use encryption, and maybe you will draw some attention if you want to avoid that.

Encrypted attention is better than unencrypted attention.

2 Likes

The thing is encryption is vital to safeguarding a lot of people, vulnerable people, people in dangerous jobs or areas of the world, people being spied on, among other things.

If we don't use encryption (like some politicians stupidly think is a good idea) then we potentially expose these people, whose lives in some cases rely on encryption, to people who would harm them. The more people who use encryption the more noise there is and the safer everyone (even you and I) will be in the long run.

Plus, everything really should be encrypted anyway. People don't open your post (that crap was abolished after the war), why are we letting people open our electronic post?

1 Like

PGP, OTR and ssh encryptions were among the few still not routinely cracked by the NSA according to a leaked document from 2012:

You should be reasonably safe if you use one of them (assuming no other vulnerabilities).

It is necessary to encrypt as much as possible. The more uninteresting, benign stuff is encrypted, the more likely it will be that the really interesting stuff is not detected (not being able to see the wood because of all the trees kinda thing).

You all used asymmetric encryption to get here. If you look into the URL field of your browser you should see that you are connected via https, which needs a server-side certificate to be installed. Those certificates are signed by the private key of a certificate authority.

For further reading on all things security I recommend the Security Now podcast (just google it, should be in iTunes too).

3 Likes

Very good stuff, great information!

Question: Does the recipient of the encrypted email need to have PGP (or GPG) installed or do they only need the private key?

When you send an encrypted e-mail you MUST give your public key to the person you send the e-mail to decrypt it. The recipient must have your public key and his/her private key to decrypt the message. Without the private key no one can decrypt the mails. The public key is about 4096 bits or less if you choose it and the private key is the password you put

Right, right, so the recipient must also have PGP or GPG installed in order for them to have a private key? Or am I still confused?

Software to use GPG (for Windows) is Gpg4win, check it.

Explained very simply here asymmetrical encryption

Encryption is one part of it but also it's important that you know who the message came from. GPG also helps you work that out as if you can unlock a message using Alice's "public key" then it means only her or someone with access to her "private key" could have sent it.

It's an old technology but never really picked up as people couldn't be bothered to set it up (I guess most people would be running Outlook) and exchange public keys. Shame really as it works well.
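Added example, not part of any post in this thread and not GnuPG's code: a toy Python model of the key roles discussed above, in which the sender encrypts a random session key to the recipient's public key and signs with their own private key, while the recipient decrypts with their own private key and verifies with the sender's public key. It uses textbook RSA over well-known Mersenne primes and a SHA-256 XOR keystream so it runs without libraries; the names `make_keypair`, `send` and `receive` are illustrative, and keys built this way are trivially factorable.

```python
import hashlib
import secrets

E = 65537  # common RSA public exponent

def make_keypair(p_exp, q_exp):
    """Toy RSA pair from two Mersenne primes (constructed; trivially factorable)."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": E}, {"n": n, "d": d}  # (public, private)

def keystream_xor(key, data):
    """Toy symmetric cipher: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def digest_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def send(msg, sender_priv, recipient_pub):
    """Sender needs: own PRIVATE key (sign) + recipient's PUBLIC key (encrypt)."""
    session = secrets.token_bytes(16)  # fresh symmetric key per message
    return {
        "wrapped_key": pow(int.from_bytes(session, "big"),
                           recipient_pub["e"], recipient_pub["n"]),
        "body": keystream_xor(session, msg),
        "sig": pow(digest_int(msg), sender_priv["d"], sender_priv["n"]),
    }

def receive(packet, recipient_priv, sender_pub):
    """Recipient needs: own PRIVATE key (decrypt) + sender's PUBLIC key (verify)."""
    k = pow(packet["wrapped_key"], recipient_priv["d"], recipient_priv["n"])
    session = (k % 2**128).to_bytes(16, "big")  # wrong key -> garbage, not a crash
    msg = keystream_xor(session, packet["body"])
    sig_ok = pow(packet["sig"], sender_pub["e"], sender_pub["n"]) == digest_int(msg)
    return msg, sig_ok

ALICE_PUB, ALICE_PRIV = make_keypair(521, 1279)
BOB_PUB, BOB_PRIV = make_keypair(607, 2203)
EVE_PUB, EVE_PRIV = make_keypair(2281, 3217)

if __name__ == "__main__":
    packet = send(b"meet at noon", ALICE_PRIV, BOB_PUB)
    print(receive(packet, BOB_PRIV, ALICE_PUB))  # Bob reads and verifies
    print(receive(packet, EVE_PRIV, ALICE_PUB))  # Eve lacks Bob's private key
```

Both parties need software that can hold a key pair: Bob's private key never leaves his machine, and only the public halves are exchanged.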

PGP is wonderful stuff for Linux techies to share info. For those of a less technical background, may I suggest ProtonMail. Encrypted end to end emails, provided you and your recipients are signed up. Being based in Switzerland, you have Swiss law on your side against snooping. By the way, it's free!

If you're using Windows 10, don't bother. You've already agreed to be spied on.

Otherwise take a look: https://protonmail.ch/

You think you have nothing to hide? Glenn Greenwald says different.

Watch this: https://www.youtube.com/watch?v=pcSlowAhvUk

1 Like

Alright, now I understand, thanks.

I am trying to install GPG as I write this, but I am having some trouble (both with trying to install it and trying to find help online). I have the core installed and the first configuration step (just ran ./configure to see what other files I need to install) is done. And I have downloaded the files needed for complete configuration: libgpg-error, libgcrypt, libassuan, libksba, libpth-dev (installed via apt-get), and zlib1g-dev (also installed via apt-get).

With the files I have downloaded, I have extracted them into their own directories (there is also one for the gpg core) located in my Documents directory. I'm not really sure how to phrase this: how do I get gnupg to locate the files and use them in the configuration process so that I am not getting "You need ________ to build this program" etc (after running on each file: ./configure -> make -> make install)?

Do I need to extract them right in the gnupg folder, somewhere else, or is there another command I can execute in order for gnupg to realize each of its uninstalled dependencies are installed?