Saturday, 23 April 2016
My GnuPG/PGP public key
For those who want to encrypt their e-mail correspondence with me, I've posted a GnuPG/PGP public key (fingerprint: 0B0B 8F74 CEA3 83AB 97B3 F6AF BB7E F636 165C 22F5) and linked to it from my contact page. Friends who use GnuPG or PGP are invited to contact me to arrange to sign each others' keys.
My own choice has been to live a fairly public life, but I try to respect other people's confidences and protect their secrets as best I can. I've been meaning to set up support for GnuPG and/or PGP encrypted e-mail for years, but haven't gotten around to it until now.
In generating my encryption keys and setting up my e-mail, I've consulted friends (thank you all!) with more expertise in encryption. But I've made my own choices of tools, techniques, and implementation, to the best of my own ability and on the basis of my own threat assessment. I'm not an expert, my adversaries may not be the same as yours, and I can offer no promise that even encrypted communications with me won't be compromised.
The Gnu Privacy Guard (GnuPG) is a free, open-source, implementation of the OpenPGP standard for Linux, Windows, and MacOS. It's supposed to be fully compatible with commercial PGP, and seems to be gradually displacing PGP. At least in my initial tests, I have found it surprisingly easy (although not simple) to generate and manage GnuPG keys and install and configure e-mail encryption on Linux in combination with Thunderbird Mail through the Enigmail add-on to Thunderbird. GnuPG, Thunderbird, and Enigmail are all also available for Windows and MacOS.
My preferred e-mail client has been and remains Pegasus Mail. Pegasus Mail is a native Windows application but the latest version runs perfectly on Linux under Wine, making it possible to use Pegasus Mail as a portable app that can run, e.g. from an (encrypted) flash drive or other portable device, on either Linux or Windows systems without any modification whatsoever. There is a Pegasus Mail add-on, QDGPG, for GnuPG integration, but I can't tell if it would work with Wine. If anyone has tried Pegasus Mail and QDGPG with GnuPG on Linux under Wine, please let me know in the comments or privately how it went. I'll update this article if I learn more or get the time to test this combination myself.
I do not use Signal, WhatsApp, or any other "secure" messaging app that depends on a cellphone and sends all the phone numbers stored on the phone to its central servers, or that relies on Google or Apple servers to route all messages or calls. I eagerly await a fork of Signal that doesn't require a phone, makes any sharing of contacts optional with a default of "no", and allows truly peer-to-peer communication initiated by IP address or through a user-operated server rather than a central server. I do use Skype, which uses Microsoft servers to initiate all calls, but it doesn't require a phone or access to its contact list, and doesn't pretend to be particularly secure.
General guides to information security, especially "cookbooks" that recommend specific strategies, almost inevitably incorporate assumptions -- often unstated or unquestioned-- about which adversaries and what types of threats you are concerned about. The same is true of friends you might ask for advice. I've found all of the references below to be useful, but I've taken none of them as gospel. Even those that haven't been updated in a few years are still useful food for thought, especially if they make you aware of threats you hadn't considered:
- Surveillance Self-Defense (Electronic Frontier Foundation)
- Information Security for Journalists (Centre for Investigative Journalism, UK)
- Digital Security (Freedom of the Press Foundation)
- Journalist Security Guide (Committee to Protect Journalists)
- Security-In-A-Box (Tactical Technology Collective)
- Tor (anonymous Web browsing)
- Tails (portable live operating system)
- gpg4usb (GUI for GnuPG designed as a portable app distributed with both Linux and Windows versions)
- VeraCrypt (Open-source successor to TrueCrypt for disk, device, and file encryption)