Encrypt Everything: OpenPGP

I firmly believe that all communications should be encrypted. Even if you have nothing to hide you can contribute to the greater good by encrypting your communications. How so? Simple: encrypted communications appear as garbage data to prying eyes that lack the keys necessary to decrypt them. The more encrypted communications flying across the wires, the more garbage data prying eyes have to dig through. If all communications were encrypted, spies in organizations such as the National Security Agency (NSA) would be entirely ineffective.

Tools that enable users to encrypt e-mails have been around for ages but, sadly, few people take advantage of them. In the hopes of alleviating this problem I am going to provide guides to help people get this stuff encrypted. For the first entry in my Encrypt Everything series I'm going to discuss a tool that will allow you to communicate securely over e-mail, OpenPGP.

OpenPGP can be briefly summarized as a software package that allows users to generate public/private key pairs that can be used to securely communicate with other OpenPGP users.

The first question most people are likely to ask is, what the heck is a public/private key pair? Don't worry, it's not complicated. Public/private key pairs are used for asymmetric cryptography. Asymmetric cryptography is a fancy way of noting an encryption method that uses two keys, one public and one private. Data encrypted with the private key can only be decrypted with the public key, and data encrypted with the public key can only be decrypted with the private key. After generating a public/private key pair you provide your public key to those who want to communicate securely with you. In turn they will provide you with their public key. When they want to send you a secure communication they will encrypt the message with your public key. That message can only be decrypted with your private key, which, as the name implies, is held only by you. When you want to reply to the secure communication you encrypt your response with their public key, which can only be decrypted by their private key.

OpenPGP allows you to generate a public/private key pair, encrypt messages with either your private key or another person's public key, and decrypt messages sent by people who have provided their public key.

An OpenPGP public key is a block of text that begins with -----BEGIN PGP PUBLIC KEY BLOCK-----, continues with a long run of base64-encoded data and ends with a matching END line; the public key for blog [at] christopherburg [dot] com is one example.


OpenPGP users can use that gobbledygook to encrypt messages that can only be decrypted by me. Generally people also post their public keys to key servers such as the one provided by the Massachusetts Institute of Technology (MIT) or Canonical, the creators of Ubuntu Linux. If you go to either of those key servers and enter my e-mail address into the search box you will be provided with my published public key.
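To show what is actually inside such a key block, here is an added example (my own code, not the post's or GnuPG's): it builds a small ASCII-armored block of the same shape, verifies the CRC-24 checksum line (the "=xxxx" line just before the END marker) and splits the decoded data into OpenPGP packets. The sample public-key packet uses toy, unusable RSA numbers, and the parser handles only the old-style packet headers that GnuPG 2.0 wrote for exported keys.

```python
import base64
TAG_NAMES = {2: "signature", 6: "public-key", 13: "user-id", 14: "public-subkey"}  # RFC 4880 4.3

def crc24(data: bytes) -> int:
    """CRC-24 of RFC 4880 section 6.1; the '=xxxx' line before the END marker encodes it."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """Wrap raw packets in the text form shown in the post: armor header, base64 body, checksum."""
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: example\n\n"
            f"{body}\n={crc}\n-----END PGP PUBLIC KEY BLOCK-----\n")

def dearmor(text: str) -> bytes:
    """Reverse armor(): skip the armor headers, base64-decode, verify the checksum."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[lines.index("") + 1:-1]      # armor headers end at the first blank line
    checksum = body.pop() if body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if checksum and crc24(data) != int.from_bytes(base64.b64decode(checksum[1:]), "big"):
        raise ValueError("CRC-24 mismatch: the block was altered or mis-copied")
    return data

def packets(data: bytes) -> list:
    """Split raw data into (tag name, body) pairs; old-format headers only, as GnuPG 2.0 wrote."""
    out, i = [], 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40 or (ctb & 3) == 3:
            raise ValueError("new-format or indeterminate-length header not supported")
        tag, nlen = (ctb >> 2) & 0x0F, 1 << (ctb & 3)     # length field is 1, 2 or 4 bytes
        length = int.from_bytes(data[i + 1:i + 1 + nlen], "big")
        i += 1 + nlen
        out.append((TAG_NAMES.get(tag, f"tag-{tag}"), data[i:i + length]))
        i += length
    return out

# Constructed sample: v4 RSA public-key packet (CTB 0x99) followed by a user-id packet (CTB 0xB4)
KEY_BODY = b"\x04" + (1369600000).to_bytes(4, "big") + b"\x01\x00\x08\xc5\x00\x05\x11"  # toy MPIs n=0xC5, e=17
SAMPLE = armor(b"\x99" + len(KEY_BODY).to_bytes(2, "big") + KEY_BODY
               + b"\xb4\x1c" + b"Test User <test@example.com>")
```

Running `packets(dearmor(SAMPLE))` returns the public-key packet followed by the user-id packet, which is the same pair of packets a real exported key starts with; changing any character of the base64 body makes `dearmor` reject the block.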

Many OpenPGP applications can be configured to automatically check key servers for public keys. Later in this series, when I cover specific implementations of OpenPGP, I will explain how an e-mail client can automatically search OpenPGP key servers for public keys associated with e-mail addresses that have sent OpenPGP encrypted e-mails. Suffice it to say publishing your public key to a key server makes life easier for other OpenPGP users, but there is no requirement to do so (OpenPGP is a decentralized system).

OpenPGP public keys can also be signed by other OpenPGP users. When you sign a public key you are verifying that the person who holds the corresponding private key is who he claims to be. This establishes what is referred to as a web of trust. What is a web of trust? A web of trust is a decentralized alternative to the chain of trust system most of us use every day.

When you access this site through its secure connection you receive a public key that has been signed by StartCom. StartCom is a certificate authority, which is an organization that signs Secure Sockets Layer (SSL) certificates (certificates used to provide secure connections to websites). StartCom's public signing key is included in most major web browsers and operating systems, so whenever you access a site secured by a certificate signed by StartCom your browser will trust it. By signing the certificate StartCom is verifying that the website is who it claims to be (in my case, blog.christopherburg.com). This system is highly centralized since it relies on a handful of certificate authorities.

Returning to the original question (what is a web of trust?), the answer is that a web of trust is a system where individuals sign public keys instead of centralized authorities. If I sign your public key, anybody who trusts my public key will see that I trust your public key. A person who trusts my judgement of character will then be more inclined to trust that your public key corresponds to a private key in your possession. This system becomes more effective as more people sign your public key, which is why key signing parties exist (yes, we geeks know how to party). When somebody sees your public key has been signed by several people they personally trust they can be reasonably sure that it is your key.
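As an added illustration of how those signatures and your own trust in the signers combine (my own code, not the post's or GnuPG's), here is a simplified version of the validity calculation GnuPG's classic trust model performs. It assumes GnuPG's defaults of one fully trusted or three marginally trusted signatures and a maximum chain depth of 5; the key names and trust settings are constructed.

```python
# Simplified web-of-trust validity calculation modelled on GnuPG's classic trust model.
# Assumption (not from the post): GnuPG's defaults of 1 fully trusted signature or
# 3 marginally trusted signatures, and a maximum certification chain depth of 5.
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5

def key_validity(signatures: dict, ownertrust: dict) -> dict:
    """Return {key: chain depth} for every key whose owner can be considered verified.

    signatures: {key: set of keys that have signed it}
    ownertrust: {key: "ultimate" | "full" | "marginal" | "unknown"}, your own opinion of
                how good each key holder is at checking identities before signing.
    A signer only counts once its own key is valid: a stranger's signature proves nothing.
    """
    valid = {k: 0 for k, t in ownertrust.items() if t == "ultimate"}   # your own keys
    changed = True
    while changed:                        # propagate until no further key becomes valid
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid and valid[s] < MAX_CERT_DEPTH]
            full = [s for s in usable if ownertrust.get(s) in ("ultimate", "full")]
            marginal = [s for s in usable if ownertrust.get(s) == "marginal"]
            if len(full) >= COMPLETES_NEEDED or len(marginal) >= MARGINALS_NEEDED:
                valid[key] = 1 + min(valid[s] for s in (full or marginal))
                changed = True
    return valid

# Constructed example: "me" holds the ultimately trusted key and has signed four people directly.
SIGNATURES = {
    "alice": {"me"},
    "bob":   {"me"},
    "erin":  {"me"},
    "frank": {"me"},
    "carol": {"alice"},                   # one signature from a fully trusted introducer
    "dave":  {"bob", "erin", "frank"},    # three signatures from marginally trusted introducers
    "grace": {"bob", "erin"},             # only two marginal signatures: not enough
    "heidi": {"mallory"},                 # signed by a key nobody in the web has vouched for
}
OWNERTRUST = {"me": "ultimate", "alice": "full", "bob": "marginal",
              "erin": "marginal", "frank": "marginal"}

def is_valid(key: str) -> bool:
    """True if the web of trust, as configured above, vouches for this key's owner."""
    return key in key_validity(SIGNATURES, OWNERTRUST)
```

Carol and Dave end up valid while Grace and Heidi do not, which is the post's point: signatures only help when they come from people you have already decided to trust, and more of them are needed from people you trust less.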

Now you have a general overview of OpenPGP. In the next installment of my Encrypt Everything series I am going to explain how to use GPGTools to encrypt your e-mails with OpenPGP on OS X (Why am I starting with OS X? Because that's the operating system I generally use for e-mail. Don't worry, I will cover other tools as the series progresses).