by Rob Locher
I have a libertarian streak politically, and I believe that people who aren't in prison have the right to communicate without their government listening in. (Or someone else's government. To people in other countries who aren't plotting terrorism, I'm sorry that the US government has been spying on you. I strongly disapprove.) In this era of electronic communication, the only way to guarantee this right for myself is to use encryption. Unfortunately the US government has, on several occasions, attempted to dilute encryption used by ordinary US citizens, by such techniques as attempting to pass laws requiring that encryption keys be kept in escrow, or weakening the encryption itself with a compromised pseudo-random number generator. The Snowden revelations have shown how much appetite the US government has for spying on its own citizens.
Fortunately there is a strong tool, which is completely legal, that the government apparently hasn't found a way to crack: an internet standard known as OpenPGP, defined by RFC 4880. There are two commonly- available programs that implement OpenPGP: PGP by Symantec, which costs money, and GPG, which is free. The community has rallied around GPG, and there are several programs and tools that support it and make it easier to use, such as Enigmail, an add-on for Thunderbird that lets people easily send encrypted email.
One of the things that I'm good at is learning a complicated technology and then explaining it to ordinary people. I figure out some exciting new technology, taking notes as I go, and then when I'm finished I look around and see all the ordinary people that should benefit from the new technology, but aren't because it hasn't been explained very well. Then for some reason I don't understand I decide to help. I go over my notes and improve them until I have an article or a white paper, which I publish here. In particular I try to fill the gap between the official documentation and actual daily practice, pointing out the tricky parts.
So when I started learning GPG, I thought oh no, here I go again, another complicated subject I'll feel compelled to break down and explain. But for once someone saved me the trouble:
Alan Eliasen's GPG Tutorial
Alan is way far ahead of me in understanding the ramifications of public-key encryption and GPG, and I've learned several new things from his page.
I encourage everyone to routinely encrypt their email with the OpenPGP standard, because if we don't use our rights, then government will take them away. You can send encrypted email to me of course; my public key is below. I've also published the key to a keyserver. Alan points out that it's trivial to publish a bogus public key to a keyserver, and I'll add that it's not so difficult to hack a web site either; if you want to know for certain whether the email came from me or not, then you'll want me to validate my fingerprint to you over the phone or in person.
I'd like to add one comment. Alan's page lists all sorts of caveats and warnings and things to be aware of when using OpenPGP. Most of those brow-furrowing details are for people who are trying to use OpenPGP to protect valuable secrets. If you just want to be a libertarian and metaphorically stick a thumb into the authoritarians' eye, then OpenPGP will prevent your email from being routinely scanned by your "free" webmail provider for advertising purposes, or by a government exceeding its authority. So please use OpenPGP routinely, and don't fret too much about the finer points, at least at first. But do be aware that simply using OpenPGP doesn't by itself make your secrets secure, because there are so many other ways to steal your secrets. For instance, if you paid for a purchase at Target with a credit card during a certain period of time in 2013, then your credit card data was stolen, even if you kept your credit card number in a GPG-encrypted file. OpenPGP is an excellent tool, but to achieve real security for valuable secrets requires a comprehensive strategy. On the other hand, OpenPGP is great for thwarting routine eavesdropping, even when used casually.
Below is the public key for Rob Locher <firstname.lastname@example.org>.
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.14 (GNU/Linux) mQENBFLUN2wBCAC4flI9SKc/oHtszwrgyvDJzTJT2xJDXrgzL6npEgQY9xViPRhI bWuYrhH+Q0V/hMbvKHRY6cX82coCgD16ucyyBAV3RleCREU4Q4Ovs36qmogvSQwm HyJOpbhxCtpUraLOGnyuw1mRBajuTTZ2QHEN1td2qwW9u5PcppiPN9u7YLs0ANj3 TtuWX/hVXRVllD5tuBolj7fBcN4oUj9GUe8QWA1P5/NVHueddoIi3H+E2J+cOVUg qeqGdTusu8USkUkOW/ZKTzWSmiUKku9DjTRkZJtSkQOTXzE0q1YfM5cG5STRfwln APp+0lZV+pT5HBekRb/6+detr2qeO+65fAS1ABEBAAG0IlJvYiBMb2NoZXIgPG9w ZW5wZ3BAcm9ibG9jaGVyLmNvbT6JAT4EEwECACgFAlLUN2wCGyMFCQlmAYAGCwkI BwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPASwQ5lI9tSifMH/00cuCt0GzbE9Aqf 3gdoAUoBd4TgDekGoa9Lt6QFDnsUNX4hhhpDq15GqcT0GIvwZ7aNuENnpFMiEH+z 61OfLdzvN642xWQKtr6qb+octVElEQJBhNxTF2rEkbchpyDxUvOcCh1h/Jt4hjoo V7YqRbD7ih50Jdgvr45EHtjTlOLnoybHsJdtOt9OuNPt7CZd2xhK4ZsJLx9tqDa3 zLmlmDOuy72z82HE9UeMIq8DFRUpXNBnkt6yNr0uu2C5+0D43ajw4w9nu/X67Vhk KSCEN5zzf6sLPAk9ePreDOFBgkOXkHVJjtgKRFkphLzcpPWD/ce4yxwccsEQOHoM LWePWnOJARwEEwECAAYFAlLUO4MACgkQpmdyC+HcLJ/wFgf/dxjSyhKimGKMIvmw /ubvK09ho2Nk7AxiKqaYj39mfwkQh0rAlmMUVzuauDs2w/9reVa/w9+jjjrPnhvF 63hbGR2c/TuzY+vPwx5Eua+DXjJO8isk3tHGb3TBPUk2nKFkDTSdJo75hbtC6jGu PlPDZsD3qQIRgWzyMuqcZVDcfbvKf6OEp94vbe4Ld4/kvK2bKQlcSzJDc22KcbNS RDLY408HDl6FufVhkC/dgKKf9oCUQPi8SQIDHT5vEq0TYd6hpeNgpxRvpS0MDfgH X+x4kOXRjvzG9dHKOXgrjLmthH7vt0LCYl8gYKynQBVHHfI/CpzcnnuvVsAR3yDl AYE3nrkBDQRS1DdsAQgA069eJa7CsXK8j3JllC2dN+SiOM4cg9E7lL4gXlpejSeY 15AZcg1cENr/o6kLdQPaJ++l/QXnqZgvLOSNyAxO4D+f8sBHv31mBn60rM4aU2Lz 5HopfWGaDbGqXuJXiN3aGVyKhsShGIlVreWjbkGo4R191O9dTrYuxW/Gidbv0Z27 DCkcsLHIz3p57yqG+hviE7DMh8d9zfzuEfeLjhBkhbFCOePQyRRh8ZhnyDp1IdvS hVfIAPrwhE2l7o5ekTQh7Dr8vxheC64vNvI1LxtxIDeTa1s/3LACl23kjDS55HHv dJnI6AW4OKTTRQz6aOjtW77fU64qc9qOpYNgXoD76QARAQABiQElBBgBAgAPBQJS 1DdsAhsMBQkJZgGAAAoJEPASwQ5lI9tSWawIAJpdw5J1rn6Z/G+bHH+yN1QTp1xS JIEft5kf37RhD54enisde8NtLzkLXj3zgsAX7/QkND8pnYw1rhN4LXR7CQ0KWfm8 x69VDnD5Cez1BFrLJQPVS4ZAJS/jFHyeGGekun8X+bFVZXTv4qIYpxbQIDyC8Xfq 3dXD2X3C3/e8P76LsqHhRfjSAJDYqGy+OjnohUpTScbidIKEgboAvz+GQz2rklhx BrMMtLDzwVf+yqAUicGsC4r9izpSQFswtVHSQiqvs3IEhQsJTskjd8URzJIdEtvy vgXoDdkaJ7NWr17pXsWwV/578vcbOjzR+rhzAAIfN6sB/owZEG+zdpM8tkw= =CsF9 -----END PGP PUBLIC KEY BLOCK-----