How to be Anonymous Online (4 page)

BOOK: How to be Anonymous Online
2.62Mb size Format: txt, pdf, ePub

It is common to find PGP related files with the wrong extensions. If you suspect this to be the case, open the file in your
gedit
program (right-click the file >
Open with
>
gedit
). The top line of the text will tell you if it is a public PGP key, private PGP key or signature file. Just rename the file as needed. If the entire text is pure chaos, including the first line, it is an encrypted file, which you can give a .pgp extension.

Create your PGP key
  1. Open the
    Passwords and Keys
    program (
    Applications
    >
    System Tools
    >
    Preferences
    >
    Passwords and Keys
    )
  2. In the Passwords and Keys window, click
    File
    >
    New
  3. Choose
    PGP key
    , and then
    continue
  4. Enter a full name and email address (these do not have to be real). Adding a Comment is optional
  5. Click 'Advanced key options'
  6. Choose RSA and set the Key Strength to “4096” bits. You do not need to set an Expiration Date
  7. Click
    Create
  8. Make a strong password and remember it (it is unrecoverable)
  9. Your brand new public PGP key is visible by selecting
    GnuPG keys
    from the left column
  10. By right-clicking your key and selecting
    Properties
    , you can view its details, as well as change its password
Export and share your public PGP key
  1. Open the
    Passwords and Keys
    program
    (
    Applications
    >
    System Tools
    >
    Preferences
    >
    Passwords and Keys
    )
  2. Select the
    GnuPG
    from the left column
  3. Click your key to highlight it
  4. Click
    File
    >
    Export
  5. Select
    Armored PGP keys
    from the
    PGP Keys
    drop-box (in the bottom right corner of the Seahorse Export window)
  6. Give your key any
    Name
    you wish, just make sure it has the .asc extension (
    keyname
    .asc)
  7. Choose a location, and then click
    Export
  8. This file is your public PGP key. As the name suggests, it is for the public
    .
    You can share it with anyone, post it on a website, and give it to your worst enemy. It is used to 'lock' a file so that only you can 'unlock' it
  9. An Extra Special Step
    – Go to the location that you saved your exported public PGP key and use
    gedit
    to open it (right-click the file, Open with >
    gedit Text Editor
    ). The text is your actual public PGP key. You can share this text instead of sharing the file. For example, instead of attaching a public PGP key file to an email, you can paste its text into an email. Likewise, you can post the key's text on a website as opposed to the file

Copy everything, Starting with “
-----
BEGIN PGP PUBLIC KEY BLOCK
-----

and ending with

-----
END PGP PUBLIC KEY BLOCK
-----

Import someone else's public PGP key
  1. Save their
    filename
    .asc or
    filename
    .pgp public
    PGP key (you can save it anywhere, this is temporary). If you only have the text of someone's public PGP key, copy the text into
    gedit
    and save it as
    filename
    .asc. The
    filename
    can be anyname you choose

Copy everything, Starting with “
-----
BEGIN PGP PUBLIC KEY BLOCK
-----

and ending with

-----
END PGP PUBLIC KEY BLOCK
-----

  1. Open the
    Passwords and Keys
    program  (
    Applications
    >
    System Tools
    >
    Preferences
    >
    Passwords and Keys
    )
  2. In the main window, click
    File
    >
    Import
  3. Find and open
    filename
    .asc
  4. You have imported the key and can
    see it
    by selecting
    GnuPG keys
    from the left column
  5. You can now delete the
    original
    filename
    .asc file that you used in Step 1
Import a public PGP key from a Keyserver

You can easily look up someone's public PGP key if they upload it to a keyserver.
Keyservers
are databases that anyone (even you) can use to share their public PGP key(s) with the world. To import someone's public PGP key from the keyservers:

  1. Make sure you are connected to the internet
  2. Open the
    Passwords and Keys
    program  (
    Applications
    >
    System Tools
    >
    Preferences
    >
    Passwords and Keys
    )
  3. Select
    Remote
    >
    Find Remote Keys
  4. Enter a search term, such as a Key ID or a Key name
  5. A list of public PGP keys containing the search term will appear. To Import a key, right-click it and select
    Import
    . Once imported, you can close the window
  6. The public PGP key is visible by selecting
    GnuPG keys
    from the left column
Encrypt a file with PGP

In the next steps, you are NOT using the Passwords and Encryption Keys program

  1. Before you choose a file to encrypt, you must have already imported the intended recipient's public PGP key. If you do not have anyone else's public PGP key, you can use your own key and send a file to yourself. Better yet, make a second public PGP key, and then use it
  2. Find the file that you want to encrypt (it can be on your desktop, in the persistent folder, or wherever) (if you need a file to test, just open
    gedit
    , write yourself a little note and save it)
  3. Right-click the file and select
    Encrypt
  4. The
    Choose Recipients
    window will open. The public PGP keys you have in your system are listed
  5. Select the recipient(s) for whom you are encrypting the file. Whether or not you sign the file is up to you. If you sign it, when the recipient decrypts the file they can see it is from you. It is kind of like putting your signature on a letter
  6. Click
    OK
  7. If you do not sign the file, you will be prompted to name the file. Any name will do (
    filename
    .pgp), and then click
    OK
  8. Only the chosen recipient(s) will be able to decrypt the file
  9. You can now send the encrypted file
Sign a file using your PGP key

You can put your signature on a file, so people know it is from you, not an impostor. You can sign both encrypted and non-encrypted files.

  1. Find the file that you want to sign (it can be on your desktop, in the persistent folder, or wherever) (if you need a file to test, just open
    gedit
    , write yourself a little note and save it)
  2. Right-click the file and select
    Sign
  3. Select your PGP key from the
    Sign message as
    window,
    and then click
    OK
  4. If prompted, enter your key password, and then click
    OK
  5. At the location of the original file a second file appears. It has the same name as the original, plus '.sig' added to the end (
    filename
    .txt.sig appears after signing
    filename
    .txt)
  6. The person verifying your signature needs three t
    hings, the original file you signed, the '.sig' file and your public PGP key
    (
    filename
    .txt
    ,
    filename
    .txt.sig
    and
    your_public_key
    .asc
    )
Where security gets tricky

Ideally, the person verifying your signature had previously received and verified your public PGP key.

This process works like bank signatures did in the old days.

  • When you opened a checking account, you would go the bank in person and sign a signature card. This way the bank had your authentic signature on file
  • When a check came into the bank, they would compare the signature on the check with the authentic signature on file
  • If the signatures matched, they would consider the check authenticated

Now, suppose the bank received a signature card and a signed check at the same time. Meanwhile, you were not present. Even though the signatures match, the bank cannot tell if they are authentic.

You face the same dilemma if you get a public PGP key online at the same time as a signed file. You need a way to authenticate the public PGP key before you can use it to authenticate a signed file.

Authenticating a public PGP key

There are a two ways to make sure you have someone's actual public PGP key, not a fake.

  • You can check the key with the
    Keyservers
  • You can check the key by its
    Fingerprint
Authenticate with the Keyservers:

If someone trusts that a public PGP key is authentic, they can sign it. When you import a particular key, you can see the keys of all the people that have chosen to publicly sign it, vouching for its authenticity. Using the
terminal
, you will view these signatures.

  1. Open the
    Passwords and Keys
    program (
    Applications
    >
    System Tools
    >
    Preferences
    >
    Passwords and Keys
    )
  2. Select the
    GnuPG
    from the left column
  3. Right-click an imported public PGP key, and then select
    Properties
    (as an example, select
    Tails Developers [email protected] 'offline long-term identity key'
    )
  4. Take note of the
    Key ID
    , because you will need it in a moment (in this case, 58ACD84F – as of August 1, 2015). You can leave this window open while you proceed to the next step
  5. Open the
    Terminal
    program (
    Applications
    >
    Accessories
    >
    Terminal
    )
  6. In the
    Terminal
    window, type “
    gpg --list-sigs
    Key_ID
    ”. In this example, you would type
    gpg --list-sigs 58ACD84F
  7. The terminal displays a list of signers

The more signatures that are from people you know and trust, the more trust you can have in the keys authenticity

This trust stuff is a big deal for software developers collaborating on projects and, in the case of my family, Christian missionaries spreading the word to hostile lands. For most other people, PGP is just a way of pretending to be Batman and Robin exchanging puppy memes without the Joker eavesdropping.

Authenticate with the key's Fingerprint
.

To check a key's Fingerprint:

  1. Open the
    Passwords and Keys
    program  (
    Applications
    >
    System Tools
    >
    Preferences
    >
    Passwords and Keys
    ), and then import the key in question
  2. Select the
    GnuPG
    from the left column
  3. Right-click the key, and then select
    Properties
  4. Under the
    Details
    tab is the key's
    Fingerprint
    (for example, the Tails developers fingerprint is A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F)
  5. Compare the Fingerprint to that of others who have the same key in their possession. The more corroborating sources, the more trust you can have in the keys authenticity. If it is a popular key, an online search may provide a number of comparisons
  6. If you believe the key is fake you can delete it (right-click the key, and then select
    Delete
    )

Other books

A Bride in Store by Melissa Jagears
Johnny's Girl by Toon, Paige
Stempenyu: A Jewish Romance by Sholem Aleichem, Hannah Berman
Sticky Fingers by Nancy Martin
A Pledge of Silence by Solomon, Flora J.
One Night: Denied by Jodi Ellen Malpas