I want to get people into the habit of using truly secure encryption for any sensitive conversations they might have, but I understand that there's a bit of a learning curve that many of you don't have the time or the patience to climb. Just using encryption to protect the contents of your conversations is just one step on the way to being safer, but it is a rather important one, so let's just start with that.

Just bear with me and follow these steps for about half an hour, and you'll be up and running with secure communication, regardless of who is handling your emails or instant messages.

GnuPG is a free version of PGP, this is the best encryption out there. How it works is that you make a set of "keys", one is called a public key, and you can hand that out to anyone. How is this safe?? This key can ONLY be used to ENCRYPT messages which can ONLY be read by you. How's that? You have the private key, or the secret key, which is the only thing that can decrypt messages encrypted with your public key. Think of it like two keys to your house, but one of them can only lock it, and the other one can only unlock it. Even someone who has encrypted a message to you can't decrypt it. This is as secure as it gets.

Now using this level of secure program used to be much more of a headache, but now there is a graphic user interface which makes it pretty simple. Here's all you have to do:

1. Download GnuPG (aka GPG) here:
ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.8.exe
(If that link doesn't work, use this mirror (http://mirrors.rootmode.com/ftp.gnupg.org/binary/) (just hit escape when it asks for your username and password), and go to the bottom to download the file named gnupg-w32cli-1.4.8.exe

2. Install this in the default directory.

3. For making/managing keys easily, use the program Cryptophane:
http://www.cryptophane.org/cryptophane-0.7.0.exe

4. Use this program to generate your secret key, for now use the maximum key lengths this program allows: (1024 bit DSA, 2048 EIGamal).

While it is generating the key, move your mouse around and hit some keys, this further randomizes data, making it that much harder to beat.

5. Install an addon/extension to your Firefox browser called FireGPG
http://firegpg.tuxfamily.org/?page=install&lang=en

If it doesn't seem to let you install it, look at the top or bottom of your screen, there should be something which has shown up which lets you choose the option of allowing downloads from that site.

Install it and then restart Firefox.

Next send someone your public key and get him to send you his. You can send it as a file, or just cut and paste it. Where the hell is your key? To get your key, just right-click anywhere on the screen in Firefox. You'll see FireGPG near the bottom, select Export. Then select your key. A window will pop up, and that's your public key. Cut and paste that and send it to someone.

When he sends you the same thing back, just highlight it *all* (starting with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----) then open Notepad and paste it into there. Now save that to your desktop as Whoever.asc. Now open Cryptophane, click on File, then Import Keys, and go find and choose Whoever.asc.

Now you've got each other's public (locking, encrypting only) keys. To send him a message that ONLY he can unlock, go to FireGPG, then select Open the Editor. Type in your message. Then when you are done, click the Crypt button. Select the person who you want to read it. Only they will be able to open it once it's encrypted. Now select the entire text (control-A) and copy it (control-C) then paste it (control-V) in your normal email window or instant messenger window, whatever. Send it.

When you receive a message that is GPG encrypted, just copy and paste it into the FireGPG editor, then click Decrypt. Boom, you unlock it. If it was addressed to you, ONLY your private key can unlock it, so you can know that nobody else is seeing what's being said.

Yes, all of this might seem to be a hassle, but once you've done it a few times, it will be really easy and you'll wonder why everyone wasn't doing this before.

-------------------

Next up, I'll address a bunch of other weak points in our security, including (importantly) how to establish anonymity. Without that, even secure encryption is not enough -- but it's probably the most important first step. If anyone's interested, you can also have secure voice conversations over the internet.

I'm working on a whole package to streamline this for everyone, but until that is done, you all might as well get up to speed and at least start using GPG.

For those of you who use a Mac:

Here's GnuPG: http://www.versiontracker.com/dyn/moreinfo/macosx/10258

Here's GPG Keychain Access (which should be like Cryptophane that I posted)
http://prdownloads.sourceforge.net/macgpg/GPG_Keychain_Access.0.7.0.1.zip?download

And here's GPGDropThing – Quickly use GnuPG on text via GUI
(or just use FireGPG)
http://prdownloads.sourceforge.net/macgpg/GPGDropThing-0.4.3.dmg.gz?download

Here's an overall GPG on Mac page:
http://macgpg.sourceforge.net/

And this looks like a how-to:
http://www.wasuvi.com/?page_id=2368

OK, in my continuing quest, I am also going to teach you how to use a GPG enabled instant messenger. This works on the Jabber network, so it is something like a Tor-network, but don't think that we're going to just count on that.

I'm putting this out there right now for those who don't want to wait for the finished product that I'm putting together which will make this a lot easier. If you are chatting online, you should be using GPG, either cut-and-pasting each encrypted message manually, or with something more advanced like this.

http://psi-im.org/images/logo.png
Psi is a GPG enabled chat program which works on Windows, Mac, Linux, BSD, whatever. I'd like to push this as the chat application for the community. If you don't think that's a good idea, or you've got a better idea, let me know.

----------------------
Now that you've already got a GPG key, here's how you get this instant messenger program working:

1. Download the latest version of Psi from Here (http://sourceforge.net/project/downloading.php?groupname=psi&filename=psi-0.11-win-setup.exe&use_mirror=superb-west), or if that doesn't work, here's the latest nightly build (http://www.kismith.co.uk/files/psi/windows/nightlies/)

2. Unzip the file somewhere. That is where it will be "installed".
3. Go to where you unzipped the file, look in the folders and run Psi.exe

4. Now, register a new account.
Server
[ Select one which does not say invalid certificate, e.g. aszlig.net ]
Connection settings
--> Manually Specify Server Host/Port [ leave this alone for now, unchecked ]
Encrypt connection: [ Always ]
Probe legacy SSL port [ unchecked ]

5. For setting up an account use these options
Details
--> OpenPGP --> Select Key
Connection
Connection proxy: [ for now, leave this, we'll get to that some other time ]
[ check ] Compress traffic (if possible)
Encrypt connection: [ Always ]
[ unchecked ] Ignore SSL Warnings
Allow plaintext authentication: [ Never ]

6. Add your friends, and associate them with their GPG public key

7. Open a chat window, make sure it says encryption is enabled.

8. Chat, knowing that only you can read what he's saying, and only he can read what you're saying.

(I'll update these instructions if I learn that something is unclear or doesn't work for some people)

If it won't let you select a secret key, then you have to fix something to let it know where GPG is installed on your computer. I've attached a file to do that. Download it, then right click on it and select Merge. This will tell Psi where GPG is installed. (and you can double check to make sure I'm not sending you a virus or something, just open the file in notepad, and you'll see this:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\GNU\GnuPG]
"gpgProgram"="C:\\Program Files\\GNU\\GnuPG\\gpg.exe"

I was asked on another board why Psi is better than Gaim/Pidgin with encryption. I chose it because the encryption is stronger, open sourced, redundant, and the jabber network is distributed. Also it can run on Windows, Mac, Linux, BSD. The contents of your messages are encrypted with GPG, and the connection itself is SSL encrypted (depending on which server you choose to connect through).

As for the strength of the encryption, yes, an 8192 bit PGP key would be stronger, but you can generate that with GPG also, the trouble is that you have to make a slight modification to the source code and compile it yourself. I can't tell people to do that if I want to get them to start using it now. But I will implement this myself for the operating system version of all this.
http://lists.gnupg.org/pipermail/gnupg-users/2007-June/031309.html

I can also add in compatibility with PGP keys if that's something people want.

In fact, I should note that the instructions I gave only discuss generating a 2048 bit key, because that was the max that Cryptophane allowed. I didn't want to scare people off with the little bit of extra work required to make a 4096 bit key:
1. Hit the Windows Start button
2. Hit the Run button
3. Type: command.com Hit enter
4. Type: CD\progra~1\GNU\GnuPG Hit enter
5. Type: gpg --gen-key Hit enter
6. Now just follow the steps to generate a 4096 bit key
use defaults for anything you don't understand (1) DSA and Elgamal
and obviously use false info, don't even tie it to a real email address you use.
7. Now this key will be in your "keyring"

OK, that's nice, but why do you want a bigger key? The bigger the key, the harder it would be to ever crack it. Some day computers will crack these keys with ease, with a 2048 bit key, maybe that will be in ten years, with a 4096 bit key, maybe that will be 15 years, with an 8192 bit key, maybe it will be twenty years. Maybe it will be sooner. Better safe than sorry, which is the whole point of these instructionals and soon the operating system itself. Regardless what you are talking about, nobody should be able to just record everything you're saying just because they feel like it. Now if someone out there is into dark and horrible things, and they use this to facilitate that, well what can I say besides that I hope they get mauled by bears, genitalia first, but they'd have figured out encryption measures with or without my help.

To manually back up your keyring (or if you want to wipe it out from a given computer) you can find the file under the folder C:\Documents and Settings\[your username]\Application Data\gnupg\" and the files are pubring.gpg and secring.gpg as well as the corresponding .bak backup files.

For those who are the most security conscious, you should even use different usernames and different servers to talk to different people. I mean, it would be fine to have one username where people could reach you, but after that you should take the conversation to a different username and server. And insist that the other person do the same.

Some further instructionals on the agenda will be:
- Strong password generation and other means of authentication
- Full disk hard drive encryption (protects your data in case drive is taken)
- Volume based encryption for storing files when not in use (protects your data from hackers who get onto your system while you are logged in)
- Anonymization of your internet connection
- Securing the contents of your internet activity
- Safely sending and receiving email
- Secure VOIP (telephone calls)
etc.

Or just wait until I get the whole Secure Operating System done, and use that.

--------------------

For now this only encrypts your communications with people who are using each other's public keys to encrypt, and the corresponding private keys to decrypt.

It doesn't work for AIM, but Psi works like AIM, except that it is encrypted. The encryption AIM uses is trivial by comparison.

As far as encrypting everything you do on the web, like surfing, well, that's an impossibility. The goal there is to anonymize your connection, so they can't tell who is doing what they see being done (or rather, they can't prove it). If you are connected to a site by SSL (i.e. the webpage looks like https://___) then the information going back and forth is encrypted and secure (as long as the person on the other end doesn't share it). Beyond that, if you connect to, say, this board, everything you do is clear-text, someone watching could intercept your username and password, and go from there (which at that point would kind of diminish the value of an encrypted PM).

I forgot to mention, everyone should make their passwords like an argument with their "significant other", i.e. long and difficult :p But unlike your SO, you should change your passwords often, even twice a week depending how paranoid you are. If you aren't worried about it, just let me put this into perspective for you: I could Google up a hacker service and offer them $200 to get me into your email (or whatever), the cash payable for the password upon receipt of a screenshot of your inbox.

"So wise the **** up" - this has been a public service announcement.

** UPDATE / NOTICE **
Make sure that your computer or your network is not named "My Real Name"

Otherwise, when you are using Psi, at the top of your chat window it will look like:
[Nickname] <[Nickname@server.net]/[Your Real Name]>

This would not be prudent when you are trying to secure and anonymize your connection. On the other hand, you could always put in a fake name, and so this could prove useful.

So if at some point when you were setting up your computer you used your real name, check to make sure you aren't going to make this mistake. Set up two accounts, and try talking to yourself. See what it shows.

Here's a pictorial and text representation of the state of your communication without Psi:
http://www.pimpwiz.com/uploaded_images/slowpoke-713389.jpg
"Ahhmm, steeeeel hawwwwwwwngreeee"


With Psi:
http://www.familycourtchronicles.com/people/gonzalez/speedy-gonzalez-loves-cheese.jpg

If you can read English, you can install it. Period. If you want to understand it, you can, if computers give you a headache, that's OK, you don' need to understand it, just do it. It works.

Great post, thanks!

excellent post sir.

whats a hexidecimal password? also do u need firefox? as i currently dont have that on this computer

whats a hexidecimal password?I didn't say anything about that.

also do u need firefox? as i currently dont have that on this computerIf you want to use FireGPG in order to easily GPG encrypt and decrypt text in its editor, then yes. Firefox is also a much better and safer browser in general. If you insist on using Internet Explorer, you can still use GPG, but you'll have to find a different program to do your encryption and decryption in.

Awesome post and easy as pie to set up....mcuh thanks Strat!

Nice post, its actually a lot easier than I initially thought.

I just signed up for it, it's a little bit of a bitch but when its done its well worth it.

when i try to get my keys i get a blank box then when i close it it says unexpected error please help

when i try to get my keys i get a blank box then when i close it it says unexpected error please helpYou'll have to be more specific. When you try to get your keys in what? Cryptophane? FireGPG? Psi? Mac? Windows?

If it isn't letting you put in your key for Psi, you have to download and use that file I included above. That's the most common problem people have had, which is why I included it.

it's in FireGPG problem loading keys

You can just use Cryptophane for both exporting and importing keys, if FireGPG is causing problems.

thanks my brother;)

I just use Skype!

what are your thoughts on these 2 items bud?With dCipherMAIL, it sounds nice and fine, but the fundamental question is whether it is designed so that there is no way on earth that the designers of the product could retrieve the secret keys that they have stored in the mail system. The answer has to be no, so it cannot be considered safe. They can be compelled to do what they are capable of doing, namely, of compromising the security of their system. Same thing as with Hushmail.

SecExMail also looks nice, but they explain public key architecture and then say "SecExMail does all this for you." OK, fine, but can it be proven that they never have access to the private keys? From their website it doesn't seem so. If not, it is as vulnerable - which means as useless - as Hushmail. I'll have to check through it again, but they didn't seem to provide even any claim that the private keys are kept absolutely private. A single license of the normal version costs $40, but this version lacks some of the security features. The corporate version costs $50 and can only be bought for 20 users at a minimum ($1000).

Perhaps their Offshoremailroom.com is worth looking into. It is $6 per month, or $50 a year. Could they be compelled to hand over private keys? That's the question.

Thanks for the great info, as always, StrategOs!

This is surprisingly easy to install and use. Thanks Strat, this stuff rocks.

just experimenting with pgp now, looks interesting.

ok, so this psi program works like an encryted AIM?
If anyone is interested PGP Desktop Professional can encrypt AIM with PGP, i posted a torrent for it in the "don't use safemail" thread.

How do we add pgp to safemail?

How do we add pgp to safemail?

You print your message in the text editor, assign and encrypt it, then copy/paste into the body of your email. The only one who can then decrypt it is the one you assigned it to, because you used THEIR public key to encrypt it.

So what's the difference between the pgp desktop program, and the gnupg program listed in the first post?

The genuine PGP has a government-owned backdoor in the later versions.

That is why GnuPG is the *ONLY* way to go PKI.

Solid post. great tutorial. Effortless to install/configure.

thanks

.

this is an excellent way to secure your e-mails! benn using this for a while now and love it!

Bump. Figured it was worth a bump considering the fishy business happening with safemail.

.

i did this once before, now i dont know what the **** im doing..

PGP CANT EXPORT PUBLIC KEY (Unable to access the public bla bla bal)

so i tried what was suggested just using cryptophane...so i wne to file, expoert public key..then it save to file....no what the hell...send the file to recipient??

confused here....

phats

edit.. i unclicked the save box and it showed all the highlighted mumbo jumbo...is that it..
?

fack..cant even enrypt...

fack..cant even enrypt...



Im having this problem was there ever a solution ??

Im having this problem was there ever a solution ??

Something about the path of the executable for gnupg that needs to be put somewhere... I forget where exactly though... I think Strateg0s explained it somewhere before going scammer and vanishing. Guy knew his privacy stuff for sure, though.

EDIT: I think I found it.

Using regedit (registry editor) make sure you have this value right:
[HKEY_CURRENT_USER\SOFTWARE\GNU\GnuPG]
"gpgProgram"="C:\\Program Files\\GNU\\GnuPG\\gpg.exe"

Of course, if your gpg program isn't C:\Program Files\GNU\GnuPG\gpg.exe then you have to modify this registry key to point to the right program.

I think that's it... Not sure, coz it has always worked for me without needing to do any of that...

i did this once before, now i dont know what the **** im doing.. PGP CANT EXPORT PUBLIC KEY (Unable to access the public bla bla bal)
If you are unable to export your public key it's easier to just delete that one and generate a new keyset. If you haven't used GPG in a while you may want to reinstall WinPt and start new. Many or most of the public keys on your keyring are probably no longer valid anyway. If you want I can walk you through it via IM...just hit me up.