Saturday, June 7, 2008

PGP Signing and Encrypting Emails

In our company, we use PGP to sign or sometimes encrypt emails due to the agreement with customers who demand high security. However, as for my personal mails, I have never put PGP into the equation.

So I spent some time in the afternoon setting up PGP for my personal accounts (and got the chance to play around with revocation too). I also set up Enigmail, a Thunderbird extension for managing PGP keys and the mail you use them with. As a Linux user, I actually use GnuPG more (and it works; I'm not sure why uploading keys to the MIT server failed a few times from my browser and Enigmail). Here are the commands to share, for GnuPG and its OpenPGP support:
gpg --gen-key
gpg --export yuenchi.lian@gmail.com > yuenchi.lian@gmail.com.public.gpg
gpg --export-secret-keys yuenchi.lian@gmail.com > yuenchi.lian@gmail.com.private.gpg
gpg --armor --export yuenchi.lian@gmail.com > yuenchi.lian@gmail.com.pub.pgp
gpg --armor --export-secret-keys yuenchi.lian@gmail.com > yuenchi.lian@gmail.com.sec.pgp
gpg --armor -a --export yuenchi.lian@gmail.com > yuenchi.lian@gmail.com.pub.pgp.asc
gpg --armor -a --export-secret-keys yuenchi.lian@gmail.com > yuenchi.lian@gmail.com.sec.pgp.asc

Remember to protect these files, e.g. chmod 700 *.
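
An added example, not part of the original post: a Python check to run over the exported files before backing them up or publishing one. It reads the first OpenPGP packet tag to tell a secret key from a public one, verifies the CRC-24 line of armored exports, and flags secret keys that are readable by others or sit in a file named like the public exports above. The function names and the "pub" file-name heuristic are assumptions of this example, and the sample bytes are constructed, not a real key.

```python
import base64, os, tempfile
from pathlib import Path

def crc24(data):
    """CRC-24 of the ASCII armor checksum line (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text):
    """Return (payload, crc_ok); crc_ok is None when there is no checksum line."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = [l for l in lines[1:-1] if l and ": " not in l]  # drop armor headers
    check = body.pop()[1:] if body and body[-1].startswith("=") else None
    payload = base64.b64decode("".join(body))
    ok = None if check is None else base64.b64decode(check) == crc24(payload).to_bytes(3, "big")
    return payload, ok

def key_kind(payload):
    """Classify by the first OpenPGP packet tag: 5 = secret key, 6 = public key."""
    first = payload[0] if payload else 0
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return {5: "secret", 6: "public"}.get(tag, "other") if first & 0x80 else "other"

def audit(path):
    """List the problems found in one exported key file (binary or armored)."""
    raw, crc_ok = Path(path).read_bytes(), None
    if raw.lstrip().startswith(b"-----BEGIN PGP"):
        raw, crc_ok = dearmor(raw.decode("ascii"))
    kind, problems = key_kind(raw), []
    if crc_ok is False:
        problems.append("armor checksum mismatch")
    if kind == "secret" and os.stat(path).st_mode & 0o077:
        problems.append("secret key readable by group or others")
    if kind == "secret" and "pub" in Path(path).name:  # heuristic: page's naming
        problems.append("secret key in a file named as public")
    return problems

def make_armor(label, payload):
    """Build an armored block; used only to construct the sample input."""
    parts = [base64.b64encode(x).decode() for x in (payload, crc24(payload).to_bytes(3, "big"))]
    return "-----BEGIN PGP {0}-----\n\n{1}\n={2}\n-----END PGP {0}-----\n".format(label, *parts)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample, not a real key
        p = Path(d, "me@example.com.pub.pgp")
        p.write_text(make_armor("PRIVATE KEY BLOCK", b"\x95\x01\x02" + bytes(20)))
        print(audit(p))
```

An empty list from audit() means none of the three problems was found in that file.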

I will be digitally signing my emails from now on anyway and, whenever necessary, encrypting them. Here is my public key for yuenchi.lian@gmail.com, which you can also find on the MIT key server:

I have a question: where would be the best place to store my private keys? I actually had them packed in a protected zip and sent over the wire to somewhere. The sites returned by Google suggest doing a paper or disk backup.

Now if everyone in this world uses PGP and applications are built with its support, will people still be victims of phishing?

- yc
