PGP

From Noisebridge

PGP public-key encryption is an important tool for private communication and many Noisebridgers use it. The Noisebridgers on our list of PGP key users would be happy to do a signing with you if you find them in the space. Please add yourself to the list if you'd like to do this too. Key signings could happen after our Tuesday meetings.

PGP is an open standard for encrypted and authenticated communications using computers. You can use PGP to make sure your communications and data can't be decoded in transit across the internet or on disk by anyone except the intended recipient. Another feature of PGP is that messages that you sign with your private key can be mathematically proven to have come from you (because only you possess your private key).

Some people believe that all communications (including email) should be encrypted with PGP, but if you want to send a message to someone with PGP you need their public key. People who use PGP want their public key to be widely known, so they post them online on keyservers. They include the "fingerprint" of their public key (like 1AEF90F4) on their business card and in emails, so you can confirm that the public key you have for them is the right one.

If someone sends a plaintext message to the world, they can paste an authentication signature at the end of the message. A person reading the plaintext message can check the signature and the plaintext (together) against the public key of the person who claims to have sent the message. If the signature matches their public key, then it is proof that only that person could possibly have made that message.

If you want to use PGP, you need software. A web application for this task would defeat the purpose, since you would be trusting a webpage with your private key, so this software has to run on your own computer. The following programs are recommended depending on your operating system:

  • Linux - GPG, the GNU Privacy Guard [1]
  • macOS (OS X) - GPG works on macOS just like it does on Linux
  • Windows - Gpg4win (GNU Privacy Guard for Windows), which is Free Software [2]

Before you can do anything you must create your key pair - a private key for you, and a public key that you share with everyone else. You can also tell people the "fingerprint" of your public key (like 1AEF90F4) on business cards and email so people can be sure they have the right public key for you.
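The fingerprint check mentioned here and in the earlier paragraph on keyservers, as an added Python example (not Noisebridge's or GnuPG's code): it derives the version 4 fingerprint from a public-key packet body and compares it with a value printed on a card or in an email. An 8-digit value like the ones on this page is a short key ID, which for version 4 keys is the last 32 bits of the 40-digit fingerprint, so the check reports that case separately. The sample key and all function names are constructed for illustration.

```python
import hashlib
import struct

# Constructed sample values: a toy RSA public key, not a real or usable one.
SAMPLE_CREATED = 1300000000
SAMPLE_N = (2**127 - 1) * (2**89 - 1)
SAMPLE_E = 65537


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Version 4 public-key packet body: version, creation time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """V4 fingerprint (RFC 4880, 12.2): SHA-1 of 0x99, 2-byte body length, body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize(claimed: str) -> str:
    """Drop whitespace and an optional 0x prefix; reject anything that is not hex."""
    text = "".join(claimed.split()).upper()
    text = text[2:] if text.startswith("0X") else text
    if not text or set(text) - set("0123456789ABCDEF"):
        raise ValueError("not a hexadecimal value")
    return text


def confirm_key(body: bytes, claimed: str) -> str:
    """Check a printed value against the key you actually received."""
    want, have = normalize(claimed), fingerprint(body)
    if len(want) == 40:
        return "match" if want == have else "mismatch"
    if len(want) in (8, 16):
        # Only the last 32 or 64 bits were compared, not the whole fingerprint.
        return "key-id-only" if have.endswith(want) else "mismatch"
    raise ValueError("expected 8, 16 or 40 hex digits")


if __name__ == "__main__":
    key = rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
    fp = fingerprint(key)
    print("fingerprint:", " ".join(fp[i:i + 4] for i in range(0, 40, 4)))
    print("short key ID:", fp[-8:], "->", confirm_key(key, fp[-8:]))
```

Treat a "key-id-only" result as a prompt to ask for the full 40-digit fingerprint before signing or trusting the key.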

Your private key will be protected by a long passphrase. If someone finds your passphrase, they can access your private key and decrypt messages sent to you, as well as pretend to be you. Thus you should be extremely careful to never copy or write down your passphrase. Also, if you forget your passphrase, you are completely out of luck and should just go cry.

After creating your key pair, you should generate a key revocation certificate (http://www.pgp.net/pgpnet/pgp-faq/pgp-faq-key-revocation.html) so that you can declare your public key void if your private key is compromised. You should also back up your public and private keys.

For more info on PGP, see http://www.pgpi.org/doc/pgpintro/.

  • rubin110 - 1AEF90F4 - key
  • saizai - D6D408A9 - key
  • Michiexile/DrSyzygy - C07CCCCD - key
  • User:Glen Jarvis - 42CE11B6 - key (could someone help me test?)
  • Rachel - but I have to figure out again how all this shit works, I have a key Somewhere, blah blah
  • jof - 0x8F8CAD3D - Key is on my user page
  • Schoen - 9C7DD150 - key
  • Filip - Need to dig up and dust off, but interested in getting some networking going. Discuss infrastructure? Could we get a six-degrees/small-world thing going via other hackerspaces?
  • Danny - 0xA3FDE45E [3]
  • mrdomino - Need to find some more bits first
  • Tom - 80AF07D3 - Happy to sign keys any time, just catch me on email/IM or in the space.
  • Yan - FAC78CF7 key - Embarrassingly lost my old key when I was young and reckless, and this one has no signatures.
  • Ari - 5EE3ED34 - look here
  • redondos - gpg --keyserver pgp.mit.edu --search-keys CDB98F72
  • Patrick - 31FE4222 [4]