PGP (Pretty Good Privacy): Part 2

by Dan Butler

Whether it's data on your hard drive or email you are sending, your data is important. I recommended PGP in my last article. If you haven't downloaded PGP yet, I think you should download it and start using it immediately. If you missed the first part of the PGP article you'll want to read it here:
http://www.TheNakedPC.com/t/418/tr.cgi?dan1

Why should you download and *use* PGP? To me the key to the whole encryption puzzle is to use the software in your daily activities. That way you remember your passphrase and learn the techniques. One of the reasons I recommend PGP is its flexibility. You don't just use it for email; you can also encrypt your important financial files, notes you really don't want others to read, spreadsheets with important numbers in them, and so on. Whatever you want to encrypt, you have an easy way to do it, and you only need to remember one passphrase to get to any of your data.

Several questions came up frequently after my last article. Here are some of them with the answers.

Q: Does the recipient of your encrypted email need PGP to read it?
A: Yes. You can't encrypt an email to someone without their public key, and if you have that you can be sure they already have PGP installed. A way around this is to create a Self-Decrypting Archive of the information you want to send. Save the information to a file, then locate it in Windows Explorer. From the File menu choose PGP, Encrypt, then tick the Self Decrypting Archive box. Attach the resulting file to an email and give your recipient the passphrase over the phone or some other channel separate from the email itself; if the passphrase travels in the same message, anyone who can read the message can also open the archive.

Q: Is PGP really free?
A: Yes, for personal use. If you want to use it for business purposes you need to buy a copy. Buy it at Amazon:
http://www.TheNakedPC.com/t/418/tr.cgi?dan2

Q: What happens if I forget my passphrase?
A: If you forget your passphrase or lose your private key you will not be able to access your encrypted data. I'm serious. The passphrase unlocks your private key, and the private key is the only thing that can decrypt data encrypted to you; there is no recovery mechanism, for you or for anyone else, that gets around needing both. So make good backups of both. I keep a floppy with my private key in my safe deposit box.

Q: Aren't certificates easier to use?
A: I'm not sure if they are easier to use or not. An email certificate (S/MIME) functions much like a key. You get them from VeriSign (among others) and they have time limits. At various times you can get a certificate free for one year. While this sounds good, what are you going to do when the year runs out? Once the certificate expires your mail program may refuse to keep using it, and unless you have kept the certificate and its private key you can no longer decrypt the mail that was encrypted to it. Certificates only work seamlessly with a few mail programs (Outlook, Outlook Express, and Netscape for instance). Since both you and your recipient need mail programs that support certificates, this drastically cuts into their usefulness. Certificates don't offer you an easy way to secure other data on your system either. PGP gives you an easy way to encrypt any data you have.

Q: How do I send my public key to someone else?
A: Open PGPkeys, right-click on the key you want to send, and choose Copy. Go to your email program and paste the data into a message. Now send the key to anyone you want. They then copy what you sent and paste it into PGPkeys. Before they trust the key, they should compare its fingerprint (shown in the key's properties in PGPkeys) with you over the phone: email can be intercepted or altered on the way, and anyone can generate a key carrying your name and address.

Q: Is GnuPG the same as PGP?
A: No. GnuPG, the GNU Privacy Guard, is an open-source encryption program designed to be compatible with PGP. It came about when NAI, the outfit that markets PGP, stopped releasing the full source code for PGP. That, combined with Phil Zimmermann, PGP's author, leaving NAI, has some people worried that there could be a "back door" programmed into PGP for law enforcement purposes. Phil Zimmermann says that as of version 7.0.3 there are no back doors; that is the final version he watched over before leaving. GnuPG still has its full source code published; however, it is still operated from the command line. That should change in the future. If you aren't into hacking around on code I would leave GnuPG alone for now and stick with PGP. Find more info on GnuPG here:
http://www.TheNakedPC.com/t/418/tr.cgi?dan3

Q: What does an encrypted file look like?
A: You can see a PGP encrypted version of this article here:
http://www.TheNakedPC.com/t/418/tr.cgi?dan4
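Added example, covering the two questions above (sending a key by pasting it into an email, and what an encrypted file looks like as text). This is not code from the article, from PGP or from GnuPG; it is a small Python parser for the ASCII-armored text that PGP produces when you copy a key out of PGPkeys or save an encrypted file as text. It shows the shape of such a block (BEGIN line, optional headers, base64 body, a "=" line carrying a CRC-24 of the data, END line) and checks that CRC-24, which is what lets the receiving side notice a key or message damaged by a mail program before importing it. The CRC routine follows RFC 4880 section 6.1; the sample payload, the "Comment" header and the simulated damage are constructed for the demo.

```python
"""Parse and check an OpenPGP ASCII-armored block (RFC 4880, section 6).

Armor is the text form you paste into an email when you send a public key
or an encrypted file as text: a BEGIN line, optional "Key: value" headers,
a blank line, base64 data wrapped into short lines, a "=XXXX" line carrying
a CRC-24 of the raw data, and an END line.  The checksum lets the receiving
side notice transport damage (a wrapped, dropped or altered line) before it
imports a key or tries to decrypt.
"""
import base64
import re

# Constants from RFC 4880 section 6.1
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
BEGIN_RE = re.compile(r"^-----BEGIN PGP ([A-Z0-9 ,/]+)-----$")


class ArmorError(ValueError):
    """Raised when an armored block is malformed or fails its CRC-24 check."""


def crc24(data):
    """CRC-24 computed exactly as the reference routine in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(block_type, data, headers=None):
    """Wrap raw OpenPGP data in armor: base64 body at 64 columns plus a CRC-24 trailer."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [f"-----BEGIN PGP {block_type}-----"]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    lines.append("")  # blank line separates headers from the body
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii"))
    lines.append(f"-----END PGP {block_type}-----")
    return "\n".join(lines) + "\n"


def dearmor(text):
    """Parse an armored block and return (block_type, headers, data).

    Raises ArmorError for a missing BEGIN/END line, a bad header line,
    invalid base64, a missing CRC line, or a CRC-24 mismatch.
    """
    it = iter(text.replace("\r\n", "\n").split("\n"))
    block_type = None
    for line in it:
        m = BEGIN_RE.match(line)
        if m:
            block_type = m.group(1)
            break
    if block_type is None:
        raise ArmorError("no BEGIN PGP line found")
    headers = {}
    for line in it:  # headers run until the first blank line
        if line.strip() == "":
            break
        if ":" not in line:
            raise ArmorError(f"malformed armor header line: {line!r}")
        key, value = line.split(":", 1)
        headers[key.strip()] = value.strip()
    body, crc_field = [], None
    for line in it:
        if line == f"-----END PGP {block_type}-----":
            break
        if line.startswith("="):  # base64 body lines never start with '='
            crc_field = line[1:].strip()
        else:
            body.append(line.strip())
    else:
        raise ArmorError("no matching END PGP line")
    try:
        data = base64.b64decode("".join(body), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ArmorError(f"invalid base64 in armor body: {exc}") from exc
    if crc_field is None:
        raise ArmorError("missing CRC-24 trailer (required by RFC 4880)")
    try:
        stated = int.from_bytes(base64.b64decode(crc_field, validate=True), "big")
    except ValueError as exc:
        raise ArmorError(f"invalid CRC-24 trailer: {exc}") from exc
    computed = crc24(data)
    if stated != computed:
        raise ArmorError(f"CRC-24 mismatch: trailer says {stated:06X}, data gives {computed:06X}")
    return block_type, headers, data


def armor_is_intact(text):
    """True if the block parses and its CRC-24 matches, False otherwise."""
    try:
        dearmor(text)
        return True
    except ArmorError:
        return False


def simulate_mail_damage(armored):
    """Constructed fault for the demo: alter one character in the first base64
    body line, the kind of damage a mail program or a sloppy copy-and-paste causes.
    A single changed character is a burst of at most 6 bits, which CRC-24 always catches."""
    lines = armored.split("\n")
    first_body = lines.index("") + 1  # body begins right after the blank line
    line = lines[first_body]
    replacement = "A" if line[10] != "A" else "B"
    lines[first_body] = line[:10] + replacement + line[11:]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed stand-in for the binary bytes of an exported key or an encrypted file.
    payload = bytes(range(256)) * 2
    text = armor("PUBLIC KEY BLOCK", payload, {"Comment": "example"})
    print(text)
    print("clean copy intact:", armor_is_intact(text))
    print("damaged copy intact:", armor_is_intact(simulate_mail_damage(text)))
```

The CRC only tells you the text survived the trip; it says nothing about who made the key. That is why the fingerprint comparison over the phone still matters after a clean import.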

There were more but these get to the heart of the issue. If you use encryption, use something that works for all your applications and not just a few. By using your encryption program regularly you'll be familiar with the procedure and less likely to forget something important--like your passphrase!