The Hardyville Beginners
Guide to Encrypt**n
(Quick! Easy! Ticks off tyrants! Do it now!)
By Claire Wolfe
February 15, 2004
In a place where a hard drive means the road home was icy and RAM is a boy sheep, you wouldn't expect to find a lot of experts in e-mail encryption.
Well, you won't. Find experts, that is. In Hardyville.
What you will find is a lot of ordinary, privacy-minded folk who took an hour or so to download, install, and learn to use e-mail encryption programs. These folks are NOT supergeeks. Just ordinary working people who understand it's worthwhile to keep their e-mails from being casually ECHELONed or Carnivored by other-peoples'-business minders.
Merely by passing through your ISP or swooping around through the ether, your e-mail messages can be read by anybody with the technology to grab them. The FBI now requires ISPs to make their systems "snoop ready." If the feds are after some bad guy who uses your ISP, they'll simply scoop up everybody's mail. Every customer of that ISP becomes a target for investigation. That's Carnivore. ECHELON is worse than that because it scoops up just about every electronic communication, everywhere in the world and scans for "suspicious" keywords.
If you say the movie you saw last night was a "bomb," they may tag you. If you write that your boss has an "explosive" temper ... watch out. The snoopoids will catch you talking about your favorite firearms, the trade secrets of your business, your belief that some eejit politician "ought to be taken out and shot," and your romantic weekend plans. Somebody might even snag your secret recipe for chocolate coconut macaroons.
We all need to put a stop to this nonsense, geek and non-geek alike. And we can -- easily.
That's why The Hardy County Committee On Making Life Miserable for Tyrants has produced The Hardyville Beginners Guide to Encrypt**n. Because e-mail privacy isn't just for geeks. It's for anybody with good sense.
Have you got just one spare hour? Do yourself a favor. If you don't already encrypt e-mail, print out this column -- right now -- and install and start using PGP.
PGP stands for Pretty Good Privacy. It's the most common public-key encryption system. Don't be spooked by all the geek speak you may have read. The main thing to know is that PGP is not hard to use.
When you install PGP, you'll automatically create a secret key for your own use and a public key to share with others. The secret key lets you encrypt messages to friends and decrypt messages they send to you. You distribute your public key to others, so they can encrypt messages to you.
The First Thing You Need: A Friend
The first thing you need is another person to exchange encrypted messages with. If you don't already know someone who uses encryption, go to The Claire Files forums, where Debra the web mom has opened up a new PGP section especially for you to come in and ask encryption questions. Several people have already volunteered to be PGP coaches and exchange test messages with you.
Once you're ready to exchange messages in privacy, one of those volunteers, Chris, will even reveal the secret of his (or is it her?) tattoo.
The Second Thing You Need: A Free Copy Of PGP
These instructions are for Windows users (you guys with other operating systems are used to figuring things out for yourself).
1. Go to this site. (Go ahead; we'll wait.)
2. Choose Windows 95/98/NT. Select that option even if you have Windows XP!
3. Choose PGP version 6.5.8. (Yes, there's a reason you probably don't want later versions. See the note at the bottom of this article.)
4. Then click "Download PGP 6.5.8." (Don't choose the source code or the command line versions.). A page comes up that lets you download from a variety of sites. Most of them are in Europe. Don't worry about it. Just pick one. The download will take anywhere from one minute to 45 minutes, depending on the speed of your connection.
This will place a file called PGPFW658Win32.zip on your computer. Save that file in any temporary directory you wish.
If the Download Dialog box remained open after the download was completed, just click "Open" to unzip the file. If the Download Dialog box closed, no problem. Go to the directory where you stored the download and doubleclick on the file.
To do this you must have the WinZip utility. The free evaluation version of WinZip works fine and might have come pre-installed on your computer.
From the moment you click to unzip, Windows' wizard will guide you smoothly through the installation process. Just use all the default choices the wizard presents.
Creating Your Keys
During installation, you'll be asked to create your own public and secret encryption keys and choose a passphrase. The PGP progam itself will "wizard" you through the process of key creation. Again, just use the default choices. The only exception might be when the program asks what size key you want. If you have a typical, fast, modern computer, choose the biggest key.
Remember, the secret key and the passphrase are yours and yours alone. The public key you'll give to people to enable them to encrypt messages to you.
The one big trick -- and it's not difficult, just tricky -- is to create a passphrase that's nearly impossible for anyone else to guess, but easy for you to remember. You'll find some good ideas about password creation in this discussion thread. Don't get lazy and use your birth date or your dog's name. An unguessable passphrase is extremely important.
Never, ever share that passphrase with anybody. Memorize it. Don't even write it down.
Now, get a friend to e-mail you their public key. If you don't have a PGP-ready friend, remember those volunteers who're waiting to help.
Different mail programs -- Outlook, Outlook Express, and Eudora, for instance -- all handle PGP slightly differently. What we'll describe here is a mostly-universal method that works in Windows. Once you get going, you might find even easier ways of handling PGP through your mail reader.
1. Click on the Start menu, then Programs, then PGP. You'll see a menu of options. Choose PGP Keys. This will show you all the public keys that you currently have access to, plus your own private key. You need to import your friend's key into this list.
2A. If your friend sent you his key as an attachment (usually called "public_key.asc" or something similar), save that attachment as a file. You'll probably want to change the name to something like "Bills_key.asc" or "Jennifers_key.asc."
2B. If your friend pasted his key directly into an e-mail, you'll see a bunch of gobbledegook when you open that message. Copy all that gobbledegook, starting with
-----BEGIN PGP PUBLIC KEY BLOCK-----
and ending with
-----END PGP PUBLIC KEY BLOCK-----
and paste it into Notepad. Choose FILE - SAVE AS and save the key file to wherever it's convenient.
3. Now, go back to your PGP key list. Choose KEYS -- IMPORT -- and select the key file that you saved. Voila! It's imported. You can now encrypt email using for that key.
4. But wait! Your friend also needs your key before he can answer your message. Go back to your key list. Find your name. Right-click on it and choose Export. The file name will be your name followed by ".asc." (Make sure you don't select the checkmark that says "Include Private Key(s)" -- all they need is the default public key.) Click save. Now send your friend that key. He can import it into his key list.
5. Next time you open up Microsoft Outlook or Outlook Express, click on "Tools." You'll find PGP there and can choose your user options. (Most of the pre-selected options are good -- especially the one that asks if you want to encrypt all messages to yourself, as well as to the recipient; if you don't encrypt to yourself, you'll never even be able to read your own messages after they're encrypted!)
6. To compose an e-mail in PGP, create a new message as you normally would. You'll notice, though, that along your toolbar is a new icon for "Encrypt (PGP)." (This is in Outlook Express; other programs will have something similar.) Compose your message, click that icon, then click to send your message. Your key list will pop up. From the top box, you can select the name of the person(s) you want to encrypt the message for. PGP might already have selected the key for you, if it found a key with an e-mail address that matched the one you're sending to. Selected keys are moved into the bottom box.
7. Once you've chosen the recipients' keys, PGP will ask you for your passphrase. Give it, click ... and you're done!
More Good Stuff
You can do other things with PGP -- like electronically sign documents or encrypt your document files. There are some security refinements you should also look into at some point (for instance, ways of verifying that your friend's key really does belong to your friend). But that can wait. You're already started.
Some people end up like Miss Fitz, the Hardyville schoolmarm, who tried a non-PGP encryption method a while back and now blushes, "I didn't really figure out how to work it, and I didn't have anyone to send messages back and forth with...and then I misplaced the scrap of paper that I'd written my complicated random password on. I wouldn't make a good secret agent..."
But with an hour to begin and a little persistence, we can all be "secret agents" in our own little way. Or rather, counteragents, protecting our private data from snoops and spies.
Just exchange keys with more and more friends ... and help more newbies take the leap to PGP. And pretty soon ... it'll be a movement. The supersnoops of the world will be tearing their hair out because your cookie recipes -- and everything else you say -- is now enclosed in a nice, private envelope instead of being figuratively written on the back of a postcard for all the world to read.
NOTE ON LATER VERSIONS OF PGP: Version 6.5.8, which you installed here, is freeware. It should be fully functional on your computer with no license fees or registration required. Versions 8.0 and later are deliberately crippled. They'll encrypt files, but won't interface with Outlook, Outlook Express, or Eudora unless you pay a $50 licence fee. Although 8.0 is the first version specifically designed to work with Windows XP, my resident tech expert, Debra Ricketts, says 6.5.8. works fine with XP. She also warns that installing any 7.X version of PGP on Windows XP could result in major problems that might cause you to have to re-install your operating system. So beware.
Thanks once again to the members of The Claire Files forums for help and advice.
Please address comments regarding this page to editor[at]backwoodshome.com. Comments may appear in the "Letters" section of Backwoods Home Magazine. Although every email is read, busy schedules generally do not permit personal responses.