Good digital security inevitably requires some hassle, but the size of that
headache is really up to you. If you’re someone who wants to go all out with
64-character passwords, no Facebook account, and a second laptop that never
connects to the Internet, because it houses all your deep, dark secrets, well,
this guide is not for you.
This is a guide for practical folks. People who want a healthy amount of PC
security (perhaps motivated by ongoing revelations about the National
Security Agency and its surveillance activities), but with a minimum of
hassles such as dealing with key fobs for two-factor authentication, juggling
complicated passwords, and setting up email encryption. We can’t promise you a
completely pain-free experience, but we will show you how to get up and running
with a pretty good security setup that keeps your passwords, email, hard drive
and sensitive USB drives as secure as possible without going
overboard.
A strong password is the first, best line of defense
Good computer security and privacy begins with strong passwords. Sure, there
are serious criticisms about how online
services use passwords, and Apple may be trying to take biometrics
mainstream with TouchID
on the iPhone 5s, but for now passwords are still the best solution we have for keeping
third parties away from our data.
The problem with passwords is that they should be random, unique to each site, and
relatively long to be of any use, and nobody can memorize dozens of strings like
that. That’s where password managers come in: These programs generate random
passwords for you and store them in an encrypted database, so you only have to
memorize one strong master passphrase (and perhaps a couple of others) instead of
dozens.
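As an added example (not from the original article, and not code from KeePass or LastPass), here is what “random, unique, and relatively long” looks like in numbers. The generator draws from the operating system’s cryptographic random source through Python’s secrets module, the way a password manager does, and the entropy function shows why ten random printable characters (about 65 bits) or six words from a large word list (about 78 bits) are out of reach of brute force while a memorable human-chosen password is not. The eight-word list and the guess rate of ten billion per second are constructed assumptions for illustration.

```python
"""Random passwords and passphrases from a CSPRNG, with their entropy in bits."""
import math
import secrets
import string

# Constructed stand-in for a real word list. A real one (e.g. the 7776-word
# EFF list) gives ~12.9 bits per word; this eight-word list gives only 3.
SAMPLE_WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor"]

# Printable ASCII minus space: 94 symbols, ~6.55 bits each when chosen uniformly.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently from
    `alphabet_size` choices. This only holds for truly random selection; a
    human-chosen "P@ssw0rd!" has nothing like the 59 bits this would report."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Uniformly random password. secrets.choice is backed by os.urandom; the
    random module's choice() is a predictable PRNG and must never be used here."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: list, count: int = 6, separator: str = "-") -> str:
    """Diceware-style passphrase: `count` words drawn uniformly from `words`."""
    if count < 1:
        raise ValueError("count must be positive")
    return separator.join(secrets.choice(words) for _ in range(count))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years for an attacker making `guesses_per_second` offline guesses to try
    every possibility (the expected time to success is half of this). The
    default rate is an assumed figure for a GPU rig against a fast hash."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    ten_chars = entropy_bits(len(FULL_ALPHABET), 10)
    print(random_password(10), f"{ten_chars:.1f} bits,",
          f"{years_to_exhaust(ten_chars):.0f} years to exhaust at 1e10 guesses/s")
    print(random_passphrase(SAMPLE_WORDS), f"{entropy_bits(len(SAMPLE_WORDS), 6):.1f} bits (tiny list)")
    print(f"{entropy_bits(7776, 6):.1f} bits for six words from a 7776-word list")
```

Swap in a real word list for SAMPLE_WORDS before using random_passphrase for anything that matters; the entropy figure is only as good as the list is long and the selection is uniform.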
KeePass and
LastPass are both good, free password managers that are worth your time. KeePass
is popular because it’s open-source, and it has a few nice features, like
auto-type obfuscation (which makes it harder for a keylogger to capture the
passwords it types for you) and secure notes.
The problem with KeePass, however, is that it doesn’t have an online
component to sync passwords across devices. That means you’d have to create a
cloud sync setup yourself using Dropbox or another cloud storage service. You
can read more about how to do that with our look at the third-party utility Dropbox
Folder Sync, or by perusing the KeePass plugins library. The database file is
encrypted with your master password, so the sync provider only ever sees
ciphertext, but that makes the strength of that one master password all the more
important.
Another good alternative—and my personal favorite—is LastPass. Like KeePass,
LastPass offers password generation and encrypted notes, but it also syncs your
encrypted password database to the cloud so you can access it across multiple
devices.
LastPass is available as a free browser plug-in, and you can also use the
LastPass mobile app for $12 per year. Read all the technical details on the LastPass
website.
Password managers are a relatively personal choice and will depend largely on
your own needs and what level of trust you’re willing to put in a commercial
company like LastPass or newcomer Dashlane.
Encrypting Mail
Most of us prefer to use Web-based email apps like Gmail, because it’s faster
and much easier to open a Web page than to fire up a desktop app. But when you
need to keep your email private from prying eyes (including the mail provider
itself), an old-fashioned desktop email client combined with OpenPGP public-key
encryption is the way to go.
Email is not encrypted end to end by default: a message can be read on any hop
that lacks transport encryption and by every mail server that stores or relays
it, so a determined snooper, or the provider itself, can intercept and read your
message. Encryption combats this by making it infeasible for anyone without the
recipient’s private key to decode the message body. OpenPGP is an excellent open
standard for exactly this, with free implementations available. The catch is that
you can only encrypt email to people who are also using an implementation of
OpenPGP and whose public key you have. So if you plan on swapping ciphered mail
with someone, make sure they are set up for this as well.
Encryption is also only as secure as the people and machines using it. If your
correspondent decrypts your mail, copies it as plain text and forwards it on to
someone else, your encryption has done nothing. Malware on either computer can
likewise defeat it by capturing the message after it has been decrypted, or by
stealing the private key along with its passphrase. So remember that while
encryption is definitely more secure than plain old email, it is not foolproof.
Finally, keep in mind that OpenPGP does not encrypt email metadata. The subject
line, the sender and recipient addresses, and the sending time all travel in the
clear, so you won’t be able to hide whom you’re corresponding with or what the
subject line says.
The first step is to download and install the Mozilla Thunderbird email
client and set it up with the account you want to use for encryption and email
signing. Thunderbird has an add-on, Enigmail, that makes it particularly easy to
set up OpenPGP. (PGP’s inventor also recommends HushMail.) Next, download and
install Gpg4win, which bundles GnuPG, the OpenPGP implementation that Enigmail
drives behind the scenes for key management, signing and encryption.
Creating your own key pair
Start Thunderbird, click the menu icon in the far right corner, and
select Add-ons. In the next window that opens, search for Enigmail and
click Install. After Enigmail installation is complete, shut down Thunderbird and
then open the program again.
Now you’ve got all the tools you’ll need to create your own key pair. Go back
to the menu icon in the far right corner and select OpenPGP > Key
Management.
When the Key Management window opens, select Generate > New Key Pair.
Now we’re just about to generate our first encryption key pair. Most of the
default settings in this window should be fine. However, I would highly
recommend creating a passphrase for your keys: the passphrase encrypts the
private key on disk, so anyone who copies the key file, or walks off with your
laptop, still can’t read your mail or sign messages as you. If you don’t and one
day Thunderbird decides to ask you for a password even though you don’t have one
(it happened to me), you’ll be heading for a world of frustration.
When you’re ready to enter the fabulous world of OpenPGP email, click the
Generate key button. After a few minutes, your key pair will be ready.
Once your key pair is done, Enigmail will suggest you create a revocation
certificate. This is an extremely important step that I suggest you take: A
revocation certificate is a small text file with the .asc extension that you can
publish to tell the world your key should no longer be trusted, should you forget
your passphrase or lose control of your computer. Without it, a key whose
passphrase you have forgotten can’t be revoked at all, because revoking requires a
signature from the private key. Keep in mind, too, that anyone who gets hold of
the certificate can revoke your key, so it deserves the same care as the private
key itself.
Best practices say you should save the certificate to a USB thumb drive and
then keep that thumb drive in a safe place.
Go public
Now that your key pair and revocation certificate are ready, you need to let
the world know you’re accepting encrypted email. The best way to do that is to
upload your public key to a keyserver where other users can find it—it’s sort of
like a phone book for security-minded people.
To do this, open the Key Management window again—if it isn’t already open—and
select Keyserver > Upload Public Keys.
By default, Enigmail will suggest you upload your key to
“pool.sks-keyservers.net.” That should be fine: the pool isn’t a single
keyserver but a round-robin address for a set of SKS keyservers that synchronize
their databases with one another, so a key uploaded to one of them propagates to
the rest. You can change this by clicking on the drop-down menu. Another option,
for example, is to upload directly to MIT’s keyserver. Whichever you pick,
remember that keyservers don’t verify identities: anyone can upload a key
carrying any name and email address, so your correspondents should confirm your
key’s fingerprint with you out of band (by phone, or in person) before they
trust it.
You could also publish your public key on a personal website, Tumblr, or
blog. To copy your public key, go back to the Key Management window, make sure
the Display All Keys by Default checkbox
is marked, and then highlight your email account once it appears. Next,
right-click and select Copy Public Keys to
Clipboard.
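Both the revocation certificate you just saved and the public key you copied out of Key Management are ASCII-armored .asc text, and both may sit on a thumb drive or a web page for years before anyone needs them. The following Python script is an added example, not part of the original article and not code from Enigmail or GnuPG: it checks the armor framing and the CRC-24 checksum that every armored block carries (RFC 4880 section 6.1), then decodes the first OpenPGP packet header (RFC 4880 section 4.2) to confirm the file really holds a Signature packet of type “key revocation”, or a Public-Key packet for an exported key. The sample .asc it inspects is constructed inside the script from a stub packet and is not a real certificate; the packet tags, signature types and CRC polynomial are the standard’s.

```python
"""Inspect an OpenPGP ASCII-armored (.asc) file: verify the armor framing and
CRC-24, then decode the first packet header to learn what the file holds."""
import base64
import re
from typing import Dict, Tuple

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
PACKET_TAGS = {2: "Signature", 5: "Secret-Key", 6: "Public-Key",
               13: "User ID", 14: "Public-Subkey"}           # RFC 4880 4.3
REVOCATION_SIG_TYPES = {0x20: "Key revocation", 0x28: "Subkey revocation",
                        0x30: "Certification revocation"}  # RFC 4880 5.2.1


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, the value behind the '=xxxx' line."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str, comment: str = "") -> str:
    """Wrap binary OpenPGP data in ASCII armor (used here to build the sample)."""
    b64 = base64.b64encode(data).decode()
    head = [f"-----BEGIN PGP {block_type}-----"] + ([f"Comment: {comment}"] if comment else [])
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join(head + [""] + body + [crc_line, f"-----END PGP {block_type}-----", ""])


def dearmor(text: str) -> Tuple[str, bytes]:
    """Return (block type, raw bytes); ValueError on bad framing or CRC mismatch."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    match = re.fullmatch(r"-----BEGIN PGP ([A-Z ]+)-----", lines[0])
    if not match:
        raise ValueError("missing BEGIN armor line")
    block_type = match.group(1)
    if lines[-1] != f"-----END PGP {block_type}-----":
        raise ValueError("END line missing or does not match BEGIN line")
    body = lines[1:-1]
    if "" in body:                       # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC-24 line")
    crc_line = body.pop()
    data = base64.b64decode("".join(body), validate=True)
    expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    if crc24(data) != expected:
        raise ValueError(f"CRC-24 mismatch: armor says {expected:06x}, data gives {crc24(data):06x}")
    return block_type, data


def first_packet(data: bytes) -> Dict[str, object]:
    """Decode the first packet header (RFC 4880 section 4.2), old or new format."""
    tag_byte = data[0]
    if not tag_byte & 0x80:
        raise ValueError("first byte is not an OpenPGP packet header")
    if tag_byte & 0x40:                  # new format: tag in the low six bits
        tag, first = tag_byte & 0x3F, data[1]
        if first < 192:
            start, length = 2, first
        elif first < 224:
            start, length = 3, ((first - 192) << 8) + data[2] + 192
        elif first == 255:
            start, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body lengths not supported")
    else:                                # old format: tag in bits 5-2, length type in bits 1-0
        tag, length_type = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
        if length_type == 3:
            raise ValueError("indeterminate length not supported")
        nbytes = (1, 2, 4)[length_type]
        start, length = 1 + nbytes, int.from_bytes(data[1:1 + nbytes], "big")
    body = data[start:start + length]
    info = {"tag": tag, "kind": PACKET_TAGS.get(tag, f"tag {tag}"), "body_length": length}
    if tag == 2 and len(body) >= 2:      # signature body: version, then signature type
        info["version"], info["sig_type"] = body[0], REVOCATION_SIG_TYPES.get(body[1], f"0x{body[1]:02x}")
    return info


def inspect_asc(text: str) -> Dict[str, object]:
    block_type, data = dearmor(text)
    return {**first_packet(data), "block_type": block_type}


def armor_is_intact(text: str) -> bool:
    try:
        dearmor(text)
        return True
    except ValueError:                   # binascii.Error (bad base64) is a ValueError too
        return False


# Constructed sample: old-format header 0x88 = tag 2 (Signature) with a one-byte
# length; body = version 4, type 0x20 (key revocation), RSA, SHA-256, then stub
# bytes. It parses like a real revocation certificate but is NOT usable as one.
STUB_BODY = bytes([0x04, 0x20, 0x01, 0x08, 0x00, 0x00, 0x00, 0x00, 0xAB, 0xCD])
SAMPLE_REVOCATION = armor(bytes([0x88, len(STUB_BODY)]) + STUB_BODY,
                          "PUBLIC KEY BLOCK", "This is a revocation certificate")

if __name__ == "__main__":
    print(SAMPLE_REVOCATION)
    print(inspect_asc(SAMPLE_REVOCATION))
```

To check a file you actually saved, call inspect_asc(open("revoke.asc").read()). A CRC-24 mismatch means the copy was damaged in transfer, which is exactly the failure you do not want to discover on the day you need to revoke; a first packet that is not a Signature of type “Key revocation” means you saved the wrong thing. The CRC only catches accidental damage, not deliberate tampering, so it is a freshness check for your own backups, not a substitute for verifying a key’s fingerprint.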
Testing, testing
So you’ve generated a new key pair and published your public key. Now it’s
time for a test run by sending a signed email to Adele, the friendly OpenPGP
email robot.
Hold down the Shift key on your keyboard and then click on the Write button in
the top left side of Thunderbird. This will open a new message window without
any HTML formatting. Adele can only handle plain text, so bold headlines,
italics, and embedded links are out. In fact, for simplicity’s sake, it’s always
easier to create encrypted email as plain text.
Next, fill out Adele’s email address, which is adele-en@gnupp.de.
Create a subject line and message body with whatever you’d like to say. Then
click the OpenPGP menu option, and make sure that only the “Sign Message” and
“Attach My Public Key” options are selected. Hit Send, enter your passphrase,
and you’re done. In a few minutes, Adele should send you a reply to confirm
whether your signing was successful.
Once Adele gives you the okay, you are ready for the world of encrypted
email.