How Effective is GnuPG?

With the recent revelations of the ubiquity of NSA spying — after all, they even search your buddy list on AOL Instant Messenger — I thought it would be worthwhile to explore some alternatives for folks.

A few years ago, EAU issued a manual on the use of GnuPG (Gnu Privacy Guard) for EAU members. Though technological progress has rendered that particular manual obsolete, GnuPG has continued to progress and has become more accessible than ever.

On the Windows platform, you can use Cryptophane to manage keys and encryption/decryption so you never have to see a command line. GPG4Win makes it easy to encrypt files and email. Mac users can find similar functionality in the GPGTools package, and GnuPG tools are installed by default on Linux.

Even more fun, GnuPG is now integrated into a number of instant messaging clients, including PSI, which works on most platforms, and Miranda, which is a client for AIM, YIM and more.

Nowadays, it is easier than ever to integrate heavy-duty encryption into email and chat.

But how effective is that encryption? More effective than you think, and as effective as you make it.

The core functionality of GnuPG relies upon a public/private key pair. The public key, which you can hand out openly, is used to encrypt information that can only be decrypted using the matching private key.

So long as the private key is not compromised and adequately strong keys are used, it is effectively unbreakable. Using current technology, it would take dedicated nuclear power plants and all of the computers on earth longer than the age of the universe to decrypt Mom’s encrypted secret apple pie recipe. Used properly, GnuPG encryption is industrial strength and simply will not be broken by the voyeurs employed by our government to snoop on its own citizens.

There are, however, a couple of big holes that need to be understood.

The first is that if you keep your private key on your computer, especially in the standard location, and your computer is compromised, whether by a Trojan horse or through physical seizure by unscrupulous people, then the key can become known. So it is a wise move to keep your private key and keyring on a thumb drive that can easily be hidden separately from your computer, and to store it elsewhere when not in use.

The second is the passphrase. A private key is useless even if found, unless the person who finds it also knows the passphrase, but people get lazy and use simple five-character passphrases. What I recommend is a couple of easily remembered sentences.
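The following shell session is an added example, not code from the original post or from the GnuPG project, that walks through the points above: a key pair generated into its own keyring directory (a temporary directory stands in for the thumb drive; on a real drive you would point GNUPGHOME at a path such as /media/usb/gnupg), a message encrypted to the public key, and decryption that succeeds only with the correct passphrase. The identity, passphrases and message are constructed, and it assumes GnuPG 2.1 or later with gpg-agent.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumes GnuPG 2.1+.
set -eu

# The keyring lives wherever GNUPGHOME points. On a thumb drive this would be
# something like /media/usb/gnupg (constructed path); a temp dir stands in here.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"

# Allow gpg to pass the passphrase itself instead of popping a pinentry dialog.
# This is only for unattended examples; interactive use should keep the dialog.
echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"

USER_ID="Example User <user@example.invalid>"                      # constructed
GOOD_PASS="mom hides the apple pie recipe behind the flour tin"     # constructed sentence
BAD_PASS="abcde"                                                    # the lazy 5-character kind

gpg_q() { gpg --batch --quiet --no-tty "$@"; }

# Generate the key pair; the private half is stored protected by GOOD_PASS.
make_key() {
  gpg_q --pinentry-mode loopback --passphrase "$GOOD_PASS" \
        --quick-generate-key "$USER_ID" default default never
}

# Encrypt to the public key. No passphrase is needed on this side.
encrypt_msg() {  # $1 = plaintext; ciphertext on stdout
  printf '%s' "$1" | gpg_q --yes --recipient user@example.invalid --encrypt
}

# Decrypt with the supplied passphrase. The agent cache is cleared first so a
# wrong passphrase is really tested rather than a remembered good one.
decrypt_msg() {  # $1 = passphrase; ciphertext on stdin, plaintext on stdout
  gpgconf --kill gpg-agent 2>/dev/null || true
  gpg_q --pinentry-mode loopback --passphrase "$1" --decrypt
}

roundtrip() {  # $1 = plaintext, $2 = passphrase; non-zero exit if decryption fails
  encrypt_msg "$1" | decrypt_msg "$2"
}

cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"; }
trap cleanup EXIT

make_key
MSG="Mom's secret apple pie recipe"
roundtrip "$MSG" "$GOOD_PASS"; echo
if ! roundtrip "$MSG" "$BAD_PASS" 2>/dev/null; then
  echo "wrong passphrase: decryption refused, as expected" >&2
fi
```

The private key material never leaves the GNUPGHOME directory, so unplugging the drive removes it from the machine; the second round trip shows that even with that directory in hand, the key does nothing without the passphrase that protects it.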

Of course, your passphrase is no more secure than your physical person. That is, you can be … detained … and your knees beaten with hammers until you divulge your passphrase. This is simple, inexpensive and effective. And if you believe this doesn’t happen, you are naive. However, our government has to be circumspect and judicious about this, otherwise it would lose its remaining tenuous grasp on legitimacy. So all you have to do to avoid this circumstance in general is to steer clear of the sorts of behaviors common among militant Islamic terrorists and other terrorists.

So, in essence, so long as you choose a good passphrase, keep your private key on a thumb drive and don’t give the goon squad a plausible reason to employ a hammer in persuasion, GnuPG is rock solid and will give the voyeurs fits. I recommend its ubiquitous employment.

2013-10-15