Monday, August 12, 2013

PGP Privacy 2 Go

So if your like me, seek help.

I mean seriously. These morbid delusional fantasies about the future of war and technology? Staying awake all night writing software to trade internet funny money (read: Bitcoin)? You get the picture. Your fit for a straight jacket.

Or you need a vacation. Which means it's time to hit the road without your trusty "security hardened" laptop. Your machine is security hardened right? You haven't been using those 'cloud based' services have you!? You host your own email, file sync, music streaming, calendar, and social network from a server under secure lock and key on a redundant internet connection to your condo right?! Not. The cloud is a convenient solution for all of this, unfortunately, it's also an extremely convenient solution for the government to spy on you.

Lets leave the politics of it out here. That's not the point of the post. You want to use Gmail. I get it. I use it. It's fast, reliable, it's servers are these crazy shipping container lego-blocks that can be shipped by train into Mexico in the event of nuclear war...making your email more safe from radiation poisoning than your sorry Starbucks sipping ass. Jordan searches frantically for his stash of iodine tablets but only discovers used Starbucks gift-carts. 

So the next best thing before you go-ahead and upload your email messages to the Utah Data Center for NSA perusal, is to use PGP, which if your reading this I'm relatively confident your already familiar with. If not, it's not hard to understand, but next to retarded difficult for your everyday operating system manufacturer, or email service provider to include with their services.

Once your email is encrypted with PGP, short of obtaining your private key from your physical machine (more on that later), it's extremely cost prohibitive, if not impossible, for anyone but it's intended recipient to read it while it sits for eternity on a hard-drive in central Utah.

The issue for most people whom have taken this precaution, is that the tools are inconvenient. For example, they, unlike your modern email client (Gmail) aren't as portable. Take for example, GPGMail, a reliable and improving tool for managing for managing PGP messaging with OS X Mail on top of OpenPGP. Great already hard enough. At least it grabs public keys attached to emails from your comrades, and stores them for future use.

You see what I'm saying, no wonder no one uses this stuff. Too fucking hard.

In that case... what happens once you've got some encrypted communication going on, and you want to read / send encrypted emails on the go with Gmail? Enter Mailvelope. A handy browser plugin, that allows you to PGP encrypt your webmail as your composing and reading on the go. With Chrome Browser Sync, once you login to your browser, this plugin should be made available to you where-ever you go. As inconvenient as it might be, the last little bit is to hang-on to your private key. I'll leave that part up to you.

Mailvelope Homepage
The issue I ran into was, I had already generated my PGP Pub/Priv key pair on my home machine, and wanted to use it while I was on the go.

Nothing abstract here.

Just a little demo of how to use the same private key to read your encrypted emails using Chrome.

Ok, so first we need to "export" our private key out of our PGP Keychain. Go ahead and open up the keychain in OS X (I usually type "Keychain" in the Spotlight search).

Go ahead and cmd-click, your key-pair, and choose "Export".

Make sure 'Allow secret key export' is checked. Once this is done, the text-file you create will be your "key to the kingdom" so to speak, as it will include a public and private key-pair. 

Doesn't look like much. But there is a lot of information here. Most importantly, your private key should only be placed and left on a browser on a machine you trust won't be compromised.

 Next, lets install the Mailvelope plugin on our Chrome Browser:

Once installed, go ahead and open the plugin (from it's setting's button on the top-right corner of the browser), and than choose the "Import Keys" menu.

This was kind of confusing for me, as I didn't realize you could also import private keys here. I gave it a shot, and it worked. So good on you Mailvelope. 

Paste the entire text of the Pub/Priv key-pair file you just exported into the text box.

Ok, now your good to go. 

Next, open up Gmail and start to compose a mail, and you'll notice a new little button, click it to open a PGP Mail composer from Mailvelope. Hit the "Lock" button.

And than choose your recipient (I'm sending this message to myself to demonstrate).

Your message is encrypted using the public-key of the recipient.

Now the message is placed in the composer as a PGP encrypted message, safe and secure, ready for upload to the government (:

Last step, receiving, and decrypting PGP encoded mail. I hit send, and the message appears in my inbox, as I was the intended recipient. The message is encrypted, but Mailvelope adds a button to my Gmail editor window to decrypt it. I click it, and am asked to unlock my private key (the private key passphrase is sort of a security of last resort to keep others from reading your messages)

And walla, your message is decrypted and has a "water-mark" behind it which has some significance, though I didn't read that far into the Mailvelope documentation.

PGP encrypting security tends to break down around "Physical breaches" of your private key. If you carry it around on an unencrypted USB-stick, or it's stored on your "secure machine" (read: laptop protected with your ex-girlfriends favorite nick-name for your penis as a password), there is a pretty good chance it can be compromised. 

There is more here, consider using a public-keyserver. These servers allows others to grab your key, and encrypt messages to you without you handing them your public key via a message. It also allows you to, in theory (I believe), issue a certificate with a key that allows you to "expire" the key-pair periodically, in-case of theft. Though that is beyond the scope of this blog post, I will be looking into that more in the future, but lets keep it simple for today.

As for physical security, I recommend a gas-powered AR-15 Platform rife, and a few hundred hours of close-quarters combat training. If you don't have this, maybe a mean dog, and a deadbolt. We're all susceptible one way or least now your a little less so to government intrusion into your email box.

No comments:

Post a Comment