If one were looking for an example of how one person was able to change the world for the better with technology, one need look no further than Philip Zimmermann. Zimmermann earned his place in history in 1991, when he introduced public-key cryptography to the people with the invention and release of PGP (“Pretty Good Privacy”). He cemented his reputation with his long battle to remove legal obstacles to the use and distribution of PGP in the United States. See Zimmermann’s Senate testimony.
Virtues of PGP
To this day, PGP remains one of the most secure, effective, and versatile encryption options available to the public. It is not known to have been cracked. It can be used to sign and encrypt email. It can also be used to encrypt files. And it can be used to sign software in order to identify its origin and guarantee its integrity. In some cases, it is even used in password programs. Finally, PGP depends upon trust among individual users, so unlike S/MIME, there is no need for key verification by a central corporate or governmental authority.
Symantec Corporation continues to offer a comprehensive, and expensive, commercial implementation of PGP for Windows. The commercial version can be useful if one needs to deploy a comprehensive security solution over a network or if one needs compatibility with the very latest Windows software (e.g. Outlook 2010).
However, for most individual users, the Free Software Foundation’s implementation of PGP – GPG or “GNU Privacy Guard” – is usually more than sufficient. Linux users will find GPG already tightly integrated into their systems; Mac and Windows users can download and install a copy from Gnupg.org (which links to Gpg4win.org and GPGTools.org).
Once you install GPG, you will need to generate a public key and a private key. The public key may be shared with anyone who wishes to send you a message encrypted with PGP. Your private key must be kept completely secret; otherwise you may compromise the secrecy of your messages. Once you have a public key, you can also list it on a public keyserver, which is a little bit like a telephone directory for PGP public keys: anyone who has your email address will be able to look up your public key and encrypt an email to you. A well-known example is the MIT PGP Public Keyserver. And if you know other PGP users, you can electronically “sign” each other’s keys, after comparing key fingerprints in person or over another trusted channel, to ensure that you really know who is sending you encrypted mail.
Gpg4win has extensive documentation, and GPGTools has a slightly less user-friendly but quite extensive tutorial. Linux documentation may vary slightly from one distribution to another, but the Ubuntu documentation provides one example.
Thunderbird – a cross-platform GPG client
The easiest way to get started with PGP for email encryption is to install Mozilla.org’s free, open source, cross-platform email client, Thunderbird, and the associated plugin, Enigmail, after you install GPG. (As an aside, Thunderbird is one of the best graphical email clients available, and certainly the best cross-platform client available for free.)
PGP for Windows
Windows users who use Outlook 2003 or Outlook 2007 can install Gpg4win and use it “right out of the box.” It will show up as a toolbar item in Outlook. Unfortunately, Outlook 2010 is not (yet) supported.
GPG for Linux
Serious privacy advocates might want to take a look at Linux. There is a learning curve, and no operating system is invulnerable. However, newer distributions such as Ubuntu are relatively easy to install, and even allow you to share your computer with Windows. Learning to use Linux gives you a better sense of how your computer works, and it allows you to access tools on your own computer that you would otherwise need to get from the cloud or pay Microsoft, et al., a hefty price to obtain.
GPG is thoroughly integrated into Linux systems, both as a means of encryption and as a means of ensuring that software and software updates are genuine.