In today's world, you do not have to be an undercover agent working at a special government organization to use encryption tools. There is so much information being shared constantly, and almost any company out there is waiting eagerly to get their hands into the sweet stuff, that is your data here. This is something that you use on a daily basis, even if you do not realize it. Most of the time, your internet service provider, your email server host, that shady forum page you used to visit a decade ago or even your bank is encrypting same piece of valuable information that you have, so that in case it falls into wrong hands, no real harm can be made.
Don't get me wrong, this isn't necessarily a bad thing, but you ultimately rely on these big services to keep your information safe. Sometimes you don't have any other way, or sometimes you just do not know any better. It's fine, everybody starts somewhere. It becomes progressively easier as you dive deeper into it.
Encrypted Messaging 📮
Fundamentals
It is possible to use simpler encryption systems to have a secret way of communicating with your friends, sometimes it's a cool little side activity. Considering the sheer size of the internet today however, that will not get you anywhere. There is probably some tool out there, that supports the messaging format of your choice. The majority of them uses what is called an antisymmetric encryption.
Basically, you as the receiver of a message, make your public key available for anyone. Perhaps you could put it on your website, just like how I did it. The person that is going to send this message will use this public key to encrypt the message and send it to you. There is one little problem though. Let's say somebody sent you a message using your public key, claiming that they are me. Well... it is publicly available after all, who is stopping anyone from doing that? Many programs uses some sort of a fingerprinting mechanism to overcome this issue. For instance, here is the fingerprint tied to my public key.
The idea is simple. Anybody can send you messages using your public key, but once you decrypt that message, you would see a different fingerprint than what is shown above. Basically, before sending a message to someone you also put a little star on it using your private key. This is mostly called signing, just like how it is in real life. This ensures that the message is actually coming from the right person. As long as, you are sure that this value actually belong to the person you wish to talk to, you are all good.
For instance, if you legitimately received an e-mail from me, and you are using an e-mail client that supports user encryption (which we will talk about soon), this is more or less what you would see.
Majority of the tools available to an end user will use some combination these techniques, with slightly different algorithms on their back, AES, RSA, RFC, ECC (Elliptic Curve Cryptography) to name a couple.
Encrypted e-mails 📬
Whatever message you wish to send, it can probably handled with a couple paragraphs of plaintext e-mail. First of all, e-mails by default is not really a secure way of communication. The reason for that is, even if you take the necessary security measures to protect that message along the way, you should be interacting with a third party server that you have no control of. Encrypting your e-mail assures that even your e-mail service provider can not spy on your messages.
The popular software that makes this available to the end user is PGP, which stands for Pretty Good Privacy. It has been around since 90's. What you will probably using is the modern implementation of it called OpenPGP, which you may check out here. It has support for any operating system out there. Here is a list of programs to make it easier for you.
Linux: What you want is probably: GnuPG, which you can most probably install with your package manager as well.
Windows: What you want is probably: gpg4win, which is the windows implementation of GnuPG above.
MacOS: What you want is probably: completely stop using this godforsaken operating system. If you do a search online, you will mostly be recommended GPGTools, which is paid for AppleMail I should add. Apple, being the company it is, will always make it inconvenient for you to use encryption tools, this is not just for emails.
Webmail client Roundcube (which is also used by Boun) already has support for PGP.
I would also recommend using an e-mail client that is designed for these features in mind. You can add these functionality to something like Windows Mail or AppleMail, but it will always be an hassle and it will probably not be a smooth experience. OpenPGP site has some nice software recommendations.
Keep in mind that HTML emails don't really play nice with encryption. If you have no idea what that is, HTML is a markup language mainly designed for rendering text on the internet. The page that you are currently reading is HTML. They are mainly used for sending spam, and marketing emails. There is no need to use a complex tool just to send a paragraph of text to your buddy, trust me on this one. Plaintext/txt is just fine. You are highly encouraged to check this site, to learn more.
How to generate a key 🔑
In order to be able to do what we mentioned so far, you need a key. There isn't only one way to obtain this, you could use a graphical program, or a command line utility, whichever you prefer. Here, I will be demonstrating it using GnuPG, shortly gpg. The information provided here is a bare-minimum, for more information you may look at the manual for gpg.
You should have in your mind what is called a master password. This lets you use your key when you want to encrypt, decrypt or sign things. Choose something that is strong, that is easy to remember for you. To get an idea, this video can be helpful. You could also generate an even stronger password, with a password manager. These are not directly related to our topic at hand, but it is in general a good practice. Now, we are ready for some action.
$ gpg --full-gen-key
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1
The command shown above walks you through the process of creating a key. It will ask you for a keysize, which is represented in bits. Then, it will ask you for some kind of ID that you want to use, and your email address. Keep in mind that this is a local operation, you are not actually signing up to anything. You are simply creating a key on your own device, and it is completely under your control.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: ExampleNickname
Email address: example@example.com
Comment: This is an example!
You selected this USER-ID:
"ExampleNickname (This is an example!) <example@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 06F14AD19725323C marked as ultimately trusted
gpg: revocation certificate stored as '28251FE8EB0C84968EAC18F306F14AD19725323C.rev'
public and secret key created and signed.
pub rsa4096 2023-03-10 [SC]
28251FE8EB0C84968EAC18F306F14AD19725323C
uid ExampleNickname (This is an example!) <example@example.com>
sub rsa4096 2023-03-10 [E]
This command in fact went ahead and created a key and a subkey, one of them is for encrypting files and the other is for signing them. At this point, you should be familiar with these terms. If you are curious about how it actually looks like, I will put below the public and private key, in the name of science. Please do not ever use this key for anything. This is an example, normally you should never be sharing your private key, it is not so private otherwise is it ?
A key that you have can practically be used for anything. Any file in your computer is fundamentally a long sequence of binary numbers. Therefore, it can be encrypted using your key. Keep in mind that this works best with simpler file formats. File types like Microsoft Office Files sometimes have proprietary source code that is required to use the file. These types of structures can break, and become unusable after encryption. You really shouldn't be using these files to store data to begin with, but if you will, you have been warned.
// Encrypt a file for a recipent, in this case my public key is used
// to encrypt this file
$ gpg --encrypt testfile.txt --recipent berk@mathwizard.xyz
// Decrypt a file with this command, it require the master password and the
// private key of the intended recipent
// you can also specify an output name, by defult it adds a '.pgp' extention
$ gpg --decrypt testfile.txt.pgp --output decrypted.txt
// You can also use a symmetric cipher, using a passphrase
$ gpg --symmetric testfile.txt --output testfile
Finishing Notes
As a general rule of thumb, it is a good idea to backup these materials that you obtain, in a space that is away from the internet. A good old USB Drive would do the trick. Anything on the internet, no matter how secure you think it is, or no matter how big of a company is behind it, is and always will be a subject for data breaches. You made a step in the right direction to minimize the effect of this threat, at least for you.
From here on, possibilities are endless. As you dive deeper into this ecosystem, you will need to learn more about the programs you are using, and what the underlying structure is. Sometimes, you may need to ditch some old habits, and start using a new program for better security or privacy.
Before we wrap up, I would like to debunk a common myth in today's so called modern society. The fact that somebody has interest in encryption tools, and uses it on a daily basis does not mean that they are a criminal. The idea that one needs to have something to hide, if they are interested in privacy is very flawed and actually needs to die. There is nothing wrong about feeling discomfort as a response to someone or a corporate entity constantly having access to your belongings. I am not here to tell you that you should care about this, this may be completely fine for you. However, when somebody does care about this, it is not necessarily because they are an edgy looking kind of guy with a hoodie in your basement, operating an El Chapo business.
