How to be Anonymous Online (4 page)

It is common to find PGP related files with the wrong extensions. If you suspect this to be the case, open the file in your
gedit
program (right-click the file >
Open with
>
gedit
). The top line of the text will tell you if it is a public PGP key, private PGP key or signature file. Just rename the file as needed. If the entire text is pure chaos, including the first line, it is an encrypted file, which you can give a .pgp extension.

1. Open the
   Passwords and Keys
   program (
   Applications
   >
   System Tools
   >
   Preferences
   >
   Passwords and Keys
   )
   
2. In the Passwords and Keys window, click
   File
   >
   New
   
3. Choose
   PGP key
   , and then
   continue
   
4. Enter a full name and email address (these do not have to be real). Adding a Comment is optional
   
5. Click 'Advanced key options'
   
6. Choose RSA and set the Key Strength to “4096” bits. You do not need to set an Expiration Date
   
7. Click
   Create
   
8. Make a strong password and remember it (it is unrecoverable)
   
9. Your brand new public PGP key is visible by selecting
   GnuPG keys
   from the left column
   
10. By right-clicking your key and selecting
    Properties
    , you can view its details, as well as change its password
    

1. Open the
   Passwords and Keys
   program
   (
   Applications
   >
   System Tools
   >
   Preferences
   >
   Passwords and Keys
   )
   
2. Select the
   GnuPG
   from the left column
   
3. Click your key to highlight it
   
4. Click
   File
   >
   Export
   
5. Select
   Armored PGP keys
   from the
   PGP Keys
   drop-box (in the bottom right corner of the Seahorse Export window)
   
6. Give your key any
   Name
   you wish, just make sure it has the .asc extension (
   keyname
   .asc)
   
7. Choose a location, and then click
   Export
   
8. This file is your public PGP key. As the name suggests, it is for the public
   .
   You can share it with anyone, post it on a website, and give it to your worst enemy. It is used to 'lock' a file so that only you can 'unlock' it
   
9. An Extra Special Step
   – Go to the location that you saved your exported public PGP key and use
   gedit
   to open it (right-click the file, Open with >
   gedit Text Editor
   ). The text is your actual public PGP key. You can share this text instead of sharing the file. For example, instead of attaching a public PGP key file to an email, you can paste its text into an email. Likewise, you can post the key's text on a website as opposed to the file
   

Copy everything, Starting with “
-----
BEGIN PGP PUBLIC KEY BLOCK
-----
”
and ending with
“
-----
END PGP PUBLIC KEY BLOCK
-----
”

1. Save their
   filename
   .asc or
   filename
   .pgp public
   PGP key (you can save it anywhere, this is temporary). If you only have the text of someone's public PGP key, copy the text into
   gedit
   and save it as
   filename
   .asc. The
   filename
   can be anyname you choose
   

Copy everything, Starting with “
-----
BEGIN PGP PUBLIC KEY BLOCK
-----
”
and ending with
“
-----
END PGP PUBLIC KEY BLOCK
-----
”

1. Open the
   Passwords and Keys
   program  (
   Applications
   >
   System Tools
   >
   Preferences
   >
   Passwords and Keys
   )
   
2. In the main window, click
   File
   >
   Import
   
3. Find and open
   filename
   .asc
   
4. You have imported the key and can
   see it
   by selecting
   GnuPG keys
   from the left column
   
5. You can now delete the
   original
   filename
   .asc file that you used in Step 1
   

You can easily look up someone's public PGP key if they upload it to a keyserver.
Keyservers
are databases that anyone (even you) can use to share their public PGP key(s) with the world. To import someone's public PGP key from the keyservers:

1. Make sure you are connected to the internet
   
2. Open the
   Passwords and Keys
   program  (
   Applications
   >
   System Tools
   >
   Preferences
   >
   Passwords and Keys
   )
   
3. Select
   Remote
   >
   Find Remote Keys
   
4. Enter a search term, such as a Key ID or a Key name
   
5. A list of public PGP keys containing the search term will appear. To Import a key, right-click it and select
   Import
   . Once imported, you can close the window
   
6. The public PGP key is visible by selecting
   GnuPG keys
   from the left column
   

In the next steps, you are NOT using the Passwords and Encryption Keys program

1. Before you choose a file to encrypt, you must have already imported the intended recipient's public PGP key. If you do not have anyone else's public PGP key, you can use your own key and send a file to yourself. Better yet, make a second public PGP key, and then use it
   
2. Find the file that you want to encrypt (it can be on your desktop, in the persistent folder, or wherever) (if you need a file to test, just open
   gedit
   , write yourself a little note and save it)
   
3. Right-click the file and select
   Encrypt
   
4. The
   Choose Recipients
   window will open. The public PGP keys you have in your system are listed
   
5. Select the recipient(s) for whom you are encrypting the file. Whether or not you sign the file is up to you. If you sign it, when the recipient decrypts the file they can see it is from you. It is kind of like putting your signature on a letter
   
6. Click
   OK
   
7. If you do not sign the file, you will be prompted to name the file. Any name will do (
   filename
   .pgp), and then click
   OK
   
8. Only the chosen recipient(s) will be able to decrypt the file
   
9. You can now send the encrypted file
   

You can put your signature on a file, so people know it is from you, not an impostor. You can sign both encrypted and non-encrypted files.

1. Find the file that you want to sign (it can be on your desktop, in the persistent folder, or wherever) (if you need a file to test, just open
   gedit
   , write yourself a little note and save it)
   
2. Right-click the file and select
   Sign
   
3. Select your PGP key from the
   Sign message as
   window,
   and then click
   OK
   
4. If prompted, enter your key password, and then click
   OK
   
5. At the location of the original file a second file appears. It has the same name as the original, plus '.sig' added to the end (
   filename
   .txt.sig appears after signing
   filename
   .txt)
   
6. The person verifying your signature needs three t
   hings, the original file you signed, the '.sig' file and your public PGP key
   (
   filename
   .txt
   ,
   filename
   .txt.sig
   and
   your_public_key
   .asc
   )
   

Ideally, the person verifying your signature had previously received and verified your public PGP key.

This process works like bank signatures did in the old days.

• When you opened a checking account, you would go the bank in person and sign a signature card. This way the bank had your authentic signature on file
  
• When a check came into the bank, they would compare the signature on the check with the authentic signature on file
  
• If the signatures matched, they would consider the check authenticated
  

Now, suppose the bank received a signature card and a signed check at the same time. Meanwhile, you were not present. Even though the signatures match, the bank cannot tell if they are authentic.

You face the same dilemma if you get a public PGP key online at the same time as a signed file. You need a way to authenticate the public PGP key before you can use it to authenticate a signed file.

There are a two ways to make sure you have someone's actual public PGP key, not a fake.

• You can check the key with the
  Keyservers
  
• You can check the key by its
  Fingerprint
  

If someone trusts that a public PGP key is authentic, they can sign it. When you import a particular key, you can see the keys of all the people that have chosen to publicly sign it, vouching for its authenticity. Using the
terminal
, you will view these signatures.

1. Open the
   Passwords and Keys
   program (
   Applications
   >
   System Tools
   >
   Preferences
   >
   Passwords and Keys
   )
   
2. Select the
   GnuPG
   from the left column
   
3. Right-click an imported public PGP key, and then select
   Properties
   (as an example, select
   Tails Developers [email protected] 'offline long-term identity key'
   )
   
4. Take note of the
   Key ID
   , because you will need it in a moment (in this case, 58ACD84F – as of August 1, 2015). You can leave this window open while you proceed to the next step
   
5. Open the
   Terminal
   program (
   Applications
   >
   Accessories
   >
   Terminal
   )
   
6. In the
   Terminal
   window, type “
   gpg --list-sigs
   Key_ID
   ”. In this example, you would type
   gpg --list-sigs 58ACD84F
   
7. The terminal displays a list of signers
   

The more signatures that are from people you know and trust, the more trust you can have in the keys authenticity

This trust stuff is a big deal for software developers collaborating on projects and, in the case of my family, Christian missionaries spreading the word to hostile lands. For most other people, PGP is just a way of pretending to be Batman and Robin exchanging puppy memes without the Joker eavesdropping.

To check a key's Fingerprint:

1. Open the
   Passwords and Keys
   program  (
   Applications
   >
   System Tools
   >
   Preferences
   >
   Passwords and Keys
   ), and then import the key in question
   
2. Select the
   GnuPG
   from the left column
   
3. Right-click the key, and then select
   Properties
   
4. Under the
   Details
   tab is the key's
   Fingerprint
   (for example, the Tails developers fingerprint is A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F)
   
5. Compare the Fingerprint to that of others who have the same key in their possession. The more corroborating sources, the more trust you can have in the keys authenticity. If it is a popular key, an online search may provide a number of comparisons
   
6. If you believe the key is fake you can delete it (right-click the key, and then select
   Delete
   )