There really aren’t a whole lot of reasons why you shouldn’t learn how to use encryption, but let’s just eliminate some to get started. We’ll define encryption as the ability to secure information that you transmit using the internet so that only the intended recipient can understand it. First, there are free tools that make using encryption easy and also can manage the whole process. Second, you don’t need to understand PhD level calculus to grasp the basics of how encryption works. Next, chances are you regularly transmit private information over the internet that should be encrypted, and encryption is very effective at keeping private information private. Finally, in the 10 minutes it takes you to read this post, you’ll get a good overview about encryption in addition to links you can visit to learn how to get setup to use encryption like a pro.
First, we’re going to limit this post to talking about GnuPG encryption tools, which are open-source standards. It may seem a bit confusing how an open-source tool can keep data private. Being open-source means the algorithm that is used to generate encryption keys (more on those in a bit) is constantly being tested and hacked at by real experts in an attempt to find vulnerabilities. When weaknesses are found they are corrected quickly. Therefore, the “key” to “unlock” your private data is not publicly available, but the method to generate a key is public knowledge so that it’s constantly being evaluated to prove it is secure. For example, you may have heard of “HeartBleed” which was a weakness in how OpenSSL (an open-source encryption tool) was implemented. It was corrected within days of being discovered.
GnuPG is an open-source implementation of PGP, which stands for “Pretty Good Privacy”. By “pretty good”, it means that you are more likely to be struck by lightning, twice, than you are of having your encryption algorithm cracked. Even then, it would likely need to have been done by an organization like the NSA, with massive computing capacity, budget, time, and the requisite knowledge of understanding how to break encryption. You can take our word for it, search Google for additional sources, or read this chapter from a Cryptography textbook. The bottom line is GnuPG is good enough.
Here are a couple free tools you can use to make encrypting files and data as easy as copying and pasting in your favorite operating system. If you’re a Mac user, you’re going to want to get familiar with GPG Suite from gpgtools.org. If you are a PC person, you’ll be using gpg4Win, primarily working on a tool called Kleopatra. If you’re using Linux, then shame on you for having to read this article at all (just kidding, but really we haven’t found a GUI toolkit we like on Linux, we handle Linux encryption from the command line).
Each set of tools has the same basic set of capabilities, which is everything you need to manage encrypted communication and storage. First, you’ll need to be able to generate your own set of keys (we’ll get there soon). Next, you need to be able to import and manage the public keys of people that you want to send encrypted data to. The tools we’ve linked to provide a way to rate the trust level of the keys you store. Finally, the tools provide easy ways to encrypt and decrypt data. We have a detailed tutorial about how to install and use encryption tools if you want to get right to it, but for the rest of this post, we’ll just explain the basics of how it works.
In our humble opinion, “who are you encrypting the data for?” seems to be the most overlooked aspect of explaining why and how encryption works. The basic premise of keeping information private is that the information is only allowed to be seen by somebody specific, but you need to know who those specific somebodies are before encrypting the data. Even if you’re just storing encrypted data up in the cloud for your own use later, you are essentially encrypting it for yourself. When it comes to SSL on a website, the “https” means that your browser is encrypting the data before transmitting it over the internet to the web server – which is the only application that can decrypt it. Just remember that whenever we’re talking about using encryption, you need to know who you’re encrypting it for.
You can think of encryption as a set of two keys, where one key can only be used to lock, and the other can be used to lock and unlock. These are referred to as the public key and the private key. The public key is the one that is only used to lock, and the private key is the one that can do both. The reason they are referred to as “public” and “private” is so that people understand that you can (and should) share the “public” key so that other people can encrypt information for you, but you should keep the “private” key secret and secured, so that only you can unlock information that is encrypted for you.
In order to facilitate two-way private communication, two sets of keys are needed. The flow of a basic conversation is simple – for Michelle to send an encrypted message to John, she needs to encrypt the message with John’s public key. Then only John’s private key can be used to decrypt the message. For John to respond and send an encrypted message to Michelle, he would need to encrypt a message with Michelle’s public key, at which point only Michelle’s private key can be used to decrypt the message. Think about it like placing the message in an impenetrable envelope that can only be opened with the correct key.
Take a moment and re-read the paragraph above while looking at the flow diagram if you didn’t understand it the first time, because this is how encryption works at the most basic level. All you need to do to communicate in an encrypted manner is know the public key of the person being sent the encrypted information. This is the difficulty, however, because not everyone has a public key you can use to send them encrypted data.
The biggest part of using encryption is not really learning to use it yourself, but teaching others to use it when you want to communicate with them privately. This may sound difficult, but it’s easier than you think. Also, you can help to make encrypting private information a more common practice by requiring it when people want you to send them private information. For example, when our payroll company wanted us to send them the legally required tax forms so that they could pay our employees, we required them to be able to receive that information in a secure manner. We refused to send our employees’ private information – which included names, addresses, tax forms, social security numbers, and identification document numbers – over email in a non-encrypted format. In the end, we sent the payroll company a link to instructions on how to install gpg4win and generate a set of keys so that they could receive an encrypted file attachment from us containing the required forms. The best part is that once they know how to use encryption, they can teach others and often make using encryption standard practice.
People who don’t understand encryption have a tendency to look at people who do understand it as if they’re Ninjas. It’s like the people who understand encryption just see more, and can do more, and are secretive members of this hidden sub-culture. Nothing could be further from the truth, but if you know it you still get to be one of those cool people for a little while. Those of us who do understand encryption and see its benefits want everyone to understand the basics and use it as a regular practice. So, now that you know – get to it and install the tools and start sending encrypted communication.
Don’t have anyone to communicate with? One of our public keys is available for download here. Encrypt a message and send it to email@example.com (include your public key) and we’ll send you an encrypted response.