For The Love of Encryption You Need Pretty Good Privacy

Estimated Reading Time: 11 minutes, 46 seconds

The use of command line tools are frightening to many, and too often, the task of encrypting data has been forwarded to third-party platforms such as WhatsApp which claim to be end-to-end encrypted (E2EE).

When one needs to transfer data that is considered sensitive, trusted third parties are most certainly security holes. In these instances, encryption needs to be made as simple as possible.

Let us talk about OpenKeychain.

OpenKeychain is a mobile application available for download to Android users in either the Play Store or on F-droid. It is a simple, yet powerful tool for privacy and security, and we are going to break down the steps to get you  started with using the tools to encrypt your files and communication.

STEP 1 – KEY CREATION

When the application is downloaded and opened, you will be met with a screen offering you the chance to Create My Key.

Make that selection, and you will next be asked to provide information to associate with this particular PGP key. This is very important, as you will need to make a decision beforehand whether

1. this will be a key you will be associating with your identity or your pseudonym and will be shared across social media.
2. if this key is just for you to deal with highly personal or sensitive information and will need to be kept to yourself.

Make your decision, and input the information. The same goes for the next section, which asks for your email address to be associated with this key. Similarly, this email address will be tied to this key, and to the name you associate with the same key.

If publicly sharing for others to contact you in a more private and secure way, you may want to  include your personal email. If not, create a new email using protonmail, or tutanota and enter it into this section.

Once completed, you will be presented with an overview of the information you entered, and given the option to publish your key on keyservers, and the ability to finish and create your PGP key now. Not so fast!

Before completing the creation of your PGP key, let us take a look at the key configuration and decide on any changes that we would like to make.

STEP 2 – KEY CONFIGURATION

Select the menu by pressing the 3 dots in the top right corner. A popup will appear offering the ability to Change Key Configuration; click that button.

On the key configuration screen, you will see the name and email address you entered at the top. At the bottom you should see two default subkeys showing RSA,3072 bit as the description.

We are going to make that first subkey just a bit stronger; select it. This will open a menu providing several options for the functionality of the key, as well as a drop down menu toward the top which provides options for the type and strength of the encryption.

Select the drop down menu, and lets us buff up the encryption a little more from 3072 bit to the RSA 4096 option. Select RSA 4096

Generic descriptions of the timeframes these keys are expected to be considered secure are provided alongside each option.

RSA 1024 keys have been broken and insecure for some time, and we are of the opinion that we RSA 2048 keys will be broken within the next 5-10 years. Note, this is just our opinion and we could be completely wrong it may take 1 year, it may take another 20.  If you want to learn more about ECC keys, look into them here.

Next is the key functionality. This particular subkey will be used for signing messages. Select Sign from the menu options next, then select OK.

STEP 3 – COMPLETE KEY CREATION

You will be returned to the key configuration page, and should see your information as well as two subkeys, one marked with RSA, 4096 bit and one marked with RSA, 3072 bit. Select the second, the RSA, 3072 bit subkey and you will notice it disappears.

Do not worry, select Add Subkey and we will replace it with an even stronger one. Repeat the process done with the previous subkey by selecting RSA 4096 from the drop down menu. This time though, instead of signing, this key will be doing the encrypting of messages. Select Encrypt from the menu options, and then OK.

Once you have completed this process,

1. Ensure your name and email information appear correctly on the configuration page.
2. You should see two subkeys at the bottom just like when we began this process, only now they should both read RSA, 4096 bit in the description.
3. If all this is correct, select the Save button in the top right corner, and you will be returned to the key creation page.

To publish or not to publish, that is the question. We are back to deciding whether this key will be uploaded to keyservers. Now keyservers are essentially big, public rolodexes of public PGP keys uploaded by users for querying. This can be done using the fingerprint or other information on sites such as the Ubuntu Keyserver or various others.

Our general rule of thumb at this point is to default to not uploading your key at this time. The reason is quite simple: you can always go back and upload to keyservers at any time. You would not want to upload a key and then wish it were not public.

Leave that box unchecked and instead select Create Key in the bottom right hand corner.

STEP 4 – HOUSEKEEPING

It may take a few moments to generate the key, or it may not. It all depends on the device you are using. When finished, you will see your key listed then on the keys page.

If you select the shown key, it will reveal some details about the key you just made; there’s no need to go into that option right now. What you want to do is click on your key and look at the section dealing with the key “health”. There should be a box with a green check saying Healthy, that there are no key issues found. Click that box to expand it.

You will see now the functional ability of your key to confirm other keys, sign messages, and decrypt messages. It is all green and good to go from here. Congratulations! You have properly created a strong RSA 4096 PGP key and are ready to start encrypting!

How do I use it?

STEP 5 – IMPORT A PGP KEY

Let us say you have been interacting with us on social media, end-to-end encrypted communications platforms, etc., doing our courses or perusing the articles on our website. Wouldn’t it be great to have some extra verification that the entity you are engaging with is us?

Firstly you would require our public PGP key.

Long press on mobile then expand the highlighted area to cover the key completely. That means all the way to the beginning of -----BEGIN PGP PUBLIC KEY BLOCK, and all the way to the end of END PGP PUBLIC KEY BLOCK-----.

Once you have highlighted the entire key, copy the selected text and go to OpenKeychain on your mobile device.

In the Keys tab of the application, select the + fast action button on the bottom right of the screen, and then choose Import From File.

The next screen will have nothing to show. Click the 3 dots in the top right corner and you will be presented with a popup which says Read From Clipboard. Remember you have our key in your clipboard, so select that button and you should be presented with our key and the opportunity to import it into your keyring.

Select Import and there you have it! You now have our public key in your keyring, as well as your own private key. To be safe, you can select our key from the Keys tab in the app, and you should see a page detailing whether or not our key is also marked as “Healthy”.

Since everything looks good, we are good to move on to verifying messages that have been signed by us, cryptographically.

STEP 6 – VERIFICATION

For that, you need a message from us that we have cryptographically signed using the same key hosted at https://cvhodl.com/pgp. We have that right here.
Copy the entire message, again all the way from the first -----BEGIN PGP SIGNED MESSAGE to the last END PGP SIGNATURE-----. Once copied, return to OpenKeychain. From the Keys tab you will select the menu button in the top left corner and then select the Encrypt/Decrypt tab.

Inside that tab you will see different options available to encrypt or decrypt messages and files. For your use case, since you already have the PGP signed message copied to your clipboard, select Read From Clipboard from the choices.

The application will go through the process of using our public key you imported and the private key you created for yourself earlier to decrypt and verify the validity of the PGP signature. If it is a good signature, you should see the name associated with the key used to sign the message, in this case cvhodl, as well as the actual message.

Note that is says Signed By Unconfirmed Key. This has confused persons in the past into thinking that the signature is invalid, but it is not. It means you have not indicated to the OpenKeychain application that you have verified the fingerprint matches the key – essentially saying that you have verified that the owner of this key is actually CVHODL. Preferably this would be done in person, by scanning a QR code, but for your purposes it is not necessary.

We have verified that the entity that owns the public PGP key posted at https://cvhodl.com/pgp is the same entity in control of the CVHODL website, and the message is asserting ownership of the key as well.

STEP 7 – CONFIRM PGP FINGERPRINT

Traditionally the color orange signals a warning and green means good. Now that you have verified key ownership via a cryptographically signed message, since you cannot physically verify the keys by scanning, we will confirm using the fingerprint.

Click the three dots to the top right of the screen and then Confirm with fingerprint.

This will then bring you to the confirmation page. Before clicking Fingerprints Match, you need to compare them to the ones published somewhere (if they were published).

Visit our Keybase Profile and compare the last 4 groups of alphanumeric characters to the ones in OpenKeychain. If they match, click Fingerprints Match.

Once you are satisfied, click Confirm Key.

Congratulations! You have successfully verified our key ownership. Note – not everyone publishes their PGP key fingerprint on Keybase. Some publish them on their websites or social media. If you cannot scan there key QR code or verify their fingerprint in person, inquire if/where they have published them or have them send it to you via an encrypted message.

STEP 7 – ENCRYPTED COMMUNICATION

Now that your confidence has increased that you are are in fact engaging with the CVHODL, it is time to create an encrypted message that only you and us will be able to decrypt and read.

Only we will have the proper cryptographic key combination to do so, and because of this, it enables us to communicate more sensitive information privately over distance using digital communication.

The first thing to do is to click on CVHODL from the Keys tab in the app. You will see near the top of the screen a messaging icon with a lock on it.

Select that icon and you will be taken to a screen to encrypt a message only we can read. To ensure this, next you will need to select the key you wish to sign and encrypt this message with.

If you select the drop down menu, you will see your PGP key as an option. Select your key, and then begin constructing your private message. What would you say to us if you knew for sure that only we would be able to read what it says? Let us guess:

Once you have ensured all that information is correct, select the “Share” icon in the top right corner. You would be presented with whatever messaging apps you have installed on your device, or you can just copy it to your clipboard and then paste the message in your preferred E2EE messaging app, email or social media DM’s. It will look a little something like this to everyone else:

That Wasn’t So Hard, Now Was It?

You have now,

1. created your own personal PGP key,
2. imported andconfirmed another entity’s key,
3. verified a PGP signed message, and then encrypted your very own personal message all on mobile using nothing more than copy/paste.

OpenKeychain makes using PGP easy enough for anyone to do it. You will find yourself scouring the internet for posted public keys of people you interact with so that you can turn your Social Media DM’s and private communication from a honeypot of data just waiting to be exposed into an encrypted jumble of characters that Big Data and the Government cannot simply crack.

There are very few acceptable reasons to not use PGP when needed or necessary, and just one more way to eliminate so much dependency on those security holes known as trusted third parties. For more info or practice feel free to drop us some (encrypted) messages on Matrix, Signal or Session!

Our mission is to be your leading resource for learning and exploring the world of cryptocurrency, finance, and alternative investing. Since most of our content is FREE, your support goes a long way to helping us continue providing you with value. Here are some ways you can help:

• If you enjoyed reading this article, click here to tweet to tell others about it.
• Book a call with us
• Sign up for 1 and 1 consulting
• Buy something from our shop to support our work
• Join the discussion on matrix and access many resources

Have a question? Send us a message on Session.

Session ID: CVHODL