At school, I often spent hours with my friends devising either our own language or creating invisible ink out of lemons in order to be able to pass notes to each other during class. We would always get caught, but that didn’t stop us! The notes we had written were either invisible or complete gibberish to somebody that wasn’t fluent in our little made up language. In essence, we were able to keep our messages secure and encrypted long before we even knew what those words meant.
GPG is a simple method of encrypting messages for specific persons and works by using keys held by both parties. Each party must create their own, individual GPG key – typically 4,096 bytes. The key is then associated with a name and email address to identify it in the future and secured with a passphrase (a very strong password of your choosing). If using GnuPG (recommended), this will create a signing and decrypting key pair, with sub keys. If in the future your keys are compromised, a revocation certificate is needed to revoke them and render them useless.
Once the keys are created, they can be exported to a public keyserver such as https://keyserver.2ndquadrant.com/ which stores keys, fingerprints, and names. In order to retrieve someone else’s key, one must receive their public key fingerprint which will then be compared to the public key fingerprint of the key found on the keyserver. If there is a match, the keys can then be imported into the user’s keyring. Once the key holder’s identity has been verified the key can then be trusted, which is a confirmation of the validity of the key.
To send a message, the sender can write it in a text document and then encrypt it using their key. They will have to specify who they are encrypting the message for so they are able to decode it. Once the message is encrypted, it will show as a PGP message block of text:
The recipient can then copy and paste the text into a file on their own system and decrypt it to reveal the encrypted message inside!
This is a very important feature when handling classified or sensitive information as it is very difficult to decrypt a message without the intended decryption key. If the keys are lost or inaccessible due to a lost passphrase, the data encrypted by the keys is rendered inaccessible. This is an unfortunate risk of GPG encryption, but it is far outweighed by the positives!
GPG encryption can take the security stance of a journalist to another level and add some crucial security layers for information transfer online.
The author Julia L is an NCSC CyberFirst University Bursary Student, she spent her eight-week 2021 summer placement with GCA.