Yesterday, I’ve created my personal GPG key.
The description of GPG (or GnuPG) from the official website is:
GnuPG is the GNU project’s complete and free implementation of the OpenPGP standard as defined by RFC4880. GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories.
A really quick explanation of the process used by GPG can be found on the Wikipedia entry:
GnuPG encrypts messages using asymmetric keypairs individually generated by GnuPG users. The resulting public keys may be exchanged with other users in a variety of ways, such as Internet key servers. They must always be exchanged carefully to prevent identity spoofing by corrupting public key / “owner” identity correspondences. It is also possible to add a cryptographic digital signature to a message, so the message integrity and sender can be verified, if a particular correspondence relied upon has not been corrupted.
Basically, each GPG user create 2 paired keys: a public key and a private key. The public key is available on key servers to anyone, can be retrieved by its ID and verified with its fingerprint. When A wants to send an encrypted message to B, she uses B’s public key to encrypt the message. Then B can use her private key to decrypt the message. A can also sign her message, by using her private key. Then B can use A’s public key to check the integrity of the message. Yes I just re-explained the basics of asymmetric encryption. Also, I say “message”, but the encryption can of course be applied to all types of documents.
So, back to me. The issues of electronic surveillance these days are starting to worry me. Every few days, new revelations from Snowden/Greenwald make the news. The NSA is watching everything, recording everything. Or at least they can do it. And when a relatively secret organisation has the capacities to do something, we have to assume that they do it.
That’s why I’ve created a GPG key. My key details are:
- email address: firstname.lastname@example.org
- GPG key ID: 09AA30F2
- GPG key fingerprint: 2933 37C4 175C 879C 6192 406A C4DA 3A6A 09AA 30F2
I’m not a hacktivist. Not a hacker. Not a whistle-blower. My life is not in danger if a government has access to my emails and personal data. But I still want to be able to protect my privacy against a generalised surveillance. I think everybody should do that. Even if this is a bit hypocritical, since I’m still using Google products, I think that every little step is an improvement.