Backing up encryption keys and remembering pass phrases
Encryption is increasingly important, and there are many excellent encryption programs, including the non-commercial freeware version of PGP® (Pretty Good Privacy®) available for download within the U.S. at http://web.mit.edu/network/pgp.html and internationally at http://www.pgpi.org/products/pgp/versions/freeware/, and for commercial use within the U.S. at http://www.pgp.com/.
Encryption programs work well with most major e-mail programs, so sending and receiving encrypted messages is easy. In addition, any file, including image files, programs, DOC files, and others, can be encrypted. The encryption program can also be used to sign a document – even an unencrypted document – so that the reader can be assured that nobody has tampered with the message.
For those who imprudently don’t use encryption, let us give you a brief overview of the mechanics of the process. First, you have someone install the software on your computer. Then you choose a pass phrase (as opposed to a password). In order for encryption to work properly, you need to have a pass phrase that is of reasonable length, that can’t be guessed by others (as often happens with a simple password), and that you can remember! The program will generate a private key used by you to encrypt and decrypt your messages, and a public key used by others to send messages to you. In general, you want the longest key you can get, since today’s PCs aren’t bothered by high bit encryption requirements. Once this is done, you can post your key online so that other people can find it (the encryption program will handle this for you), and start collecting other people’s public keys (easy to do, and we aren’t going to discuss the details here).
You then have someone set up your email program so that you can click a button, select the receiver’s public key, and, voilà, the message is sent encrypted. When you get an encrypted message, you click on a button, enter your pass phrase, and the message is decrypted.
You also need to back up your private and public key rings in some safe place, so that if your computer dies or is stolen you don’t have to start from scratch. Some don’t keep their keys on their computer, preferring the added security of total separation, which is fine but you then have to secure the diskettes on which you have copies of your keys.
In the last week we have received a spate of calls from people who used encryption, but who had forgotten their pass phrases, or who had somehow managed to lose the computer key rings. Make your pass phrase one you can remember. Back up the key rings in some safe place, by which we mean that you should be able to recover them if your computer loses its hard drive, is stolen, or is destroyed.
If you cannot recover your keys, they are useless, and you will have to generate new ones. And if you cannot remember your pass phrase you will not be able to decrypt messages sent to you.
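One way to make the key-ring backup described above verifiable before you ever need it, as an added Python example that is not from the article or from PGP itself: it copies the public and secret key rings to a backup location together with a SHA-256 manifest, and a restore refuses to proceed if any ring is missing or has been altered. The ring file names and their contents are constructed stand-ins, not real key material.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed stand-ins for the two files PGP keeps locally (public and secret key rings).
SAMPLE_RINGS = {"pubring.pkr": b"constructed public ring",
                "secring.skr": b"constructed secret ring"}

def backup_key_rings(ring_dir: Path, backup_dir: Path) -> dict:
    """Copy each ring to backup_dir and record its SHA-256 in a manifest."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for ring in sorted(ring_dir.iterdir()):
        data = ring.read_bytes()
        (backup_dir / ring.name).write_bytes(data)
        manifest[ring.name] = hashlib.sha256(data).hexdigest()
    (backup_dir / "manifest.json").write_text(json.dumps(manifest))
    return manifest

def verify_backup(backup_dir: Path) -> dict:
    """Recheck every digest; a missing or altered ring reports False."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    status = {}
    for name, expected in manifest.items():
        path = backup_dir / name
        status[name] = path.exists() and hashlib.sha256(path.read_bytes()).hexdigest() == expected
    return status

def restore_key_rings(backup_dir: Path, ring_dir: Path) -> bool:
    """Restore only when every ring verifies; otherwise refuse (return False)."""
    status = verify_backup(backup_dir)
    if not all(status.values()):
        return False
    ring_dir.mkdir(parents=True, exist_ok=True)
    for name in status:
        (ring_dir / name).write_bytes((backup_dir / name).read_bytes())
    return True

def demo() -> tuple:
    # Round trip in a temporary directory, then simulate a damaged secret ring.
    with tempfile.TemporaryDirectory() as tmp:
        rings, backup, out = (Path(tmp, d) for d in ("rings", "backup", "out"))
        rings.mkdir()
        for name, data in SAMPLE_RINGS.items():
            (rings / name).write_bytes(data)
        backup_key_rings(rings, backup)
        ok_before = restore_key_rings(backup, out)
        (backup / "secring.skr").write_bytes(b"\x00 damaged \x00")  # bit rot on the backup medium
        return ok_before, restore_key_rings(backup, out), verify_backup(backup)
```

Run the verification step periodically against the actual backup medium; a backup that has never been read back is not yet known to be recoverable.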