Pretty Good Privacy
As our readers know, we at LUBRINCO are big believers in encryption. We encrypt our telephone calls using the Privatel™ 960V telephone encryptor from L3 Communications, and encrypt e-mail and files with Pretty Good Privacy. Although we have reviewed the Privatel, we have never really discussed PGP® or OpenPGP (the publicly shared standard) programs. We will not discuss every feature of Pretty Good Privacy programs here, and we will discuss only Windows software. Our goal is to give you an overview of the main features of several programs for encrypting, decrypting, and signing files and e-mail messages; the specific features will be found on the vendors’ Web sites.
PGP, developed by Phil Zimmermann, works on a public/private key principle. You have a private key, which you keep to yourself and use to decrypt files and messages encrypted to you, and a public key, which you hand out and which others use to encrypt files to you. Files and messages can be encrypted to multiple keys, and prudence says you should set the program to always add your own key when you encrypt anything for others, so that you can read it, too.
Each version of PGP and OpenPGP has a mechanism for generating your key, and for getting the keys of others from online keyservers. They give you choices in key length, with longer keys being theoretically more difficult to crack. We suggest choosing the custom option, and then choosing the largest number allowed. The reason for this is that in the old days, when we were running 6 MHz processors on our PCs, it took a long time to generate a long key. Today, with fast processors, the longest keys possible generate very quickly, so don’t skimp. Bear in mind, though, that the key is only as safe as the passphrase protecting it; a long key behind a short passphrase buys you little. If you lose your private key you are completely out of luck, and will not be able to read encrypted messages, nor restore encrypted files, so be sure to back up your private key, and keep it somewhere recoverable after the flood. Generate a revocation certificate at the same time and keep it with the backup; without one you cannot revoke a key whose private half is gone. Alternatively, or in addition, make the key valid for only a short period of time – say six months – so that if you lose it, or forget your passphrase, people won’t think it is still valid.
Once you have made your public key you can send it to others, and once you have the public keys of others you can send them encrypted messages. You can also sign messages with PGP, which lets the receiver confirm both that the message, encrypted or unencrypted, came from the holder of your private key and that it has not been tampered with since.
Since the functioning of most versions is very similar, we will spend a good deal of time discussing the features of the first product we cover, and avoid repeating the same discussion for the following products. Please do not take this lack of re-discussion of features to mean we didn’t like the product. It merely means that we have already discussed that specific feature or feature set.
PGP 6.5.8 is an older freeware version of PGP. It is in theory obsolete, but can still be found on the Internet in a number of places, and you can find a good tutorial on its use at.
While in theory PGP 6.5.8 is not supported under Windows XP, XP is nonetheless the platform on which we happily ran it. Note also that the freeware version is not for commercial use. We don’t encourage theft of services, so if you want to use it in your business, you should buy a license from PGP Corporation. Since this product is no longer supported, you will likely end up buying the license for their current product (which we discuss below) and using it to cover the freeware version.
6.5.8 installs easily using standard installation software, and integrates nicely into your system, with an icon (PGPtray) in the system tray at the bottom of your screen, and some choices added to the right-click menu in Windows Explorer. If you want to encrypt a file, you merely select it in Windows Explorer, click with the right button, choose PGP/Encrypt, choose to whom you want it encrypted (always set PGP to add your own key to anything it encrypts), enter your passphrase, and you will have a second copy, encrypted, with the same name but a new extension of .pgp. The original plaintext copy stays where it was; if it should not remain on the disk, wipe it with the secure wipe feature described below.
To send encrypted e-mail you have many choices.
• You can put the text into a document, encrypt the document, and attach it to your e-mail message. We often send encrypted Word documents, or encrypted Acrobat files.
• Copy the text (it goes to the clipboard), click on PGPtray and select clipboard/encrypt (the encrypted text will be put into the clipboard), then do a paste into your e-mail.
• Click on the PGPtray, select Current Window/Encrypt. Whatever text is in the current window will be replaced with the encrypted text.
• If there is a plug-in for your e-mail client (Eudora, Outlook, or Outlook Express; The Bat!, the e-mail client we use, supplies its own) you can just tell your e-mail program to do the encryption. Plug-ins have fallen into disfavor, as they are difficult to write and to keep current as the mail software changes.
Any of these options takes mere seconds, though having the e-mail client handle the work makes encrypting (tell it to encrypt) and decrypting (tell it to decrypt) trivial.
Decrypting is equally simple. If you decrypt manually (as opposed to having the e-mail program do the work) you either copy the encrypted text and do a Clipboard/Decrypt & Verify, which places the decrypted text in your clipboard, or do a Current Window/Decrypt & Verify, which shows you the decrypted text and gives you the option to put it in the clipboard. You then paste the decrypted message into Notepad or Word, or whatever other program you choose. The “Verify” half of the operation checks the signature, if there is one; look at that result and not just at the readable text, since a message that decrypts is not thereby shown to come from the person it claims to be from.
You can attach an encrypted file to your encrypted e-mail. To do this you encrypt the file manually, as described earlier, and then attach it as you would any other file.
Finally, this version includes the ability to securely wipe files, which overwrites them so they cannot be read, and deletes the unreadable file.
This early version of FileCrypt Desktop is an OpenPGP variant that comes from Veridis SA and costs $49. In its current state, FileCrypt does not add a system tray icon, nor tamper with the right-button options. Instead, when you start the program it brings you to the key manager, where the File option includes choices to encrypt, to sign, or to encrypt and sign. The dialog box includes the option to choose a file, or to choose the clipboard. Encrypted files can be attached to e-mail, and the encrypted clipboard can be pasted into an e-mail (or anywhere else, for that matter).
To decrypt, you select File/Open, and either select an encrypted file (which will place a decrypted version in the specified location) or the clipboard (which will place the decrypted text in the clipboard).
We are told by the folks at Veridis that the next version of FileCrypt Desktop will integrate a system tray icon, a shell extension (the right-button stuff), and an Outlook plug-in, as well as other updates. This version should be available sometime in October.
The operation of the version of FileCrypt Desktop we tried was straightforward, swift, and trivial to use, and we expect the new version will be equally so.
Another OpenPGP entry, FileAssurity OpenPGP (FAOPGP), comes from Articsoft.
FAOPGP integrates with the system, adding an item to the system tray, and changing the behavior of the right mouse click in Windows Explorer to allow you to encrypt, decrypt, or wipe. But in order to do any of these things, you need to sign in to the application using a password you set when you install the program. This password is not the same as the longer passphrase you use to encrypt and decrypt.
While much of the operation of FAOPGP is similar to that of the previously described programs, this program handles e-mail in an interesting fashion that avoids the potential problems associated with plug-ins. To select files to encrypt and e-mail, you select the files in Windows Explorer, click on the selection with the right mouse button, and select Protect. This brings up a panel that allows you to select to whom it will be encrypted, and the option to send as an e-mail. If you choose the e-mail option, you can also choose to add an encrypted message. This opens an editing panel into which you can type your message. When you click on Protect, it opens your e-mail program and presents you with a message ready for sending.
FileAssurity OpenPGP is fast and easy to use, and a reasonable choice if you don’t want to use plug-ins, but still want a fairly integrated manner of sending encrypted e-mail.
PGP® Desktop Home 9.0 and PGP® Desktop Professional 9.0
Finally, we come to the versions for home and small business users from PGP Corporation. PGP Corporation offers their Home version for $99 and the Professional version for $79 to $199, depending on subscription (http://www1.pgpstore.com/product.html?productid=300023322). As best we can see, the primary difference between the two is that PGP Whole Disk Encryption and support for enterprise messaging (Lotus Notes and Microsoft Exchange) are not included in the Home version. Both versions allow encryption of e-mail and, interestingly, instant messages.
This is a very complex program, and installation is likely to require some help. Unfortunately, we purchased licenses some months before we planned to install them for testing. As it turned out, we should have read the small print: free installation support is available only for 30 days after purchase, so by the time we did the install we had to rely on the kindness of strangers at the PGP support forum for help. It took about two months to get the program up and running, and one of our associates, co-opted for this exercise, simply threw in the towel after a week of frustration, even with the advice we were able to give him based on our experience.
Installing and using this program is like playing Go Fish with your five-year-old niece, with new rules appearing at each draw of the cards. As an example, we thought the program was working, but when we checked the message log we discovered that messages were being sent out unencrypted. We were told that the keys needed to be validated, and that if a key is not validated it will not be used, with the only notification being, after the fact, an entry in the message log. In other words, the program fails open: an unvalidated key gets you plaintext on the wire rather than an error. How do you validate a key? According to the help file you do it by checking the key’s fingerprint. In fact, you do it by signing the key: checking the fingerprint with its owner is how you satisfy yourself that the key is genuine, and signing it is how you tell PGP that you have done so. The details we will not go into here.
In addition, PGP Desktop 9 doesn’t play well with others. The warning on the bottle, er, installation notes, says that if you run Norton AntiVirus 2005 (which we do) you have to disable scanning of incoming and outgoing e-mail. And if you use the VPN the FBI hands out for InfraGard communications (which we do), you have a problem because it won’t co-exist with PGP Desktop 9. And even with the helpful efforts of the programming staff at Firetrust we were never able to make it work with Benign, which we use.
But let us assume, for the sake of argument, that you work in a corporate environment with all your software compatible with PGP, and that you are able to get the program installed and running, i.e., that you have an experienced IT staff at your disposal, and don’t have to do it yourself. In this case you end up with a pretty nifty product.
The integration with Windows Explorer is consistent with that previously described, and the Current Window and Clipboard features seen in other versions are also part of the PGPtray options. Handling of e-mail to those with known keys, however, is now totally automated, with PGP avoiding the plug-in issue by acting as a local e-mail proxy between your mail client and the mail server. Thus, when we send an e-mail with attachments, PGP Desktop 9 (astonishingly, this worked, sort of) recognizes that there is a key, encrypts the text, encrypts the files, and sends the whole kit and caboodle. Well, usually: sometimes it doesn’t seem to encrypt messages, and sometimes it doesn’t encrypt attachments, but this could be the fault of our not-certified e-mail client, or operator error. Either way, a proxy that decides on its own is one you should check up on, and the message log is the place to do it.
When you get encrypted e-mail, PGP Desktop will automatically decrypt both the messages and the attachments before they hit your e-mail client, so that you are never aware that anything has been encrypted at all. The flip side is that what lands in your mail store is plaintext. If you like to have encrypted documents stored encrypted, you can either copy the attachment somewhere and re-encrypt it, or make an encrypted directory on your hard drive and store this information there.
In any case, if you have a good IT staff that can actually get the program working (we have no reason to believe that this is not possible: the fact that we were not able to do something doesn’t mean that others won’t be able to), and if you have users who should be using encryption but sometimes forget, this program will automate the process for them, taking the decision as to when to encrypt completely out of their hands.
And the bottom line is…
Encryption, whether of voice or documents, is very important. For voice, get a Privatel. For document and e-mail encryption, choose one of the PGP or OpenPGP programs available to you – and there are more available than we have discussed here, particularly for the large-scale corporate user. One will surely meet your needs. Find it and use it.