GnuPG: The What and the Why (For Me, Anyway)27 Feb 2011 in Security
I'm a big advocate of GnuPG, the Free implementation of the OpenPGP standard. I've even recently begun to use a smart card for storing my keys. I've also answered some questions about why I do this, so I thought I'd write about it here. Put simply: the Bill of Rights is important to me. My privacy is important to me. Security is important to me. OpenPGP can help me protect the things that are important to me.
I firmly believe that people have an inherent right to privacy, especially against the government and major corporations (which are increasingly one and the same). Some parts of this are embodied in the 4th and 5th amendment to the constitution. Encrypting e-mail and data protects the contents thereof from being read by anyone other than myself and/or the intended recipient. This protects my e-mail against unlawful search (I have no objections to moral, lawful searches), accidental disclosure, snooping by someone at a coffee shop (though SSL helps with that as well) or any number of other privacy-invading cases. While, at the present, I have no need for this level of encryption, I'd rather have the tools and not need them than to discover a need and not have the tools.
Signing my e-mail protects my identity. Assuming that my keys are not compromised and the recipients of my e-mail correctly use an OpenPGP-compliant tool, it would be impossible for anyone else to masquerade as me and send signed e-mail. (No, I don't sign all my e-mail. But if it's important, it's probably signed.) Simply put, it's a proof of authorship.
Finally, as someone interested in information security, I think that using GnuPG is just a good practice. If nothing else, it helps me understand crypto better, which will make me a better information security engineer. Accordingly, I strongly encourage anyone else even interested in information security to install and learn to use GnuPG.
I currently use a master key (0x5DEA789B) that is kept under a very strong passphrase and is kept offline on a flash drive and 2 CD-ROMs. This key is used ONLY to sign my own keys and the keys of others. I do NOT bring it to keysignings: instead, I collect fingerprints, verify IDs, etc., and then sign the keys when I get home.
My master key has been used to generate 3 subkeys which are kept on a smart card. I have one each of a Sign, Encrypt, and Authenticate key. My Sign key is used for just that: signing documents, including e-mails. The Encrypt key is the key to which others should encrypt messages intended for me (don't worry, your OpenPGP-compliant application will pick this automatically). My authenticate key is what I am now using to authenticate to SSH servers. My server has now been configured to allow only key-based logins (i.e., no password based authentication). This, by the way, is wicked cool -- I have combined GPG+SSH into one system so I can just carry the one card (ok, and a reader) and get access essentially anywhere with the portable GnuPG.
Next up, I'll be looking at monkeysphere to manage SSH logins using these keys. So go ahead, give GnuPG a try -- you never know when you'll need it.