[How to] GPG and Signing Data

related

1 minute read

GNU Privacy Guard (GPG) uses public and private keys to secure communications (public-key cryptography). Many people use it to encrypt their email or other documents. An email encrypted with a user's public key can then only be decrypted with the same user's private key. This provides end-to-end encryption of the message, meaning that it is impractical for anyone that is listening in on the conversation to get the message in transit.


This is, of course, good and bad. For example, Google and other email providers use email text to gain intelligence about the user, sell user information and do better ad targeting. This revenue stream keeps these services free, but users pay for it in terms of 'sold' privacy. Email using end-to-end encryption cannot be analyzed for useful marketing information. Because of this, these providers don't want to make it easy for mass encryption.

On the other hand, criminals also use Cloud-based email services. Making encryption somewhat difficult means that sloppy criminals are less likely to use encryption. If so, they may be easier to detect and catch.

Related Book: Lucas, Michael. PGP & GPG: Email for the Practical Paranoid. No Starch Press. 2006.

Whether you are paranoid and want all your emails encrypted (good luck), or you are trying to implement a personal or business data classification policy, GPG can help with encryption requirements.

Beyond encryption, GPG is useful for signing data. This is not exactly a signature that you would put on a document. Instead it is a signature that verifies that the data is correct. The video below describes how to sign data.



Signing data lets your contacts know that the data has not been modified from the time it left your possession. Signing is NOT encryption. Everyone could see the contents. Singing just allows your contact to know the data came from you, and it is in it's original state.

Leave a Comment