If you haven’t read my Secure PGP Primer post, now would be a good time to do so and familiarize yourself with the basics of how PGP works. I will presume the reader knows the basics well enough to understand this content.
Before diving into a PGP configuration, take a few minutes and reflect on what you plan to do with your PGP identity. A few good questions to ask yourself:
- Why am I doing this? A great first step is understanding your use case. Is this a low-risk endeavor (something you’re doing for fun or learning), is it medium risk (you’re protecting business assets), or is it high risk (your life depends on secrecy)? Is it business or personal? Should it be both?

  Understanding your own use case will help you make smart choices in securing your PGP identities. You don’t want a hasty choice right now that leads to serious consequences later on.

- Who will be my primary recipients? Are these people you know and trust, or are they strangers? How many people do you expect to communicate with using this identity? This will determine how you want to distribute your public key, and whether you will want to use a key server. Keyservers introduce a whole other set of questions, like “public or private?” If the former, what email will you use in your identity? If the latter, how will the right people know to find and use it? Think this part through.

- How many devices will I be using? You will be using your private keyring to decrypt and sign messages. Will you be doing this on one computer, or will you be using laptops? What about public computers? A good strategy is to set up subkeys and revocation certificates for each device. That way, if a device is stolen or compromised, you don’t need to revoke the entire identity, just the subkeys used for that device.

- How will I secure my keys and revocation certs? Your master private key and any revocation certificates are vital to the integrity of your PGP identity. If they’re lost or stolen, you will never be able to decrypt anything intended for you again, nor will you be able to revoke the identity so that people know not to use it. In short, it will be a bad time.

  It’s a very smart idea to back up your keys and revocation certs to a non-volatile medium like a USB drive. You could even print them out on paper. Lock the backup someplace secure like a safe or safety deposit box.

- Do I need maximum security or maximum speed? Something in between? PGP supports a number of encryption ciphers, each with its own set of strengths. Generally, the strongest ciphers are the slowest to use, while the fastest ciphers are the least secure. Any of them will give you enough security to thwart script kiddies and casual hackers. What’s most important to you will depend on your use case. In this guide, we’re going for maximum strength.
Giving some thought to questions like this will help you understand why I’m recommending the items in my next post on securely sharing PGP identities across devices.
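The per-device subkey strategy from the devices question above, as an added example that is not from the original post: a certify-only master key, a separate signing and encryption subkey pair for each device exported on its own (so a lost device means revoking two subkeys, not the identity), and the revocation certificate GnuPG writes at creation time. It assumes GnuPG 2.1 or newer on PATH; the identity string and device names are made up.

```shell
#!/bin/sh
# Added example, not the original post's code. Builds one certify-only master key,
# a sign+encrypt subkey pair per device (each pair exported by itself), and locates
# the revocation certificate. Assumes GnuPG 2.1+; identity and devices are constructed.
set -eu

export GNUPGHOME="$(mktemp -d)"          # throwaway keyring, never your real ~/.gnupg
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
UID_STR="Example User <example@example.invalid>"   # constructed identity

# Unattended gpg: no TTY prompts, empty passphrase (demo only; use a real one)
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null; }

# Fingerprints of every subkey under the master key, in creation order
subkey_fprs() {
  g --with-colons --list-keys "$FPR" |
    awk -F: '$1=="sub"{s=1;next} s&&$1=="fpr"{print $10;s=0}'
}
count_subkeys() { subkey_fprs | wc -l | tr -d ' '; }

build_identity() {
  # 1. Master key that can only certify: it vouches for subkeys and otherwise stays offline
  g --quick-generate-key "$UID_STR" ed25519 cert never
  FPR=$(g --with-colons --list-keys "$UID_STR" | awk -F: '$1=="fpr"{print $10;exit}')

  # 2. One signing and one encryption subkey per device, expiring after a year
  for dev in laptop phone; do
    g --quick-add-key "$FPR" ed25519 sign 1y
    g --quick-add-key "$FPR" cv25519 encr 1y
    # Export only this device's two newest subkeys; the master secret key becomes a
    # stub, so a stolen device can be revoked without touching the identity itself
    sel=""
    for f in $(subkey_fprs | tail -n 2); do sel="$sel $f!"; done
    g --armor --export-secret-subkeys $sel > "$GNUPGHOME/$dev-subkeys.asc"
  done

  # 3. GnuPG 2.1+ writes a revocation certificate for the whole identity at creation
  # time; back it up offline together with the master key, as the post advises
  REVOKE_CERT="$GNUPGHOME/openpgp-revocs.d/$FPR.rev"
}

if command -v gpg >/dev/null 2>&1; then
  build_identity
  echo "master $FPR has $(count_subkeys) subkeys; revocation cert: $REVOKE_CERT"
fi
```

Each `<device>-subkeys.asc` file is what that device imports; the master secret key and the `.rev` file never leave the backup.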