GPG Basics... (Noob questions)

Confused Guy's Avatar

Confused Guy

06 Sep, 2015 06:35 PM

Hi!

I am VERY new to cryptography/security stuff. I wasn't able to find the questions on the disc/elsewhere (or maybe I wasn't searching properly...)

I have three main questions w/ additional info below:

1) How do I know/choose subkeys for encryption/signing?
2) How does sharing my public key work?
3) Can I access old encrypted mail from another computer/email address?

  1. My understanding is that it will pick one of my subkeys for E and one for S (I have two subkeys for each). I also have four emails (USER IDs?) connected to one master.
    So does this mean when I compose a message from any of those four id's it will pick one of the two E sub-keys and the same for the S?
    I HOPE THAT IS CLEAR!!! sorry.

2)
I understand that I can right click my master and click export (leaving the secret unchecked) and sent that file to people... alternatively i can just right click and "mail public key"
However, can people know what user IDs/master is attached to the key I send them?
I ask because say I have AAAA - [email blocked] (four emails)
What if [email blocked] is a government email address and [email blocked] is a political activist one?

Can the activists see AAAA, and the gov't see BBBB? (exposing my double-agent status)
Also, if either party intercepts an email, can't they just decrypt it using the encryption key sent to them, since they would be the same for both?

3) Lastly, I wonder if I can still open encrypted emails if I forward them to other accounts?
E.g. I encrypt from [email blocked] and send to BBBB (or the other two emails) ... I also forward a copy to my girlfriend... can I later access the email form my GF's account if I have a backup with the secret (and passphrase???) or do I have to be on one of my original four accounts??? Bah so confused...
___________________END OF RELEVANT STUFF ________
as a BONUS >>> Non-GPG Security <<<

TL;DR,
Safest way to secure information? Is it redundant and useless to Encrypt a .7z in a DMG? They both use AES… Aes 256 > Aes 128???
What’s the most secure encryption???
I am down to scrap all my extra measures below in favour of something simpler…
Can I store PW information using GPG on an email?
Is it safe*, or should I stick to the dmg/7z scheme…

Ultimate goal:
I want to be able to access all of my stuff if I get locked out from any service.
Not only that, but I need to be able to access this stuff offline, and if I am Stripped-naked… that is, e.g. I am lost in the dessert.

How do I securely store files/documents/text (text being the most important....)

So far I have my files on Google Drive, Drop Box, and One Drive encrypted using a .DMG and/or 7z inside the dmg... is it extra-secure to do the double-encryption?

I also have copies of passwords inside those encrypted files, also encrypted (PDF encryption)...

On top of that, I have all my passwords and "important things" e.g. SSN, driver's license, credit card info, whatever in there too… (bad idea?)

but then I also have all of that same information on Lastpass. I also have an encrypted file on the Secure Notes (using .DMG and 7Z combo again) that has my GPG Keys!

as an additional precaution, I exported my Lastpass info to an encrypted document and sent it to an email that I do not use and have no record of password (memorized!)… this is Tutanota by the way… protonmail has me waiting.

I don’t know why I’m going crazy with all these precautions, but I want to know which ones are useful/useless or maybe devise a better scheme….

Password 1: Memorized
My “failsafe” is my Tutanota email, where I have all of my information stored in a .7Z.
I do not use this and only will in an Emergency, or when I am at home. (Private Internet Access VPN is safer than home internet… right???)

Password 2: Memorized
Same password for computer and my Lastpass… I type these manually.

Password 3 + Variants: Memorized, but variants of one password
These are used to encrypt the DMGs/.7z’s and PDFs

password X = not memorized.
Dropbox, all of my emails, and all of my sites have unique and random passwords stored in Lastpass (and also backed up, as stated, in Dropbox, google drive, and One drive. although behind the double wall of extra security)…

On top of this, I have an offline USB copy of all those things that I have stashed under my bed. I also use Sesame as 2FA (and/or my phone) for everything…

HOLY CRAP THIS IS SO CONVOLUTED…. Will re-write hopefully after I am done my paper

  1. 1 Posted by Fastidious on 24 Sep, 2015 10:04 PM

    Fastidious's Avatar

    Use openssl for what you want. You do not need gpg.

  2. 2 Posted by Mento on 27 Oct, 2015 01:04 PM

    Mento's Avatar

    Hi,

    sorry for the late answer.

    1.) By default gpg2 uses the newest valid subkey for the operation. You have to use gpg2 direct in the Terminal, if you want a specific subkey to be used.

    2.) If you are an undercover agent, you should create two independent keys. Everyone who gets your public key can see all userIDs, because the userIDs are included in the key-block.

    2b.) gpg2 uses public-key-cryptography. This means an activist can encrypt a message with your public key, but only the person with the secret key (you) can decrypt it. Neither the government nor the activist can decrypt it anymore. GPGMail always encrypts a mail you send with your and the recipients keys, so you can read your sent mails.

    3.) If you forward the whole encrypted mail, you can decrypt it at any time, at any computer, as long as you have your secret key and the passphrase.

    The most secure encryption is called "One-time pad", but this isn't handy.
    It's not useless nor redundant to encrypt an encrypted file (if you use another password), but the security gain is minimal. I would recommend to only encrypt once with a very strong password.
    AES-256 is more secure than AES-128. You should also use a strong password with more than 20 characters.

    It is safe to store passwords in encrypted mail using gpg, if you don't "loose" your secret key.

    VPN can be more safe if used in the right way.

    Never use the same password twice!

    I hope i've answered all of your questions. Don't hesitate to ask more questions, but give me some time to answer :)

    Regards, Mento

  3. 3 Posted by Jame Frichittha... on 05 Nov, 2015 04:03 AM

    Jame Frichitthavong's Avatar

    Oh my god. Thank you so much for the reply. I almost didn’t see this - it ended up in my junk mail.

    Luckily I searched my computer for “gpg” because I forgot my passphrase!!! (thank you Mac Spotlight)

    You are my hero!

    Thank you!

    Jame

    You have helped more than enough, but if you’re bored:

    If you have any ELI5 (non-technical) links/guides for cyber security stuff that would be amazing! I’m learning VPN stuff at the moment, but need to go back to the drawing board in terms of everything. I mainly want to ensure privacy for both my internet activity, and my files/passwords!

    I’m using a vpn (Private Internet Access), and I’m planning on putting my Lastpass information export (with all of my passwords and sensitive info) in an email encrypted with GPG to be dispersed to all of my email accounts (just in case I get locked out of one!)

  4. Support Staff 4 Posted by Steve on 18 Nov, 2015 12:12 PM

    Steve's Avatar

    Jame, I suggest to discuss the other matters on some security / privacy mailing list or discussion forum.

    Glad, this is solved for you. I'm closing this discussion. If you need further assistance or have questions you can re-open this discussion here or open a new one any time.

    Best, steve

  5. Steve closed this discussion on 18 Nov, 2015 12:12 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac