GPG guide/Textual Draft
Random Notes
- Really think about ways that this will be about making the fact that you use GPG part of your online identity, and make this a vector for driving people to the guide. For example, have people put their GPG key up on their blogs and social media sites, with a link (perhaps with logo, graphic, embed code, something cool) to our guide. Is there a good standard way to list this on your FB? Twitter? We can get people to do this even if they are already using GPG.
- Audience: People who are excited about technology and involved in movements like ours, but don't already know how to use GPG. They are computer literate, though, and don't need their hands held through super basic stuff, like clicking next in a Wizard.
- Think about licensing
- How do we visually do the troubleshooting? The different operating systems?
- Name ideas
- Safe email 101
- Encryption 101
- Encrypt your email
- Safe email
- Make it clear that there are two different ways that "signing" is used.
- For signing keys, you could say "and so, if you go on a keyserver and you see that someone has a lot of signatures on their key, you can probably trust them more, because someone has verified their identity." This segues well into an optional description of the need for the Web of Trust, starting with explaining the threat of someone making fake keys to sign their other fake key.
- Why you shouldn't leak your private key: because then someone could both read your mail AND impersonate you
- Does Enigmail automatically refresh keys?
- The default is to import keys without verifying the fingerprint, "locally sign key" is not intuitive at all and to actually verify the fingerprint you need to click yet another button
- Explain key loss
- Explain the need to refresh (is this necessary when using Enigmail?)
- Explain expiration and making new keys
- 2048 bit key with 5 year expiration date
- Adele's key is 0x92AB3FF7 not 0x4D486CC8.
- Explain encryption, then signing keys, then signing messages. Most people teach messages, then keys, but this order flows more naturally?
- Rationale for technical recommendations that we make (like key size and which keyserver to use)
- Links to more detailed descriptions of things on other pages (like how to use keyservers)
- RSA versus DSA
- Saving unencrypted drafts to servers, as per Micah Lee's email to liberationtech
- Link to dedicated keyserver for people to use, run by us, so that we can track who is getting started through our campaign.
- Other email client security settings, like in <https://securityinabox.org/en/thunderbird_security>
- A section on verifying incoming email, like on <http://en.flossmanuals.net/thunderbird-workbook/receive-encrypted-mail/>. Hopefully this can just be worked in to the try it out section
- Different ways of identifying keys.
- Right click Adele's public key and click View Signatures from the context menu. You should see your name at the bottom of the list.
- Credit the Adele Website if we end up using it: <http://www.g-n-u.de/>
- Explain that you can send a signed email to anyone but you can only send an encrypted email to someone who has a public key.
Page elements
- Infographic
- Intro paragraph
- Says it's great to do this with a friend, but we designed it so that it also works fine for one person.
- Step-by-step guide
- Next steps section
Infographic breakdown
Guide breakdown (based loosely on <https://www.enigmail.net/documentation/quickstart.php>)
The idea is for the guide to be broken down into concise steps, with a focus on the actual steps, rather than in-depth explanations of why or how things work. The guide will have a series of sections, each with introductory text. Each section will have a series of steps, each with a number and concise but descriptive name, to make it easy to refer to different parts of it. Each step will have an FAQ-style troubleshooting section, and each entry in the troubleshooting will have a name and a body, which consists of help text. We need to think about the visual presentation of the versions for different operating systems and of the troubleshooting. One possibility is tabs for the operating system and expanding boxes that start collapsed for troubleshooting. Troubleshooting could also be in a separate section at the bottom of the page that looks like an FAQ. Keep in mind that the order and content of the steps may change a lot in development.
Global intro paragraph
The goal of this guide is to make GPG as simple as possible.
Section 1: Get the pieces
Do we want to have people check if they have them first? If so, what's the best way to do it? Alternately, do we want to check that the client is up to date?
Step: Get an Icedove-like email client if you don't already have it
- Check if you have Icedove installed. A variant of this program, like Thunderbird or SeaMonkey, will also work. If you have one of these, skip this step.
- If you don't have it, install it.
Step: Configure your email client for your email account if it isn't already
- Check if you have Thunderbird configured for the email account you want to use. If you do, skip this step.
- Configure it. We may need to link out to another tutorial to avoid covering a huge number of different questions about various mail server configurations.
Step: Get GnuPG if you don't already have it
- Check if you have GnuPG installed. If you do, skip this step.
- Download and install
Step: Install Enigmail
- Check if you have Enigmail installed. If you do, skip this step.
- In your email client, select Tools -> Add-ons, then search "Enigmail" with the search bar in the upper right. You can take it from here. Your email client may require that you restart it to finish installing.
Section 2: Make your keys
What if someone already has the email client configured and it makes the wizard more complicated, like in <https://securityinabox.org/en/thuderbird_encryption#4.2>?
Intro text
Explains the difference between signing and encryption with example cases.
Step: Make a keypair
The wizard claims to run automatically on the first install. Mention that the optimization will put your messages in plaintext, and that if you want to keep HTML as default you can hit Shift while you hit Write? Talk about the fact that any key pair generated using OpenPGP Setup Wizard is automatically based on a 2048-bit structure, and has a lifespan of 5 years. Both these characteristics cannot be changed after the key pair has been generated using this method. Revocation cert?
- In your email client, select OpenPGP -> Setup Wizard. You don't need to read the text in the window that pops up unless you'd like to, but it's good to read the text on the later screens of the wizard.
- On the second screen, titled "Signing," select "No, I want to create per-recipient rules for emails that need to be signed."
- Use the default options until you reach the screen titled "Create Key"
- On the screen titled "Create Key," pick a strong password! Your password should be at least 8 characters and include at least one lower case and upper case letter and at least one punctuation mark. Don't forget it, or all this work will be wasted!
Troubleshooting
- Enigmail detected an existing key on my computer
- I can't find the OpenPGP menu
Step: Upload it to a server
I think the Wizard already does this
- Upload it to this specific server.
Section 3: Try it out!
Now you'll try a test correspondence with a computer program named Adele, which knows how to use encryption. You'd follow the same steps if communicating with a real person. Then you'll send your first signed email to a real person!
Step: Download Adele's public key from a keyserver
- In your email client, go to OpenPGP -> Key Management -> Keyserver -> Search for Keys.
- In the "Search for keys" field, type adele-en@gnupp.de. That's Adele's email address.
- Check the first result (Key ID starting with 9) and hit OK.
Step: Send a test encrypted email
- Write a new email in your mail client, addressed to adele-en@gnupp.de. Make the subject "Encryption test" or something similar and write something in the body.
- Before sending the email, click the icon of the key in the bottom right of the composition window (it should turn yellow). This tells Enigmail to encrypt the email with the key you downloaded in the last step.
- When Adele receives your email, she will use her private key to decrypt it, then fetch your public key from a keyserver and use it to encrypt a response to you.
- It may take two or three minutes for Adele to respond. In the meantime, you might want to skip ahead and check out the Use it well section of this guide.
- When you receive Adele's email and open it, Enigmail will automatically detect that it is encrypted with your public key, and then it will use your private key to decrypt it.
Step: Sign a key
- In your email client, go to OpenPGP -> Key Management.
- Right click on Adele's public key and select Sign Key from the context menu.
- Select "I will not answer" and click OK
- In your email client, go to OpenPGP -> Key Management -> Keyserver -> Upload Public Keys and hit OK.
Step: Send a test signed email to a friend
- Write a new email in your mail client, addressed to a friend. If you want, tell them about this guide!
- Before sending the email, click the icon of the pencil in the bottom right of the composition window (it should turn yellow). This tells Enigmail to sign the email with your private key.
- After you click send, Enigmail will ask you for your password. It will do this any time it needs to use your private key.
Section 4: Use it well
Intro paragraph
Everyone uses this a little differently. Send signed emails in this context. Send encrypted emails in this context. Talk about the Web of Trust.
Step: Make it part of your online identity
- Publish it to your email signature, social media profile, blog, Website, business card in these ways. Put it anywhere that you put your email address.
- Tell your friends about it
Step: Participate in keysigning
- Refer them to the instructions in the previous step
Step: Keep it up to date
- Refresh your keys, especially after some kind of signing has happened that necessitates it
- Keep track of expiration dates
- How to exchange public keys
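The checks this draft asks readers to do by hand (the 2048-bit baseline, keeping track of expiration dates, and verifying a fingerprint before trusting a key, from the notes and the "Keep it up to date" step) can be scripted against GnuPG's machine-readable listing. This is an added example, not code from this draft, from Enigmail or from GnuPG; the `gpg --with-colons --list-keys` sample is constructed, the second key and its owner are invented, and only Adele's key ID 92AB3FF7 comes from the page.

```python
from datetime import datetime, timezone
# Constructed sample of `gpg --with-colons --list-keys` output (dates are epoch seconds).
# Key ID 92AB3FF7 is Adele's (from the guide); the second key is hypothetical and weak.
SAMPLE_LISTING = """\
pub:-:2048:1:ABCDEF0192AB3FF7:1262304000:1420070400::-:::scESC::::::::
fpr:::::::::0123456789ABCDEF01234567ABCDEF0192AB3FF7:
uid:-::::1262304000::DEADBEEF::Adele <adele-en@gnupp.de>::::::::::0:
pub:-:1024:17:1111111111111111:1230768000:1356998400::-:::scESC::::::::
fpr:::::::::FEDCBA9876543210FEDCBA981111111111111111:
uid:-::::1230768000::CAFEBABE::Hypothetical Friend <friend@example.org>::::::::::0:
"""

def parse_keys(listing):
    """One dict per primary key: key ID, size in bits, expiry (None = never), fingerprint."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")  # field layout is documented in GnuPG's doc/DETAILS
        if f[0] == "pub":
            expires = datetime.fromtimestamp(int(f[6]), tz=timezone.utc) if f[6] else None
            keys.append({"keyid": f[4], "bits": int(f[2]), "expires": expires, "fpr": None})
        elif f[0] == "fpr" and keys:  # the fpr record follows the pub it belongs to
            keys[-1]["fpr"] = f[9]
    return keys

def audit_keys(listing, today, warn_days=30, min_bits=2048):
    """Key ID -> findings (expired, expiring soon, below the guide's 2048-bit baseline)."""
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    findings = {}
    for k in parse_keys(listing):
        issues = []
        if k["expires"] is not None:
            left = (k["expires"] - now).days
            if left < 0:
                issues.append("expired")
            elif left <= warn_days:
                issues.append("expires in %d days" % left)
        if k["bits"] < min_bits:
            issues.append("%d-bit key is below the %d-bit baseline" % (k["bits"], min_bits))
        findings[k["keyid"]] = issues
    return findings

def fingerprint_matches(listing, keyid, fingerprint_from_contact):
    """True only if a fingerprint obtained out of band equals the full local one."""
    kid = keyid.upper()[2:] if keyid.lower().startswith("0x") else keyid.upper()
    want = "".join(fingerprint_from_contact.split()).upper()  # ignore spacing and case
    for k in parse_keys(listing):
        if k["keyid"].upper().endswith(kid):
            return k["fpr"] == want
    return False  # key not in the keyring: nothing to compare against
```

Run it against real output with `gpg --with-colons --list-keys` piped into `parse_keys`; a short key ID such as 0x92AB3FF7 is only a lookup handle here, the comparison is always on the full 40-hex-digit fingerprint.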
Next steps breakdown
- Attend or host a keysigning party (is there a good way to find them?)
- An encrypted email group where people talk about encryption: <http://groups.yahoo.com/neo/groups/PGPNET/info>
- Try other encryption technologies: OTR, encrypting your hard drive, Tor
- Link to surveillance collection in directory, or prism-break with free software filter, if that has been set up
- Donate to the FSF or GnuPG, Thunderbird or Enigmail!