Using the Internet Securely

A guide on GPG/PGP keys and best practices for online security.

#security
#encryption
#privacy
#pgp
#gpg

March 16, 2025 · 3 min read

The internet is a powerful tool, but it comes with risks. Securing your online presence is essential to protect your data, privacy, and communications. One of the most effective tools for encryption and authentication is GNU Privacy Guard (GnuPG), which implements the Pretty Good Privacy (PGP) standard. This guide covers the basics of GPG/PGP keys and general security practices for safer internet usage.

Understanding GPG/PGP Keys

PGP and GPG use public-key cryptography to encrypt and sign data. Each user has a key pair:

  • Public Key: Shared with others to encrypt messages for you.
  • Private Key: Kept secret and used to decrypt messages and sign data.

By using GPG, you can send encrypted emails, verify software integrity, and authenticate communications.

Generating a GPG Key

To create a new GPG key:

  1. Install GPG:

    • Linux/macOS: Check installation with gpg --version. If not installed, install it using:
      • macOS: brew install gnupg
      • Linux (Debian-based): sudo apt install gnupg
    • Windows: Use Gpg4win
  2. Generate a key:

    gpg --full-generate-key
    

    Follow the prompts to select key type, size, and expiration.

  3. Export your public key:

    gpg --export --armor your@email.com > publickey.asc
    
  4. Share the public key so others can encrypt messages for you. You can upload it to a keyserver like:

Encrypting and Signing Messages

To encrypt a message:

echo "Confidential message" | gpg --encrypt --armor -r recipient@email.com

To sign a message:

echo "Important document" | gpg --clearsign

To verify a signed message:

gpg --verify message.asc

For more details, refer to the GPG Command Line Guide.

General Internet Security Practices

Use Strong, Unique Passwords

  • Avoid reusing passwords across different sites.
  • Use a password manager to store and generate strong passwords.
  • Recommended Password Manager: GNU Pass (A simple command-line password manager using GPG encryption).
  • Alternative: KeePassXC (A libre, cross-platform password manager).

Secure Your Email and Communications

  • Use end-to-end encrypted email services like ProtonMail.
  • Consider self-hosted email solutions for full privacy, such as SnappyMail (a lightweight, privacy-focused webmail client).
  • Prefer encrypted messaging apps like Element (Matrix-based).

Keep Software Updated

  • Regularly update your operating system, browser, and software.
  • Avoid using outdated plugins and extensions that may introduce vulnerabilities.
  • Enable automatic updates wherever possible.

Browse the Web Safely

  • Always use HTTPS.

  • Avoid clicking on suspicious links or downloading unknown attachments.

  • Use a privacy-focused browser like:

    • LibreWolf (A hardened fork of Firefox with enhanced privacy settings).
    • Tor Browser (For anonymous browsing via the Tor network).
    • Firefox (Configure it for privacy).
  • Consider using a libre VPN like Mullvad or Riseup VPN to hide your IP address and encrypt traffic.

Verify Software Integrity

When downloading software, always check its authenticity by verifying its GPG signature:

gpg --verify software.sig software.tar.gz

Most open-source projects provide GPG signatures for their releases, which can be verified against their public keys. Check the project's official website for details.

For example, verifying an Arch Linux ISO download:

  1. Download the public key:
    gpg --recv-keys 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
    
  2. Verify the signature:
    gpg --verify archlinux-2025.03.01-x86_64.iso.sig archlinux-2025.03.01-x86_64.iso
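
A "Good signature" line only says the file was signed by some key in your keyring, so the check that matters is that the signer is the key the project publishes. The following added example (not part of the original post) parses GnuPG's `--status-fd` output and accepts a download only if the signer's fingerprint equals a pinned value; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): pin the signer, do not just
# trust "Good signature". Function names are this example's own.

# Read GnuPG --status-fd output on stdin; print the primary-key fingerprint
# of the signer only if exactly one valid, unexpired, unrevoked signature
# is reported. VALIDSIG field 12 is the primary key, field 3 the signing key.
signer_fingerprint() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3); n++ }
        END { if (!bad && n == 1) print fpr }
    '
}

# matches_pinned FINGERPRINT: succeed only if the status output on stdin
# names that fingerprint (spaces and letter case in the pin are ignored).
matches_pinned() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(signer_fingerprint)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_pinned SIGFILE DATAFILE FINGERPRINT: run gpg and apply the pin.
verify_pinned() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | matches_pinned "$3"
}

# Constructed status output for offline testing (the fingerprint is the one
# given in the post; the user ID and timestamps are made up).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76A5EF9054449A5C Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C 2025-03-01 1740787200 0 4 0 1 8 00 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C'
```

Call it as `verify_pinned archlinux-2025.03.01-x86_64.iso.sig archlinux-2025.03.01-x86_64.iso 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C`, taking the fingerprint from the project's official website rather than from the same place as the download.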
    

Conclusion

Online security is an ongoing effort. By using GPG for encryption and authentication, along with adopting strong security habits, you can significantly reduce your risk of data theft and surveillance. Stay informed, keep your software updated, and be cautious when sharing information online.

For further learning:
