How to Communicate Secretly on the Internet via GPG

in technology •  8 years ago  (edited)



So let's say you want to send over a password, a private key, or a secret message to somebody. How can you do that if your ISP, e-mail provider and everyone else on that connection is potentially spying on it?


Why would you need private communication?

Well, of course you should not give out passwords that you don't want to share, but there may be cases where you might want to trade a password for something. For example, giving out your WiFi password to your trusted neighbor, where you only want him to see it and nobody else. Or trading gift cards, or even digital tokens: in Bitcrystals you can trade blockchain-based cards, I believe.


Why would you need private communication if you are not a criminal?

This is bullshit, but everyone always implies that only criminals need privacy. This is false. Aside from the use cases mentioned above, even businessmen need privacy in order to communicate their business strategy secretly. You might have a good business or investment plan and you don't want anyone else to know about it but the person you are sharing it with online. You might have a very profitable trading strategy that you only share with a few trusted people... and so on.


Why are "normal" communication methods not good?

Well, you have all these e-mail providers, instant messengers, mobile apps, that promise you on their mother's life that they won't spy on you... but of course they do it anyway.

Even with the VPN providers that I have talked about earlier, especially those that keep their location undisclosed, you can't know for sure whether they are legitimate service providers or honeypots set up by criminals to spy on you and steal all your personal data.

So the Internet is the most watched place, and if you do need to send over sensitive information, then you should only do that with GPG.


What is GPG?

GPG is software that provides asymmetric encryption for private data that you want to send over an insecure channel like the Internet. It was specifically designed for this purpose.

You get your recipient's public key, which is public by default, like a telephone number. He might not give it out to everyone, but even if it leaks it's no big deal, since by itself it doesn't contain anything sensitive.

The message that you are sending out (which must be > 16 bytes I believe, so more than 2 words, and a maximum of 4 GB in size) is encrypted with the public key, and as long as the plaintext is not made public (which is the whole point), it can only be decrypted with the recipient's private key, which he is hopefully storing securely.

So this provides a secure one-way communication channel with a recipient, and if you have a GPG key as well, then the recipient can message you back securely, creating a two-way communication channel.


Grab your recipient's GPG key

First grab the GPG key of the recipient. I am going to use the key of the Electrum developers, which can be found here:

Note that the key ID is 0x7F9470E6, but this ID could be forged so we use the fingerprint to verify it which is:
6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6

This is like a checksum which is unique to that particular key, so if the checksum matches, then the integrity/authenticity of the key is verified. To verify the fingerprint, enter in the console:
gpg --fingerprint 0x7F9470E6

The key can also be obtained through GPG with a simple command:
gpg --receive-keys 0x7F9470E6

However, the fingerprint still has to be verified by checking it against trusted sources. The key itself is that long random text (if in ASCII), so if the recipient e-mails you his key, it has to begin with -----BEGIN PGP PUBLIC KEY BLOCK----- and end with -----END PGP PUBLIC KEY BLOCK-----. Don't add any spaces or word wrap or anything, otherwise it will be incorrect. There is also a binary format, which is not preferable since, who knows, it could be malware, so the text format is better.

But if the privacy of the public key itself is not an issue, then it can just be uploaded to the MIT server or one of the public GPG servers, like a phone book, and then people can look it up and use the gpg --receive-keys <keyID> command to grab it. And don't forget to verify the fingerprint of the key with gpg --fingerprint <keyID>!


Sending a Message

1) To send a message, write your message in a text file, and save it like:

file.txt

2) Then open up the console in the same directory and enter the following:

gpg --encrypt -a -r <KEYID> -o <OUTPUT> <INPUT>

Which in our case is:
gpg --encrypt -a -r 0x7F9470E6 -o encryptedfile.txt file.txt

3) Send the encryptedfile.txt to your recipient over e-mail or any other medium, and only he can read it, nobody else!

4) Delete the plaintext file, possibly entirely as described in this tutorial

Example:


2.png

3.png

This warning always comes up when you import a new key: the software expects you to set the trust level of the key to high after you have verified the fingerprint. This is to avoid impostors, since anyone could impersonate anyone, which is why a long web of trust has to be built, as I explained here.

Just enter "Y" after you have confirmed that the fingerprint belongs to the recipient you want to talk with.

4.png

The encrypted file looks like this, and it can be sent over safely, since only the recipient can decrypt it. If the file is encrypted without the -a option, gpg generates binary output which can’t be opened in a text editor. That is what you would want if you send the file over as a file, but if you just copy the message itself (with the header and footer text as it is) and send it over like a PM or in the body of an e-mail, then the ASCII version is preferable.

The -a option is called “armoring”, which basically makes the file ASCII-readable; without it a binary file is made by default. So don’t get scared if you find a binary message or a binary public key, those can be imported too. But of course the ASCII version is preferable, the binary version might be malware.
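
The fingerprint check and the encrypt command from the steps above, combined so that encryption only happens after all 40 digits of the fingerprint match the trusted copy. This is an added example, not part of the original post; the function names and the two colon-format listings are assumptions made up for illustration (only the fingerprint and key ID come from the post).

```shell
#!/bin/sh
# Added example, not from the original post. Listings below are constructed.

TRUSTED='6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6'  # from the post

# Constructed `gpg --with-colons --fingerprint` output. Only the first fpr value
# comes from the post; the second is a made-up key ending in the same 8 digits.
GOOD_LISTING='pub:-:4096:1:2BD5824B7F9470E6:0:::-:::scESC:
fpr:::::::::6694D8DE7BE8EE5631BED9502BD5824B7F9470E6:'
LOOKALIKE_LISTING='pub:-:4096:1:89ABCDEF7F9470E6:0:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF7F9470E6:'

# "0x6694 d8de ..." -> "6694D8DE...": drop whitespace and 0x, uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Primary key fingerprint = field 10 of the first "fpr" record on stdin.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Short key ID = last 8 hex digits of the fingerprint (the forgeable part).
short_id() {
    normalize_fpr "$1" | sed 's/.*\(........\)$/\1/'
}

# fpr_matches TRUSTED ACTUAL: 0 if all 40 digits agree, 1 if not,
# 2 if TRUSTED is not a full 40-digit fingerprint (e.g. only a key ID).
fpr_matches() {
    want=$(normalize_fpr "$1")
    have=$(normalize_fpr "$2")
    [ "${#want}" -eq 40 ] || return 2
    case $want in *[!0-9A-F]*) return 2 ;; esac
    [ "$want" = "$have" ]
}

# verify_then_encrypt KEYID TRUSTED_FPR INPUT OUTPUT: runs the real gpg and
# encrypts to the verified fingerprint instead of the short ID.
verify_then_encrypt() {
    actual=$(gpg --with-colons --fingerprint "$1" | primary_fpr) || return 1
    fpr_matches "$2" "$actual" || { echo 'fingerprint mismatch' >&2; return 1; }
    gpg --encrypt -a -r "$actual" -o "$4" "$3"
}
```

With the key imported, `verify_then_encrypt 0x7F9470E6 "$TRUSTED" file.txt encryptedfile.txt` replaces the manual compare-then-encrypt sequence; the trusted fingerprint must come from a source other than the keyserver the key was fetched from.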


Receive a Message

To decrypt a secret message that you receive, you have to have your own key loaded into GPG first, so if you don’t have your own key, you have to make one. And of course your sender has to encrypt his secret message with your public key, so before you can receive a message securely you have to give your public key to your partner. So a public key exchange is usually done before communication, like a phone number exchange.

To decrypt a secret message just enter:
gpg --decrypt <filename>

And then enter the password to your key. Obviously you have to take care of your GPG key just as your recipient does, otherwise, if it’s compromised, anyone can send messages on your behalf, impersonating you. So the GPG passwords and the private keys have to be kept secret; only the public keys can be revealed.


Sources:
https://pixabay.com



Wow, super post. I like it.

Great information thanks! You are also right that privacy is fundamental as a human being and doesn't mean you are a criminal.

Great post. This is the first time I am getting to know about GPG, and I'd like to know if you know any highly recognized body or intelligence agency that makes use of this tech. I believe mentioning them will give more authenticity to this post. Apart from that, you did a great job.

GPG is very much used amongst software developers, not just to communicate but also to certify software. GPG is not just a communication format, it's also an identity/reputation system.

I like your aggressive writing style. Totally agree, the argument "oh if you don't have anything to hide, why do you care if everything is under surveillance" is total bullshit.

seems Pretty Good Privacy to me.
Fun playing with it.

Steemit has excellent message encryption built into the memo fields. Just start your memo with a # and only the recipient will be able to read it!