<!-- Language list for browsers that do not have JS enabled -->
<ul id="languages" class="os">
- <li><a class="current" href="/en">english</a></li>
- <li><a href="/es">español</a></li>
- <li><a href="/fr">français</a></li>
- <li><a href="/de">deutsch</a></li>
- <li><a href="/it">italiano</a></li>
- <li><a href="/pt-br">português do Brasil</a></li>
- <li><a href="/tr">türkçe</a></li>
- <li><a href="/ro">română</a></li>
- <li><a href="/ru">русский</a></li>
+ <li><a class="current" href="/en">english - v4.0</a></li>
+ <li><a href="/es">español - v3.0</a></li>
+ <li><a href="/fr">français - v3.0</a></li>
+ <li><a href="/de">deutsch - v3.0</a></li>
+ <li><a href="/it">italiano - v3.0</a></li>
+ <li><a href="/pt-br">português do Brasil - v3.0</a></li>
+ <li><a href="/tr">türkçe - v3.0</a></li>
+ <li><a href="/ro">română - v3.0</a></li>
+ <li><a href="/ru">русский - v3.0</a></li>
<!--<li><a href="/ml">മലയാളം</a></li>-->
<!--<li><a href="/ko">한국어</a></li>-->
- <li><a href="/ja">日本語</a></li>
- <li><a href="/el">ελληνικά</a></li>
+ <li><a href="/ja">日本語 - v3.0</a></li>
+ <li><a href="/el">ελληνικά - v3.0</a></li>
<!--<li><a href="/ar">العربية</a></li>-->
+ <li><a href="https://libreplanet.org/wiki/GPG_guide/Translation_Guide"><strong><span style="color: #2F5FAA;">Translate!</span></strong></a></li>
</ul>
<ul id="menu" class="os">
class="share-logo" alt="[Hacker News]">
</a>
</li>
- <li class="spacer">V4.0</li>
</ul>
<!-- ~~~~~~~~~ FSF Introduction ~~~~~~~~~ -->
</p>
<p>
<strong>
- We want to translate this guide into more languages, and make a version for encryption on mobile devices. Please donate, and help people around the world take the first step towards protecting their privacy with free software.
+ Please donate to support Email Self-Defense. We need to keep improving it and making other materials like, for the benefit of people around the world taking the first step towards protecting their privacy.
</strong>
</p>
</div>
<p>Even if you have nothing to hide, using encryption helps protect the privacy of people you communicate with, and makes life difficult for bulk surveillance systems. If you do have something important to hide, you're in good company; these are the same tools that whistleblowers use to protect their identities while shining light on human rights abuses, corruption and other crimes.</p>
-<p>In addition to using encryption, standing up to surveillance requires fighting politically for a <a href="http://gnu.org/philosophy/surveillance-vs-democracy.html">reduction in the amount of data collected on us</a>, but the essential first step is to protect yourself and make surveillance of your communication as difficult as possible. This guide helps you do that. It is designed for beginners, but if you already know the basics of GnuPG or are an experienced free software user, you'll enjoy the advanced tips.</p>
+<p>In addition to using encryption, standing up to surveillance requires fighting politically for a <a href="http://gnu.org/philosophy/surveillance-vs-democracy.html">reduction in the amount of data collected on us</a>, but the essential first step is to protect yourself and make surveillance of your communication as difficult as possible. This guide helps you do that. It is designed for beginners, but if you already know the basics of GnuPG or are an experienced free software user, you'll enjoy the advanced tips and the <a href="workshops.html">guide to teaching your friends</a>.</p>
</div><!-- End .intro -->
<p class="notes">It may take two or three minutes for Edward to respond. In the meantime, you might want to skip ahead and check out the <a href="#section5">Use it Well</a> section of this guide. Once he's responded, head to the next step. From here on, you'll be doing just the same thing as when corresponding with a real person.</p>
-<p>When you open Edward's reply, Enigmail may prompt you for your password before using your private key to decrypt it.</p>
+<p>When you open Edward's reply, GnuPG may prompt you for your password before using your private key to decrypt it.</p>
</div><!-- End .main -->
</div><!-- End #step-3a .step -->
<div id="step-3d" class="step">
<div class="main">
- <h3><em>Step 3.d</em> Send a test signed email to a friend</h3>
+ <h3><em>Step 3.d</em> Send a test signed email</h3>
<p>GnuPG includes a way for you to sign messages and files, verifying that they came from you and that they weren't tampered with along the way. These signatures are stronger than their pen-and-paper cousins -- they're impossible to forge, because they're impossible to create without your private key (another reason to keep your private key safe).</p>
<p>You can sign messages to anyone, so it's a great way to make people aware that you use GnuPG and that they can communicate with you securely. If they don't have GnuPG, they will be able to read your message and see your signature. If they do have GnuPG, they'll also be able to verify that your signature is authentic.</p>
- <p>To sign an email to a friend, click the pencil icon next to the lock icon so that it turns gold. If you sign a message, Enigmail will ask you for your password before it sends the message, because it needs to unlock your private key for signing.</p>
- <p>When the pencil is gold but the lock is grey, the email will be signed but not encrypted. When the pencil is grey and the lock is gold, the email will be encrypted but not signed. When they're both gold, the email will be signed and encrypted.</p>
+ <p>To sign an email to Edward, compose any message to him and click the pencil icon next to the lock icon so that it turns gold. If you sign a message, GnuPG may ask you for your password before it sends the message, because it needs to unlock your private key for signing.</p>
+
+ <p>With the lock and pencil icons, you can choose whether each message will be encrypted, signed, both, or neither.</p>
</div>
</div>
+
+ <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
+ <div id="step-3e" class="step">
+ <div class="main">
+ <h3><em>Step 3.e</em> Receive a response</h3>
+ <p>When Edward receives your email, he will use your public key (which you sent him in <a href="#step-3a">Step 3.A</a>) to verify that your signature is authentic and the message you sent has not been tampered with.</p>
+
+ <p class="notes">It may take two or three minutes for Edward to respond. In the meantime, you might want to skip ahead and check out the <a href="#section5">Use it Well</a> section of this guide.</p>
+
+ <p>Edward's reply will arrive encrypted, because he prefers to use encryption whenever possible. If everything goes according to plan, it should say "Your signature was verified." If your test signed email was also encrypted, he will mention that first.</p>
+ </div><!-- End .main -->
+ </div><!-- End #step-3c .step -->
</div>
</section>
<div>
<!-- ~~~~~~~~~ section introduction: interspersed text ~~~~~~~~~ -->
<div class="section-intro">
- <h2><em>#4</em> Learn the Web of Trust</h2>
-
<p>Email encryption is a powerful technology, but it has a weakness; it requires a way to verify that a person's public key is actually theirs. Otherwise, there would be no way to stop an attacker from making an email address with your friend's name, creating keys to go with it and impersonating your friend. That's why the free software programmers that developed email encryption created keysigning and the Web of Trust.</p>
+<h2><em>#4</em> Learn the Web of Trust</h2>
+<p>Email encryption is a powerful technology, but it has a weakness; it requires a way to verify that a person's public key is actually theirs. Otherwise, there would be no way to stop an attacker from making an email address with your friend's name, creating keys to go with it and impersonating your friend. That's why the free software programmers that developed email encryption created keysigning and the Web of Trust.</p>
-<p>When you sign someone's key, you are publicly saying that you've verified that it belongs to them and not an impostor. Signing keys and messages is the same type mathematical operation, but they carry very different implications. It's a good practice to generally sign your email, but if you casually sign people's keys, you may accidently end up vouching for the identity of an imposter!</p>
-
-<p>People who use your public key can see who has signed it. Once you've used GnuPG for a long time, you may have hundreds of signatures. The Web of Trust is a constellation of GnuPG users, connected to each other by chains of trust expressed through signatures. The more signatures of people you trust a key has, the more trustworthy that key is.</p>
+<p>When you sign someone's key, you are publicly saying that you've verified that it belongs to them and not someone else.</p>
+<p>Signing keys and signing messages use the same type of mathematical operation, but they carry very different implications. It's a good practice to generally sign your email, but if you casually sign people's keys, you may accidently end up vouching for the identity of an imposter.</p>
+<p>People who use your public key can see who has signed it. Once you've used GnuPG for a long time, your key may have hundreds of signatures. You can consider a key to be more trustworthy if it has many signatures from people that you trust. The Web of Trust is a constellation of GnuPG users, connected to each other by chains of trust expressed through signatures.</p>
</div><!-- End .section-intro -->
<h4>Advanced</h4>
<dl>
<dt>Master the Web of Trust</dt>
- <dd>Unfortunately, trust does not spread between users the way <a href="http://fennetic.net/irc/finney.org/~hal/web_of_trust.html">many people think</a>. One of best ways to strengthen the GnuPG community is to properly <a href="https://www.gnupg.org/gph/en/manual/x334.html">understand</a> the web of trust and to carefully sign as many people's keys as <a href="http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html">circumstances</a> permit.</dd>
+ <dd>Unfortunately, trust does not spread between users the way <a href="http://fennetic.net/irc/finney.org/~hal/web_of_trust.html">many people think</a>. One of best ways to strengthen the GnuPG community is to deeply <a href="https://www.gnupg.org/gph/en/manual/x334.html">understand</a> the Web of Trust and to carefully sign as many people's keys as circumstances permit.</dd>
<dt>Set ownertrust</dt>
- <dd>If you trust someone enough to validate other people's keys, you can assign them an ownertrust level through Enigmails's key management window. Right click on the other person's key, go to the "Select Owner Trust" menu option, select the trustlevel and click OK. Only do this once you've read and understand "Master the Web of Trust" above.</dd>
+ <dd>If you trust someone enough to validate other people's keys, you can assign them an ownertrust level through Enigmails's key management window. Right click on the other person's key, go to the "Select Owner Trust" menu option, select the trustlevel and click OK. Only do this once you feel you have a deep understanding of the Web of Trust.</dd>
</dl>
</div><!-- /.troubleshooting -->
</div><!-- End .main -->
<p><img src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/section5-01-use-it-well.png" alt="Section 5: Use it Well" /></p>
</div><!-- /.sidebar -->
<div class="main">
- <h3>When should I encrypt?</h3>
-
- <p>The more you can encrypt your messages, the better. If you only encrypt emails occasionally, each encrypted message could raise a red flag for surveillance systems. If all or most of your email is encrypted, people doing surveillance won't know where to start.</p>
+ <h3>When should I encrypt? When should I sign?</h3>
-<p>That's not to say that only encrypting some of your email isn't helpful -- it's a great start and it makes bulk surveillance more difficult.</p>
+ <p>The more you can encrypt your messages, the better. If you only encrypt emails occasionally, each encrypted message could raise a red flag for surveillance systems. If all or most of your email is encrypted, people doing surveillance won't know where to start. That's not to say that only encrypting some of your email isn't helpful -- it's a great start and it makes bulk surveillance more difficult.</p>
+<p>Unless you don't want to reveal your own identity (which requires other protective measures), there's no reason not to sign every message, whether or not you are encrypting. In addition to allowing those with GnuPG to verify that the message came from you, signing is a non-intrusive way to remind everyone that you use GnuPG and show support for secure communication. If you often send signed messages to people that aren't familiar with GnuPG, it's nice to also include a link to this guide in your standard email signature (we're not referring here to your cryptographic signature, but rather the one that your email program can create by default, which normally includes your name).</p>
</div><!-- End .main -->
</div><!-- End #step-5a .step -->
<div class="main">
<h3>Be wary of invalid keys</h3>
<p>GnuPG makes email safer, but it's still important to watch out for invalid keys, which might have fallen into the wrong hands. Email encrypted with invalid keys might be readable by surveillance programs.</p>
- <p>In your email program, go back to the second email that Edward sent you. Because Edward encrypted it with your public key, it will have a message from Enigmail at the top, which most likely says "Enigmail: Part of this message encrypted."</p>
+ <p>In your email program, go back to the first encrypted email that Edward sent you. Because Edward encrypted it with your public key, it will have a message from Enigmail at the top, which most likely says "Enigmail: Part of this message encrypted."</p>
<p><b>When using GnuPG, make a habit of glancing at that bar. The program will warn you there if you get an email encrypted with a key that can't be trusted.</b></p>
</div><!-- End .main -->
</div><!-- End #step-5b .step -->
<div id="step-5c" class="step">
<div class="main">
<h3>Copy your revocation certificate to somewhere safe</h3>
- <p>Remember when you created your keys and saved the revocation certificate that GnuPG made? It's time to copy that certificate onto the safest digital storage that you have -- the ideal thing is a flash drive, disk, or hard drive stored in a safe place in your home.</p>
+ <p>Remember when you created your keys and saved the revocation certificate that GnuPG made? It's time to copy that certificate onto the safest digital storage that you have -- the ideal thing is a flash drive, disk, or hard drive stored in a safe place in your home, not on a device you carry with you regularly.</p>
<p>If your private key ever gets lost or stolen, you'll need this certificate file to let people know that you are no longer using that keypair.</p>
</div><!-- End .main -->
</div><!-- End #step-5c .step -->
<div id="step-lost_key" class="step">
<div class="main">
<h3><em>Important:</em> act swiftly if someone gets your private key</h3>
- <p>If you lose your private key or someone else gets ahold of it (say, by stealing or cracking your computer), it's important to revoke it immediately before someone else uses it to read your encrypted email or forge your signature. This guide doesn't cover how to revoke a key, but you can follow the <a href="https://www.gnupg.org/gph/en/manual.html#AEN305">instructions on the GnuPG site</a>. After you're done revoking, send an email to everyone with whom you usually use your key to make sure they know.</p>
+ <p>If you lose your private key or someone else gets ahold of it (say, by stealing or cracking your computer), it's important to revoke it immediately before someone else uses it to read your encrypted email or forge your signature. This guide doesn't cover how to revoke a key, but you can follow these <a href="https://www.hackdiary.com/2004/01/18/revoking-a-gpg-key/">instructions</a>. After you're done revoking, make a new key and send an email to everyone with whom you usually use your key to make sure they know, including a copy of your new key.</p>
</div><!-- End .main -->
</div><!-- End #step-lost_key .step-->
<div class="section-intro">
<p style="margin-top: 0px;" class="image"><img src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/workshop-section1.png"></p>
<h2><em>#1</em> Get your friends or community interested </h2> <p>If you hear friends grumbling about their lack of privacy, ask them if they're interested in attending a workshop on Email Self-Defense. If your friends don't grumble about privacy, they may need some convincing. You might even hear the classic "if you've got nothing to hide, you've got nothing to fear" argument against using encryption.</p>
- <p>Here are some arguments you can use to help explain why it's worth it to learn GnuPG. Mix and match whichever you think will make sense to your community:</p>
+ <p>Here are some talking points you can use to help explain why it's worth it to learn GnuPG. Mix and match whichever you think will make sense to your community:</p>
</div><!-- End .section-intro -->
<div class="main">
<h3>Strength in numbers</h3>
- <p>Each person who chooses to resist mass surveillance with encryption makes it easier for others to resist as well. People normalizing the use of strong encryption has multiple powerful effects: it means those that truly need privacy, like potential whistle-blowers and activists, are more likely to learn about encryption. More people using encryption for more things also makes it harder for surveillance systems to single out those that can't afford to be found, and shows solidarity with those people.</p>
+ <p>Each person who chooses to resist mass surveillance with encryption makes it easier for others to resist as well. People normalizing the use of strong encryption has multiple powerful effects: it means those who need privacy the most, like potential whistle-blowers and activists, are more likely to learn about encryption. More people using encryption for more things also makes it harder for surveillance systems to single out those that can't afford to be found, and shows solidarity with those people.</p>
</div><!-- End .main -->
<div class="main">
<h3>People you respect may already be using encryption</h3>
- <p>Many journalists, whistleblowers, activists, and researchers use GnuPG, so your friends might unknowingly have heard of a few people who use it already. You can search for "BEGIN PUBLIC KEY BLOCK" + keyword to help make a list of people and organizations who use GnuPG which your community will likely recognize.</p>
+ <p>Many journalists, whistleblowers, activists, and researchers use GnuPG, so your friends might unknowingly have heard of a few people who use it already. You can search for "BEGIN PUBLIC KEY BLOCK" + keyword to help make a list of people and organizations who use GnuPG who your community will likely recognize.</p>
</div><!-- End .main -->
<div class="main">
<p>In the physical realm, we take window blinds, envelopes, and closed doors for granted as ways of protecting our privacy. Why should the digital realm be any different?</p>
</div><!-- End .main -->
+ <div class="main">
+ <h3>We shouldn't have to trust our email providers with our privacy</h3>
+ <p>Some email providers are very trustworthy, but many have incentives not to protect your privacy and security. To be empowered digital citizens, we need to build our own security from the bottom up.</p>
+ </div><!-- End .main -->
+
</div><!-- End #step-2a .step -->
<h2><em>#2</em> Plan The Workshop</h2>
<p>Once you've got at least one interested friend, pick a date and start planning out the workshop. Tell participants to bring their computer and ID (for signing each other's keys). Also tell the participants to bring dice (for making passwords), but also bring as many as you can, in case they don't. Make sure the location you select has an easily accessible Internet connection, and make backup plans in case the connection stops working on the day of the workshop. Libraries, coffee shops, and community centers make great locations. Try to get all the participants to set up an Enigmail-compatible email client before the event. Direct them to their email provider's IT department or help page if they run into errors.</p><p>
</p><p>Estimate that the workshop will take forty minutes plus ten minutes for each participant, at a minimum. Plan extra time for questions and technical glitches.</p>
- <p>The success of the workshop requires understanding and catering to the unique backgrounds and needs of each group of participants. Workshops should stay small, so that each participant receives more individualized instruction. If more than a handful of people want to participate, keep the facilitator to participant ratio low by recruiting more facilitators, or by facilitating multiple workshops. Small workshops among friends work great!</p>
+ <p>The success of the workshop requires understanding and catering to the unique backgrounds and needs of each group of participants. Workshops should stay small, so that each participant receives more individualized instruction. If more than a handful of people want to participate, keep the facilitator to participant ratio high by recruiting more facilitators, or by facilitating multiple workshops. Small workshops among friends work great!</p>
</div><!-- End .section-intro -->
<h2><em>#3</em> Follow the guide as a group</h2>
<p>Work through the Email Self-Defense guide a step at time as a group. Talk about the steps in detail, but make sure not to overload the participants with minutia. Pitch the bulk of your instructions to the least tech-savvy participants. Make sure all the participants complete each step before the group moves on to the next one. Consider facilitating secondary workshops afterwards for people that had trouble grasping the concepts, or those that grasped them quickly and want to learn more.</p>
<p>Even powerful surveillance systems can't break private keys when they're protected by lengthy Diceware passphrases. Make sure participants use the Diceware method, if dice are available. Stress the importance of eventually destroying the piece of paper the Diceware password is written on, and make sure all the participants back up their revocation certificates.</p>
- <p>In <a href="index.html#section2">Section 2</a> of the guide, make sure the participants upload their keys to the same keyserver so that they can immediately download each other's keys later (sometimes there is a delay in synchronization between keyservers). During <a href="index.html#section3">Section 3</a>, give the participants the option to send
encrypted messages to each other instead of or as well as Edward. Similarly, in <a href="index.html#section4">Section 4</a>, encourage the participants to sign each other's keys.</p>
+ <p>In <a href="index.html#section2">Section 2</a> of the guide, make sure the participants upload their keys to the same keyserver so that they can immediately download each other's keys later (sometimes there is a delay in synchronization between keyservers). During <a href="index.html#section3">Section 3</a>, give the participants the option to send
test messages to each other instead of or as well as Edward. Similarly, in <a href="index.html#section4">Section 4</a>, encourage the participants to sign each other's keys.</p>
</div><!-- End .section-intro -->
</div>
<!-- ~~~~~~~~~ section introduction: interspersed text ~~~~~~~~~ -->
<div class="section-intro" style="border: none; padding-bottom: 0px; margin-bottom: 0px;">
<h2><em>#4</em> Explain the pitfalls</h2>
- <p>Remind participants that encryption works only when it's explicitly used; they won't be able to send an encrypted email to someone who hasn't already set up encryption. Also remind participants to double-check the encryption icon before hitting send, and that subjects and timestamps are never encrypted. See the guide's <a href="index.html#step-headers_unencrypted">Security Tips</a> subsection for more information.</p>
- <p>Advocate for free software, because without it, we can't <a href="https://www.fsf.org/bulletin/2013/fall/how-can-free-software-protect-us-from-surveillance">meaningfully resist invasions of our digital privacy and autonomy</a>. Explain the <a href="https://www.gnu.org/proprietary/proprietary.html">dangers of running a proprietary system</a>, and why GnuPG <a href="https://www.gnu.org/philosophy/proprietary-surveillance.html">can't begin to mitigate them</a>.</p>
+ <p>Remind participants that encryption works only when it's explicitly used; they won't be able to send an encrypted email to someone who hasn't already set up encryption. Also remind participants to double-check the encryption icon before hitting send, and that subjects and timestamps are never encrypted.</p>
+ <p> Explain the <a href="https://www.gnu.org/proprietary/proprietary.html">dangers of running a proprietary system</a> and advocate for free software, because without it, we can't <a href="https://www.fsf.org/bulletin/2013/fall/how-can-free-software-protect-us-from-surveillance">meaningfully resist invasions of our digital privacy and autonomy</a>.</p>
<!-- ~~~~~~~~~ section introduction: interspersed text ~~~~~~~~~ -->
<div class="section-intro" style="border: none; padding-bottom: 0px; margin-bottom: 0px;">
<h2><em>#6</em> Follow up</h2>
- <p>Encourage the participants to continue to gain GnuPG experience by emailing each other, and considering offering to correspond with them in encrypted form. If you don't hear from them for a couple of weeks after the event, reach out and see if they would like additional assistance.</p>
+ <p>Encourage the participants to continue to gain GnuPG experience by emailing each other, and offer to correspond with them in encrypted form. If you don't hear from them for a couple of weeks after the event, reach out and see if they would like additional assistance.</p>
<p>If you have any suggestions for improving this workshop guide, please let us know at <a href="mailto:campaigns@fsf.org">campaigns@fsf.org</a>.</p>
</div><!-- End .section-intro -->
projects / enc.git / commitdiff