GnuPG neophyte inquiries.

Graham gct3 at blueyonder.co.uk
Sun Aug 20 15:34:51 CEST 2006


On Sunday 20 August 2006 6:31 am, Caitlin wrote:

> Hi all.

Hi and welcome :-)

> Ok. I'm quite interested in GnuPG but I felt compelled to ask a few
> questions. Ready?
>
> 1). My roommate and I share a WinXP box. If I install GnuPG 1.4.5 on
> it, would this represent a potential security concern?

There should be no security problems.  Only you will know your 
passphrase, but if you let anybody have access to your passphrases, 
then they will be able to decrypt messages on your box.  I take it that 
you use different (passworded) accounts and therefore you would not 
normally gain access to the data of your roommate, and he/she not your 
data. To keep things extra secure, however, I would keep your keyring 
separate and download it into your machine before use and delete the 
keyring on ending your session.

> 2). Would I have to copy and paste encrypted messages received via
> email to a disk (for example) then transport them to the machine
> mentioned in #1 for decryption?

Depending upon the email program you use, this should be done 
automatically.  I would suggest you use Thunderbird as your email 
program with the Enigmail extension to handle GnuPG, but you may wish 
to stick with another.  Just make sure it supports the OpenPGP 
standard.

> 3). If a security issue arises with the version of GnuPG I'm using,
> what happens to my keyring, private key, etc. when I upgrade? I'm
> assuming I would have to send my friends/associates a newly generated
> public key so we could resume communication?

People are trying all the time to find chinks in GnuPG's armour in order 
that the security and stability of the program is maintained.  They do 
occasionally find chinks and as these are reported to the GnuPG 
developers a new version is very quickly out.  It all depends on the 
security risk, but I have never had to generate new keys for this 
purpose in the six years I've been using GnuPG.  There is an OpenPGP 
standard to which GnuPG adheres, so there shouldn't be any reason why 
your keyring, private keys, etc. can't be used with a new version of 
GnuPG.

> 4). How secure (generally speaking) is installing GnuPG on a flash
> drive and using it for all GnuPG related activity? I'm a college
> student and security on the campus network is clearly of paramount
> importance.

As I am (although a VERY mature student!).  There is no problem with 
security (other than general problems with Windows security) in using a 
flash drive.  It all depends if you are using a machine that will 
recognise your flash drive.  What I do under Linux is carry my keyring 
on an SD/MMC card and connect a card reader to the USB port of the 
machine.  It is then recognised as a mass storage device.  I point the 
email program to GnuPG and my keyring at its location.  I'm not sure 
how I would do it under WinXP, but you might like to look up WinPT, a 
front end for GnuPG on Windows.

-- 

Graham