GnuPG neophyte inquiries.

Robert J. Hansen rjh at sixdemonbag.org
Sun Aug 20 16:13:55 CEST 2006


Caitlin wrote:
> 1). My roommate and I share a WinXP box. If I install GnuPG 1.4.5 on
> it, would this represent a potential security concern?

We can't answer this question with a 'yes' or a 'no'.  Decisions about
security are up to you.  We can hopefully give you some questions which
will help you make your decision, though.

1.  Do you trust your roommate?

2.  Do you trust Windows XP?

If both questions are answered 'yes', then it's very unlikely sharing a
Windows XP box with your roommate would present a security concern.  But
if you don't trust your roommate, or you don't trust Windows XP, then
pretty much anything you do on your PC needs to be considered
suspect--not just GnuPG.

> 2). Would I have to copy and paste encrypted messages received via
> email to a disk (for example) then transport them to the machine
> mentioned in #1 for decryption?

Usually, you run GnuPG on the same machine you receive email on.  If you
do that, then there are many mail clients that offer excellent GnuPG
integration.  (Shameless plug: Mozilla Thunderbird, available from
http://mozilla.com, has a GnuPG plug-in called Enigmail, available from
http://enigmail.mozdev.org.  I have had excellent results with this setup.)

> 3). If a security issue arises with the version of GnuPG I'm using,
> what happens to my keyring, private key, etc. when I upgrade?

That depends on what security issue is discovered.  If it's a bug in how
the keys are generated or stored, then you may have to generate a new
pair.  If it's a bug elsewhere in GnuPG, then your keyring, public key,
private key, configuration file, etc., will be absolutely unchanged.

Bugs of the first sort are very rare.  To my recollection there's only
been one such bug since GnuPG hit 1.0, and it affected only about 1,000
people.

> 4). How secure (generally speaking) is installing GnuPG on a flash
> drive and using it for all GnuPG related activity? I'm a college
> student and security on the campus network is clearly of paramount
> importance.

You may want to look into something called Portable Thunderbird, which
is a Thunderbird + Enigmail installation meant to be run from a flash
drive.  Without knowing particulars of your environment it's hard to
give you simple answers, but I can tell you that many people use
Portable Thunderbird in such environments with strong success.

However, I'd strongly recommend keeping anti-virus software on your home
PC and checking your flash drive for infection whenever you come back
home after using a campus PC.  University computers tend to be breeding
grounds for all sorts of nasty things.




