Offline, transport-agnostic, PGP-like encryption but for humans
  • I've been using Gpg4win to exchange private information with a small number of people I couldn't contact otherwise (or that we had previously agreed about not transmitting elsewhere). While my girlfriend is fine with this despite the UX, my parents just don't manage it well, which caused a few problems while I was in a different country.

    What typically gets them is the requirement to copy&paste the whole armoured message block, from -----BEGIN PGP MESSAGE----- to -----END PGP MESSAGE-----. They can botch the newline after the BEGIN line, or forget some dashes, or forget the BEGIN and END lines, resulting in an honest but mostly unhelpful message from Kleopatra telling them that their text doesn't look like an OpenPGP message. I can't rely on the mail client to do it right for them because one of them uses web-mail; besides, we could be using a different transport.

    I guess we could exchange UTF-8 encoded .txt.gpg files to avoid the problems with armoured blocks, just like we exchange other encrypted files, but is there other software we could use instead?

    Being transport-agnostic is a requirement. I don't particularly care about forward secrecy (which seems to preclude offline encryption) or metadata (of course I exchange information with my relatives and friends, that's not exactly secret). I just need signed and encrypted files and text that I can send over whatever.
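    The copy-and-paste failures listed in this post (a missing blank line after the BEGIN line, wrong dashes, a dropped BEGIN or END line) can be diagnosed with a short pre-check before the text reaches the PGP tool. The following is an added illustration, not code from this thread or from Gpg4win/Kleopatra; it assumes the ASCII-armor layout of RFC 4880 section 6.2 (BEGIN line, optional "Key: Value" armor headers, one blank line, base64 body, optional "=XXXX" CRC line, END line), and the sample messages it carries are constructed, with a base64 body that is not a real encrypted packet.

```python
"""Pre-check a pasted OpenPGP ASCII-armored message and name the specific
copy-and-paste mistake, instead of a generic "does not look like an OpenPGP
message" error.  Added illustration, not code from the thread or from any
PGP tool; the layout checked is the armor format of RFC 4880 section 6.2.
All sample messages below are constructed."""

import base64
import binascii
import re

BEGIN_LINE = "-----BEGIN PGP MESSAGE-----"
END_LINE = "-----END PGP MESSAGE-----"
ARMOR_HEADER_RE = re.compile(r"^[A-Za-z-]+: ")  # e.g. "Version: ..."


def check_armor(text: str) -> list[str]:
    """Return human-readable problems with the armor layout.

    An empty list means the block has the expected shape; it does not say
    anything about whether the ciphertext inside is valid or decryptable."""
    problems: list[str] = []
    lines = [l.strip() for l in text.replace("\r\n", "\n").strip("\n").split("\n")]

    begin_idx = next((i for i, l in enumerate(lines) if l == BEGIN_LINE), None)
    end_idx = next((i for i, l in enumerate(lines) if l == END_LINE), None)

    # Distinguish "line missing entirely" from "line present but dashes wrong".
    if begin_idx is None:
        if any("BEGIN PGP MESSAGE" in l for l in lines):
            problems.append(f"BEGIN line found but its dashes are wrong: it must be exactly '{BEGIN_LINE}'")
        else:
            problems.append(f"the '{BEGIN_LINE}' line is missing")
    if end_idx is None:
        if any("END PGP MESSAGE" in l for l in lines):
            problems.append(f"END line found but its dashes are wrong: it must be exactly '{END_LINE}'")
        else:
            problems.append(f"the '{END_LINE}' line is missing")
    if begin_idx is None or end_idx is None:
        return problems
    if end_idx <= begin_idx:
        problems.append("the END line appears before the BEGIN line")
        return problems

    inner = lines[begin_idx + 1:end_idx]

    # Armor headers come right after BEGIN and are terminated by ONE blank line;
    # a body glued directly onto the BEGIN/header lines is the classic botch.
    i = 0
    while i < len(inner) and ARMOR_HEADER_RE.match(inner[i]):
        i += 1
    if i >= len(inner) or inner[i] != "":
        problems.append("the blank line required between the BEGIN/header lines and the body is missing")
        body = inner[i:]
    else:
        body = inner[i + 1:]

    # The optional trailing "=XXXX" line is the CRC-24 of the body, not body data.
    if body and body[-1].startswith("="):
        body = body[:-1]
    data = "".join(body)
    if not data:
        problems.append("the body between BEGIN and END is empty")
    else:
        try:
            base64.b64decode(data, validate=True)
        except binascii.Error:
            problems.append("the body is not valid base64 (characters lost or added while pasting?)")
    return problems


# Constructed samples.  "aGVsbG8gd29ybGQ=" is just base64 of "hello world",
# so none of these is a real PGP message.
GOOD_MESSAGE = (
    "-----BEGIN PGP MESSAGE-----\n"
    "Version: example\n"
    "\n"
    "aGVsbG8gd29ybGQ=\n"
    "=AbCd\n"
    "-----END PGP MESSAGE-----\n"
)
MISSING_DASHES = "---BEGIN PGP MESSAGE---\n\naGVsbG8gd29ybGQ=\n-----END PGP MESSAGE-----\n"
MISSING_BLANK_LINE = "-----BEGIN PGP MESSAGE-----\naGVsbG8gd29ybGQ=\n-----END PGP MESSAGE-----\n"
MISSING_END = "-----BEGIN PGP MESSAGE-----\n\naGVsbG8gd29ybGQ=\n"

if __name__ == "__main__":
    for name, sample in [("good", GOOD_MESSAGE), ("dashes", MISSING_DASHES),
                         ("blank line", MISSING_BLANK_LINE), ("end", MISSING_END)]:
        print(name, "->", check_armor(sample) or "looks like a well-formed armor block")
```

    The check is deliberately limited to the armor envelope: a clean result only means the text is worth handing to the real PGP tool, which still does the authoritative parsing and decryption.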


  • 🚽 Regular

    @aitap Not sure if this is a silly suggestion, but the first thing that pops in my mind is using Syncthing to transfer random files among yourselves.


  • kills Dumbledore

    Are your needs more than what an end to end encrypted service like WhatsApp provides?



  • @aitap It's been a long time since I've looked at current PGP software, but I would naively expect there to be plugins and extensions and whatnot for typical web browsers and webmail providers, in addition to those for typical standalone email clients. If I were you, I'd just try to remove the copy-and-paste from the steps needed to use it, rather than trying to switch to something besides PGP messages.

    If you were to really want to move to something else, probably the easiest end-user-usability-wise is hosting your own password-protected website that's secured with TLS, and just sending an email with a notification that a new message is available on it, and trusting your recipients to go to the right site and keep the password secure. That's basically what banks/medical/etc. sites do for secure messaging, and while it's really frustrating that somehow usability of PGP-like stuff hasn't improved substantially over the decades, it sadly seems to be the standard approach.



  • @Zecc Thanks! That's an out-of-the box answer I wouldn't be able to come up with myself, and they seem to support all the platforms I care about and then some. I'll definitely consider this.

    @Jaloopa Well, maybe not, if there's such a service that doesn't base the security on a phone number, doesn't Facebook the private keys, and has a real™ PC client (and not just an Electron app -- that would be exchanging one set of UX problems for a new, different set of UX problems). I've been looking for services like that. Do you have experience with Matrix, or Element, or however they call themselves now? Wire's desktop client was a real turn-off for me last time I tried it.

    In a way, being transport-agnostic means that we can jump ship from one service as it becomes too shitty to use to a different one that's still good enough. We used to exchange encrypted 7-Zip archives, sending one-time passwords via text messages, until most e-mail services blocked encrypted archives for "safety" reasons. For the most part, I don't blame them -- they made it easy to escape AV scanning -- but banning them all the way is also terrible for privacy.

    @pcooper Thanks! I'll see if there are any downsides to exchanging encrypted text files. I foresee newline-related problems (I should be careful to always send them with CR-LF newlines) and encoding-related problems (will Windows Notepad auto-detect UTF-8, or should I use the ANSI code page of the recipient?), but those are all solvable on my side.

    I'm also a bit afraid of PGP in the browser, with it constantly being exposed to websites we visit and the telemetry added with the updates.
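    The newline and encoding concerns raised for .txt.gpg exchange above can be handled on the sender's side before the file is encrypted. The following is an added illustration, not code from this thread: it normalises a plaintext to CR-LF line endings with a UTF-8 byte-order mark (the BOM is what Notepad relies on to recognise UTF-8 rather than the ANSI code page), and it includes an inspection helper that reports BOM, UTF-8 validity and newline style so a file can be checked before sending. The encryption step itself is left to the PGP tool and is not shown; the sample text is constructed.

```python
"""Prepare a plaintext for a Windows recipient before encrypting it as
.txt.gpg, and inspect a text file's encoding/newline properties.
Added illustration, not code from the thread; the gpg step is not included.
The sample string below is constructed."""

UTF8_BOM = b"\xef\xbb\xbf"


def to_notepad_friendly(text: str) -> bytes:
    """Return the text as UTF-8 with BOM and CR-LF newlines.

    Any mix of LF, CR-LF and bare CR is first collapsed to LF so that an
    already-CR-LF input does not turn into CR-CR-LF."""
    unix = text.replace("\r\n", "\n").replace("\r", "\n")
    return unix.replace("\n", "\r\n").encode("utf-8-sig")  # utf-8-sig prepends the BOM


def inspect_text(data: bytes) -> dict:
    """Report what a text file looks like: BOM present, decodable as UTF-8,
    and whether newlines are CRLF, LF, mixed, or absent."""
    has_bom = data.startswith(UTF8_BOM)
    try:
        data.decode("utf-8")
        utf8_ok = True
    except UnicodeDecodeError:
        utf8_ok = False  # e.g. a legacy ANSI code page file with non-ASCII bytes
    body = data[len(UTF8_BOM):] if has_bom else data
    crlf = body.count(b"\r\n")
    lone_lf = body.count(b"\n") - crlf
    lone_cr = body.count(b"\r") - crlf
    if crlf and not (lone_lf or lone_cr):
        newlines = "CRLF"
    elif lone_lf and not (crlf or lone_cr):
        newlines = "LF"
    elif not (crlf or lone_lf or lone_cr):
        newlines = "none"
    else:
        newlines = "mixed"
    return {"bom": has_bom, "utf8": utf8_ok, "newlines": newlines}


# Constructed sample with non-ASCII text and inconsistent line endings.
SAMPLE_TEXT = "Привет, родители!\nСтрока 2\r\nСтрока 3"

if __name__ == "__main__":
    prepared = to_notepad_friendly(SAMPLE_TEXT)
    print("before:", inspect_text(SAMPLE_TEXT.encode("utf-8")))
    print("after: ", inspect_text(prepared))
    # The bytes in `prepared` are what would be written to message.txt and
    # then encrypted and signed with the PGP tool of choice.
```

    Decoding the prepared bytes with Python's utf-8-sig codec strips the BOM again, so the same helper pair works for checking files received from the other side.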

