ARCHIVED: How secure is PGP?

Used in the right context, PGP, GnuPG, and other modern OpenPGP implementations can be considered military strength. That context includes:

• Lengthy public/private key pair: Larger keys require more processing time for encryption and decryption, but offer better security. For most purposes, 1024 bits should be sufficient.
  
  
• Proper private key management: It's safest not to store your private key on a shared file system, but rather to keep it on a removable storage device (e.g., floppy, CD-R, keychain external drive) that you can take with you. If you must keep your private key on a shared system (such as a central system at IU):
  
  
  • Make sure the private key file (e.g., .pgp/secring.pgp) is read/writable only by the owner. To do so on a Unix system, issue the shell command chmod go-wr secring.pgp .
  • Connect to the remote system only via an encrypted connection, such as SSH or SSH2. SSH2 is more secure than SSH, so if it is available, use SSH2. An encrypted shell will prevent your pass phrase from going out in plaintext via telnet.
  
  
• Good pass phrase choice: The pass phrase "locks" your private key as a safety measure. A bad pass phrase makes your private key easier to crack.
  
  
• Proper pass phrase usage: You should type your private key pass phrase (required for decrypting mail messages for example, or digitally signing them) only on machine consoles, or over encrypted network links (e.g., via SSH).

While PGP is installed on UITS shared computers, using it on them violates the second and possibly the fourth points above. Therefore, it's not nearly as secure as it would be if it were locally installed on a workstation.

Comments/Questions/Corrections