Lockdown: How to secure your PC without going crazy
Good digital security inevitably requires some hassle, but the size of that headache is really up to you. If you’re someone who wants to go all out with 64-character passwords, no Facebook account, and a second laptop that never connects to the Internet, because it houses all your deep, dark secrets, well, this guide is not for you.
This is a guide for practical folks. People who want a healthy amount of PC security (perhaps motivated by ongoing revelations about the National Security Agency and its surveillance activities), but with a minimum of hassles such as dealing with key fobs for two-factor authentication, juggling complicated passwords, and setting up email encryption. We can’t promise you a completely pain-free experience, but we will show you how to get up and running with a pretty good security setup that keeps your passwords, email, hard drive and sensitive USB drives as secure as possible without going overboard.
A strong password is the first, best line of defense
Good computer security and privacy begins with strong passwords. Sure, there are serious criticisms about how online services use passwords, and Apple may be trying to take biometrics mainstream with TouchID on the iPhone 5s, but for now passwords are still the best solution we have for keeping third parties away from our data.
The problem with passwords is that they should really be random, unique, and relatively long to be of any use. That’s where password managers come in: These programs help you generate random passwords and store them securely, allowing you to remember just a handful of gnarly 10-character random passphrases instead of 15 or 20.
KeePass and LastPass are both good, free password managers that are worth your time. KeePass is popular because it’s open-source, and it has a few nice features, like keylogging obfuscation and secure notes.
The problem with KeePass, however, is that it doesn’t have an online component to sync passwords across devices. That means you’d have to create a cloud sync setup yourself using Dropbox or another cloud storage service. You can read more about how to do that with our look at the third-party utility Dropbox Folder Sync, or by perusing the KeePass plugins library.
Another good alternative—and my personal favorite—is LastPass. Like KeePass, LastPass offers password generation and encrypted notes, but it also syncs your encrypted password database to the cloud so you can access it across multiple devices.
LastPass is available as a free browser plug-in, and you can also use the LastPass mobile app for $12 per year. Read all the technical details on the LastPass website.
Password managers are a relatively personal choice and will depend largely on your own needs and what level of trust you’re willing to put in a commercial company like LastPass or newcomer Dashlane.
Most of us prefer to use Web-based email apps like Gmail, because it’s faster and much easier to open a Web page than to fire up a desktop app. But when you need to keep your email private from prying eyes, an old-fashioned email desktop client combined with OpenPGP public-private key encryption is the way to go.
Email travels across the Internet as plain text by default, which means a determined snooper could intercept and read your message. Encryption helps combat this by making it nearly impossible for anyone but the recipient to decode your message. OpenPGP is an excellent open-source encryption system you can use to send encrypted email. Problem is, you can only encrypt email to people who are also using an implementation of OpenPGP. So if you plan on swapping ciphered mail with someone, make sure they are set up for this as well.
Encryption is also only as secure as the people using it. If someone decrypts your mail, copies it as plain text and forwards it on to someone else, the effectiveness of your encryption is broken. Malware can also ruin encryption by snatching data in a decrypted state. So remember that while encryption is definitely more secure than plain old email, it is not foolproof.
Finally, keep in mind that email metadata is never encrypted. So you won’t be able to hide the subject line or the email address of the person you’re corresponding with.
The first step is to download and install the Mozilla Thunderbird email client for the account you want to use for encryption and email signing. Thunderbird has a plug-in that makes it particularly easy to set up OpenPGP. (PGP’s inventor also recommends HushMail.) Next, download and install the OpenPGP key management software Gpg4win.
Creating your own key pair
Start Thunderbird, click the menu icon in the far right corner, and select Add-ons. In the next window that opens, search for
Enigmail and click Install. After Enigmail installation is complete, shut down Thunderbird and then open the program again.
Now you’ve got all the tools you’ll need to create your own key pair. Go back to the menu icon in the far right corner and select OpenPGP > Key Management.
When the Key Management window opens, select Generate > New Key Pair.
Now we’re just about to generate our first encryption key pair. Most of the default settings in this window should be fine. However, I would highly recommend creating a passphrase for your keys. If you don’t and one day Thunderbird decides to ask you for a password even though you don’t have one (it happened to me), you’ll be heading for a world of frustration.
When you’re ready to enter the fabulous world of OpenPGP email, click the Generate key button. After a few minutes, your key pair will be ready.
Once your key pair is done, Enigmail will suggest you create a revocation certificate. This is an extremely important step that I suggest you take: A revocation certificate is a simple file with the .ASC extension that you can use to invalidate your keys, should you forget your password or lose control of your computer.
Best practices say you should save the certificate to a USB thumb drive and then keep that thumb drive in a safe place.
Now that your key pair and revocation certificate are ready, you need to let the world know you’re accepting encrypted email. The best way to do that is to upload your public key to a keyserver where other users can find it—it’s sort of like a phone book for security-minded people.
To do this, open the Key Management window again—if it isn’t already open—and select Keyserver > Upload Public Keys.
By default, Enigmail will suggest you upload your key to “pool.sks-keyservers.net.” That should be fine, since this isn’t actually a keyserver at all, but a hub that pools its database with multiple keyservers.You can change this by clicking on the drop-down menu. Another option, for example, is to upload directly to MIT’s keyserver.
You could also publish your public key on a personal website, Tumblr, or blog. To copy your public key, go back to the Key Management window, make sure the Display All Keys by Default checkbox is marked, and then highlight your email account once it appears. Next, right-click and select Copy Public Keys to Clipboard.
So you’ve generated a new key pair and published your public key. Now it’s time for a test run by sending a signed email to Adele, the friendly OpenPGP email robot.
Hold down the shift button on your keyboard and then click on the Write button in the top left side of Thunderbird. This will open a new message window without any HTML formatting. Adele can only handle plain text, so bold headlines, italics, and embedded links are out. In fact, for simplicity’s sake, it’s always easier to create encrypted email as plain text.
Next, fill out Adele’s email address, which is email@example.com. Create a subject line and message body with whatever you’d like to say. Then click the OpenPGP menu option, and make sure that only the “Sign Message” and “Attach My Public Key” options are selected. Hit Send, enter your password, and you’re done. In a few minutes, Adele should send you a reply to confirm whether your signing was successful.
Once Adele gives you the okay, you are ready for the world of encrypted email.
Product mentioned in this article
LastPass generates passwords, plus syncs its encrypted password database to the cloud.