(PGP Quick Start Guide-A.Lizard)

PGP QUICK START GUIDE
by A.Lizard
this is the article as submitted plus images:
Note: the primary version of this document is maintained at
http://www.ecis.com/~alizard/PGPQuickStart.html .

Commercial usage rights to this and future versions of this work have been exclusively assigned to 8wire.

This document was hastily converted from a Word doc using the rtf > html conversion in Arachnophilia, I'll clean up the results and reinsert the illustrations if time ever allows.
Copyright for the PGP trademark is owned by Network Associates.

NOTE: PGP bought itself back from Network Associates, the implications will be discussed in the next revision. I'll just say this is a very good thing.

The world owes a debt of gratitude to the original PGP author, Phil Zimmermann who went to a great deal of trouble and risked Federal prison to give us freedom to speak privately online.

This document is only intended to provide the new PGP user with the minimum information needed for a PGP user to effectively use PGP. This is not a replacement for the full PGP documentation, just a supplement to get you on the air quickly. For more information, check the PGP help file and manual or see the Resources list later in this document. I recommend that you do read this at the first opportunity, cryptographic applications are much safer to use for informed users who understand the basic concepts. Also, the documentation is very readable and provides a very good introduction to cryptographic concepts in general.

What does PGP do?
It puts your e-mail or your files in a digital envelope, that only the intended recipient with a cppy of PGP can read. Anybody else sees a random-looking sequence of ASCII characters We call this process “encryption”. It allows you to open digital envelopes, encrypted to your public key.. This is the converse of the encryption process called “decryption”.

Many products have “secure” modes which allegedly provide secure storage and transmission of information. Unfortunately, most of those products are susceptible to “password cracker” programs readily available at various Internet sites in both freeware form, often aimed at the “black hat” community, or commercialware marketed to corporation help desks who often have to help their users figure out the passwords they forgot and to law enforcement. If your “secure” product is one that can be cracked this way, it isn't secure.

As for why you need privacy, anything that you discuss subject to an NDA in e-mail should be encrypted. E-mail is not secure, anyone with sysadmin access, either legal or hacked with access to any of the dozens of nodes any e-mail goes through between you and a recipient can read what you send. Your business or personal or poltical secrets can suddenly become public knowledge by pushing the wrong screen button, typing in an e-mail address wrong, or when a router burps. At best, if you send out a readily accessible document labeled CONFIDENTIAL in e-mail and it gets to the wrong address, you and your company look like a gang of idiots.

The scenarios you should be looking at to decide whether you need PGP or not are:

That the most sensitive document you will ever send in e-mail from your workstation gets routed to your worst personal enemy or biggest business competitor.

Whether or not you need digital signatures on electronic documents other than SSL transactions at vendor sites at which you pay with credit cards. If you're faxing your signed contracts, you probably should consider PGP, a digital signature created by PGP is several orders of magnitude harder to forge than a faxed signature.

With PGP you have secure e-mail, you have secure file attachments, and you also can sign plain-text e-mail with a digital signature that is traceable to you which can be verified by any other PGP user who has a copy of your public key. If somebody is forging posts attributed to you to public forums or altering real ones by you, sign them with PGP and your real posts and the fake ones can readily be told apart. The bad ones will show as INVALID, the ones that went out as you sent them will show GOOD SIGNATURE. Want to digitally sign a contract in a way usefully compliant with the new US e-signature law? This will work fine, I've used it for that purpose.

Where to get it?

The freeware version and related utilities can be downloaded at the PGP International site at http://www.pgpi.com . This is for personal and test purposes.

One recommended utility is called PGPfone. It's a secure voice conferencing application, you can chat via voice in real-time with any other user. Unlike most voice conferencing software, versions are available for both Windows 9.x (probably will run on NT) and for the MacIntosh OS. It will work either with a live Internet connection or via modem.

For commercial use, you can purchase the program from Network Associates http://www.pgp.com , you can download it from the site or buy it in shrinkwrap. I urge you to try before you buy, but if you do use it for business, buy a copy. These people have done the user community a great service by continuing to provide constantly updated freeware versions.

Dialup users should know that PGP is a multi-meg download. It's worth it.

Versions:
I am using version 6.5.8. Earlier versions of the Windows / Mac products should not be used by anybody as they contain a bug that the 6.5.8 version was intended to fix. These instructions should work for the current 7.x releases. Version 7.0.3 is the last release Phil Zimmermann was involved with before leaving the company. He left Network Associates, who purchased PGP Inc., in a dispute over making the code available for public examinination as was done in the past. The best way to be reasonably certain that a crypto application is back-door free or contains no other ugly surprises is to make it widely available for people to take apart. Unfortunately, Network Associates doesn't agree. I can not recommend versions of PGP past 7.0.3 until Network Associates open sources its PGP code again. The good news is that 6.5.8 and 7.0.3 contain all the features most users are ever likely to need. Further discussion of the differences between the two can be found in the PGP Applications not covered here section.

How secure is it?
Perhaps the National Security Agency and comparable major national intelligence agencies can crack it if they are willing to devote significant resources to the job. The debate on this subject has been going on for years. No reputable expert believes that organizations of lesser expertise can break PGP.

It looks like the FBI can't crack it, they had to use a keystroke logger of some sort in order to make a case against a Mafioso who used PGP recently. This is not to say that only criminals use PGP, it appears that the Mafia boss who used it believed that his business information deserves just as much protection as yours does. While his business is presumably illegal, his viewpoint is entirely reasonable.

However, there's an important lesson to be learned. No single-point security solution will or can solve all your problems. The FBI intercepted Mr. Scarfo's messages by grabbing them before they got to PGP, either using a keystroke monitoring application running in background or by attacking a “black box” keystroke monitor installed inside Mr. Scarfo's keyboard. Some people still use Post-Its stuck to their monitors to keep track of passwords. If a person or a camera is looking over your shoulder when you type in your password, your security has disappeared. Like a firewall, PGP is a security tool.

Security is a process, and the most important thing about the process is the end user learning enough about the tools to avoid doing stupid things with them.

My guess is that the NSA can, but it's the sort of situation where an operative has to make a good case to his boss and maybe his boss will have to get approval from his boss before they can put their supercomputer farms on your job. In other words, if the NSA can decrypt PGP-encrypted messages, they have to spend real money per message, too many PGP decryptions would put a dent even in the NSA budget, and in any case, it is highly unlikely they can do this in close to real-time.

This is adequate for just about every conceivable business, personal, and even political purpose.

Note that if the NSA is after your ass, you need a lot more than a piece of software to protect your privacy and security. Further, if the NSA can crack PGP messages, they are not going to admit to this ability except as a last resort under circumstances where they can accomplish something by publically revealing they can crack PGP that's more important than having access to the communications of everybody who thinks their communications are secret. A black bag job on somebody's office and grabbing plain-text files, installing a keystroke logger, or even kidnapping somebody and using chemical and physical interrogation makes a lot more sense for the NSA than admitting to being able to crack PGP.

How does it work?
Read the PGP documentation. This guide is intended to show you how to use it in a hurry.

How do I use it?

Get a copy.

When installing it, do not install PGPnet unless you absolutely have to. PGPnet is their personal peer-to-peer VPN. (Virtual Private Network) You don't need it to run PGP, and I've had problems with it. I don't recommend it unless you really need VPN (if you don't know what it is, you don't need it) On a LAN, VPN is probably better implemented by a sysadmin on the server, especially since some VPNs probably won't talk to PGPnet anyway. It also interferes with Zero Knowledge Systems Zero-Knowledge anonymizing software.

Systray with PGP

IMPORTANT. PGP on your system is most easily accessed by going to the padlock icon in your Systray (the row of icons on the bottom right of your screen) and opening the menu by right-clicking the icon.

Right Click Menu

The right-click menu is your friend! You can perform any function you need to use PGP in daily use from there without opening the program.

Key Generation

Now that you've installed it, the first thing you have to do is to create a key pair. If you have not done so at the close of the installation when the program gives you the option to do so, do it now. If you just installed it and you are looking at the first “make a new key” screen, start with f. in the list below. You are creating a key pair consisting of a private key and a public key. To do this:

go to the lock icon in your Systray.

Right-click it.

Go to PGPkeys.

Go to the Key menu on the PGPkeys top Menu bar.

Open the “New” command. This opens the Key Generation Wizard.

Follow the prompts. I suggest the Full Name and e-mail address match the ones you most commonly use.

Use the default Diffie-Hellman/DSS key (i.e. don't change the setting)

Select a 3072 bit key size. (change it from 2048)

I recommend using the default “Key Pair Never Espires” unless you have a reason to make a time-limited key.

Passphrase Creation Screen
The passphrase is the PGP version of a password. It is recommended that you use more than one word. Make it a phrase easy for you to remember but something anybody else is unlikely to guess about you from publically available information. Put numbers in it somewhere, use upper and lower case words and punctuation. However, you must remember the exact phrase you use for a passphrase. Forget where you put a comma or that you capitalized a word that normally isn't capitalized and your PGP key and messages suddenly become useless to you. Once you've re-entered it, WRITE IT DOWN BEFORE CLICKING THE NEXT BUTTON.
I forgot a passphrase once., DON'T LET IT HAPPEN TO YOU. Write this down until you have memorized it, keep it in your wallet or pocketbook until you've done so. DO NOT PUT IT ON A POST-IT ATTACHED TO YOUR MONITOR. A safe deposit box might be a good place for it. You need both your private key file and your passphrase to use your PGP software.
Hit NEXT. If it says your passphrase is a security hazard, make a longer one. Once you've got it together, hit NEXT again to make it generate the key. You'll see a prompt that says Send my key to the root server now. This means it will send your PUBLIC key to the root PGP key server. If you are online, check that box NOW and hit NEXT. If you are not online, if you can, go online and do this. This will spread your private key to a worldwide network of key servers, so anybody who needs to contact you privately or to verify your PGP-signed message can do so.
- The public key is used by other people to send private messages to you. This is the key you send to your friends and business associates. This is the key you put on your Website. The public key is the one you post to public forums. (usually a bad idea) Anybody with PGP and a copy of your key can send you private messages and verify your digital signature. If you want to create other keys in future, start with the letter a. in this list.
- If you want to send a copy of your public key right now directly to a friend or business associate, simply start an e-mail to that person, right-click the Systray, select PGPKeys, and drag and drop the line of the directory corresponding to your PGP key (it'll have the username/address - DH key pair on it) from the directory list into the message.

PGP Keys – Directory Listing of the keys in your Public keyring.
(note: deletions to preserve privacy of my personal entries to the list)

What you will drag into the document will look something like this when you see it in the document:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 6.5.1 for non-commercial use <http://www.pgp.com>

mQGiBDl26G4RBADNgMrgVOzTyBSyC1IEaNTuy1XB2/MU1E3/iTf6rf87NU1zCa/m
7p2ROAt6o+fHZV990a1fEZfqRvJmJZbfre/hH1EqQ6wJTHkmEEPwqnUfQRYPoJHM
qW/uPgaDLak/BdRY/HigZg25aP/n8Pfa0SflAi3yLlVPpX+lqAaL49RjlwCg//qL
GHMIfOyntcbpQQUdH9FBJZMD/RwdDnZCKMLvEpaeILhAodgcxujyNtAnUDUh2i2X
/kcDv6l2Jq2HJ/JLnBinWVpbz96Lg+g1RWPlbsEeJzSalxXoRV/jwcItzyFjGImd
7HOYEbS1bk433SMCh1weboHZdyzFyfbRfRZ5iuvv9C30MMHaHR744uaaczZTAy5h
AK+yA/9IVuwI9JVVyMVpxdrL4fywBcsSl2Uf9HQSgcS5UbAKTfLiUWPiQBjnu3f7
KDcgA52hbZik0CLQGTxmsW/Wzu8xHQ7X25F7JCGCm0X6+Wkn81NyK3d8r/iHauED
vhNPWRgE4L5reUZ5jJ2VJq7VpFJW7tMCDR6MtqNB2eOq+/9zeLQZZXhhbXBsZSA8
ZXhhbXBsZUBpc3AudGxkPokATgQQEQIADgUCOXbobgQLAwIBAhkBAAoJEFh0rq+b
lPSWQi4AoPNHMJ9eY+kTP/XOkV+S0HTP8HKqAKC8yWrNljLaRjCBGb081WASW83P
J7kCDQQ5duhvEAgA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTp
j0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSWc39
uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBYK+X0iP1Y
TknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9
fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCb
AkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwACAgf8CXH2KtfoNBMCFWrI9pgK
q93+duDDbMLiP3cku/chqmCq98weIJ2hsZxJIlDuuYQ/0cz4syeIn+8riSrs+RAQ
No+mdq9Yclsw1zd44/S/071klclm2PkiOELUvDhIf+huKCOpJU+C0Fr4bswN8c4i
IxF7FZO/X4w9l7zgEZd/LJZS/csuJhM2qDZ5Cv/9OXllhAwXOCRW5CQOf5B/HXmQ
Nskbvbu+47FMRzkt10B1If+l7MvOgSftJ3KNISm4C4On284jr4K58iRSW5XtKkMc
RjyzfTsvTkWD9dVS7rVPV37GkTiog1auW2MYnAgKLPQnYCff9QQkAEWxyqBhuwr1
74kARgQYEQIABgUCOXbobwAKCRBYdK6vm5T0lh9SAKDLqvkrpp4A9PgwxJHYbKCd
vEouqACeMLIJ4k0dNmDsVuCTRNHCo84dqOk=
=uG5Z
-----END PGP PUBLIC KEY BLOCK-----

You can also drag and drop this into Word messages and other documents that support drag and drop, e.g. the code for a Web page open in a text editor. You can close PGPkeys now.

The private key is used by you to read private messages sent to you and by you to digitally sign a plain text message.

KEEP YOUR PRIVATE KEY PRIVATE and SAFE.

Anybody with your private key can not only read your no-longer-secure mail, that person can digitally sign for you. Electronic money transfers, for instance. Contracts. If the signature is yours, under the provisions of the E-Sig law, the burden of proof that you didn't sign is on YOU.

If you don't have exclusive access to the computer(s) you use it on, I recommend making a floppy disk with your private and public keyrings (the files where PGP keeps private keys and public keys).and carry it with you. I also suggest making a copy of this disk and putting it in a safe deposit box or a trusted friend or other secure off-site location. Remember, you can't read your mail or electronically sign things with PGP without it. If the default key rings are too large to fit on a floppy (of course, you can use a CD-R) you can delete everything but the keys you usually use, most of these keys are for people you don't know and probably don't need to talk to.

PGP-signed message example:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a plain-text message digitally signed with my public key via
PGP.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 for non-commercial use <http://www.pgp.com>

iQA/AwUBOXbjhAz+OSTcRE8fEQI8KQCfaPk9l2c8w3RGa0PriVKD2DAhDNAAn1UT
oI1P45vYQimQbEemH7gCvPYC
=/Pkd
-----END PGP SIGNATURE-----

Provisions for revoking a key, i.e. labeling it in such a way so that PGP will say “Invalid Key” if anyone tries to use it are available. Find them in the PGP documentation.

Note that the following procedures are for use with any Windows software package whether or not it has the PGP Plug-In built in. It is possible to integrate PGP with Eudora or Outlook Express. However, I find this easy enough to do with a little practice that unless one wants to send all your e-mail encrypted, while I have the PGP Plug-In installed, I don't bother with it, I just right-click the Systray icon.

Message sending (and how to get other people's public keys)

Now, let's send a message. First, you need the public key of your PGP-using friend or business associate. I recommend asking him for it in e-mail. When you get his e-mail, open it as usual, then with the message open, simply right-click the PGP icon in the Systray and open Current Window. Your next choices will be:

Decrypt and Verify. This is used for receiving and decrypting mail. It's also used to grab public keys.

It'll ask you if you want to add a key to your public key ring. Tell it YES.
The new key has been added. You are now ready to send him e-mail.

PGP Server Key Search

Another way to get a public key is to go to the server menu and select Search. The search window above will open. This accesses the worldwide public key server network. Enter the name or e-mail address of your associate. If he remembered to post it to the servers, you'll get a search hit on whatever you entered… double-click it and it'll grab the key for you You can also search on Key ID. (a numeric sequence uniquely associated with any key pair made by PGP.)
Open your e-mail program as usual. Start a message to somebody. Write it exactly as you usually would. When you are done, simply right-click the PGP icon in the Systray (see Right Click Menu above) and open Current Window. Your next choices will be:
Decrypt and Verify. This is used for receiving and decrypting mail. Not relevant here.
- Encrypt and Sign. This encrypts the message to the public key of the person you're sending it to and appends your digital signature to the document. Good for signing contracts, not so good if you don't want your signature attached to the document, i.e. you're sending an anonymous report on company or government misconduct to a reporter. I encourage reporters to get PGP, post their key to the public key servers, and if possible, put a line like “my PGP key is available on key servers under the name 'user@userisp.com'.” in each article. This should encourage whistleblowers and inside sources.

Passphrase Prompt

Sign. This appends your digital signature to a plain-text document like the PGP-signed message example above. Remember, if you use this option anybody can read it and verify that you wrote it, and if you attach this to a contract, you've signed it unless there is a disclaimer within the document that says you haven't at the time you signed it with your private key. You can NOT do this after the fact, the message will show up as “invalid”.

Encrypt. This encrypts the message to the public key of the person you're sending it to without attaching a digital signature from you. Note that the recipient does not need to know who you are or have a copy of your public key to read this, that's why it doesn't require you enter a password.

Key Selection Dialog

Once you've selected one of these options, a Key Selection Dialog box will appear on your screen. Find the intended recipient on your key list above. Drag and drop that user ID into that box.

Note that you can drag any number of keys into that box, so you can send an encrypted message to any number of users.

One good name other than the intended recipient is YOURS. That way, you can read the copy of the message you're sending from your mail Outbox. Remember, if it's not encrypted to your key, an outgoing message can't be read by you any more than it can be read by a hostile party. It's a lot more fun to be able to read your own outgoing mail if you have to refer to this later than it is to ask the recipient to decrypt it, encrypt it with your key and send it back. Especially if you are in a legal or personal dispute with the recipient.

Note the checkboxes for “Secure Viewer” and “Conventional Encryption” above. Secure Viewer allows the application to display only to a special applet that does not automatically save the message to a file or even allow copy and past, though the plain-text output can be saved via screen dump. I don't recommend it except for messages whose content actually justifies the nuisance value. “Conventional Encryption” means encrypt to a password known to both parties, not to a public key.

When you've entered the keys, hit OK. If you're signing the message, the passphrase prompt will appear. Enter your passphrase exactly as you originally entered it when generating the key pair.

Congratulations. You have generated your first PGP-signed and/or PGP encrypted message. Send it as you usually would.

Receiving Mail

Open the encrypted e-mail as usual.
Right-click the Systray icon. Select the Open Current Window menu entry (See Right Click Menu for illustration, then select Decrypt and Verify.
If the program needs the sender's public key, i.e. it doesn't have the key in your public key ring, it will prompt you asking if it wants the program to check the server. If you don't have the key YES. (I assume you're still online, if not, go online)
If the document is plain-text signed, once you have the key, a prompt will appear telling you if the message is valid (i.e. signed with the key the message allegedly was generated by and got to you completely unaltered or invalid, meaning there's a problem and you should contact the original sender to find out what's going on, the original sender might want to resend it, or you may both find out that the alleged sender had nothing to do with that message to you.
If the message is encrypted with your public key, the passphrase prompt will open. Enter your passphrase.
The apparently random characters in your message will rearrange into what the sender typed.

File Attachments

How you do this depends on the file length. A relatively short message, e.g a Word document can be encrypted the same way as shown in Message Sending above. Done this way, the file name remains unchanged. However, messages that are too long will not work this way, and some applications are incompatible. If you are encrypting the content of the open window and it doesn't seem to want to go into PGP, use the menu File – Select All command in whatever application you're using before you do the encryption.
For longer files or files you want to rename with a .pgp extension, right-click the Systray PGP icon and open PGPtools.

PGP Tools with Function Labels

The relevant icons are Encrypt, Sign, Sign & Encrypt, Decrypt/Verify. They work exactly as in the above examples using t+he right-click PGP icon in Systray, except when selecting the icons, you'll see a standard Open File dialog asking you to select the file / files you wish to encrypt or decrypt. Select the function you want, select the file in the Open File dialog, and interact with the prompts exactly as above. If you are encrypting / signing a file, you will get a Save File dialog which defaults to the original filename with a PGP extension, e.g. subversion.txt will be renamed subversion.txt.pgp . Go ahead and use the default unless you have some reason not to. You can also encrypt the file using your own key only so only you can read it. Use Wipefile if you do to zap the original You'll also find that the .pgp file will be compressed in size comparable to the way ZIPfile archive packages compress, speeding upload/download time..

The Wipefile function to obliterate the original plain-text file or other selected files completely via overwriting the file contents.This is much more secure than ordinary file deletion, special utilities can easily recover “deleted' files, usually in a complete and original form. Wipefile overwrites this file to make this much more difficult. .Eraser is probably superior, but that's another program for another day.

Key Properties, Key Fingerprints

Key Properties

You can get this for both your keys and the keys of anyone listed in your public key ring, i.e. anyone in the PGP key directory listing which comes up with you invoke PGPkeys. You get to it by right-clicking the directory line corresponding to the PGP key and going to Key Properties. Don't do anything else with this menu until you've read the documentation packaged with PGP. You can use this to verify the sender or recipient public key, for instance, you can call the sender / recipient via voice phone and ask him to read her key fingerprint to you. If it doesn't match what you've got, you've got a forged key and need to get a new one from the person you are trying to communicate with.

Resources
The documentation provided with PGP is in general very good. The only thing that's missing is a quick-start guide, so I wrote one.

FAQ locations:
http://crypto.yashy.com/www/

http://www.pgpi.org/doc/faq/

http://www.cryptorights.org/pgp-help-team/procedures.html

Online tutorial: http://www.pitt.edu/~poole/PGP.htm

Mailing lists – Sometimes it's helpful to have a place where you can actually ask questions. Note: the volume on these lists is sufficient that I recommend using the digest option, this takes all the posts over a day and concatenates them into a single e-mail that is sent to you. Otherwise, you get all the postings as individual e-mails. Find subscription addresses at the following URLs:
PGP-Basics - http://groups.yahoo.com/group/PGP-Basics This is the place to post and read answers to the “silly new user” questions that the documentation doesn't seem to cover.

PGP-users – list home page: http://cryptorights.org/pgp-users/ The interesting thing about PGP-Users is that people from the Network Associates PGP development team actually read and post to this list. I don't recommend that novices post to this list.

Usenet: news:alt.security.pgp

PGP Applications not covered here:

“OpenPGP” - I have not had occasion to use GNUpg or the other PGP compatible “OpenPGP” programs that are out there

Non-Windows versions of PGP: There are versions of PGP available for MacIntosh, Linux, and several other operating systems. All produce messages that can be read by the other platform PGP versions.

PGPnet VPN application is not covered here because I had problems with it and don't have anyone to connect to with it anyway. If you need a VPN, there's no reason not to try it, what is unstable in my workstation config may be stable in yours. It appears IPSEC-compatible.

ADK – The Automated Decryption Key when used automatically encrypts PGP information to a second key, it's used in an organization context where if an employee using PGP leaves an organization, it must have access to that former employee's work.

Signing Keys: Key management in general above the simplest level, how to get them / send them / use them is as far as this primer was intended to go. Go to the PGP documentation.

Command line is available in PGP, there's a separate Command Line manual provided in the PGP documentation directory.

X.509 Certificates: Generally only used in large organizations. Setting this up and explaining this to users should be the sysadmin's problem.

V7+ features not in 6.5.8:
This is a list of the features most significant from the user's viewpoint. A full list of features for the various PGP releases can be found at http://www.McCune.cc/PGPnew.txt .

PGP-Fire – a firewall / personal IDS Based on what I remember posted on the PGP-users list, I'd consider this a beta. I prefer ZoneAlarm or Tiny Personal Firewall for use in the Windows environment at this point.

PGPnet has been renamed to PGPvpn.

PGPdisk, the secure hard disk application, is not covered because I believe that encrypting hard disk content in a “secure” environment is a bad idea. Recovering files is generally enough of a nuisance on a normal hard drive volume, especially if there's a problem with the hard drive. Even backups aren't necessarily a total solution, unless you back up every time you make a file change.

In general, I recommend the use of encrypted hard drive volumes when you would rather lose the information than have the “bad guys” recover it. In the case of a laptop where the bulk of your confidential information is on your home/office workstation anyway, anything but an encrypted volume is total idiocy. A laptop can disappear in an instant, as the President of Qualcomm found out when his, complete with NDA material got stolen at a trade show.
Http://www.infoworld.com/articles/hn/xml/00/09/18/000918hnlaptop.xml

Ironically, Qualcomm makes Eudora, one of the few mail products which integrates with PGP. If he had been running PGPdisk on his laptop, the incident would have been merely annoying and inconvenient, not frightening.

Interoperabilty with Instant Messaging: ICQ 99b and ICQ 2000 - I didn't discover this until I was doing the research for this article. This is the first good reason I've seen for a user to upgrade from v6.5.8 .

Admin settings: This is a tool for system administrators for enforcing organization policies regarding how employees can use PGP. Irrelevant to single-user environments.

Smart Card support for private key storage.

Windows ME support. Other versions of Windows are supported including 2000. XP appears to be supported except for the MS Outlook Express plug-in. This is neither a recommendation that you use it nor a guarantee that it will work correctly.

My PGP key is available on all PGP public keyservers under alizard@ecis.com or KeyID 0xE3EF45A7 .