Review: PGP and GPG: Email for the Practical Paranoid


Reviewed by Tom Perrine

PGP and GnuPG (GPG) have been staples of the privacy, activist and crypto communities for years, yet have never really caught on outside the "geek" community. It's long been taken as an article of faith that both PGP and GnuPG have suffered from a lack of good, readable end-user documentation, which has hindered their widespread adoption. The wait is over: PGP & GPG: Email for the Practical Paranoid, from No Starch Press, is the book we all needed years ago and anyone who wants to correctly send encrypted email needs today.

First of all, this book is a great reference to both PGP (the commercial software) and GnuPG. More importantly, it is a tutorial on how to safely protect your data, either as files or email, using either tool. Without getting bogged down in key sizes, the details of AES or RSA or philosophical arguments about key signing, it cuts to the heart of the problem: How do you as a practical paranoid use encryption tools to protect yourself from eavesdroppers and snoops?

The book starts off with the usual history of public key encryption, the original Pretty Good Privacy (PGP), the PGP company, and open source implementations of the OpenPGP specification, such as GNU Privacy Guard (GPG). There's enough meat here for those who are curious, but not so much as to cause the typical person's eyes to glaze over. This is followed by a good introduction to cryptography, but with an emphasis on crypto from the user's point of view.

After this there's a discussion of creating key pairs, pass-phrases and revocation certificates, all written in a user-focused, easy to understand style. Key distribution servers and the web of trust are also discussed, but most importantly, there are good explanations of why certain things are done. For example, there's a good explanation of the rationale behind the web of trust, and a comparison with more centralized systems of trust, such as Certificate Authorities (CAs).

This book covers both commercial PGP and GPG, usually by separating the information about each into separate chapters. I had initially thought this would be more confusing, but in the end it made for better flow and more useful examples. For instance, there's a chapter on installing PGP, and one on installing GPG, followed by a common discussion of the Web of Trust. This is then followed by chapters on key management, one for PGP and one for GPG. Then there's a common chapter on email encryption, followed by chapters on email, each specific to PGP and GnuPG. This organization turned out to work very well at keeping the differences between PGP and GPG obvious and made it easier to find the information I was looking for.

But some of the real jewels in this book are in the chapters on integrating PGP/GPG with popular email clients. Outlook (and Outlook Express) are discussed as well as Thunderbird, and how to use proxies and other software to integrate with other clients. The instructions are clear and easy to follow throughout, and should have any user sending encrypted email within a few minutes.

Finally, there's an entire chapter on all the ways GnuPG and PGP encryption can go wrong. Everything from poor usage to hardware and software compromises, fake keys and compromised people is discussed. Let's face it, encryption is only part of the answer for privacy and safe computing, and it's nice to see that acknowledged.

Overall, I really liked this book. I'm fairly crypto-literate, and I created my first PGP key in 1985, but this book raised points that I'd either not considered or not fully explored. As a reference and tutorial for the "average user", it's dead on. The writing style is very friendly without being cutesy, and it always seems to seek and find the right level of detail and technology for the specific topic. If you want to be a hard-core crypto-anarchist or want to analyze the underlying algorithms, go read The Crypto Anarchist Manifesto or Bruce Schneier's classic book Applied Cryptography.

This book is for the rest of us, those who just want to protect our privacy, and care more about practically achieving that goal than the underlying philosophies, mathematics or technology.