TL;DR
I’m now using PGP for archive file encryption.
The trigger
This summer, I read Permanent Record from Edward Snowden, “Ed” for those in the know. I was pretty impressed at how a government organization with billions of dollars budget can organize a mass surveillance program at a worldwide scale in only a few decades.
“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”
― Edward Snowden
Also, I’ve really enjoyed a french tv show called “Le Bureau Des Legendes” or “The Bureau” for the US version talking about French Intelligence practices. Highly recommended! 🇫🇷
After this great reading and this TV Show, It was obvious to me that I need to level up my privacy practice for personal data management.
File Encryption
As of today, my data were synchronized to either AWS S3 (with bucket encryption enabled, and in-transit encryption), and also using Dropbox (At Rest/In Transit Encryption).
I’m also using macOS native feature called FileVault for disk encryption of my laptop.
This practice only covers a small part of the problem: Cloud Encryption, and physical access to my laptop.
As Chris Farris said about Cloud Encryption, what does this prevent ? : “Is it Ninjas descending on us-east-1a to steal the hard-drives your data is stored on ?”. Very unlikely.
Because technically, your data is still located on your laptop, with only one (weak?) password away from unwanted usage.
So, to cover data leak or malicious usage of my data, I need a local archive vault to backup encrypted data at rest using: RSA4096.
To do so, I’ve chosen the standard approach using Pretty_Good_Privacy (PGP).
Phil Zimmermann, PGP Creator
Generate your PGP Key
I will not describe this part, as many, many, many explain this since 1991 (29 years).
Handy encryption commands
I’m a big fan of using alias and bash functions to simplify my life.
# Encryption
alias encrypt='tar -cvz . | gpg -e -r KEY_ID_HERE -o ../$(basename `pwd`).tgz.gpg'
decrypt () {
gpg -d $1.tgz.gpg | tar -xz
}
With the previous alias and function, I’m able to run encrypt command inside a folder that I want to be encrypted in a tgz archive. Then I could delete later manually the initial folder.
To handle all encrypted tgz.gpg files, you will need to use a decrypt function with the name of an archive (ie name of the folder), like:
$ decrypt my_folder
This is useful for archive usage, but not so handy for daily usage as you need to decrypt every time you need access to a file, and the search engine of your computer won’t work inside this encrypted vault.
If you want to go further on macOS hardening, please check-out this wonderful guide
Going further
This is first steps to my journey of protecting my online privacy. The next milestones for me are:
- Switch from Gmail to Protonmail
- Switch from Chrome to Brave, or Firefox
- Switch from Google to DuckDuckGo ✅
- Switch from FreeWifi to FreeWifi + VPN ✅
- Switch from Shared computer usage to TAILS on USB Key
- Delete Instagram, Facebook ✅, WhatsApp Accounts (Use Signal instead)
- Use PiHole + uBlock Origin ✅
And you folks, whats are your tips to ensure your online privacy ? Please describe in comments 🔒
Ho, I was about to forget, please find my PGP public key: 5B15B62672A3B95CFAC598AED75EEBBBF4990859
That’s all folks!
zoph.