MarpX Privacy

Best Practices

  1. Use MarpxPrivacy on a disconnected Windows PC
  2. If you use a disconnected PC for privacy, then use any computer or device you want for your normal routine
  3. Second best -- use flash drive plus temporarily disconnected Windows PC
  4. IMPORTANT: Force your Windows PC to show file extensions
  5. Accumulate your PKE files alongside the MarpxPrivacy.exe program
  6. To text wrap or not to text wrap, that is the question
  7. Back up your work
  8. Track authentication data securely
  9. Share authentication data securely
  10. Encrypt closed files only
  11. Keep encrypted content away from word processors
  12. Restrictions on export

For greatest security, use MarpxPrivacy on a disconnected Windows PC:

Think of maintaining in the office a Windows PC that is totally disconnected from the Internet. Almost any surplus Windows PC will do, Windows 7 or later. (Windows Vista may work, Windows XP does not.) Block any wireless access as well. Then hackers cannot invade, track, eavesdrop, or do malevolent things. Keystrokes cannot be sent out from a computer disconnected from the Internet. Hackers are cut off from any information.


The aim is to keep the following out of view:

It's best if you delete the unencrypted version of a PKE file once it has been included in a new roster entry and automatically encrypted. It does not matter at all if anyone sees the rest of the files in an installation -- the help files, the subdirectories, the program executable.


Incidentally, it's okay for other fully trusted members of your team to use the same disconnected computer, so long as they each have their own installation area. That means some files are on the computer multiple times, but it is the safest way to avoid mixing together the PKE files for two different persons.

If you use a disconnected PC for privacy, then use any computer or device you want for your normal routine:

Use of a separate disconnected Windows PC for encryption and decryption means that files and messages need to be carried from and to regular devices and computers, on flash drives or by other hardware-based methods. That little bit of extra work greatly increases security. It also adds flexibility for people who routinely use macOS or Chrome OS or Linux or whatever. Incidentally, MarpxPrivacy handles any file type from any operating system.

Second best -- use a flash drive plus a temporarily disconnected Windows PC:

If you are not a person who habitually misplaces things, keep your entire installed set of files including PKE files on a flash drive. Use MarpxPrivacy only on a PC that has dependable anti-virus protection, so that no keystroke capture software is present. Each time that you need to encrypt or decrypt messages or files, physically unplug the PC's Internet connection. If it has wireless access, turn that off.


If you go this route, do not lend your flash drive to anyone.

IMPORTANT: Force your Windows PC to show file extensions:

Microsoft by default hides file extensions unless you deliberately choose to see them. It's essential to know the suffix at the end of a file name, especially when there are combination endings such as .enc.txt or .PKE.enc. The second page in this help series tells in detail how to make file extensions show.

Accumulate your PKE files alongside the MarpxPrivacy.exe program:

Whenever you purchase a Private Key Expander, you will receive a file with extension .PKE. Put the unencrypted PKE file in the same directory as the MarpxPrivacy.exe file. When you add a new roster entry with a PKE file, it is encrypted automatically and placed in a subdirectory named "PETS". Ideally, you should build each new PKE into a new roster entry, test with your confidant that it works, then delete the unencrypted .PKE file, and leave in the PETS subdirectory the version that ends .PKE.enc.

To text wrap or not to text wrap, that is the question:

Small messages are routinely wrapped in what is called Base64 text. That is, the message consists totally of letters, digits, and a few punctuation characters. Here is an example, the first sentence of Lincoln's Gettysburg Address, encrypted:
      sBeDzP6W jdUvMftY kMcjCktw 7CkOcEu5
      xFeSMDM8 wRmCM1kf vL78Vniw QhmeTw9b
      BIE7ig4q oWsnynCT bTVBVOcp VOsUTsim
      gEXWVWdw 7FAUllZ3 tR4zfuxG ffVYhOEm
      9PyJKGxZ mtvup3Xh uMMbORCy D4Sz.4hy
      k3H18xoi Nm11Iiv9 vr7sQbYf fu4W8F1e


Base64 text wrapping is commonly used in computing. It brings files to a simple standard (pure text) and removes any immediate threat, since Base64 text files cannot be executed like programs.


Should text wrapping be used for files as well? That depends.


The problem with text wrapping is that it expands content by anywhere from 33 to 50 percent. If your objective is to archive large files, you will use more storage space by text wrapping. It's usually not worth the extra computer cycles. Wrapping is useful, however, if a file is sent as an attachment to email. That's because some -- not all, but some -- email systems make changes in attached files. If characters (other than spaces and line ends) are added to an encrypted file, it will no longer be possible to recover the original content. So the rule of thumb: Do not routinely check the "text wrap" box when encrypting a file, but do check it if the file will be sent as an attachment to email.

Back up your work:

Murphy's Law: "That which can go wrong will go wrong." Corollary to Murphy's Law: "Murphy was an optimist." In other words, it's a normal part of everyday life for things not to work out as planned. Therefore, backup is a normal part of using a computer. For encrypted content, the greatest risks are not knowing the key OR unplanned changes in encrypted files. (See the headings that follow.) Therefore it really helps if you have an unencrypted version of every file and message, archived offline where a hacker cannot reach it.

Track authentication data securely:

Personal ID codes, manually selected keys for encryption and decryption, and confidant codes are mission-critical. In other words, there are selected pieces of data that must be kept from anyone who is not intended to gain access to information. You don't want hackers to know, but you sure want to know. In the case of manually selected keys, you want intended recipients to know. That's because no key means no decryption.


Paper and pencil records protect nicely against online hackers and eavesdroppers. But please keep them out of sight and don't leave sticky notes with confidant codes attached to or near your computer!

Share authentication data securely:

A personal ID code, you should never share, not even with your mother or (gasp!) your mother-in-law.


If another person is the intended receiver for an encrypted message or file from you, and if that key was manually selected, then that person has to have the same key that you used to encrypt it.


Please, please, please, never ever send codes or keys by email. Monitoring email packets is the kind of stuff that budding hackers learn to do when they are not yet in their teens. Think of email as public. Think of it as a billboard, just waiting for others to read. And emails are never really deleted. They are likely to turn up somewhere on a server or in some recipient's collection of email.


Telephone is much better. The likelihood of the same gang hacking your computer and eavesdropping on your phone is pretty low. So phone exchanges of keys are fairly reliable. The NATO phonetic alphabet is a good way to transit letter keys by voice. Instead of the letters, use the words... Alfa, Bravo, Charlie, Delta, Echo, Foxtrot, Golf, Hotel, India, Juliett, Kilo, Lima, Mike, November, Oscar, Papa, Quebec, Romeo, Sierra, Tango, Uniform, Victor, Whiskey, X-ray, Yankee, Zulu.


If you are in an office with multiple phone lines, set up one line so that it goes to an answering machine. Then someone who has sent you a file or message can be prompted to leave a phone message along these lines: "This is so-and-so. It's Thursday at 2:30 and I just sent you an email encrypted using key all letters in caps NQGPY4D, that is, November - Quebec - Golf - Papa - Yankee - digit four - Delta."

Encrypt closed files only:

When you select a file to be encrypted, choose it from within Windows Explorer (or Windows 10 File Explorer). If the file is open in any other software on your computer and if you select it from within that software, the law of unintended consequences will assert itself. Think Titanic. Think Custer's Last Stand. Think Election Day, or some other suitable disaster. Which leads us directly to the following item.

Keep encrypted content away from word processors:

Among the newly-discovered aboriginal tribes is one that has been found to use computers, but in a very curious way. They run all, repeat all, their programs from within their word processor. This tribe would be an excellent subject for anthropological study. We fear greatly, though, that when they discover MarpxPrivacy products, they will become totally confused and depressed. That's because they have not yet learned a fundamental of modern life: Word processors have an insatiable lust to inject their specialized formatting into every file. Unless very carefully controlled, word processors destroy encrypted files. Example: It's okay to open a Base64 text-wrapped encryption, and to copy and paste the entire encrypted content somewhere else. That's fine. But the moment you allow the word processor to "save" that file, it becomes useless for its one and only purpose -- decryption by an intended recipient.


We hope that you have no relatives in this tribe. Why is this "diatribe" (pun intended) included in this page on best security practices? Because we have encountered personally a member of this tribe. Sigh!

Restrictions on export:

Under United States law, you are not permitted to export PKE (Private Key Expander) files. Further, sharing them within the United States with a national of a sanctioned destination country constitutes export, a serious offence under the Bureau of Industry and Security's Export Administration Regulations. You might also want to familiarize yourself with the federal government's Export Consolidated Screening List. Pater dixit. Sigh!


MarpX Privacy