- Use Extreme Encryption on a disconnected Windows PC:
- Second best -- use flash drive plus temporarily disconnected Windows PC:
- Use any computer or device you want for your normal routine:
- IMPORTANT: Force your Windows PC to show file extensions:
- Accumulate your PIE and KEY files alongside the ExtremeEncryption.exe program:
- You may, if you wish, replace your Sched_##.KEY files:
- To text wrap or not to text wrap, that is the question:
- Back up your work:
- If you create your own keys, track those keys securely:
- If you create your own keys, share those keys securely:
- Encrypt closed files only:
- Keep encrypted content away from word processors:
- Restrictions on export:
Think of maintaining in the office a Windows PC that is totally disconnected from the Internet. Almost any surplus Windows PC will do, Windows 7 or later. (Some XPs work, some don't.) Bear in mind that Windows 7 and XP no longer receive security updates, which is tolerable only because this machine never goes online. Disable or remove the wireless and Bluetooth adapters as well; unplugging the network cable is not enough. Then hackers cannot invade, track, eavesdrop, or do malevolent things over the network, and nothing captured on that machine, keystrokes included, can be sent out. What remains is the door you deliberately keep open: the flash drives that carry files to and from it. Anything malicious on an ordinary computer can ride the same drive across, so use drives dedicated to this purpose and turn AutoPlay off for removable drives on the disconnected PC.
The aim is to keep the following out of view:
- any encryption and decryption keys that you input;
- your Private Information Exchange (PIE) files; and
- your automated key selection (KEY) files.
The PIE files are encrypted, but they are the most important files in Extreme Encryption. It does not matter at all if anyone sees the rest of the files in an installation -- the help files, the subdirectories, the program executable.
Incidentally, it's okay for other fully trusted members of your team to use the same disconnected computer, so long as each of them has a separate installation area. That means some files are on the computer more than once, but it is the safest way to avoid mixing up the PIE and KEY files of two different persons. The PIE files are encrypted differently for each person; if they are mixed, the system will not work as expected.
If you are not a person who habitually misplaces things, it's okay to install Extreme Encryption on a flash drive. When you need to encrypt or decrypt, select a PC which has at the moment neither wireless access nor a physical connection to the Internet. That computer should have up-to-date anti-virus protection, which lowers (but does not eliminate) the chance that keystroke capture software is present; that residual risk is why this is second best. Plug in the flash drive, and launch the program from there.
If you go this route, do not lend your flash drive to anyone.
Use of a separate disconnected Windows PC for encryption and decryption means that files and messages need to be carried from and to regular devices and computers, on flash drives or by other hardware-based methods. That little bit of extra work greatly increases security. It also adds flexibility for people who routinely use macOS or Chrome OS or Linux or whatever. Incidentally, Extreme Encryption handles any file type from any operating system.
Microsoft by default hides file extensions unless you deliberately choose to see them. It's really helpful to know the suffix at the end of a file name. For example, if you see a file simply named "WARNING", double clicking on it may get you useful information if its extension is ".txt", but it can deliver great grief to you if its extension is ".exe" and it was written by a sociopath. Worse, with extensions hidden a file named "WARNING.txt.exe" is displayed as "WARNING.txt", which is the oldest trick in the book.
It is important to set that computer so that it shows file extensions. All the instructions and tips about Extreme Encryption™ will make more sense if you do.
To show extensions, go to the Windows start menu (usually in the lower left corner) and type "folder options" (on Windows 10 and 11 the dialog is called "File Explorer Options"). Choose the "View" tab in the dialog that pops up, uncheck the box for "Hide extensions for known file types", and click OK at the bottom.
Whenever you purchase a Private Information Exchange setup, you will receive an encrypted KEY file and a doubly encrypted PIE file. Put both files in the same directory as the ExtremeEncryption.exe file. The next time the program is started, encrypted KEY files are decrypted and the outer layer of encryption is removed from PIE files. That's all done automatically, so you don't have to be concerned about it. The extra encryption served as protection while the files were being transmitted to you.
Each of your Private Information Exchange (PIE) setups includes a file Sched_##.KEY, where ## is the PIE number. Each KEY file consists of 54,000 random bytes. When you use automatic key selection, keys are created from little pieces of the file.
If you replace the Sched_##.KEY files, that adds two layers of security. First, Marpex Inc. will not have access to your automatically generated keys. Second, no one other than the participants in that particular Private Information Exchange has ever seen the replacement KEY file in any form.
How is it done? Any collection of random bytes will do, so long as it is at least 54,000 bytes in size and has never been used for any other purpose. Give each key file the same name as the one it replaces: Sched_ followed by the PIE number and .KEY. The best source is the cryptographic random number generator built into your operating system; every modern one has one. If you cannot get at it, you can make a moderately random substitute yourself: get some file from the Internet and encrypt it. Bear in mind that such a file is only as unpredictable as the choice of file plus the key used to encrypt it, so prefer a real random source. Every participant in that Private Information Exchange needs exactly the same file for key selection to work, so either have each of them produce it in exactly the same way or carry it to them on a flash drive. The replacement file is now a shared secret: never send it by email, and compare a checksum of each copy before relying on it.
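The following is an added example, not Marpex Inc. code, of producing a replacement KEY file from the operating system's cryptographic random generator and sanity-checking a candidate file before it is used. It assumes only what the page states (a file of at least 54,000 bytes named Sched_ plus the PIE number plus .KEY); the two-digit zero-padding of the number and the entropy threshold are this example's own choices. The SHA-256 fingerprint is what participants compare, by phone or another non-email channel, to confirm their copies are byte-identical.

```python
"""Added example (not Marpex Inc. code): produce and check a replacement
Sched_##.KEY file.  Assumptions: a KEY file is simply a file of at least
54,000 bytes; the zero-padded name and the checks beyond size are this
example's own."""
import hashlib
import math
import secrets
from collections import Counter
from pathlib import Path

KEY_FILE_SIZE = 54_000  # minimum size stated by the page


def key_file_name(pie_number: int) -> str:
    """Sched_ + PIE number + .KEY; two-digit padding is an assumption here."""
    return f"Sched_{pie_number:02d}.KEY"


def make_key_file(directory: Path, pie_number: int, size: int = KEY_FILE_SIZE) -> Path:
    """Write `size` bytes drawn from the OS cryptographic random generator."""
    if size < KEY_FILE_SIZE:
        raise ValueError(f"KEY file must be at least {KEY_FILE_SIZE} bytes")
    path = directory / key_file_name(pie_number)
    path.write_bytes(secrets.token_bytes(size))
    return path


def fingerprint(path: Path) -> str:
    """SHA-256 of the whole file; participants compare this value to confirm
    that their copies are byte-identical before relying on them."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def bits_per_byte(data: bytes) -> float:
    """Shannon entropy estimate; truly random bytes score close to 8.0."""
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def check_key_file(path: Path) -> tuple[bool, str]:
    """Sanity checks for a candidate replacement file.  The 7.5 bits/byte
    threshold is this example's choice: it rejects plain text, images with
    large uniform areas and similar structured files, but it cannot tell
    'random' from 'merely encrypted' and cannot prove the file was never
    used for anything else."""
    data = path.read_bytes()
    if len(data) < KEY_FILE_SIZE:
        return False, f"only {len(data)} bytes, need at least {KEY_FILE_SIZE}"
    score = bits_per_byte(data)
    if score < 7.5:
        return False, f"content looks structured, not random ({score:.2f} bits/byte)"
    return True, f"ok: {len(data)} bytes, {score:.2f} bits/byte, sha256 {fingerprint(path)}"


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        key_path = make_key_file(Path(tmp), 7)
        print(key_path.name, check_key_file(key_path))
```

Run it once per PIE, copy the resulting file into each participant's installation directory by hand, and read the fingerprint to them over the phone; if the values differ, one copy was altered in transit and automatic key selection will not line up.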
Small messages are routinely wrapped in what is called Base64 text. That is, the message consists totally of letters, digits, and a few punctuation characters. Here is an example, the first sentence of Lincoln's Gettysburg Address, encrypted:
sBeDzP6W jdUvMftY kMcjCktw 7CkOcEu5
xFeSMDM8 wRmCM1kf vL78Vniw QhmeTw9b
BIE7ig4q oWsnynCT bTVBVOcp VOsUTsim
gEXWVWdw 7FAUllZ3 tR4zfuxG ffVYhOEm
9PyJKGxZ mtvup3Xh uMMbORCy D4Sz.4hy
k3H18xoi Nm11Iiv9 vr7sQbYf fu4W8F1e
Base64 text wrapping is commonly used in computing. It reduces any file to plain text, which passes through text-only channels intact, and a text file of Base64 characters will not run if someone double-clicks it. That is a convenience, not a protection: the text decodes back to the original bytes in an instant.
Should text wrapping be used for files as well? That depends.
The problem with text wrapping is that it expands content: Base64 produces four characters for every three bytes, a third more, and the spaces and line ends added for readability push that toward 50 percent. If your objective is to archive large files, text wrapping costs storage and computer cycles for no benefit. Wrapping is useful, however, if a file is sent as an attachment to email. That's because some -- not all, but some -- email systems alter attachments, for instance by converting line ends. If characters other than spaces and line ends are added to an encrypted file, it will no longer be possible to recover the original content. So the rule of thumb: Do not routinely check the "text wrap" box when encrypting a file, but do check it if the file will be sent as an attachment to email.
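As an added example (not Marpex Inc. code), here is text wrapping laid out the way the sample above is, together with a constructed stand-in for a mail system that rewrites line ends. It uses standard RFC 4648 Base64; the product's own alphabet and layout may differ (the sample above contains a "." that standard Base64 does not use), so treat the alphabet and the 8-character, 4-groups-per-line layout as assumptions. The point it shows is the one in the paragraph: spaces and line ends are thrown away before decoding, so the wrapped form survives line-end conversion while the raw bytes do not.

```python
"""Added example (not Marpex Inc. code): Base64 text wrapping in the page's
group layout, and why it survives email while raw ciphertext may not.
Alphabet (RFC 4648) and layout are assumptions, not the product's own."""
import base64
import re

GROUP = 8            # characters per group, as in the sample above
GROUPS_PER_LINE = 4  # groups per line, as in the sample above


def wrap(ciphertext: bytes) -> str:
    """Base64-encode, then lay out as space-separated groups of GROUP
    characters, GROUPS_PER_LINE groups per line, ending in a newline."""
    b64 = base64.b64encode(ciphertext).decode("ascii")
    groups = [b64[i:i + GROUP] for i in range(0, len(b64), GROUP)]
    lines = [" ".join(groups[i:i + GROUPS_PER_LINE])
             for i in range(0, len(groups), GROUPS_PER_LINE)]
    return "\n".join(lines) + "\n"


def unwrap(text: str) -> bytes:
    """Reverse wrap().  Spaces, tabs, CR and LF are discarded first, so
    re-flowing or line-end conversion in transit is harmless.  Any other
    stray character is reported rather than silently decoded, because a
    single inserted byte would make the ciphertext undecryptable."""
    compact = re.sub(r"[ \t\r\n]", "", text)
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", compact):
        raise ValueError("text contains characters outside the Base64 alphabet")
    return base64.b64decode(compact, validate=True)


def mail_text_normalise(blob: bytes) -> bytes:
    """Constructed stand-in for a mail system that treats an attachment as
    text and converts bare LF to CRLF.  Real systems vary; this is the
    simplest such change and enough to show the effect."""
    return blob.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def expansion(ciphertext: bytes) -> float:
    """Size of the wrapped text relative to the raw bytes (at least 4/3)."""
    return len(wrap(ciphertext)) / len(ciphertext)


# Constructed sample: 48 bytes that include 0x0A, as real ciphertext
# will by chance about once every 256 bytes.
SAMPLE = bytes(range(48))

if __name__ == "__main__":
    wrapped = wrap(SAMPLE)
    print(wrapped, end="")
    print("raw bytes survive mail:", mail_text_normalise(SAMPLE) == SAMPLE)
    print("wrapped text survives mail:",
          unwrap(mail_text_normalise(wrapped.encode()).decode()) == SAMPLE)
    print(f"expansion: {expansion(SAMPLE):.2f}x")
```

With this layout the 48-byte sample becomes 72 characters, a 1.5x expansion, which is where the "up to 50 percent" figure comes from; the raw bytes come back one byte longer after the line-end conversion, and that one byte is enough to ruin decryption.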
Murphy's Law: "That which can go wrong will go wrong." Corollary to Murphy's Law: "Murphy was an optimist." In other words, it's a normal part of everyday life for things not to work out as planned. Therefore, backup is a normal part of using a computer. For encrypted content, the greatest risks are losing the key, or unplanned changes in the encrypted file. (See the headings that follow.) Therefore it really helps if you have an unencrypted version of every file and message, archived offline where a hacker cannot reach it.
Most of the time, you may prefer to use auto-key selection. It saves you the bother of thinking up keys, recording them, and finding ways to share those keys with other participants in the same Private Information Exchange.
But if you override the auto-selection feature, you don't want hackers to know the keys you use. You, however, need to know them, and so do your intended recipients. No key? No decryption.
Paper and pencil records protect nicely against online hackers and eavesdroppers. An online log might be okay, if you remember to encrypt it promptly and erase the plain text version. Warning: If a hacker found an unencrypted log, every file and message listed in it would be compromised. We have been hesitant to add an automatic log. You would have to specify a key to be used for its encryption, and the risk is that a hacker or eavesdropper might pick up on that key. [Please use the Feedback button above if you wish to share with us your thoughts on whether an automatic log should be included as part of the program.]
This section applies only if you override auto-key selection.
If another person is the intended receiver for an encrypted message or file from you, then that person has to have the same key that you used to encrypt it.
Please, please, please, never ever send passwords or keys by email. Email has no end-to-end protection: it sits in plain text on your provider's servers and in every recipient's mailbox, gets quoted and forwarded, and is never really deleted, and picking it up along the way is the kind of thing budding hackers learn to do before their teens. Think of email as public. Think of it as a billboard, just waiting for others to read. Copies are likely to turn up somewhere on a server or in some recipient's collection of email.
Telephone is much better. The likelihood of the same gang hacking your computer and eavesdropping on your phone is pretty low. So phone exchanges of keys are fairly reliable. The NATO phonetic alphabet is a good way to transmit letter keys by voice. Instead of the letters, use the words... Alfa, Bravo, Charlie, Delta, Echo, Foxtrot, Golf, Hotel, India, Juliett, Kilo, Lima, Mike, November, Oscar, Papa, Quebec, Romeo, Sierra, Tango, Uniform, Victor, Whiskey, X-ray, Yankee, Zulu.
If you are in an office with multiple phone lines, set up one line so that it goes to an answering machine. Then someone who has sent you a file or message can be prompted to leave a phone message along these lines: "This is so-and-so. It's Thursday at 2:30 and I just sent you an email encrypted using key NQGPYED, that is, November - Quebec - Golf - Papa - Yankee - Echo - Delta." Make sure that line's voicemail is not set to forward or transcribe messages to email, or the key lands right back in the place you were avoiding.
For regular correspondents, you could exchange with your intended recipients a randomly generated list of keys to be used in successive time periods. A schedule might list a new key for each month, week, day, even hour or quarter hour. If you can't find a teenager to write this script for you, use the Feedback button at the top of this page to ask us for a C++ console version. Whatever produces the list must draw on a cryptographic random source; a list that a hacker can regenerate is no list at all. Incidentally, if you send out key schedules, be sure to encrypt them. And the first time, you need to get the key for that first encrypted file to them some other way -- phone, snail mail, whatever.
Yet another method of key exchange is for each person to include at the end of each message a seven letter key for the recipient to use next time. Example: "When you respond, please privatize your message using for your key RMSVPWK." One caution: each key then travels under the protection of the previous one, so if a single message in the chain is broken, every message after it is exposed as well.
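The following added example (not Marpex Inc. code, and not the C++ console version mentioned above) covers the three practices just described: it draws keys from the operating system's cryptographic random generator, lays them out as a dated schedule, and spells any key out in the NATO alphabet for reading over the phone. It assumes a key is a string of uppercase letters, seven of them as in the examples on this page; the page does not say what other characters or lengths the program accepts, so adjust ALPHABET and the length to what Extreme Encryption actually allows.

```python
"""Added example (not Marpex Inc. code): generate keys, lay them out as a
dated schedule, and spell one out for the telephone.  Assumes keys are
uppercase letters, seven long by default, as in the page's examples."""
import math
import secrets
import string
from datetime import datetime, timedelta

ALPHABET = string.ascii_uppercase

NATO = {
    "A": "Alfa", "B": "Bravo", "C": "Charlie", "D": "Delta", "E": "Echo",
    "F": "Foxtrot", "G": "Golf", "H": "Hotel", "I": "India", "J": "Juliett",
    "K": "Kilo", "L": "Lima", "M": "Mike", "N": "November", "O": "Oscar",
    "P": "Papa", "Q": "Quebec", "R": "Romeo", "S": "Sierra", "T": "Tango",
    "U": "Uniform", "V": "Victor", "W": "Whiskey", "X": "X-ray", "Y": "Yankee",
    "Z": "Zulu",
}


def make_key(length: int = 7) -> str:
    """Each letter comes from secrets (the OS cryptographic generator), not
    random.choice: a schedule made with a seeded PRNG could be regenerated
    by anyone who guesses the seed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def key_bits(length: int = 7) -> float:
    """Brute-force work factor in bits: log2(26 ** length).  Seven letters
    is about 32.9 bits, fine for a key read over the phone and changed
    often, but not a large margin against offline search."""
    return length * math.log2(len(ALPHABET))


def phonetic(key: str) -> str:
    """Spell a key the way the page suggests leaving it in a phone message."""
    return " - ".join(NATO[ch] for ch in key.upper())


def make_schedule(start: datetime, periods: int, step: timedelta,
                  length: int = 7) -> list[tuple[datetime, str]]:
    """One fresh key per period, e.g. step=timedelta(days=1) for daily keys.
    The result is a shared secret: encrypt it before sending, and deliver
    the key for that first encrypted file by phone or post."""
    return [(start + i * step, make_key(length)) for i in range(periods)]


def key_for(schedule: list[tuple[datetime, str]], when: datetime) -> str:
    """The key whose period covers `when`: the latest start time <= when."""
    current = None
    for starts, key in schedule:
        if starts <= when:
            current = key
        else:
            break
    if current is None:
        raise ValueError("time is before the first scheduled key")
    return current


def format_schedule(schedule: list[tuple[datetime, str]]) -> str:
    """Plain-text layout, one period per line, with the phonetic spelling
    alongside so it can be read out without working it out on the spot."""
    return "\n".join(f"{starts:%Y-%m-%d %H:%M}  {key}  ({phonetic(key)})"
                     for starts, key in schedule) + "\n"


if __name__ == "__main__":
    sched = make_schedule(datetime(2024, 1, 1), 7, timedelta(days=1))
    print(format_schedule(sched), end="")
    print(f"{key_bits():.1f} bits per seven-letter key")
    print(phonetic("NQGPYED"))
```

Print the formatted schedule, encrypt the text file under a key delivered by phone, and keep the paper copy with the pencil log described above; key_for() is what each side uses to pick the key for a message sent at a given time.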
When you select a file to be encrypted, choose it from within Windows Explorer (or Windows 10 File Explorer), and make sure the file is closed in every other program first: an open file may be locked, and may not yet hold what you last typed. If the file is open in any other software on your computer and you select it from within that software, the law of unintended consequences will assert itself. Think Titanic. Think Custer's Last Stand. Think Election Day, or some other suitable disaster. Which leads us directly to the following item.
Among the newly-discovered aboriginal tribes is one that has been found to use computers, but in a very curious way. They run all, repeat all, their programs from within their word processor. This tribe would be an excellent subject for anthropological study. We fear greatly, though, that when they discover MarpX Privacy products, they will become totally confused and depressed. That's because they have not yet learned a fundamental of modern life: Word processors have an insatiable lust to inject their specialized formatting into every file. Unless very carefully controlled, word processors destroy encrypted files. Example: It's okay to open a Base64 text-wrapped encryption (a plain text editor such as Notepad is the safer choice), and to copy and paste the entire encrypted content somewhere else. That's fine. But the moment you allow a word processor to "save" that file, it becomes useless for its one and only purpose -- decryption by an intended recipient.
We hope that you have no relatives in this tribe. Why is this "diatribe" (pun intended) included in this page on best security practices? Because we have encountered personally a member of this tribe. Sigh!
Under United States law, you are not permitted to export the Extreme Encryption product. Further, sharing it within the United States with a national of a sanctioned destination country constitutes export, a serious offence under the Bureau of Industry and Security's Export Administration Regulations. You might also want to familiarize yourself with the federal government's Export Consolidated Screening List. Pater dixit. Sigh!