- Choose a Windows PC:
- Decide whether to connect or not to connect to the Internet:
- Force the computer to show file extensions:
- Consider using two flash drives:
- To text wrap or not to text wrap, that is the question:
- Back up your work:
- Track keys securely:
- Share keys securely:
- Encrypt closed files only:
- Keep encrypted content away from word processors:
Choose the Windows PC (personal computer) that you will use to encrypt and to decrypt your content. You can of course use your regular Windows PC. Or almost any Windows PC; there is no need to install the software. (Windows XP is no longer supported by Microsoft, but sometimes even that is okay.) Simply plug in your flash drive, and MarpX Good Privacy is ready.
However, the ideal is to use a surplus PC that is never attached to the Internet. Advantages:
- Non-connected computers pose no threat to networks or to the peace of mind of system administrators.
- Even if the PC did have viruses or hidden keystroke recording software, any data gathered could never be communicated back to hackers.
- Low cost -- Surplus PCs don't cost much. An old Windows 7 machine works just fine.
- Having on hand a dedicated disconnected PC helps if your regular computer is Apple or Unix-based.
An entire office or department could share an offline machine dedicated for the one purpose of secure encryption and decryption.
As pointed out above, the greatest possible physical security for encryption and decryption comes from a dedicated offline computer. A connected computer is less secure, but more convenient. For any PC that is ever connected to the Internet, be sure that it has high quality anti-virus protection. If you find it easy to disconnect and reconnect to the Internet, temporary disconnection will reduce your security risk when you use MarpX Good Privacy.
Microsoft by default hides file extensions unless you deliberately choose to see them. It's really helpful to know the suffix at the end of a file name. For example, if you see a file simply named "WARNING", double clicking on it may get you useful information if its extension is ".txt", but it can deliver great grief to you if its extension is ".exe" and it was written by a sociopath.
It is important to set that computer so that it shows file extensions. All the instructions and tips about MarpX Good Privacy will make more sense if you do.
To show extensions, go to the Windows start menu (usually in the lower left corner), type "folder options". Choose the "View" tab in the pop-up dialog, and uncheck the box for "Hide extensions for known file types". Click OK at the bottom.
If you use a disconnected computer to encrypt and decrypt, you will need to transport files and messages back and forth between the dedicated MarpX Good Privacy machine and the connected computer or device that you use to send out, receive, or archive content. If you use a second flash drive for this purpose, then your MarpX Good Privacy need never be attached to a computer that might house viruses or be subject to hacker monitoring.
Small messages are routinely wrapped in what is called Base64 text. That is, the message consists totally of letters, digits, and a few punctuation characters. Here is an example, the first sentence of Lincoln's Gettysburg Address, encrypted:
sBeDzP6W jdUvMftY kMcjCktw 7CkOcEu5
xFeSMDM8 wRmCM1kf vL78Vniw QhmeTw9b
BIE7ig4q oWsnynCT bTVBVOcp VOsUTsim
gEXWVWdw 7FAUllZ3 tR4zfuxG ffVYhOEm
9PyJKGxZ mtvup3Xh uMMbORCy D4Sz.4hy
k3H18xoi Nm11Iiv9 vr7sQbYf fu4W8F1e
Base64 text wrapping is commonly used in computing. It brings files to a simple standard (pure text) and removes any immediate threat, since Base64 text files cannot be executed like programs.
Should text wrapping be used for files as well? That depends.
The problem with text wrapping is that it expands content by anywhere from 33 to 50 percent. If your objective is to archive large files, you will use more storage space by text wrapping. It's usually not worth the extra computer cycles. Wrapping is useful, however, if a file is sent as an attachment to email. That's because some -- not all, but some -- email systems make changes in attached files. If characters (other than spaces and line ends) are added to an encrypted file, it will no longer be possible to recover the original content. So the rule of thumb: Do not routinely check the "text wrap" box when encrypting a file, but do check it if the file will be sent as an attachment to email.
Murphy's Law: "That which can go wrong will go wrong." Corollary to Murphy's Law: "Murphy was an optimist." In other words, it's a normal part of everyday life for things not to work out as planned. Therefore, backup is a normal part of using a computer. For encrypted content, the greatest risks are not knowing the key OR unplanned changes in encrypted files. (See the headings that follow.) Therefore it really helps if you have an unencrypted version of every file and message, archived offline where a hacker cannot reach it.
You don't want hackers to know the keys you use. But you sure want to know. And you want intended recipients to know. No key? No decryption.
Paper and pencil records protect nicely against online hackers and eavesdroppers. An online log might be okay, if you remember to encrypt it frequently and erase the plain text version. Warning: If a hacker found an unencrypted log, all files and messages listed would be compromised.
We have been hesitant to add an automatic log. You would have to specify a key to be used for its encryption, and the risk is that a hacker or eavesdropper might pick up on that key, should you be using MarpX Good Privacy on a PC that is connected to the Internet. [Please use the Feedback button above if you wish to share with us your thoughts on whether an automatic log should be included as part of the program.]
If another person is the intended receiver for an encrypted message or file from you, then that person has to have the same key that you used to encrypt it.
Please, please, please, never ever send passwords or keys by email. Monitoring email packets is the kind of stuff that budding hackers learn to do when they are not yet in their teens. Think of email as public. Think of it as a billboard, just waiting for others to read. And emails are never really deleted. They are likely to turn up somewhere on a server or in some recipient's collection of email.
Telephone is much better. The likelihood of the same gang hacking your computer and eavesdropping on your phone is pretty low. So phone exchanges of keys are fairly reliable. The NATO phonetic alphabet is a good way to transit letter keys by voice. Instead of the letters, use the words... Alfa, Bravo, Charlie, Delta, Echo, Foxtrot, Golf, Hotel, India, Juliett, Kilo, Lima, Mike, November, Oscar, Papa, Quebec, Romeo, Sierra, Tango, Uniform, Victor, Whiskey, X-ray, Yankee, Zulu.
If you are in an office with multiple phone lines, set up one line so that it goes to an answering machine. Then someone who has sent you a file or message can be prompted to leave a phone message along these lines: "This is so-and-so. It's Thursday at 2:30 and I just sent you an email encrypted using key NQGPYED, that is, November - Quebec - Golf - Papa - Yankee - Echo - Delta."
For regular correspondents, you could exchange with your intended recipients a randomly generated list of keys that you will use in various time periods. A schedule might list a new key for each month, week, day, even hour or quarter hour. If you can't find a teenager to write this script for you, use the Feedback button at the top of this page to ask us for a C++ console version. Incidentally, if you send out key schedules, be sure to encrypt them. And the first time, you need to get the key for that first encrypted file to them by some other way -- phone, snail mail, whatever.
Yet another method for key exchange of messages is for each person to include at the end of each message a seven letter key for the recipient to use next time. Example: "When you respond, please privatize your message using for your key RMSVPWK."
When you select a file to be encrypted, choose it from within Windows Explorer (or Windows 10 File Explorer). If the file is open in any other software on your computer and if you select it from within that software, the law of unintended consequences will assert itself. Think Titanic. Think Custer's Last Stand. Think Election Day, or some other suitable disaster. Which leads us directly to the following item.
Among the newly-discovered aboriginal tribes is one that has been found to use computers, but in a very curious way. They run all, repeat all, their programs from within their word processor. This tribe would be an excellent subject for anthropological study. We fear greatly, though, that when they discover the free MarpX Good Privacy product, they will become totally confused and depressed. That's because they have not yet learned a fundamental of modern life: Word processors have an insatiable lust to inject their specialized formatting into every file. Unless very carefully controlled, word processors destroy encrypted files. Example: It's okay to open a Base64 text-wrapped encryption, and to copy and paste the entire encrypted content somewhere else. That's fine. But the moment you allow the word processor to "save" that file, it becomes useless for its one and only purpose -- decryption by an intended recipient.
We hope that you have no relatives in this tribe. Why is this "diatribe" (pun intended) included in this page on best security practices? Because we have encountered personally a member of this tribe. Sigh!