The Do's and Don'ts

The Best of the PGP-Users List "Do's and Don'ts"

The users on this list are human and make mistakes. As humans, we also learn from them. This section of the web site, which will undoubtedly grow over time, will contain the best tips, some pretty good advice and the worst blunders made by everyday PGP users like you and me. I am just starting this section of the site, so user contributions are critical; tales of your worst mistakes (where you trashed your secret ring w/o a backup, or forgot your passphrase but had that key revocation certificate handy) and your miraculous recovery strategy are welcome here. Post them to the list or forward them to me, the list owner, for compilation here. Use the comment mailbox on the first page of this site. I believe this list is bound to grow and, in time, become quite popular and a valuable learning tool for newbies and old hands alike. Make sure others learn from your mistakes. Anonymous contributions, of course, are welcome, and all suggestions will be posted w/o attribution unless specifically requested otherwise.
  1. Create a Key Revocation Certificate--Immediately! This one comes from your list owner. More times than I can count, I have received a message from someone saying "Oh my G-d, I lost my (secret key in a hard drive crash/my pass-phrase), what do I do now?" Well, in short, you are in real trouble, especially if you have posted your key to the public key servers. However, there is a way to protect yourself from this problem, and every PGP user should be made aware of it. When you create your public/secret key pair, create a key revocation certificate too and place the certificate in a safe place in case you ever need it (in fact, I suggest multiple copies: on your hard drive, on floppy and possibly off premises). Remember, you need your secret key and pass phrase to do this, so after you lose one or forget the other, it's too late. That's why the ideal time to create a key revocation certificate is when you generate your key pair initially. A note of caution: generating a key revocation certificate will trash the public key you just made. How do you get around this? Two ways. One is to extract copies of your public and secret keys from the rings first, then revoke the keys and save the key revocation certificate, and finally add your unrevoked keys back onto the rings. The other way is to make a copy of your key rings first, revoke the key, save the certificate, and then simply copy your good copy of the key rings back in place. If your key is compromised, your secret key lost or your pass-phrase forgotten, you will then be able to immediately post the key revocation certificate to the public key servers, generate a new key pair, and not have your "PGP Identity" compromised. If you haven't done this yet... do it today!
  2. Don't confuse a message signature with a person's public key. I used to do it all the time when I first started, and I just had somebody ask me what the problem was because he was doing the same thing. Not a "destructive" problem, but it sure is frustrating when you think you are adding a key and PGP keeps telling you that there are no keys to be found.
  3. Store your secring.pgp file safely. I have them just store secring.pgp on a disk, in a safe place, since it's IDEA encrypted to the pass-phrase anyway. If they want to generate a key revocation certificate that is OK, but I try to keep things simple.
  4. Naming Conventions for Different Secret Keys. One thing I did, almost by accident, that has helped me in the past is that when I created my key I made it " - 512" so that key can be distinguished from others (1024 bit, for instance). This helped when I decided to suspend the 512 in favor of the 1024. When I made my 1024 I signed it with the 512 and vice-versa, so that if there is ever any doubt that one is the newer version of the other, it can be appeased by the signature of my "established" 512 bit key.
  5. Don't use 2048 (or 2047) bit key pairs. The reason is convenience. A friend of mine created a 2048 bit key and used it on his old, slow 386. Each decrypt or clearsign takes the best part of a *minute* to run. By contrast, a 1024 bit key pair is much more than twice as fast. Surely 1024 bits isn't as secure as 2048? That's true, and if you're hiding stuff from a major government maybe you *should* go for 2048 bits. In my opinion, 1024 bits is quite adequate for the rest of us.
  6. Never assume that just because a file "looks" encrypted that it really is. It may just be radix-64 format. This is a very handy and often used feature, but one should understand what it is and how it works. PGP makes a very effective tool for compression and for converting binary to a mailable form. There is a section in the PGP docs about using it as a "better uuencode" that should be read by all.
  7. Know your computer and the software on it. Every day you use PGP, please look at all new files created that day on your computer. I was doing so recently and discovered that not only does PGP use a tmp variable that may be set in the PGP config.txt file, but tcp/ip also uses a temp variable, and on my system it does not point to the same place as the PGP temp variable. And guess what: the one that is set in config.sys is the one that is used by the system regardless of what is set in config.txt. Now that I know, I use my security system to encrypt the contents of f:tcpiptmp, which is the directory used by tcpip and the original user of the tmp variable in config.sys. Things like this can cause real exposure, so actively look for things like this.
  8. DO learn the principles of cryptology, i.e., the single-key versus public-key concept. These are concepts which are commonly confused. Many of the links on the pgp-users mailing list web page will explain these concepts, particularly the PGP manual.
  9. DON'T, don't issue any kind of command just to see what happens. Great way to ruin your day. Another good reason to back up your computer daily, or at least back up critical parts of your hard drive.
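As an added example (not from this page or the PGP-Users list), here is tip 1's second method as a Python wrapper, turned around so that pgp only ever works on a scratch copy of the rings and the live pubring.pgp/secring.pgp are never modified. It assumes PGP 2.6.x's `-kd` (revoke your own key) and `-kxa` (extract an armored key) options and that pgp finds its rings through the PGPPATH environment variable; the `run` argument is injectable so the sequence can be exercised without a pgp binary.

```python
import os
import shutil
import subprocess
import tempfile

RINGS = ("pubring.pgp", "secring.pgp")

def make_revocation_certificate(userid, pgppath, out_dirs, run=subprocess.run):
    """Produce a revocation certificate for `userid` without touching the live rings.

    PGP 2.6.x revokes the key in place, so the work happens on a scratch copy of
    pubring.pgp/secring.pgp; `pgppath` is where the live rings are (PGP 2.6.x
    locates rings via the PGPPATH environment variable, assumed here). The
    certificate is copied to every directory in `out_dirs` (hard drive, floppy,
    off-site copy). `run` defaults to subprocess.run and is injectable so the
    sequence can be exercised without a pgp binary."""
    with tempfile.TemporaryDirectory() as scratch:
        for ring in RINGS:                          # 1. copy the rings first
            shutil.copy2(os.path.join(pgppath, ring), scratch)
        env = dict(os.environ, PGPPATH=scratch)     # 2. point pgp at the copy only
        cert = os.path.join(scratch, "revoke.asc")
        run(["pgp", "-kd", userid], env=env, check=True)         # 3. revoke (asks for the pass-phrase)
        run(["pgp", "-kxa", userid, cert], env=env, check=True)  # 4. extract the revoked key, armored
        saved = []
        for d in out_dirs:                          # 5. keep several copies of the certificate
            os.makedirs(d, exist_ok=True)
            saved.append(shutil.copy2(cert, os.path.join(d, "revoke.asc")))
    # the scratch rings (now revoked) are discarded; the live rings were never modified
    return saved
```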
 
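For tips 2 and 6, an added example that is not part of the original page: a small Python inspector that strips radix-64 armor, verifies the CRC-24 trailer and reads the first packet's cipher type byte, so an armored block that merely looks encrypted (say, literal data) is told apart from a real encrypted message, and the armor label separates a SIGNATURE from a PUBLIC KEY BLOCK. The packet tag numbers follow RFC 4880, which documents the same old-format headers PGP 2.x writes; the sample packets are constructed by hand, not real PGP output.

```python
import base64
TAGS = {1: "public-key encrypted session key", 2: "signature", 3: "symmetric-key encrypted session key",
        6: "public key", 8: "compressed data", 9: "symmetrically encrypted data", 11: "literal data"}
ENCRYPTED_TAGS = {1, 3, 9}  # only these packet types mean the content is actually enciphered

def crc24(data: bytes) -> int:
    """CRC-24 used by radix-64 armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(payload: bytes, kind: str = "MESSAGE") -> str:
    """Wrap raw packet bytes in radix-64 armor with the '=' CRC trailer."""
    body = base64.b64encode(payload).decode()
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", "Version: 2.6.x", ""]
                     + [body[i:i + 64] for i in range(0, len(body), 64)]
                     + ["=" + crc, f"-----END PGP {kind}-----", ""])

def dearmor(text: str):
    """Return (armor kind, raw packet bytes); raise ValueError on a missing or bad CRC."""
    lines = text.splitlines()
    begin = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP "))
    kind = lines[begin][len("-----BEGIN PGP "):-len("-----")]
    body = lines[lines.index("", begin) + 1:]  # a blank line ends the armor headers
    body = body[:body.index(f"-----END PGP {kind}-----")]
    crc_lines = [l[1:] for l in body if l.startswith("=")]
    raw = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    if not crc_lines or int.from_bytes(base64.b64decode(crc_lines[-1]), "big") != crc24(raw):
        raise ValueError("armor CRC missing or mismatched")
    return kind, raw

def first_packet_tag(raw: bytes) -> int:
    """Packet tag from the leading cipher type byte (CTB); PGP 2.x writes old-format headers."""
    ctb = raw[0]
    if not ctb & 0x80:
        raise ValueError("not a PGP packet: CTB bit 7 is clear")
    return ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F

def describe(text: str) -> str:
    kind, raw = dearmor(text)  # look past the armor at the first packet
    tag = first_packet_tag(raw)
    return (f"{kind}: first packet is {TAGS.get(tag, f'tag {tag}')}; "
            + ("encrypted" if tag in ENCRYPTED_TAGS else "NOT encrypted"))

LITERAL_PACKET = bytes([0xAC, 0x08]) + b"b\x00" + bytes(4) + b"hi"        # constructed tag 11 packet
PKESK_PACKET = bytes([0x84, 0x0D, 0x02]) + bytes(8) + b"\x01\x00\x08\xAB"  # constructed tag 1 packet
```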

 Originally posted: 10/4/98; 8:52:29 AM
 Last update: 5/30/99; 12:15:06 PM
 © Copyright 1998, 1999 JAR.Net Communications Ltd.
 All Rights Reserved.
  Comments/Suggestions: [email protected].