Encryption: it is probably something you have heard about, something you might have wondered about. You may even have considered using it at some point but did not know where to start. Chances are you have heard of a little program called Pretty Good Privacy (Wikipedia). Pretty Good Privacy has been around for a good while and is, for the most part, the standard when it comes to personal encryption. Pretty Good Privacy’s website at PGP.com offers several tools for both individual and corporate customers to encrypt everything from email to laptops and even portable USB devices. However, while PGP was once free to download, it now costs money. Great encryption comes at a cost, and if you have the money to spend it does not get any better than PGP. So where does that leave us normal users? Well, the fine people of the open source community have gifted us with Gnu Privacy Guard (GnuPG), a free open source alternative that is compatible with PGP versions 5-7 and is designed as a complete replacement for PGP. Today we are going to learn a few things about GnuPG and how to send encrypted email messages.
We know what GnuPG is and a little about where to get it, but the version on the main GnuPG website is built primarily for Linux users. Since most of us use a Windows PC, we will need to download the Windows version of GnuPG, located at http://www.gpg4win.org/ and more specifically on their download page. Since we will not be able to cover everything you could possibly do with GnuPG, I suggest you download the full version, which includes the manuals. Once you have downloaded and installed the package, you are ready to go.
The first thing we need to do is create a key. Keys are what make this whole system work. By creating keys you are, in a sense, creating an “identity” that others can use as a basis for verification. You would upload your public key to your website or a key server; others can then download it and add it to their “keyring” so that they can read messages from you. Since no one can send a message using your key, because they would need to type in a passphrase to encrypt the message, a person reading a message “signed” with your public key can verify that the message is in fact from you. So let’s create a key.
The first thing we need to do is open WinPT, which can be found under the GnuPG for Windows menu on your Start Menu. Look at the screenshot below to see what I mean.

Once you have WinPT open you should see a screen that looks like this, but empty.

We can create a new key by clicking on the “New Key” icon (the key icon furthest to the left). This will take us step by step through creating a new key. The keys we create will be based on our name and email address; if you have more than one email address, try to use the one you download into something like Microsoft Outlook or Mozilla Thunderbird. I used my Gmail account because I use Thunderbird when I am home to download my email, so my key is based on that email address (as you can see in the screenshot).

Once you have clicked the icon for creating a new key you will be presented with a dialog that asks for your real name and email address. Type both of these in and click the “OK” button. You will now see a box asking you to type a passphrase. A passphrase is like a password, but an entire phrase. Here you want to use something with some length to it. Things that work best are lines from movies, books, songs, or your grandfather. In other words, a complete sentence works best. You will be asked to type it twice now, and again every time you send an email that you want to either sign or encrypt, so make sure it is something you can remember easily and type exactly the same way every time. After you verify your passphrase, you are done creating your new key. That is it. Pretty painless, huh?
Creating your encryption key is only half the battle. Now you have to make use of it. There are a couple of ways you can do that, but we are going to focus on the email side of things. I use Thunderbird from Mozilla (see link above), and it comes with an extension for encrypting mail by default. The extension is called Enigmail. As you can see from the screenshot below, you only need to open the OpenPGP Security options for your email account inside Thunderbird and set a few options. The easiest way is to first check the checkbox at the top that reads “Enable OpenPGP support (Enigmail) for this identity” and then click the radio button for “Use email address of this identity to identify OpenPGP key.” With this option you will not have to select the specific key for this email address; it will be selected for you. If you would like to default to a particular key, you may do that by selecting the second radio button and then using the “Select Key…” button to pick the specific key you would like to use. Next, check the boxes for “Sign non-encrypted mail by default” and “Sign encrypted mail by default” so that you begin signing your emails from this point forward. Finally, click the “Advanced” button and select the PGP/MIME tab in the dialog window that pops up. Select the radio button for “Always use PGP/MIME” and then select SHA1 from the drop-down list. This sends the signature as an attachment rather than putting a bunch of extra text in your messages, which would make them more difficult to read.
What exactly have we accomplished? Well, every time you send an email it will ask you to enter your passphrase. When you enter your passphrase and the email is sent, a small attachment goes out with the email. This attachment is the signature of the email, made with your GnuPG key. Thunderbird automatically handles this attachment and verifies it using the keys on your keyring to ensure that the email signature is from someone you know and have a key for. It will let you know whether the email signature is legitimate, and by making that verification you know whether the email you just got really is from the person it claims to be from and whether the contents can be trusted.
This does not encrypt every message you send; it simply “signs” them. Encrypting a message takes an extra step when sending it. Don’t worry, the extra step is not difficult. When composing a message there is an icon for OpenPGP next to the “Attach” icon. Clicking on the little down arrow directly next to the OpenPGP icon gives you some options related to signing and encrypting the message. You simply need to click on “Encrypt Message” and the message will be encrypted when it is sent. The resulting mail looks like this when viewed outside Thunderbird:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

hQEOA0p0PL7iKVewEAQAidlV/fOP25VRWZq0zFLaZIltASJxrIfEr9wxTOWYzk4W
5XdqMsm1IQXLuZ9eZlznwh6dkDumnY5B6STYVLPP6vwVC5ITBuvVFD1G85wwkGA2
kc3psP3Rf3DENh/TNqDp72Fm1jkhEQ6E4ZuMCNRxFLVDhAqpNWBMmqkSzHCqr38D
/0asiwi/E1OGWLy2rh6NzgRSZd0JTf4Zt14zsxw4Ybr/DoGxlQ9mKpm1Ip1Sa7G8
YP5xUepry1YbQjeapFe20edJ6P/BECpPW9kiAbnLunSUUCXkJGC/rxxZcHC8nKk4
mLGNEtkXeE8quq+GUWZfg2BOhDJOcOus7rethlz2ttuG0sBcAW0cv5fdMsibNkUw
EWHhWxCZ6UJ7pRsUyHpX8ty6eGQSIQ/HmHioO5o+YSFXZOf6VhRlndMieLkq6qCw
NhHt45oSFyOYgp7fX6ggVeDFLRC+aFuKe5Bad88DfF2oVz5Os4AkXIibhhMJ98K4
z7o2ckahgrvyJwUYojPc7T13N0Mwy+Fgc+XlVrZ3C4Mz7/ydNsnhOqRvSymW6cpm
+xKOsDZKekZtpi41WU+1hSMKZVAkh1aMdKl5jqeEUL4CuRez18PfvXLMC1dCRu5s
s0eI6hXcINf65QrDLHFGk8E21Jn7vr3e4DFSYIWeroGNqyC24SRfNEpxB1bS/oK9
rG4xHeVEN1A9DTdTKzOFQ56UOG2nQautA9K+b50U1KU=
=HVVy
-----END PGP MESSAGE-----
Pretty cool, huh? Now, if someone were able to intercept this message they would not be able to read it. The only way they could read it is if they had my key in their keyring, and the chances of that are slim.
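The armored text above is exactly what a mail server, or anyone tapping the line, gets to see. As an added example that is not part of the original post, the Python script below (standard library only, with the message above pasted in) dissects such a message the way a defender would when checking what was actually sent: it recomputes the CRC-24 checksum that the “=HVVy” line carries, then walks the OpenPGP packet headers (RFC 4880) to show that the payload is a Public-Key Encrypted Session Key packet addressed to one recipient key ID, followed by the integrity-protected ciphertext. Nothing in it needs a private key, and only the matching private key can turn that ciphertext back into the message.

```python
import base64

# Added example, not code from the original post. The message below is the
# encrypted mail shown above, with the blank line that the armor format puts
# between the headers and the base64 body restored.
SAMPLE_MESSAGE = """\
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

hQEOA0p0PL7iKVewEAQAidlV/fOP25VRWZq0zFLaZIltASJxrIfEr9wxTOWYzk4W
5XdqMsm1IQXLuZ9eZlznwh6dkDumnY5B6STYVLPP6vwVC5ITBuvVFD1G85wwkGA2
kc3psP3Rf3DENh/TNqDp72Fm1jkhEQ6E4ZuMCNRxFLVDhAqpNWBMmqkSzHCqr38D
/0asiwi/E1OGWLy2rh6NzgRSZd0JTf4Zt14zsxw4Ybr/DoGxlQ9mKpm1Ip1Sa7G8
YP5xUepry1YbQjeapFe20edJ6P/BECpPW9kiAbnLunSUUCXkJGC/rxxZcHC8nKk4
mLGNEtkXeE8quq+GUWZfg2BOhDJOcOus7rethlz2ttuG0sBcAW0cv5fdMsibNkUw
EWHhWxCZ6UJ7pRsUyHpX8ty6eGQSIQ/HmHioO5o+YSFXZOf6VhRlndMieLkq6qCw
NhHt45oSFyOYgp7fX6ggVeDFLRC+aFuKe5Bad88DfF2oVz5Os4AkXIibhhMJ98K4
z7o2ckahgrvyJwUYojPc7T13N0Mwy+Fgc+XlVrZ3C4Mz7/ydNsnhOqRvSymW6cpm
+xKOsDZKekZtpi41WU+1hSMKZVAkh1aMdKl5jqeEUL4CuRez18PfvXLMC1dCRu5s
s0eI6hXcINf65QrDLHFGk8E21Jn7vr3e4DFSYIWeroGNqyC24SRfNEpxB1bS/oK9
rG4xHeVEN1A9DTdTKzOFQ56UOG2nQautA9K+b50U1KU=
=HVVy
-----END PGP MESSAGE-----
"""

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # RFC 4880, section 6.1
PACKET_NAMES = {1: "Public-Key Encrypted Session Key", 2: "Signature",
                3: "Symmetric-Key Encrypted Session Key", 8: "Compressed Data",
                11: "Literal Data", 18: "Sym. Encrypted Integrity Protected Data"}


def crc24(data: bytes) -> int:
    """CRC-24 over the decoded payload; the '=' line carries its base64 form."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def parse_armor(text: str) -> dict:
    """Split armor into headers, decoded payload and checksum, and check the CRC."""
    lines = text.splitlines()
    i = next(n for n, ln in enumerate(lines) if ln.startswith("-----BEGIN PGP")) + 1
    headers = {}
    while lines[i].strip():                  # header block ends at a blank line
        key, _, value = lines[i].partition(": ")
        headers[key] = value
        i += 1
    body, expected_crc = [], None
    for line in lines[i + 1:]:
        if line.startswith("-----END PGP"):
            break
        if line.startswith("="):             # checksum line: "=" + 4 base64 chars
            expected_crc = int.from_bytes(base64.b64decode(line[1:]), "big")
        elif line.strip():
            body.append(line.strip())
    payload = base64.b64decode("".join(body))
    return {"headers": headers, "payload": payload, "expected_crc": expected_crc,
            "crc_ok": crc24(payload) == expected_crc}


def list_packets(payload: bytes) -> list:
    """Walk packet headers (RFC 4880, 4.2); return (tag, name, length, body)."""
    packets, pos = [], 0
    while pos < len(payload):
        ctb = payload[pos]
        if not ctb & 0x80:
            raise ValueError("no packet header at offset %d" % pos)
        if ctb & 0x40:                       # new-format header
            tag, first = ctb & 0x3F, payload[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + payload[pos + 2] + 192, 3
            else:
                raise ValueError("5-octet and partial lengths are not handled here")
        else:                                # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            size = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(payload[pos + 1:pos + 1 + size], "big"), 1 + size
        body = payload[pos + hdr:pos + hdr + length]
        packets.append((tag, PACKET_NAMES.get(tag, "tag %d" % tag), length, body))
        pos += hdr + length
    return packets


def pkesk_info(body: bytes) -> dict:
    """Fields of a version 3 Public-Key Encrypted Session Key packet."""
    return {"version": body[0],
            "key_id": body[1:9].hex().upper(),   # recipient's key ID
            "algorithm": body[9]}                 # 1 = RSA, 16 = ElGamal (RFC 4880, 9.1)


if __name__ == "__main__":
    armor = parse_armor(SAMPLE_MESSAGE)
    print("armor headers:", armor["headers"])
    print("CRC-24 check :", "ok" if armor["crc_ok"] else "MISMATCH")
    for tag, name, length, body in list_packets(armor["payload"]):
        print("packet tag %2d, %s, %d bytes" % (tag, name, length))
        if tag == 1:
            print("   ", pkesk_info(body))
```

Run it as a script to print the armor headers, the checksum result and the packet list. The key ID it reports is the one GnuPG uses to pick the decryption key on the recipient's side, which is also why an intercepted copy is useless to anyone whose keyring does not hold the matching private key; a checksum mismatch, on the other hand, tells you the armored text was altered or damaged in transit before anyone tries to decrypt it.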
So why sign or encrypt your email? For starters, it is generally just a good idea. Even if the people you are sending to do not have your public key, they will see the attached signature. They can start using this as a way to verify that the email comes from you: no attached signature, and they can assume the message is not from you and should be cautious of its contents. If you go that extra step and encrypt your email, you have made yourself that much more secure. If someone cannot read the email, they have no interest in it. Making it difficult for people to hack in and get to your information makes them lose interest, and they move on to the next person. Keep in mind that email is sent in plain text across the internet. All someone has to do to read the email you are sending is intercept the data packets traveling along the network and, boom, they have your email. When you encrypt it, it still goes out as text, but that text has been transformed into something unreadable without the key. Do you really need to encrypt your email? Probably not; if you send a lot of personal information then I would highly recommend encrypting your emails, but for normal everyday use simply signing is good enough.
I hope that you have learned a thing or two about encryption today. While I did not go over how key-based encryption works in great detail, you can find more information in this article supplied by Wikipedia. I hope that you will take the steps necessary to secure yourself in this digital world.
Do you use encryption? Why or why not? Leave a comment and let us know.