What is GnuPG (GPG)?GnuPG is a freely available, open-source program which makes military-grade encryption available to everyone. It can be a little tricky to get set up correctly, but once it is, it is easy to use. If you would like to know why you should care, please read this article.
Getting it set up
- Install GnuPG:
- Windows: Download this installer, and run it. It will install all the GPG support for you.
- Mac OS/X: If you don’t have it already, install from here
- Linux: You probably already have GnuPG on your system. Type gpg --version from a shell to verify you have it. If not, follow your distro’s instructions for how to install it.
- Install ThunderBird (TBird): Simply download the ThunderBird email program and set it up for your email account.
- Add “Enigmail” to TBird: Once you’ve set up an email account in TBird, click on the menu (it’s the three horizontal bars appearing in the upper right part of the TBird window) and select “Add-ons”. Then, type “enigmail” in the search box in the upper-right portion of that screen. You should see “Enigmail 1.5.2” (or later) there. Click the “Install” button, and in a few seconds it will be installed.
- Create your GnuPG key-pair:
In TBird, select the menu again (the three-bar icon), and select
“OpenPGP” and then “Key Management”. A window will show up, allowing
you to manage your GnuPG “key ring”. Assuming you don’t already have
a key-pair, you need to create one. Select “Generate” from the top
menu bar, and then “New key pair”.
Type in a good “passphrase”. In this context, “good” means it is reasonably long and something you can remember and other people will not guess. A combination of several words and symbols or numbers, like Give my monkey 123 dollars! will make it hard for people to guess while still making it easy for you to remember. And you will have to remember your passphrase! Do not write it down, please…
Now click on “Generate Key” and in a few seconds you will have a shiny new GnuPG encryption key. Enigmail will now ask you to create a “revocation certificate”, which you may choose to do or not, as you see fit. Such a certificate is to be used if you want to inform others your key was compromised (stolen, etc).
The last step in this process is to publish your key so others can use it to communicate with you. Go back to the Key Management window and right-click your new key and select “upload to keyserver”. It should only take a few seconds to complete this step.
- Import the GnuPG keys of people you want to communicate with:
This is probably the easiest thing. Using the Key Management window,
select “Keyserver”, then “Search for keys”. In the dialog, type in
the email of the person or the “key ID” of the key you want, and press
“OK”. It will search for the published key matching what you entered
(it may come up with a lot of matches if you use a name or email
instead of an ID).
You can also select a key from a webpage, copy it to the clipboard and then “Edit”, “Import from clipboard”. This is a way to get a key which has not been published, for example.
Using GPG to protect your mailSetting up GPG was the hard part. Using it is pretty simple, by comparison. Here’s how it works:
- Compose your email in TBird. If the recipient doesn’t know your GPG public key, make sure to inform him (in the mail or by phone) of what the key is so he can respond to your mail with encryption you can read.
- Using the TBird “OpenPGP” menu, select ‘Encrypt Message’ and ‘Use PGP/MIME’. Enigmail should automatically choose the encryption key to use based on the recipient’s email address, and will encrypt the mail so that only you and the recipient will be able to read it again.
- When you receive an encrypted email, Engimail will prompt you for your passphrase. Just enter it and it will decrypt the mail for your eyes only.
- You can also choose to “sign” the mail (whether or not you encrypt it), which lets the recipient know for certain that you sent the mail.
Using GPG to protect your filesWindows and OS/X users should have “integrated” GPG support, after having installed the packages listed in the first section. What that means is that they should be able to use their regular “file explorer” applications and select “encrypt” or “decrypt”, etc. However, on all platforms one may use the GPG command line:
gpg -e -r towhom filename
In this case, “towhom” is the email of the recipient, or his GPG key ID. You may also encrypt to multiple recipients if you use more than one “-r towhom” stanza. Decryption is just as simple:
gpg -d encrypted-filename
How does it work?GPG uses something called public key cryptography to perform its magic. The mathematics behind it all is complex, but the idea can be explained very simply: the “key pair” you create is like two mating locks which must both be used to succesfully encrypt and decrypt. When you encrypt to a recipient (including to yourself), you use that person’s “public key”. That’s the key everyone knows, it’s published on the internet, etc. It has to be public so others can send to that person.
The “secret key” is known only to the recipient (you, for example). It must never be made public. When someone encrypts to you using your “public key”, only you, using your “secret key”, can decipher the message.
Likewise, when you “sign” a document, you do so with your secret key. Others can use your public key to ensure that you must have been the signer — since noone else could have used the secret key.