Protecting Email With GNU Privacy Guard

Introduction

GNU Privacy Guard (gpg) is the Free Software Foundation's version of the popular encryption software Pretty Good Privacy (pgp). With GNU Privacy Guard you can encrypt, decrypt, sign and authenticate documents, and you can generate and exchange encryption keys. Today I will talk about how to use gpg with the Mozilla Thunderbird email client.

Installation

If you are using Debian, then you should apt-get the following packages: gnupg and mozilla-thunderbird-enigmail. If you are using an rpm-based system, then look for gpg and mozilla-enigmail. Presumably you already have Thunderbird installed – if not, then go to mozilla.org for downloads and instructions, or check your favourite package archive.

Generating Your Private Key - CLI

The first thing you need to do is generate your key pair. gpg is a command line utility, so you can generate your key at the command line using the command

bash$ gpg --gen-key

You will have to run this command twice – the first time it just creates the directory and options file. The second time it will actually create the key. It will ask you some questions. Generally just choose the default options. When it asks for your name and email address, enter your name and email address (or a pseudonym if you are so inclined). The most important entry is your passphrase. This is the secret code that you will use to encrypt, decrypt and sign email messages. The passphrase should be fairly long – the longer the better – but also something easily remembered. And you should write it down immediately. If you forget the passphrase then you are hosed.

Generating Your Private Key – Enigmail

Launch the Thunderbird email client. If you have Enigmail installed then you should have an “Enigmail” menu on the menubar. Select the “OpenPGP Key Management” menuitem from the Enigmail menu. An OpenPGP Key Management window will appear. Select the “Generate” menu and the “New Key Pair” menuitem. Now you can create a personal private key, set the expiration date, etc. Again, you must remember your passphrase or you will be in trouble later.

Exporting a Public Key using Enigmail

In the OpenPGP Key Management window, select the “Export Key” menuitem from the Files menu. Click NO when it asks if you want to export the private key (it wouldn't be private anymore, would it?). Then enter a filename and export the public key. The file will be in “armored ascii format” so you can put it on a floppy or USB stick and exchange keys with your friends.
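
A check you can run on an exported file before handing it out, as an added example (not part of the original article, Enigmail or GnuPG): it parses the armored ascii format, verifies each block's CRC-24 checksum line, and rejects any file that contains a PRIVATE KEY BLOCK. The function names and the sample data are constructed for illustration; the samples hold placeholder bytes, not real key material.

```python
import base64
import re

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (constants from RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str) -> str:  # only builds the constructed samples below
    rows = base64.encodebytes(data).decode().split()
    check = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", "Comment: constructed sample",
                      "", *rows, check, f"-----END PGP {kind}-----", ""])

def crc_ok(body: list) -> bool:
    """Compare the '=XXXX' checksum line with the CRC-24 of the decoded data."""
    rows = body[body.index("") + 1:] if "" in body else body  # skip armor headers
    try:
        data = base64.b64decode("".join(rows[:-1]), validate=True)
        stored = base64.b64decode(rows[-1][1:], validate=True)
    except (ValueError, IndexError):
        return False  # damaged base64 or an empty block
    return rows[-1].startswith("=") and stored == crc24(data).to_bytes(3, "big")

def armor_blocks(text: str) -> list:
    """Return (kind, checksum_ok) for every armor block found in text."""
    found, kind, body = [], None, []
    for line in (ln.strip() for ln in text.splitlines()):
        begin = re.fullmatch(r"-----BEGIN PGP ([A-Z ]+)-----", line)
        if begin:
            kind, body = begin.group(1), []
        elif kind and line == f"-----END PGP {kind}-----":
            found.append((kind, crc_ok(body)))
            kind = None
        elif kind:
            body.append(line)
    return found

def safe_to_share(text: str) -> bool:  # every block must be an intact public key block
    blocks = armor_blocks(text)
    return bool(blocks) and all(k == "PUBLIC KEY BLOCK" and ok for k, ok in blocks)

PAYLOAD = b"placeholder bytes, not real key material. " * 4  # constructed sample
PUBLIC_ONLY = armor(PAYLOAD, "PUBLIC KEY BLOCK")
PUBLIC_AND_PRIVATE = PUBLIC_ONLY + armor(PAYLOAD, "PRIVATE KEY BLOCK")
```

The check looks only at the armor labels and checksum; it does not parse the key packets inside the block.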

Setting Enigmail Preferences

From the Enigmail menu select the Preferences menuitem. I would recommend these preferences:

Under Basic:

Under Sending, select the following

Under PGP/MIME

Under Advanced select:

Under Advanced

Signing and Encrypting Email

Click on the Write button to start writing an email. The compose window appears. Now you should set the default message encryption/signature options. Select the Enigmail menu on the menubar, and select the Default Composition Options menuitem, then the Signing/Encryption Options item. I would suggest that you sign all your email messages by default. You may also wish to encrypt all email messages, but I prefer to selectively encrypt my messages. Of course, we already set a preference to encrypt our replies to any encrypted email.

You might also notice that a new button called “OpenPGP” appears in the compose window buttonbar. Click on that button and a dialog box appears. This is where you can override the default options for encryption and signature. You can also do it on the Enigmail menu using the top two menuitems.

When you send a signed or encrypted email message you must enter your passphrase.

Receiving Encrypted or Signed Email

When you receive an encrypted or signed email you need the sender's public key. You can request the key from an internet key server or you can get the public key directly from the individual, which is the preferred method.

To get a key from a keyserver, use the OpenPGP Key Management window. Select the Search for Keys menuitem from the Keyserver menu. Enter the email address of the key you need and maybe you will find a public key.

To import a key from a floppy or USB stick, again using the OpenPGP Key Management window, select the File menu and the Import keys from file menuitem. Enigmail can import keys in armored ascii, gpg and pgp format.

More Information

For more information about GNU Privacy Guard consult The GNU Privacy Handbook. (http://www.gnupg.org/gph/en/manual.html)

For help with enigmail, you can use the Help menuitem on the Enigmail menu, or go directly to the Enigmail Help Webpage. (http://enigmail.mozdev.org/help.html)

If you prefer kmail, mutt, pine, etc, then Google can help you find instructions about how to use gpg with your preferred email client.





Andrew Howlett, May 2005