Version 28 (modified by 14 years ago) ( diff ) | ,
---|
How can I use gpg to both encrypt my email and prove my identity?
In plain language, what does it mean to encrypt my email?
For most of us, when we first decide we want to encrypt our email, we only think about one half of the equation: scrambling our message in a way that only the intended recipient can read it.
A second, and equally important component that is often over looked is authenticity. If someone sends you a secret message, how do you know it was sent by the person who is claiming to have sent it? A little known fact about the Internet is that forging the from address in an email message is just about as easy as forging the from address on a postal letter.
Encryption (scrambling your message) and authenticity (knowing who really sent the message) are the two pillars of secure communication. You must have both to securely send private messages between two parties.
Therefore, when sending mail that you want to keep private, you will typically want to both encrypt the message and digitally sign the message. When receiving email using GnuPG you will typically want to de-crypt the message and verify the signature.
Alternatively, if you want to send message and it's not important to keep it private, but you want the recipient to be sure it is you who is sending it, then you may simply want to digitally sign the message and not encrypt it.
GnuPG, gpg, OpenPGP, PGP, what does it all mean?
There are a lot of confusing acronyms involved in email encryption. Here's a very brief explanation:
GnuPG (also known as GPG) stands for Gnu Privacy Guard (GNU is a project to create an entirely free operating system).
GnuPG is an implementation of the open standard called OpenPGP.
An open standard means that a group of people have come together to decide on how to communicate. The OpenPGP folks have defined a way to communicate encrypted information securely.
GnuPG is one program (of many) that uses this open standard. GnuPG is free software and is one of the most popular implementations of OpenPGP.
In list form:
- PGP
- is Pretty Good Privacy, which is a corporate trademark held by Symantec at the moment.
- OpenPGP
- is the name of the standard that defines the techniques and data structures.
- GPG
- is the GNU Privacy Guard, an implementation of using and interfacing with the defined techniques and data structures.
- keys
- are mathematical constructs
- identities
- are labels that humans can attach to real-world entities
Public and private keys
The technology behind encryption relies on keys. A key is nothing more than a small text file with a lot of random-seeming characters in them. Jamie's gpg key can serve as an example for the curious. In order to use OpenPGP you will need to generate a public/private key pair. That means you will need two keys (two small text files with a lot of random-seeming characters): one that is public and one that is private. These two keys are generated together because they have a special relationship:
- A message encrypted with the public key can only be de-crypted with the private key
- A message signed with the private key can be validated with the public key
As the names imply, the private key should be kept private. It should be saved on your personal computer, preferably one that nobody else has access to. Furthermore, it is typically password-protected, meaning that every time you want to use it, you will need to enter a password. The public key, on the other hand, should be freely given to everyone.
If someone has your public key, then they will be able to send you an encrypted message and if you send them a signed message, they will be able to verify your signature.
It's important to note: you cannot send someone an encrypted message unless you already have their public key. In other words, it is not enough that you know how to use OpenPGP, your intended recipient must also know how to use it, have it setup on their computer, already have a key, and already have given you their public key. Similarly, you cannot verify someone's signature unless you already have a copy of the sender's public key.
Using GnuPG on a Macintosh Computer
How do I use GnuPG with a Macintosh and Thunderbird?
- Download and install Mac GnuPrivacy Guard, or if you running 10.4 or newer, download and install Mac GPG2.
- Follow the directions below to install and configure Enigmail for Thunderbird and generate a private/public key pair.
How do I use GnuPG with Macintosh, web mail and Firefox?
- Download and install Mac GnuPrivacy Guard and GPG Keychain Access. There are several other packages available for download which are not required but you may find useful.
- Run the GPG Keychain Access program and generate a new public/private key (FIXME: we need documentation on how to do this).
- Follow the directions below to install and configure FireGPG for Firefox.
Using GnuPG on a Windows Computer
How do I use GnuPG with Windows and Thunderbird?
- Download and install GnuPG for Windows, which provides the core GnuPG program.
- Follow the directions below to install and configure Enigmail for Thunderbird and generate a private/public key pair.
How do I use GnuPG with Windows, web mail and Firefox?
- Download and install Gpg4win, which provides a suite of encryption related packages for Windows, including GnuPG (the core program) and Gnu Privacy Assistant which is used for managing your keys.
- Use GnuPrivacy Assistant to create a private/public key pair.
- Follow the directions below to install and configure FireGPG for Firefox.
Using GnuPG on a GNU/Linux Computer
Every major GNU/Linux operating system (e.g. Ubuntu, Debian, Fedora, etc) comes by default with GnuPG for their desktop installations. The following directions assume you are using Debian or Ubuntu or another Debian-based Linux installation.
Seahorse is a graphical user interface for managing your keys. It is a useful program to have regardless of whether you use Thuderbird (Icedove) or Firefox (Iceweasel) and webmail. You can install it with:
sudo aptitude install seahorse
How do I use GnuPG with Linux and Thunderbird (Icedove)?
- Install Enigmail:
sudo aptitude install enigmail
- Restart any Thunderbird (or Icedove) instances.
- Follow the directions below to install and configure Enigmail for Thunderbird and generate a private/public key pair.
How do I use GnuPG with Linux, web mail and Firefox (Iceweasel)?
To use with Firefox/Iceweasel and webmail, follow the directions below to install and configure FireGPG for Firefox.
Specific Programs
How do I use GNU Privacy Assistant to generate a private/public key pair?
- Launch GNU Privacy Assistant
- When running for the first time, you should be prompted to use the key generation wizard. If you are not prompted to start the wizard, click Keys -> New Key...
- Complete the wizard to generate your key.
- Publish your key. Click Server -> Send keys...
How do I install and configure Enigmail with Thunderbird?
- Download Enigmail, a plugin for Thunderbird that provides OpenPGP support. Enigmail has an excellent manual to get you started. Below are the quick and dirty steps:
- Install Enigmail.
- Create your private/public key.
- Optionally, publish your public key.
- Practice signing and encrypting your email
How do I install and configure FireGPG with Firefox?
- Click the download FireGPG button while running Firefox. After installing FireGPG you will need to restart Firefox before you can use FireGPG.
- FIXME: need instructions on using FireGPG to sign, verify and decrypt messages.
How do I know what version of Thunderbird I'm running?
You can see what version of Thunderbird you have by:
- go to Thunderbird
- click on "Help" (File menus at the top)
- "About Mozilla Thunderbird"
Conclusion
What else should I know about GnuPG?
- Web of trust. An important concept not covered here is: how do you get other people's public keys? OpenPGP uses a decentralized model of trust called web of trust.
- Transactional data. GnuPG only encrypts the body of your email message - not the headers. Therefore, when sending email, your email address, the date of the message, the recipient and other information regarding the transport of your message may be sent in the clear. One solution to that problem is to only work with providers that use providers that support starttls (note: May First/People Link, despite not being included in the list, does use starttls).
- Verifying fingerprints. When exchanging public keys, it's important to verify the fingerprints of the keys you are exchanging.