A Gpg4win tutorial, or how to get Gpg4win (GnuPG, etc) and Thunderbird to work together.
With Echelon and such, or more simply, with webmail services such as Gmail, you never know how many people (or at least, how many bots) are going to read your private e-mails. You’ll probably think it doesn’t matter that much, yet my personal stance on this is to at least try to make their job a bit harder sometimes. A great way to do this is to encrypt your e-mails. And by encrypt, I don’t mean just using SSL when fetching your e-mail from your POP server or browsing the HTTPS flavor of Gmail, I mean really encrypt, with PGP, or of course GnuPG. At the end of this tutorial, you’ll (hopefully) be able to read my OpenPGP public key and use it to send me an encrypted e-mail.
Getting the tools
You just need 2 things:
- Thunderbird (plus the Enigmail extension, which is an interface between Thunderbird and the encryption software)
- Gpg4win, which is a big package containing all the tools to create and manage your keys, as well as to perform the encryption. It also comes with pretty large, well-written documentation, which you may find useful if you need more details than what’s in this tutorial.
Just run the installer. As for the components to pick, we’ll only need GnuPG and Kleopatra. You might be interested in GpgOL if you’re planning on using Outlook instead of Thunderbird. Install the other components as you wish. The “Compendium” is what they call the documentation.
During the installation you’ll be asked to define trustable root certificates, for the S/MIME configuration. In this tutorial we won’t be using S/MIME so you can skip this step. Then, ta-da! you’re done for this part.
Generating and configuring your key (in Kleopatra)
Note that I’m pretty sure this step isn’t actually required if you only want to send unsigned encrypted e-mails.
Launch Kleopatra. In the menu, go to File → New certificate. Then select Create a personal OpenPGP key pair. Then enter your name. Note that your real full name is advisable because:
- people reading your key might find it fishy if it doesn’t match your name
- if you put your key on a key server (cf later), your name will provide a way for other people to search for your key
Then enter the e-mail address with which you’ll be using this key. I’m not sure it really has to match the e-mail address you’ll actually be using, but the same considerations as for your real name apply, plus specifying a mismatching e-mail address will probably make Enigmail a bit more complicated to set up. Now do as you wish, but you’ve been warned.
Before finishing this step, make sure you check out the advanced settings:
- In Key Material, leave the choice on RSA but increase to 3,072 bits. NB: for some reason, Kleopatra doesn’t offer to create 4,096-bit keys. If you really want such a long key, you’ll have to create it from the command line by typing
gpg2 --gen-key
and then following the instructions. If you want an even longer key, you’ll have to recompile GnuPG – see those instructions.
- In Certificate Usage, leave signing and encryption checked, and authentication as you wish (I left it unchecked). It’s good practice, however, to configure an expiration date. At the moment I set my key to expire at the beginning of February, so that the validity duration is between 1 and 2 years. That’s probably a bit paranoid though. But still, do set a reasonable expiration date. And before publishing your certificate on key servers, do set up a revocation certificate (cf later steps).
Then hit next to review your settings (check Show all details to see key strength and expiration date).
Then create your key. You’ll be asked to enter a password for your key. This password will be required whenever you want to use your key, e.g. when decrypting a received message or when signing a message to be sent. So make sure you remember it (obviously it’s unrecoverable – lose it and lose all your encrypted e-mails) but that it’s also fairly strong (that’s the last protection if someone happens to steal your private key).
When your key is created, you can now make a backup (DO make a backup now, it’s required to restore your key after testing the revocation certificate!). DO NOT upload your certificate to a directory service yet: we shall create a revocation certificate first. Creating the revocation certificate is the hardest part of this tutorial, simply because it can’t, as far as I know, be done through Kleopatra, so we’ll have to use the command line. First, you need to write down your key-ID (that’s pretty obvious to find in Kleopatra). Then open a command prompt (hit [Windows key]+R then type “cmd”) and type:
gpg --output "C:\some\path\myrevocation.asc" --gen-revoke [your key-ID]
For instance I typed:
gpg --output "F:\New_CRC\notes\e-mail CRC\myrevocation.asc" --gen-revoke 08B37F2E
It will ask you to confirm that you want to create a revocation certificate. Obviously, answer “yes”. Then specify a generic reason for the revocation. Since the usual use of the revocation certificate is that the certificate was compromised, you’ll probably want to pick reason number 1. Then, as complementary details I usually enter something like “Key lost or compromised. Revoked using anterior revocation certificate”. Then you’ll be asked for your passphrase. And then voilà, you have your revocation certificate.
Finally, to test the revocation certificate: just import it in Kleopatra (hit “Import Certificates” and choose the file you just created) but make sure you did back up your active certificate first (NB: in Kleopatra menu this means export “secret keys”, NOT “certificates”). Now when you double-click on the certificate, it should have a red line saying it’s been revoked. DO NOT upload it to a remote key server, it would permanently revoke it for anyone trying to grab it from there. Instead, delete it (and confirm), then re-import it (the original backup that I told you twice to do).
Transmitting your key to other people
Here is not the place to discuss the details of asymmetric encryption (the documentation explains this in some detail, I think). All you need to know is:
- You have a secret key, which you must not share with anyone and keep safe (that’s what we backed up at first), and a public key, which you must share with anyone willing to send you an encrypted e-mail. So when I say transmit your key to others, obviously I’m talking about the public key.
- To send an encrypted e-mail to someone, you need their public key; to receive an encrypted e-mail from someone who encrypted this e-mail with your public key, you need your private key.
Public key servers
The easiest way is to export your public key to a key server. Because once your key has been sent it can’t be removed (but can be revoked if you send a revocation certificate), this is something I prefer to do at the very end, after I have extensively tested my setup (ie sent and received a test e-mail, see later). But for the sake of consistency I’ll explain here how to do it. Still in Kleopatra:
- Configure key servers: in Settings → Configure Kleopatra, in the first tab (directory services), hit “new” and it should add the already well configured keys.gnupg.net:11371 server. Just hit ok.
- Then in your certificate list, right click on the certificate you want to export and select “Export certificates to server…”
That’s all, your (public!) key is live, and anyone can search your name/your e-mail in this directory, and grab your key (in Kleopatra, hit “Lookup certificates on server”).
A note on revocation: to revoke your key on the key servers, import your revocation certificate into Kleopatra, then export on key server just like the normal key. Note that this can’t be undone: your certificate will be revoked forever (so you’ll have to create a new one).
Sharing a file containing your public key
That’s what I did there. In Kleopatra, right-click on your certificate and choose “Export certificates…” (note: the name you give to the file doesn’t matter, just maybe keep the .asc extension, which means ASCII certificate, ie it will be readable in notepad and such). Then when you share this file with someone, they’ll be able to import your public certificate (in Kleopatra, hit “Import Certificates”), allowing them to send you encrypted e-mails.
Using all this in Thunderbird
Ok, so now you know how to create, share and revoke your own key. You also know how to import other people’s keys. Time to actually use this.
Installation of Enigmail
Install Thunderbird and configure it for your e-mail provider like usual. Once everything is working (sending/receiving “normal” e-mails), download and install the Enigmail extension. Note that even if you’re on nightly you should find a compatible Enigmail nightly on the download page. When you restart Thunderbird, you’ll have a new menu item, OpenPGP. Click it and go to Preferences. If you see a warning about GnuPG not being in the PATH, you can either add it to the PATH manually or override the location in this preference window (gpg.exe is located in the “pub” subfolder where you installed gpg4win, but you may also want to point to gpg2.exe instead). Finally, simply run the Wizard (still in the OpenPGP menu).
Sending test e-mails to Adele
Adele is a mailbot that knows how to use OpenPGP. Its address is email@example.com. Compose a test e-mail, in the menu, check OpenPGP → Attach my public key, and send it to Adele. A few minutes later, you should receive an encrypted e-mail containing Adele’s public key. Note that when you receive a public key in the body of a message, just copy/paste the key (everything between and including -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK-----) into a text file, then use the import certificate function on this file. Now, compose another test e-mail, but this time encrypt it (check “encrypt message” in the OpenPGP menu) +/- sign it if you want, then send it to Adele. A few minutes later, you should receive an encrypted e-mail looking like:
Hello [your name],
here is the encrypted reply to your email.
I quote your original message to prove that I could decrypt it.
[quote of your e-mail]
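The copy/paste step above is where a key block most often ends up truncated or mangled, and Kleopatra’s import error won’t tell you much. As an added example (not from the original post, nor from Enigmail or Gpg4win), here is a small Python script that pulls an ASCII-armored public key block out of a message body and checks its CRC-24 armor checksum before you save it to a file for import; the sample message and payload are constructed and contain no real key material.

```python
import base64
import re
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # RFC 4880, section 6.1

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(data: bytes, block_type: str = "PUBLIC KEY BLOCK") -> str:
    """Wrap raw bytes in ASCII armor with the same layout gpg --armor produces."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN PGP {block_type}-----", ""] + lines
                     + ["=" + crc, f"-----END PGP {block_type}-----"]) + "\n"

BLOCK_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n.*?"
                      r"-----END PGP PUBLIC KEY BLOCK-----", re.DOTALL)

def extract_key_blocks(body: str) -> list:
    """Return every armored public key block in a message body, markers included."""
    return [m.group(0) for m in BLOCK_RE.finditer(body)]

def check_armor(block: str) -> bool:
    """True if the armor is well formed and its CRC-24 matches the base64 payload."""
    lines = block.replace("\r\n", "\n").strip().split("\n")
    if not lines[0].startswith("-----BEGIN PGP ") or not lines[-1].startswith("-----END PGP "):
        return False
    body = lines[1:-1]
    if "" in body:                      # skip "Version:"/"Comment:" armor headers
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        return False                    # missing checksum line: truncated paste
    try:
        payload = base64.b64decode("".join(body[:-1]), validate=True)
        expected = base64.b64decode(body[-1][1:], validate=True)
    except ValueError:                  # binascii.Error is a ValueError subclass
        return False
    return len(expected) == 3 and crc24(payload) == int.from_bytes(expected, "big")

SAMPLE_PAYLOAD = bytes(range(200))  # constructed stand-in for key packets, not real key material
SAMPLE_BODY = "Hello,\n\nhere is my public key:\n\n" + armor(SAMPLE_PAYLOAD) + "\nRegards\n"
```

Run `extract_key_blocks` on the saved message body and write each block that passes `check_armor` to a `.asc` file, then import that file in Kleopatra as described above.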
Well, that’s pretty much it. If everything’s working fine, time to send your public key to key servers if you feel like it.
Just an alternative syntax I found in my draft folder and which I didn’t have the heart to discard (as well as its source, with interesting remarks about the usefulness of preparing a revocation certificate):
gpg --gen-revoke A0F3BF69 > patheticcockroach_revoke.asc