Skip to content

Sending and receiving encrypted e-mails (on Windows)

A Gpg4win tutorial, or how to get Gpg4win (GnuPG, etc) and Thunderbird to work together.

With Echelon and such, or more simply, with webmails such as Gmail, you never know how many people (or at least, how many bots) are going to read your private e-mails. You’ll probably think it doesn’t matter that much, yet my personal stand on this is to at least try to make their job a bit harder sometimes. A great way to do this is to encrypt your e-mails. And by encrypt, I don’t mean just using SSL when fetching your e-mail from your POP server or browsing the HTTPS flavor of Gmail, I mean really encrypt, with PGP, or of course GnuPG. At the end of this tutorial, you’ll (hopefully) be able to read my OpenPGP public key and use it to send me an encrypted e-mail.

Getting the tools

You just need 2 things:

  • ThunderBird (plus the Enigmail extension, which is an interface between Thunderbird and the encryption software)
  • Gpg4win, which is a big package containing all the tools to create and manage your keys, as well as to perform the encryption. It also has a pretty large and well-written documentation, that you may find interesting if you need more details than what’s in the tutorial.

Installing Gpg4win

Just run the installer. As for the components to pick, we’ll only need GnuPG and Kleopatra. You might be interested in GpgOL if you’re planning on using Outlook instead of Thunderbird. Install the others components as you wish. The “Compendium” is how they call the documentation.
During the installation you’ll be asked to define trustable root certificates, for the S/MIME configuration. In this tutorial we won’t be using S/MIME so you can skip this step. Then, ta-da! you’re done for this part.

Generating and configuring your key (in Kleopatra)

Note that I’m pretty sure this step isn’t actually required if you only want to send unsigned encrypted e-mails.
Launch Kleopatra. In the menu, go to File → New certificate. Then select Create a personal OpenPGP key pair. Then enter your name. Note that your real full name is advisable because:

  1. people reading your key might find it fishy if it doesn’t match your name
  2. if you put your key on a key server (cf later), your name will provide a way for other people to search for your key

Then enter the e-mail address with which you’ll be using this key. I’m not sure it really has to match the actual e-mail you’ll be using, still the same as for real name applies, plus specifying a mismatching e-mail will probably make it a bit more complicated to run Enigmail. Now do as you wish, but you’ve be warned 😉
Before finishing this step, make sure you check out the advanced settings:

  • In Key Material, leave the choice on RSA but increase to 3,072 bits. NB: for some reason, Kleopatra doesn’t offer to create 4,096 bits keys. If you really want such a long key, you’ll have to create it from command line by typing gpg2 --gen-key and then following instructions. If you want an even longer key, you’ll have to recompile GnuPG – see those instructions.
  • In Certificate Usage, leave signing and encryption checked, and authentication as you wish (I left it unchecked). It’s good practice, however, to configure an expiration date. At the moment I set my key to expire at the beginning of February such as validity duration is between 1 and 2 years. That’s probably a bit paranoid though. But still, do set a reasonable expiration date. And before publishing your certificate on key servers, do set up a revocation certificate (cf later steps).

Then hit next to review your settings (check Show all details to see key strength and expiration date).

Then create your key. You’ll be asked to enter a password for your key. This password will be required whenever you want to use your key, e.g. when decrypting a received message or when signing a message to be sent. So make sure you remember it (obviously it’s unrecoverable – lose it and lose all your encrypted e-mails) but that it’s also fairly strong (that’s the last protection if someone happens to steal your private key).

When your key is created, you can now make a backup (DO make a back up now, it’s required to restore your key after testing the revocation certificate!). DO NOT upload your certificate to a directory service yet: we shall create a revocation certificate first. Creating the revocation certificate is the hardest part of this tutorial, simply because it can’t, as far as I know, be done through Kleopatra, so we’ll have to use command line. First, you need to write down your key-ID (that’s pretty obvious to find in Kleopatra). Then open a command prompt (hit [Windows key]+R then type “cmd”) and type:
gpg --output "C:\some\path\myrevocation.asc" --gen-revoke [your key-ID]
For instance I typed:
gpg --output "F:\New_CRC\notes\e-mail CRC\myrevocation.asc" --gen-revoke 08B37F2E
It will ask you to confirm that you want to create a revocation certificate. Obviously, answer “yes”. Then specify a generic reason for the revocation. Since the usual use of the revocation certificate is that the certificate was compromised, you’ll probably want to pick reason number 1. Then, as complementary details I usually enter something like “Key lost or compromised. Revoked using anterior revocation certificate”. Then you’ll be asked for your passphrase. And then voilà, you have your revocation certificate.

Finally, to test the revocation certificate: just import it in Kleopatra (hit “Import Certificates” and choose the file you just created) but make sure you did back up your active certificate first (NB: in Kleopatra menu this means export “secret keys”, NOT “certificates”). Now when you double-click on the certificate, it should have a red line saying it’s been revoked. DO NOT upload it to a remote key server, it would permanently revoke it for anyone trying to grab it from there. Instead, delete it (and confirm), then re-import it (the original backup that I told you twice to do).

Transmitting your key to other people

Here is not the place to discuss details about asymmetrical encryption (the documentation explains this somewhat in details, I think). All you need to know is:

  • You have a secret key, which you must not share with anyone and keep safe (that’s what we backed up at first), and a public key, which you must share with anyone willing to send you an encrypted e-mail. So when I mean transmit your key to others, obviously I’m talking about the public key.
  • To send an encrypted e-mail to someone, you need their public key; to receive an encrypted e-mail from someone who encrypted this e-mail with your public key, you need your private key.

Public key servers

The easiest way is to export your public key to a key server. Because once your key has been sent it can’t be removed (but can be revoked if you send a revocation certificate), this is something I prefer to do at the very end, after I extensively tested my setup (ie sent and received a test e-mail, see later). But for the sake of consistency I’ll explain here how to do it. Still in Kleopatra:

  • Configure key servers: in Settings → Configure Kleopatra, in the first tab (directory services), hit “new” and it should add the already well configured server. Just hit ok.
  • Then in your certificate list, right click on the certificate you want to export and select “Export certificates to server…”

That’s all, your (public!) key is live, and anyone can search your name/your e-mail in this directory, and grab your key (in Kleopatra, hit “Lookup certificates on server”).

A note on revocation: to revoke your key on the key servers, import your revocation certificate into Kleopatra, then export on key server just like the normal key. Note that this can’t be undone: your certificate will be revoked forever (so you’ll have to create a new one).

Sharing a file containing your public key

That’s what I did there. In Kleopatra, right-click on your certificate and choose “Export certificates…” (note: the name you give to the file doesn’t matter, just maybe keep the .asc extension, which means ASCII certificate, ie it will be readable in notepad and such). Then when you share this file with someone, they’ll be able to import your public certificate (in Kleopatra, hit “Import Certificates”), allowing them to send you encrypted e-mails.

Using all this in Thunderbird

Ok, so now you know how to create, share and revoke your own key. You also know how to import other people’s keys. Time to actually use this.

Installation of Enigmail

Install Thunderbird and configure it for your e-mail provider like usual. Once everything is working (sending/receiving “normal” e-mails), download and install the Enigmail extension. Note that even if you’re on nightly you should find a compatible Enigmail nightly on the download page. When you restart Thunderbird, you’ll have a new menu item, OpenPGP. Click it and go to Preferences. If you see a warning about GnuPG not being in the PATH, you can either add it to the PATH manually or override the location in this preference window (gpg.exe is located in the “pub” subfolder where you installed gpg4win, but you may also want to point to gpg2.exe instead). Finally, simply run the Wizard (still in the OpenPGP menu).

Sending test e-mails to Adele

Adele is a mailbot that knows how to use OpenPGP. Its address is Compose a test e-mail, in the menu, check OpenPGP → Attach my public key, and send it to Adele. A few minutes later, you should receive an encrypted e-mail containing Adele’s public key. Note that when you receive a public key in the body of a message, just copy/paste the key (all between and including —–BEGIN PGP PUBLIC KEY BLOCK—– and —–END PGP PUBLIC KEY BLOCK—–) into a text file, then use the import certificate function on this file. Now, compose another test e-mail, but this time encrypt it (check “encrypt message” in the OpenPGP menu) +/- sign it if you want, then send it to Adele. A few minutes later, you should receive an encrypted e-mail looking like:

Hello [your name],
here is the encrypted reply to your email.
I quote your original message to prove that I could decrypt it.
[quote of your e-mail]

Well, that’s pretty much it. If everything’s working fine, time to send your public key to key servers if you feel like it.


Just an alternative syntax I found in my draft folder and which I didn’t have the heart to discard (as well as it’s source with interesting remarks about the usefulness of preparing a revocation certificate):
gpg --gen-revoke A0F3BF69 > patheticcockroach_revoke.asc

Posted in privacy, software.

9 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. Kai says

    Thanks for this tutorial. I was wondering how to create a revocation certificate in Kleopatra since it adviced me to do so before uploading my key to the servers. It’s strange that they didn’t have built-in functionality to do this imho.

  2. Yit says

    Thanks as well. I got a handle on most of it, but revocation certificates seem somewhat important. Luckily, it wasn’t too hard thanks to you!

  3. patheticcockroach says

    That’s quite important indeed, there is even reportedly some encryption guru (I don’t remember his name nor the Wikipedia page where I read that) with a non revoked lost key in the wild ^^

  4. Anonymous says

    Thank you so much for the tutorial (especially for the revoke cert part), everything is OK now, thanks again and sorry for my english

  5. Mark W. Schumann says

    Very nicely done. Thanks for the tutorial; it’s really helpful.

  6. patheticcockroach says

    Step-by-step FTW 😉

  7. Big V says


    I would love to try sending you an encrypted e-mail, but there is one tiny problem. I don’t have your e-mail address. Don’t I need that?

  8. patheticcockroach says


    Well, yes you do but the thing is: it’s contained in the OpenPGP key. When you load my key, for instance in Kleopatra (but Enigmail and GnuPG let you do that too), you can see my e-mail. Keys are listed like this:

Some HTML is OK

or, reply to this post via trackback.

Sorry about the CAPTCHA that requires JS. If you really don't want to enable JS and still want to comment, you can send me your comment via e-mail and I'll post it for you.

Please solve the CAPTCHA below in order to fight spamWordPress CAPTCHA