Public Key Cryptography
Complete email security is not impossible. Not only is public key encryption
a perfectly viable solution to email security, it has been around since 1991!
There are no more excuses. We all want a better Internet. Why not start with
one of the oldest, but still the most widely used application.
The foundation of PGP, GnuPG, and modern secure communications in general, is
Public Key Cryptography. The concept is thus: you have two keys
(keys are, for the sake of encryption, super-long passwords). The first key can
only encrypt data, and the second key can only decrypt the data the first key encrypted.
no special hacking allowed, no encrypting with the decryptor key, and certainly
no decrypting with the encryptor key. It's one-way. No turning back.
"One way?! What the hell good is that?!", you might think. Simple. You give
the encryptor key to your friends, they encrypt emails to you, and you, with
your secret decryptor key, are the only one who can read them. It's
one-way, no turning back. How do you encrypt messages to your friends? You get
their public encryptor keys too, and for each of their encryptor keys, only the
corresponding secret key each friend has can read those messages.
Too complicated now? Come on, man. Your software can match keys to email
addresses. You don't even need to type a password to encrypt. And as a bonus,
public keys can also be used for digital signatures. So when you send
an email to your friend, you sign it with your secret key, and using your public
key, your friend can check that your secret key made the signature - this sort
of thing can't be faked. Nevermind how it works, it just works.
First, you need an email client with support for public key encryption. Let me
get the bad news out of the way: forget about Outlook Express. It may
be free, but the only PGP plugin that works with Outlook Express is NOT free.
If you want free, you want ThunderBird anyway. If you have money to blow, blow
it on Microsoft Office, and use the proper Outlook. That is the best I can do.
These are the systems I have personally interacted with, and which I heartily
recommend (note: I do not explicitly recommend Outlook, I just recommend the
plugin, if you are stuck using Outlook.) :
GData's GnuPG plugin for Outlook.
Not too pretty, but it gets the job done, with few hiccups.
The installer puts the plugin in place, and sets up the backend GnuPG key
management Windows interface, complete with native command-line gpg
executables and keyrings.
run the exe, pick the install directory (you will want to preserve this dir,
if you ever expect to reinstall the plugin; this is where your keys will be
stored.) Once installed, run Outlook, open the
Tools | GnuPG key management menu item, and then the
Keys | Generate Key item in the Keyring Editor window. (Use all
the default options, changing settings cause some generated keys to be
unusable.) Select the new private key in the list, click the
Editbutton, Change Trust, and set the
Ownertrust level to trust fully. Accept, close,
and you may close the keyring editor.
If you open the Tools | Options menu, the Encryption
tab is now available. Here you may select default message handling options.
When composing an email, the Tools menu contains
Encrypt and Sign items, and you can attach your default
public key to the email, using the Insert the standard key option.
When receiving encrypted messages, they will be displayed in their encrypted
form in the preview panel. To view the message, you must Open the message,
and select the Tools | Decrypt and verify signature item.
Did I mention that Microsoft sucks? Please consider using a free email client
for personal use. The only reason I found this plugin in the first place, is
that my employers have wide-scale Microsoft solutions deployed, including
Outlook / Exchange for "Office Productivity" (sic). The day OpenOffice has a
complete Exchange-compatible solution completed, this section will disappear.
Here is the author's homepage:
Mozilla with Enigmail
Thanks to Mike "mc_fell" Fell for extensive help on this section.
Mozilla is the top dog of the web right
now. Where have you been?! If you aren't already using Firefox instead of
IE, you are seriously living under a rock. To put it simply, the Mozilla
Foundation is FREAKIN SWEET.
Anyway, if you do use Firefox for web, you should probably be using
Thunderbird for email. Alternatively, you can use the monolithic Mozilla
client, which includes the whole "Web Productivity" suite. But best of all:
they are all cross-platform. Start using Mozilla now, switch to Linux later
... and you won't miss a beat.
zeroeth step : You need GnuPG installed for this plugin to work, in addition
to your email client. In UNIX, this should be a breeze for you (unless you
are not an administrator, but I digress, this is not a UNIX tutorial). You
can get the native win32 GnuPG port from
the GnuPG download page.
(If you are setting this all up from scratch, see the
Mozilla links below.)
Step the first: Download
the extension for your email client ... either Thunderbird or Mozilla.
The page somehow
detects your OS, so for windows just grab the binaries. If you're using
Linux then you may have to build them yourself or something.. I don't know,
follow the instructions.
Step two: Open the email client. Go to Tools | Extensions,
and click Install. Browse to the place where you saved the extensions and
Step three: When you restart the browser, you will have a new
OpenPGP menu in your menu bar and new icons in your tool bars. Also,
there is a new section in the account settings window. Go into the
account settings and select the account that you want to have sending
encrypted mail. Make sure that the enable OpenPGP support checkbox is
Step 3.5 : In the main email client window, select
OpenPGP | Preferences. Tell it where the GnuPG executable
is by browsing
to it.. you just installed it a minute ago. It's probably something like
C:\Program Files\GnuPG\gpg.exe if you're in windows.
Step four: Go to the main email client window and select
OpenPGP | Key Management. Select
Generate | New Key Pair from this window's menu.
Follow through the steps to make your new private and public keys.
Step five: Start emailing. Attach your public key to your email so
other people can send secure email to you. Install and sign other
people's public keys using the key management window. When sending
encrypted mail, make sure that the Use PGP/MIME option is checked.
This makes it easier for the recipient to decrypt the message ... (There's got
to be a way to make this the default behaviour; let me know if you can do
The Mozilla homepage:
(See also The Thunderbird homepage and The Firefox homepage.)
The Enigmail homepage:
Mutt with GnuPG
Yes, there is no link for a plugin here. "But how can this be? Don't you
need some sort of plugin to use encryption?! Think of the children!!"
Stop your snivelling, and behold the power of UNIX. Mutt was designed with
integrated GnuPG functionality. If you are an old hand with pine-style
command-line/console email, you will LOVE this.
Install Mutt and GnuPG. For most people, this is a trivial act. But better
yet, there are Cygwin packages for both Mutt and GnuPG. Thus, this solution
will work in win32 as well. I won't write about how to use these programs
generally - RTFM dammit! But if you have then installed and running, you are
DONE, son! Just check out my .muttrc, and get
- Create a GnuPG keypair - gpg --gen-key (Just follow the
prompts, defaults will do fine.)
- Set the trust on your new key - gpg --edit-key
(Type 'trust', and set your key to 'I trust ultimately' ... you do
trust your main key, don't you?)
- Check that your muttrc has the PGP settings entered, and start Mutt -
- Compose a new email - m - complete the usual fields, and at
the final send screen, select p s to set PGP options to
"Sign", or p b for "Both" (encrypt and sign - preferred).
- To encrypt, you must have the recipient's key in your keyring already.
gpg --import to import with gpg directly, or
open an email with a public key attached, and press Ctrl-K
to extract the key using Mutt.
Note: if you receive emails from senders who are using an older PGP
format, and your version of Mutt is less than 1.5.0 or so (or if you do not
have pgp_auto_decode enabled in your Muttrc), encrypted emails will
not be decrypted by default. You will have to decrypt them manually, with
the Esc-P (check_traditional_pgp) command. Generally it is worth
upgrading for this feature, I have never had such a hassle as this.
The Mutt homepage (beware of wit):
The CygWin homepage (brought to you by RedHat - ride the Penguin) :
The Linux homepage ... just kidding. But these are my Operating Systems of
choice. Use it or lose it :
Now you can import other people keys, and start verifying signatures. More
importantly, you can generate your own public key, spread it around, and enjoy
peace of mind with your own web of secure communications. Just to get the
blood boiling, here is an excerp from the
Cypherpunk Manifesto (Written by Eric
Hughes for the Electronic Frontier Foundation) :
We must defend our own privacy if we expect to have any. We must
come together and create systems which allow anonymous transactions
to take place.
We the Cypherpunks are dedicated to building anonymous systems. We
are defending our privacy with cryptography, with anonymous mail
forwarding systems, with digital signatures, and with electronic
Take back the web!
Feel free to email me if you need any other help.
And don't forget
to grab my key from the a list of keys .
Copyright © 1994 - 2006 UltrX corp. All rights reserved.