Public Key Cryptography


Complete email security is not impossible. Not only is public key encryption a perfectly viable solution to email security, it has been around since 1991! There are no more excuses. We all want a better Internet. Why not start with one of the oldest, but still most widely used, applications?

The foundation of PGP, GnuPG, and modern secure communications in general, is Public Key Cryptography. The concept is thus: you have two keys (keys are, for the sake of encryption, super-long passwords). The first key can only encrypt data, and the second key can only decrypt the data the first key encrypted. No special hacking allowed, no encrypting with the decryptor key, and certainly no decrypting with the encryptor key. It's one-way. No turning back.

"One way?! What the hell good is that?!", you might think. Simple. You give the encryptor key to your friends, they encrypt emails to you, and you, with your secret decryptor key, are the only one who can read them. It's one-way, no turning back. How do you encrypt messages to your friends? You get their public encryptor keys too, and for each of their encryptor keys, only the corresponding secret key each friend has can read those messages.

Too complicated now? Come on, man. Your software can match keys to email addresses. You don't even need to type a password to encrypt. And as a bonus, public keys can also be used for digital signatures. So when you send an email to your friend, you sign it with your secret key, and using your public key, your friend can check that your secret key made the signature - this sort of thing can't be faked. Never mind how it works, it just works.
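As an added illustration (not code from the original page), here is a textbook RSA toy in Python that demonstrates the two claims above: the public key encrypts and only the private key decrypts, and the private key signs while the public key verifies. The primes are constructed and far too small for real use; real OpenPGP adds padding, large keys and hybrid encryption.

```python
# Added example: textbook RSA with constructed primes, for illustration only.
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) for the constructed primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: inverse of e mod phi
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    n, e = public_key
    return pow(m, e, n)          # anyone holding the public key can do this


def decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)          # only the private exponent undoes encrypt()


def _digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)   # digest raised to the private exponent


def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


# Constructed demo primes (both prime, both far too small for real keys).
PUBLIC, PRIVATE = make_keypair(1000003, 1000033)


def demo():
    """Exercise the one-way property and signature checking; returns a dict of results."""
    secret = 123456
    c = encrypt(PUBLIC, secret)
    msg = b"meet at noon"
    sig = sign(PRIVATE, msg)
    return {
        "decrypts_with_private": decrypt(PRIVATE, c) == secret,
        "decrypts_with_public": pow(c, PUBLIC[1], PUBLIC[0]) == secret,  # the forbidden direction
        "signature_verifies": verify(PUBLIC, msg, sig),
        "tampered_verifies": verify(PUBLIC, b"meet at one", sig),
    }
```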

First, you need an email client with support for public key encryption. Let me get the bad news out of the way: forget about Outlook Express. It may be free, but the only PGP plugin that works with Outlook Express is NOT free. If you want free, you want ThunderBird anyway. If you have money to blow, blow it on Microsoft Office, and use the proper Outlook. That is the best I can do.

These are the systems I have personally interacted with, and which I heartily recommend (note: I do not explicitly recommend Outlook; I just recommend the plugin, if you are stuck using Outlook):

GData's GnuPG plugin for Outlook.
Not too pretty, but it gets the job done, with few hiccups. The installer puts the plugin in place, and sets up the backend GnuPG key management Windows interface, complete with native command-line gpg executables and keyrings.

Download GDATA_plugin_091-eng.exe, run the exe, pick the install directory (you will want to preserve this dir, if you ever expect to reinstall the plugin; this is where your keys will be stored.) Once installed, run Outlook, open the Tools | GnuPG key management menu item, and then the Keys | Generate Key item in the Keyring Editor window. (Use all the default options; changing settings causes some generated keys to be unusable.) Select the new private key in the list, click the Edit button, Change Trust, and set the Ownertrust level to trust fully. Accept, close, and you may close the keyring editor.

If you open the Tools | Options menu, the Encryption tab is now available. Here you may select default message handling options. When composing an email, the Tools menu contains Encrypt and Sign items, and you can attach your default public key to the email, using the Insert the standard key option. When receiving encrypted messages, they will be displayed in their encrypted form in the preview panel. To view the message, you must Open the message, and select the Tools | Decrypt and verify signature item.

Did I mention that Microsoft sucks? Please consider using a free email client for personal use. The only reason I found this plugin in the first place, is that my employers have wide-scale Microsoft solutions deployed, including Outlook / Exchange for "Office Productivity" (sic). The day OpenOffice has a complete Exchange-compatible solution completed, this section will disappear.

Here is the author's homepage: www3.gdata.de/gpg/gdata.html

Mozilla with Enigmail
Thanks to Mike "mc_fell" Fell for extensive help on this section.
Mozilla is the top dog of the web right now. Where have you been?! If you aren't already using Firefox instead of IE, you are seriously living under a rock. To put it simply, the Mozilla Foundation is FREAKIN SWEET. Anyway, if you do use Firefox for web, you should probably be using Thunderbird for email. Alternatively, you can use the monolithic Mozilla client, which includes the whole "Web Productivity" suite. But best of all: they are all cross-platform. Start using Mozilla now, switch to Linux later ... and you won't miss a beat.

Zeroth step: You need GnuPG installed for this plugin to work, in addition to your email client. In UNIX, this should be a breeze for you (unless you are not an administrator, but I digress, this is not a UNIX tutorial). You can get the native win32 GnuPG port from the GnuPG download page. (If you are setting this all up from scratch, see the Mozilla links below.)

Step the first: Download the extension for your email client ... either Thunderbird or Mozilla. The page somehow detects your OS, so for Windows just grab the binaries. If you're using Linux then you may have to build them yourself or something... I don't know, follow the instructions.

Step two: Open the email client. Go to Tools | Extensions, and click Install. Browse to the place where you saved the extensions and select it.

Step three: When you restart the email client, you will have a new OpenPGP menu in your menu bar and new icons in your tool bars. Also, there is a new section in the account settings window. Go into the account settings and select the account that you want to have sending encrypted mail. Make sure that the enable OpenPGP support checkbox is selected.

Step 3.5: In the main email client window, select OpenPGP | Preferences. Tell it where the GnuPG executable is by browsing to it... you just installed it a minute ago. It's probably something like C:\Program Files\GnuPG\gpg.exe if you're on Windows.

Step four: Go to the main email client window and select OpenPGP | Key Management. Select Generate | New Key Pair from this window's menu. Follow through the steps to make your new private and public keys.

Step five: Start emailing. Attach your public key to your email so other people can send secure email to you. Install and sign other people's public keys using the key management window. When sending encrypted mail, make sure that the Use PGP/MIME option is checked. This makes it easier for the recipient to decrypt the message ... (There's got to be a way to make this the default behaviour; let me know if you can do it.)

The Mozilla homepage: www.mozilla.org
(See also The Thunderbird homepage and The Firefox homepage.) The Enigmail homepage: enigmail.mozdev.org

Mutt with GnuPG
Yes, there is no link for a plugin here. "But how can this be? Don't you need some sort of plugin to use encryption?! Think of the children!!" Stop your snivelling, and behold the power of UNIX. Mutt was designed with integrated GnuPG functionality. If you are an old hand with pine-style command-line/console email, you will LOVE this.

Install Mutt and GnuPG. For most people, this is a trivial act. But better yet, there are Cygwin packages for both Mutt and GnuPG. Thus, this solution will work in win32 as well. I won't write about how to use these programs generally - RTFM dammit! But if you have them installed and running, you are DONE, son! Just check out my .muttrc, and get things started.

Quickstart:
Note: if you receive emails from senders who are using an older PGP format, and your version of Mutt is less than 1.5.0 or so (or if you do not have pgp_auto_decode enabled in your Muttrc), encrypted emails will not be decrypted by default. You will have to decrypt them manually, with the Esc-P (check_traditional_pgp) command. Generally it is worth upgrading for this feature; I have never had such a hassle as this.

The Mutt homepage (beware of wit): www.mutt.org
The CygWin homepage (brought to you by RedHat - ride the Penguin) : www.cygwin.com
The Linux homepage ... just kidding. But these are my Operating Systems of choice. Use it or lose it : www.debian.org www.openbsd.org



Now you can import other people's keys, and start verifying signatures. More importantly, you can generate your own public key, spread it around, and enjoy peace of mind with your own web of secure communications. Just to get the blood boiling, here is an excerpt from the Cypherpunk Manifesto (Written by Eric Hughes for the Electronic Frontier Foundation):
We must defend our own privacy if we expect to have any. We must come together and create systems which allow anonymous transactions to take place.

We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money.

Take back the web!

Feel free to email me if you need any other help.

And don't forget to grab my key from the list of keys.


Updated 2006.10.29.
Copyright © 1994 - 2006 UltrX corp. All rights reserved.