GnuPG: Encrypt Your Emails
Introduction
The purpose of this article is to show you how to encrypt your emails. For Mozilla Thunderbird, there is the Enigmail plugin. If you don’t have an email client, don’t want one and prefer webmail… that’s a shame.
But wait! :-) There is a plugin called FireGPG for Mozilla Firefox that allows you to encrypt your emails :-)
To start, you need to install GPG on your computer. GPG (GnuPG) is the free, open-source implementation of the OpenPGP standard; PGP itself is paid software.
Installation
Start by installing GPG like any other program:
Generating Your Key
Creating a Key Pair
“Hold on, what’s a key pair?”
Let me give you some basic reminders about public key/private key encryption:
This system relies on two keys. The public key is used to encrypt a message, and the private key is used to decrypt a message that has been encrypted using the public key. In practice, everyone keeps their private key safely at home and gives their public key to all their contacts. So if I want to encrypt my email and send it to John, I need to have John’s public key in my keyring. If I don’t have it, it’s either because John hasn’t given it to me, or simply because John doesn’t use GPG (which is his right), in which case it’s impossible for me to send an encrypted email to John!
So to summarize, if one of my contacts wants to send me an encrypted email, they must first have my public key in their keyring. They will encrypt their email with it, and from then on, the encrypted email can only be decrypted with my private key (not someone else’s private key).
The sender themselves cannot decrypt the email they have just sent: encrypting with a public key is a one-way operation, and the message can only be decrypted with the private key that was generated together with that public key. That's the brief theoretical reminder!
Now for the practical part, open a shell and type:
Choose the default option:
Personally, I’m a bit paranoid, so I put 4096, but 2048 is sufficient:
I don’t want the key to expire so I don’t have to recreate it later, but sometimes it’s better to do so. It depends on your needs.
Answer these simple questions and wait for your key to be generated. To verify that your key has been properly generated:
Here we can see that my public key has been created, and has the ID A39D9E94.
Note that this ID is short (8 hex characters), so two different public keys can end up with the same ID. To identify a key without any doubt we therefore prefer its fingerprint; a duplicate fingerprint is technically possible too, but far less likely:
There you go: you can now read your public key's fingerprint (1457 2EEC F76C 87CF B4A2 CB24 1405 33C6 A3DF 8093), which ends with the 8 characters of the ID seen above. Write this fingerprint down on a piece of paper; we'll use it later.
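The relationship between the ID and the fingerprint is mechanical: for an OpenPGP v4 key the key ID is simply the tail of the fingerprint, the last 16 hex digits being the "long" ID and the last 8 the "short" ID. The helpers below, an added example rather than commands from the original article, derive both IDs from a fingerprint and check a machine-readable `gpg --list-keys --with-colons --fingerprint` listing for consistency. The listing embedded in the script is constructed (it reuses the fingerprint quoted above; the user name, dates and subkey line are made up), so the script needs only POSIX sh, tr and awk, not gpg itself.

```shell
#!/bin/sh
# Added example (not from the original article). For an OpenPGP v4 key the
# key ID is the tail of the fingerprint: the last 16 hex digits are the "long"
# ID and the last 8 the "short" ID shown by older gpg versions, which is why
# the 8-character ID reappears at the end of the fingerprint. The helpers
# below derive the IDs from a fingerprint and check a machine-readable
# "gpg --list-keys --with-colons --fingerprint" listing for consistency.
# Needs only POSIX sh, tr and awk; no gpg required.

# Strip spaces, upper-case, and keep the last N hex digits (default 8).
key_id_from_fpr() {            # usage: key_id_from_fpr "<fingerprint>" [8|16]
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    printf '%s\n' "$fpr" | awk -v n="${2:-8}" '{ print substr($0, length($0) - n + 1) }'
}

# Constructed sample of --with-colons output (field 5 of a "pub" record is the
# long key ID, field 10 of an "fpr" record is the fingerprint). The primary key
# reuses the fingerprint quoted in the article; the subkey line is made up.
SAMPLE_LISTING='tru::1:1220000000:0:3:1:5
pub:u:4096:1:140533C6A3DF8093:2008-09-10:::u:::scESC::::::23::0:
fpr:::::::::14572EECF76C87CFB4A2CB24140533C6A3DF8093:
uid:u::::2008-09-10::0000000000000000000000000000000000000000::Demo User <demo@example.org>::::::::::0:
sub:u:4096:1:0123456789ABCDEF:2008-09-10::::::e::::::23:
fpr:::::::::0000000000000000000000000123456789ABCDEF:'

# Print the fingerprint of each primary key in a listing read from stdin.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# For each primary key, check that the listed key ID really is the tail of the
# fingerprint; prints "OK <fpr>" or "MISMATCH <fpr>" per key.
check_listing() {
    awk -F: '$1 == "pub" { id = $5; next }
             $1 == "fpr" && id != "" {
                 tail = substr($10, length($10) - length(id) + 1)
                 res = (tail == id) ? "OK " : "MISMATCH "
                 print res $10
                 id = ""
             }'
}

# Demo run on the constructed listing and on the fingerprint from the article.
printf '%s\n' "$SAMPLE_LISTING" | check_listing
key_id_from_fpr '1457 2EEC F76C 87CF B4A2 CB24 1405 33C6 A3DF 8093' 8
```

On a real keyring, replace the constructed listing with `gpg --list-keys --with-colons --fingerprint | check_listing`. The point of the check is the one the paragraph makes: the 8-character ID carries only 32 bits of the fingerprint, so it is a convenient label, not an identity; when you tell a contact which key is yours, give them the full fingerprint.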
Registering with a Key Server
Once your keys are generated, you need to store your public key on a server so that your contacts can find your public key and send you encrypted emails!
To do this, we’ll use the server https://pgp.mit.edu, but there are certainly others. Most of them sync with each other, but not always, so it’s best to always use the same server and tell your contacts which one you use to make sure they can find you.
One more thing: creating a revocation certificate is essential. It is what lets you tell the key server that your public key is no longer valid and that your contacts should stop using it!
Let’s create this revocation certificate:
There you go, your certificate has been created. Store this text file securely: anyone who has it can invalidate your keys by telling the server they are no longer valid, even though that's false!! We'll see how to use it later…
To get back to our subject, we need to register on the key server. It’s very simple:
There you go, your key has been exported to the key server. You can go admire it on pgp.mit.edu by typing your 8-character ID preceded by '0x' in the String field, or your name, email address, etc. For example, for former president Jacques Chirac:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA4723848
Revoking Your Key on the Key Server
If, as mentioned above, you stop using your keys for some reason (someone else has obtained your private key, you have lost your passphrase, etc.), you must notify the key server of this revocation!
To do this, use the revocation file you created above, and import it into your keyring with the command:
Check that your keyring has correctly registered the revocation by listing your keys:
Your key should now be marked as [revoked]. You can then send it back to the key server to update it:
There you go, your key is revoked, and therefore unusable. You can now delete your public and private keys from your keyring. Delete the secret key first:
then the public key(s) attached:
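The whole lifecycle described in this article (generate the key pair, create the revocation certificate, publish the key, and later revoke and delete it) can be driven from a script. The following is an added example written for this page, not the article's own commands; it assumes GnuPG 2.x with `gpg` in PATH, does everything inside a throwaway `GNUPGHOME` so your real keyring is never touched, and uses the key server named above by default (override with `KEYSERVER=...`). The names `gen_params`, `make_demo_key`, `make_revocation_cert`, `publish_key`, `revoke_key` and `delete_key` are this script's own, and the demo identity is made up.

```shell
#!/bin/sh
# Added example (not the article's own commands): the article's key lifecycle
# scripted for GnuPG 2.x. Assumptions: gpg is in PATH; a throwaway GNUPGHOME
# is used so the real keyring is untouched; the key server is the one the
# article uses unless KEYSERVER is set. Identity below is made up.
set -u

KEYSERVER=${KEYSERVER:-hkp://pgp.mit.edu}

# Parameter file read by gpg in --batch mode. 4096-bit RSA and no expiry
# match the article's choices; %no-protection only because this is a demo
# key: a real key should be protected by a passphrase.
gen_params() {                 # usage: gen_params "Real Name" "mail@example.org" [bits] [expire]
    cat <<EOF
%no-protection
Key-Type: RSA
Key-Length: ${3:-4096}
Subkey-Type: RSA
Subkey-Length: ${3:-4096}
Name-Real: $1
Name-Email: $2
Expire-Date: ${4:-0}
%commit
EOF
}

# Create a private GNUPGHOME and generate the demo key unattended.
# Prints the new key's fingerprint (the value the article says to write down).
make_demo_key() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
    gen_params "Demo User" "demo@example.org" | gpg --batch --gen-key 2>/dev/null
    gpg --list-keys --with-colons --fingerprint | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Revocation certificate. GnuPG 2.1+ already writes one to openpgp-revocs.d at
# key creation, with a leading ':' on the BEGIN line so it cannot be imported
# by accident; otherwise answer --gen-revoke's prompts through --command-fd
# (create? yes / reason 0 = no reason given / empty description / confirm).
make_revocation_cert() {       # usage: make_revocation_cert FPR out.asc
    if [ -f "$GNUPGHOME/openpgp-revocs.d/$1.rev" ]; then
        sed 's/^:-----BEGIN/-----BEGIN/' "$GNUPGHOME/openpgp-revocs.d/$1.rev" > "$2"
    else
        printf 'y\n0\n\ny\n' | gpg --command-fd 0 --status-fd 2 --output "$2" --gen-revoke "$1"
    fi
    chmod 600 "$2"
}

# Publish the public key (or, after revocation, the revoked key) to the server.
publish_key() {                # usage: publish_key FPR
    gpg --keyserver "$KEYSERVER" --send-keys "$1"
}

# Import the revocation certificate and verify the keyring now shows the key
# as revoked (validity field "r" in --with-colons output, "[revoked]" in the
# human-readable listing). Push it with publish_key afterwards.
revoke_key() {                 # usage: revoke_key FPR revocation.asc
    gpg --import "$2" 2>/dev/null
    validity=$(gpg --list-keys --with-colons "$1" | awk -F: '$1 == "pub" { print $2; exit }')
    [ "$validity" = "r" ] || { echo "key $1 is not marked revoked" >&2; return 1; }
}

# Remove the key from the keyring: secret key first, then the public key.
delete_key() {                 # usage: delete_key FPR
    gpg --batch --yes --delete-secret-keys "$1" && gpg --batch --yes --delete-keys "$1"
}

# Full offline run (publishing is left to the user because it needs network).
demo() {
    fpr=$(make_demo_key) || return $?
    echo "generated key $fpr"
    make_revocation_cert "$fpr" "$GNUPGHOME/revoke.asc"
    echo "to publish: publish_key $fpr"
    revoke_key "$fpr" "$GNUPGHOME/revoke.asc" && echo "key $fpr is now revoked"
    delete_key "$fpr" && echo "key $fpr deleted from $GNUPGHOME"
}

[ "${RUN_DEMO:-0}" = 1 ] && demo
```

Run it with `RUN_DEMO=1 sh gpg-lifecycle.sh` to watch the sequence end to end. Two details matter for the revocation step: the certificate is as sensitive as the article says (it is stored with mode 600 here, and should live somewhere that is backed up but not on the machine that holds the private key if you can avoid it), and a revocation only reaches your contacts once the revoked key has been re-sent to the server, which is why `revoke_key` is followed by `publish_key` in practice.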
Usage
Now, use your favorite software to encrypt your emails. Send your public key to your friends as well, so they can easily encrypt the emails they send you :-)
Resources
Last updated 10 Sep 2008, 16:12 CEST.