Tutorial: How to generate and distribute your keys
December 7th, 2006 by Adam
In order to use OpenPGP email encryption, you need a key pair. Once you have installed Thunderbird, Enigmail and GnuPG you can generate your own key pair. There are two ways – an easy way giving you a basic setup with few options, or a slightly more complex way, giving you many more options.
- The Easy Way
Enigmail offers you a wizard when you initially install it, and this guides you through a key generation phase. If you aborted the wizard, it will not display again, so you will have to manually generate your keys. Don’t worry though – this is simple. Once you have configured your email accounts in Thunderbird (adding usernames and passwords etc), hit OpenPGP > KEY MANAGEMENT. This will give you a window similar to this:

All you have to do is go to GENERATE > NEW KEY PAIR. The following will appear:

Select your chosen email address from the drop-down list at the top, then choose a passphrase (password) – you must remember this. If you forget your passphrase, there is no way to recover it, so you will not be able to read any encrypted email you’ve sent or received using this particular key pair.
Next step is to set the appropriate options for the key. A comment is optional – I normally don’t bother with a comment, but it can help you differentiate (for example) your personal-use key pair from your business-use key pair if you need to. Expiry of the key is also optional – you can set it to expire in any amount of time you wish, or you can select the checkbox so that it never expires.
Before you generate your key, select the “Advanced” tab:

Here, you’ll be able to set up the key in a way you are comfortable with. The default setting is for a DSA/El Gamal key pair with a 1024 bit DSA key for signing and a 2048 bit El Gamal key pair for encryption. There are two drop-down boxes available: one allows you to set the size of your key pair from 1024 bits (least secure) to 4096 bits (most secure) – the other drop-down box (shown expanded in the image above) allows you to change the type of key you use. Your choice of key type is actually quite important as I’ll explain.
With a DSA/El Gamal key pair, the key size you specify will only alter the size of the El Gamal encryption key and not the DSA key. The DSA key is always 1024 bits. By using a DSA key, you are also restricting yourself to a more limited set of Secure Hash Algorithms for signing files and emails – see my tutorial on Choosing the right SHA Settings for further details. Arguably, the El Gamal encryption is as secure as RSA, but takes longer to encrypt and decrypt messages. I personally prefer to use an RSA key pair because it is compatible with a wider range of SHA settings, it’s faster than El Gamal at encryption and decryption, and RSA can be used for both encryption and signing, so you don’t need a separate type of key. The disadvantage to this, however, is that there is some doubt as to the security of a large-bit key used for signing emails and files – more bits may cause a weakness in the hashing. Enigmail only allows you to create RSA keys that are used for both signing and encryption – if you are at all interested in having more options, I suggest that you use the Advanced Method to generate your keys as shown below.
Once you have chosen your key settings, you simply have to click “Generate Key” and it will be done. You will be asked if you wish to create a Revocation Certificate – I would recommend that you do this. If you forget your passphrase, a revocation certificate will allow you to revoke the key. If you don’t have a revocation certificate, you will need the passphrase to revoke the key (which isn’t much help if you’ve forgotten it!).
Your public and private keys are stored in the GnuPG home directory – on Windows XP and 2000, this is usually:
C:\Documents and Settings\[user]\Application Data\GnuPG\
To back up your keys, you should simply copy the contents of this folder and store them securely elsewhere.
- The Advanced Method
So, you want some more advanced options for key generation? I highly recommend this as it gives you more flexibility as to the type of keys you use, the size of both the encryption and signature keys, and your choice of Secure Hash Algorithm.
First things first – we need to use GnuPG with the command line. This means making a small change (on Windows systems only) to make the process much simpler. I created a flash animation with an easy step-by-step guide.
Once this is done, hit START > RUN and type “cmd” into the box. Press enter or click OK and this will launch an MS-DOS prompt. Type the following into the command prompt exactly as it appears:
gpg --gen-key
This will give you a list of options – for the purposes of this example, I’ll create a 2048 bit RSA signing key with a 4096 bit encryption key.

Type “5” and press enter then select your key size – in this example, I used “2048”. You are then given options for expiry – for a key that’s valid for 2 years, enter “2y”. You’re then asked to confirm the details are correct – if they are, hit “y” then enter.
Once your chosen key settings are in, you’ll be asked for your real name, your email address and a comment (which is optional). Please note that GnuPG does not allow short names by default – under “Real Name” you will need to enter text longer than 5 characters. There is, however, a way around this. When you first go to generate the key, hit START > RUN > cmd then enter the following into the command line:
gpg --gen-key --allow-freeform-uid
And this will allow you to use (for example) your first name only if you so wish.

You will be given a chance to confirm or change your details. If they are correct, enter “O” for Okay and enter your chosen passphrase when prompted. Again, the passphrase is extremely important – you need to remember this as it is required every time you use the keys to send or receive an encrypted email or file.
Once done, the key will generate – this may take a few moments depending on your hardware. Once it has generated, the screen will show details of your new key:

Read the screen output – in this example, you will see that the key name is 9B48740F – this is shown in the line above the key fingerprint:
pub 2048R/9B48740F
We now need to add your subkey by editing the key you’ve just generated. Type:
gpg --edit-key 9B48740F (replace 9B48740F with your key name)

Now, type addkey and enter your passphrase when prompted.
Now enter your chosen options – I entered “6” for an RSA encryption key, “4096” bits and “2y” for a 2 year expiry:

Once all the details are confirmed, the key will be generated for you. Generation times for the encryption keys are generally longer than signing keys – especially when there is a larger bit-size. It should still only take a minute or so depending on the key size and the hardware used. Once the key is generated, you will get a confirmation message followed by a Command> option. You must type “save” before you close the command prompt.
So that’s it! Easy, wasn’t it? Generally, GnuPG gets press as being “difficult to use” because it’s a command line tool, but for key generation, it’s actually very straightforward. You can now use your advanced encryption and signing key in Thunderbird by going to the OpenPGP menu, selecting KEY MANAGEMENT > FILE > RELOAD KEY CACHE.
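To confirm that a generated key really has the layout you intended, this added example (not part of the original tutorial) reads GnuPG's machine-readable listing from `gpg --list-keys --with-colons` and reports each key's algorithm, size and own capabilities, covering both the default DSA/El Gamal pair from the Easy Way and the RSA signing key with RSA encryption subkey built above. It assumes a POSIX shell with awk; the 2048-bit threshold, the function names and the sample listings are this example's own.

```shell
#!/bin/sh
# Added example: audit `gpg --list-keys --with-colons` output.
# MIN_BITS is this example's own threshold (an assumption), not a GnuPG setting.
MIN_BITS=${MIN_BITS:-2048}

# Reads colon-format records on stdin and prints one line per key or subkey:
#   <pub|sub> <algorithm> <bits> <own capabilities> <OK|WEAK>
audit_keys() {
    LC_ALL=C awk -F: -v min="$MIN_BITS" '
        BEGIN { name[1] = "RSA"; name[16] = "ELG"; name[17] = "DSA" }
        $1 == "pub" || $1 == "sub" {
            algo = ($4 in name) ? name[$4] : "algo" $4
            caps = $12
            gsub(/[A-Z]/, "", caps)   # uppercase letters summarise the whole key
            if (caps == "") caps = "-"
            print $1, algo, $3, caps, (($3 + 0 < min + 0) ? "WEAK" : "OK")
        }'
}

# Succeeds only if no primary key or subkey on stdin is below MIN_BITS.
all_keys_strong() {
    ! audit_keys | grep -q ' WEAK$'
}

# Succeeds if no primary key can encrypt and an encryption subkey exists,
# i.e. signing and encryption are handled by separate keys.
roles_separated() {
    audit_keys | awk '
        $1 == "pub" && $4 ~ /e/ { bad = 1 }
        $1 == "sub" && $4 ~ /e/ { enc = 1 }
        END { exit !(enc && !bad) }'
}

# Constructed sample listings; key IDs and timestamps are made up.
default_key() {     # DSA 1024 signing key + El Gamal 2048 encryption subkey
    printf '%s\n' \
        'pub:u:1024:17:AAAAAAAAAAAAAAA1:1165449600:::u:::scESC:' \
        'sub:u:2048:16:AAAAAAAAAAAAAAA2:1165449600::::::e:'
}
advanced_key() {    # RSA 2048 signing key + RSA 4096 encryption subkey, 2y expiry
    printf '%s\n' \
        'pub:u:2048:1:BBBBBBBBBBBBBBB1:1165449600:1228521600::u:::scESC:' \
        'sub:u:4096:1:BBBBBBBBBBBBBBB2:1165449600:1228521600:::::e:'
}
single_rsa_key() {  # one RSA 2048 key used for both signing and encryption
    printf '%s\n' \
        'pub:u:2048:1:CCCCCCCCCCCCCCC1:1165449600:::u:::escESC:'
}
```

To check a real keyring, pipe the listing in directly: `gpg --list-keys --with-colons | audit_keys`.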
- Distribute Your Keys
So, the whole point in using encrypted communications is so that you can communicate securely. For others to communicate with you using encrypted email or files, they need your public key. You can do one of a few things.
Firstly, you could send your public key to everyone you know. This is quite a simple way of distributing your keys, although not entirely convenient. Not all your friends or contacts will use cryptography so you may just confuse them. Additionally, it takes a significant amount of time to do yourself. To send your keys by email, go to OpenPGP > KEY MANAGEMENT. Find your key in the list, right-click on it and select Send Public Keys by Email. Add whoever you want to receive the keys in the “to” part of the email and hit send – it’s pretty easy to do, but maybe not ideal.
Secondly, you could upload your public keys to a keyserver (here is an example of a keyserver, where you can search for keys by email address, key name etc.) This way, when someone tries to send you an encrypted email but doesn’t have your public key, they can search for it, download it and use it automatically. This is my recommended option, although you need to appreciate that your full name and email address will be available online.
Finally, here’s an option that’s somewhere in the middle. Why not upload a copy of your public key to your webspace – you can then include a link to it from your website, or in a signature automatically attached to your outgoing email. This still means that only people you have emailed previously will be able to send you encrypted communications, but it also means that you know who has your key.
I hope the above was helpful – any questions / comments? Feel free to leave them below.