OpenPGP - Frequently Asked Questions

e-ignite:  Communicate Securely

This page is a quick FAQ, essentially for those of you who have problems with OpenPGP.  The following questions are asked repeatedly:

I've forgotten my passphrase - What can I do?
I've lost my OpenPGP Keys - what can I do?
How do I import a public key?
How do I use the gpg command line in Windows?
Can I use OpenPGP with my webmail accounts?
Why do I keep getting an Enigmail HTML Warning?
Why have I got an email with a "Bad Signature"?
Can I use SHA256 with a DSA key?
How do I change the SHA settings on new versions of Enigmail?
How do I change the GnuPG Home Directory?

Forgotten Passphrase:
If you forget your OpenPGP passphrase, there is not very much that you can do about it. Other than trying any obvious candidates you use, including misspelled variants of them, all that is left to do is to revoke your old keys.  To do this, you'll need the revocation certificate that you generated when you first created your keys, since generating a new revocation certificate requires the passphrase too.
If you don't have a revocation certificate? Well, you can't do much about it, I'm afraid.  You will need to contact the people who have your public key and let them know that you are unable to use your old keys and that they have to use your new one. I would suggest that when you generate your new key, you put something in the comment field like "New key replaces 0xABC123DE4" (but use your old key ID, obviously!).

Lost Keys:
If you lose your keys, there are a few things that you can do to recover them.  Firstly, check your GnuPG home folder for "secring.bak" and "pubring.bak": these are automatic backups of your private and public keyrings, kept in case you corrupt your originals. On Windows, the default GnuPG home folder is "C:\Documents and Settings\<USER>\Application Data\gnupg\".
If the backup files are there, rename the current "secring.gpg" and "pubring.gpg" to "secring.gpg.bak1" and "pubring.gpg.bak1", then rename the .bak files to "secring.gpg" and "pubring.gpg".
This may or may not work, but there is still another potential solution.

If the keys have been accidentally deleted, or if you forgot to back the files up before reformatting your hard drive, there is a small glimmer of hope. Try downloading "PC Inspector File Recovery" - a free deleted/lost file recovery program. You can search for lost and deleted files using this, but recovery is not guaranteed, unfortunately. Just try to find any "*.gpg" files - if you find them, back them up!

Advice for Future Use:
It happens to us all, I'm afraid: sometimes you lose data that you can't recover, and we just have to put it down to experience.  I would highly recommend that you back up both your private keyring (secring.gpg) and your revocation certificates in case of disaster.  These really should be protected by some form of encryption if stored electronically; I can highly recommend TrueCrypt, which is completely free.  If password-protecting the files, use a password that is different from your key's passphrase, just in case; this gives you extra protection.  Store the data safely away from your computer, or you could even email it to yourself if you have an online archive (like Gmail). However, that would require a strong password to fully protect you, so try not to forget that one!
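The two pieces of advice above (keep a revocation certificate, and keep an encrypted backup of it and the private keyring under a different passphrase) as one scripted routine. This is an added example, not code from the e-ignite page; it assumes gpg 2.1 or later on the PATH, uses a throwaway GNUPGHOME, and gives the demo key an empty passphrase only so it can run unattended.

```shell
# Added example, not from the e-ignite FAQ: keep the revocation certificate
# gpg 2.1+ writes at key creation, store it in an encrypted keyring backup
# under a DIFFERENT passphrase, and if the key passphrase is ever forgotten
# import that certificate to revoke the key (no passphrase is needed for that).
# Assumes gpg >= 2.1 on PATH; throwaway GNUPGHOME, empty-passphrase demo key.
set -eu

# Create the demo key in $GNUPGHOME and print its 40-hex-digit fingerprint.
make_demo_key() {  # $1 = user id
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$1" default default never 2>/dev/null
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Bundle the exported secret key plus the auto-generated revocation
# certificate and symmetric-encrypt the bundle with the backup passphrase.
backup_keys() {  # $1 = fingerprint, $2 = backup passphrase, $3 = output file
  tmp=$(mktemp -d)
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' --armor \
      --export-secret-keys "$1" > "$tmp/secret.asc"
  cp "$GNUPGHOME/openpgp-revocs.d/$1.rev" "$tmp/revoke.rev"
  tar -C "$tmp" -cf - secret.asc revoke.rev | gpg --batch --yes --quiet \
      --pinentry-mode loopback --passphrase "$2" --symmetric --output "$3"
  rm -rf "$tmp"
}

# Revoke using only the certificate. gpg writes the .rev file with a ':' in
# front of the BEGIN line so it cannot be imported by accident; strip it.
revoke_with_certificate() {  # $1 = path to the .rev file
  sed 's/^:-----BEGIN/-----BEGIN/' "$1" | gpg --batch --quiet --import 2>/dev/null
}

# Print "revoked" or "valid": field 2 of the pub line is 'r' once revoked.
key_status() {  # $1 = fingerprint
  if gpg --batch --with-colons --list-keys "$1" | grep -q '^pub:r:'
  then echo revoked; else echo valid; fi
}

# End to end: create, back up, recover the certificate from the backup as if the passphrase were lost, revoke, print status.
demo() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
  backup_pw='backup-passphrase-not-the-key-passphrase'
  fpr=$(make_demo_key 'Demo User <demo@example.invalid>')
  backup_keys "$fpr" "$backup_pw" "$GNUPGHOME/keys.tar.gpg"
  gpg --batch --quiet --pinentry-mode loopback --passphrase "$backup_pw" \
      --decrypt "$GNUPGHOME/keys.tar.gpg" 2>/dev/null | tar -C "$GNUPGHOME" -xf - revoke.rev
  revoke_with_certificate "$GNUPGHOME/revoke.rev"
  key_status "$fpr"
  gpgconf --kill gpg-agent 2>/dev/null || true
}
```

Run `demo` to see the whole cycle; the only secret needed at revocation time is the backup passphrase, which is why it must differ from the key's own.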

How do I import a public key?
I've made an extremely easy-to-follow guide - just click here to see it.

How do I use the gpg command line with Windows?
If you want to use GnuPG from the Windows command line, there are two methods: the easy way and the hard way.
The easy way is to configure Windows as shown here.  This lets you open the command line via START > RUN > cmd and then just type the gpg command (for example "gpg --help").
The hard way is to move any file you are working with into the GnuPG directory, then navigate to that directory in DOS. This is time-consuming and extremely frustrating if you make a single mistake. So please, take my advice and do it the easy way.  The configuration takes 30 seconds of your time and will save you twice that for each command you type.

Can I use OpenPGP with my Webmail Accounts?
Yes, you can.  You can either use a mail client program such as Mozilla Thunderbird or use your webmail provider's online interface.

Why do I keep getting an Enigmail HTML Warning?
If you get a warning from Enigmail about the use of HTML, it's because you are trying to use inline email signing with an HTML email.  When you compose in plain text, the length of each line is pre-defined and no formatting is present. If you compose in HTML, these restrictions do not apply, and Enigmail has to re-format the email before sending it as plain text with an inline signature.  This will quite often cause signature verification to fail.

The easiest way to avoid this is to use one particular type of signing.  If you want to use HTML, you should enable PGP/MIME (although there are some restrictions to this - read more). If you want to use Plain Text and inline email signing, compose your emails in plain text only. To do this, either configure Thunderbird to always use Plain Text, or hold down SHIFT when you click compose/write.

Why have I got an email with a "Bad Signature"?
This means that the email may have been altered since it was signed. If you receive a sensitive email with a bad signature, it is recommended that you discard the information in it and contact the original sender. However, signature verification can also fail because of the way the email was composed: if it is composed in HTML and then signed using inline PGP, this often leads to a "Bad Signature".  See the FAQ "Why do I keep getting an Enigmail HTML Warning?" for more on this.

Can I use SHA256 with a DSA key?
Yes - you can. You need to update GnuPG to the latest version, then follow these simple instructions.

How do I change the SHA settings on new versions of Enigmail?
The newest versions of Enigmail have been designed with the new user in mind, to avoid potential confusion and the need to do a load of research before using encrypted email.  One of the options that has been removed from the screen is the ability to change the default SHA settings. The default SHA setting now relies on your gpg.conf file or, if you have not specified a SHA preference there, on the GnuPG defaults.  This behaviour can be changed (for example, if you want Enigmail to use a different SHA setting from the other GnuPG applications that use your gpg.conf preferences), but unfortunately the procedure is a little complex:

Firstly, you need to change your gpg.conf file - this is located in your GnuPG Home Directory.  On Windows 2000 / XP, this is at C:\Documents and Settings\Application Data\gnupg\
Browse to this folder and open gpg.conf with Notepad. Underneath the "Comment" line, enter "digest-algo SHA512" (changing SHA512 to whichever algorithm you prefer, and without the quote marks), then save the file and close it.

Next, you need to make a change in Enigmail's settings.  Open Thunderbird, then go to TOOLS > OPTIONS > ADVANCED > CONFIG EDITOR.  This will allow you to edit about:config:

When the Config Editor opens, type extensions.enigmail. in the Filter field, then find the entry marked extensions.enigmail.mimeHashAlgorithm. The default value is 0, which means that GnuPG dictates the SHA settings via the gpg.conf file. If you have not changed the default settings within Enigmail, you do not have to edit this setting. If, however, you previously dictated your SHA settings with an older version of Enigmail, it may not be set to the default: if the value is 3, for example, Enigmail will use SHA256. By changing this value to 0, Enigmail relies on the entries in gpg.conf, which is its default behaviour.

Once you have made any necessary changes, simply close about:config and hit OK in the Thunderbird Options screen.  You're now all set to use your preferred hash algorithm.
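The gpg.conf side of the procedure above, scripted so the option line is never duplicated, followed by the check that tells you which hash a signature actually carried. This is an added example, not code from the e-ignite page or from Enigmail; it assumes gpg 2.1 or later on the PATH and uses a throwaway GNUPGHOME with an empty-passphrase demo key so it runs unattended.

```shell
# Added example, not from the e-ignite FAQ: apply the gpg.conf change the
# FAQ describes ("digest-algo SHA512") without duplicating lines, then
# confirm which hash a signature really used by reading its signature packet,
# the same check that tells you whether Enigmail/GnuPG honoured the setting.
# Assumes gpg >= 2.1 on PATH; runs in a throwaway GNUPGHOME with an
# empty-passphrase demo key purely so the script runs unattended.
set -eu

# Replace an existing "<option> <value>" line in gpg.conf or append one.
# Note: digest-algo forces the hash regardless of the recipient's key
# preferences; personal-digest-preferences is the gentler alternative.
set_gpg_conf_option() {  # $1 = gpg.conf path, $2 = option, $3 = value
  [ -f "$1" ] || : > "$1"
  grep -v "^[[:space:]]*$2[[:space:]]" "$1" > "$1.new" || true
  printf '%s %s\n' "$2" "$3" >> "$1.new"
  mv "$1.new" "$1"
}

# Print the digest algorithm id recorded in a detached signature over $1
# made by $2 (OpenPGP ids: 2 = SHA1, 8 = SHA256, 9 = SHA384, 10 = SHA512).
signature_digest_id() {  # $1 = file to sign, $2 = signer user id
  gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
      --local-user "$2" --output "$1.sig" --detach-sign "$1" 2>/dev/null
  gpg --list-packets "$1.sig" 2>/dev/null |
    sed -n 's/.*digest algo \([0-9]*\),.*/\1/p' | head -n 1
}

# Run the whole check: write the option (twice, to show it stays a single
# line), create a demo key, sign, and print the hash id the signature carries
# (10 when digest-algo SHA512 took effect).
demo() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
  set_gpg_conf_option "$GNUPGHOME/gpg.conf" digest-algo SHA512
  set_gpg_conf_option "$GNUPGHOME/gpg.conf" digest-algo SHA512
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Demo User <demo@example.invalid>' default default never 2>/dev/null
  printf 'signed test message\n' > "$GNUPGHOME/msg.txt"
  signature_digest_id "$GNUPGHOME/msg.txt" demo@example.invalid
  gpgconf --kill gpg-agent 2>/dev/null || true
}
```

The same `gpg --list-packets` check works on a signature Enigmail produced: if the id is not the one you configured, the about:config value above is still overriding gpg.conf.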

How do I change the GnuPG Home Directory?
In order to change the Home Directory of your GnuPG installation on Windows, you need to alter a registry entry.  The Home Directory is where GnuPG will look for your keyrings (public and private keys) and your gpg.conf file (a file holding personal settings).

- To change the GnuPG home directory, click START > RUN > regedit
- In Regedit, browse to HKEY_CURRENT_USER\Software\GNU\GnuPG
- If an entry called "HomeDir" exists, right-click on it, select Modify and enter your chosen path (e.g. C:\gnupg\home\)
- If the entry does not exist, select EDIT > NEW > STRING VALUE. Name it "HomeDir", then modify it to include your chosen file path for your Home Directory.

The above is an extremely useful procedure if you plan to store your private keys in an encrypted volume.
