OpenPGP Set-up Information

e-ignite:  Communicate Securely

OpenPGP works using GnuPG - you will need to download this to use OpenPGP email encryption and signing. GnuPG is a command-line program that can be difficult for inexperienced users to grasp.  Fortunately, there are many GnuPG "frontend" programs that add a graphical user interface to it, allowing you to easily incorporate features of OpenPGP to your communications.

I believe the best frontend available is Enigmail, which is a plugin for Mozilla Thunderbird. It is also available for other Mozilla products such as Mozilla Suite and Mozilla Seamonkey - the instructions provided here are very similar for using Enigmail with these two programs. On this page, detailed instructions are provided for the setup and use of Enigmail with Mozilla Thunderbird - both of which are available on multiple platforms including Windows, Mac and Linux.  There are other frontend plugins available for other email clients such as Outlook Express, Outlook, Eudora and Pegasus mail - I have provided links and as much information about these as I can.

Page Contents:
Download and install GnuPG
Download and install Thunderbird and Enigmail
Configure Enigmail and GnuPG
Generate Keys and distribute them
Send and recieve Signed mail
Send and recieve Encrypted mail
PGP/MIME - when to use it

Advanced Settings (use these after you have initially set up OpenPGP Encryption)

Instructions for using GPG with Microsoft Outlook 2003

Download and install GnuPG:
Go to the GnuPG website and download the appropriate version of GnuPG for your system. Install it to a directory such as "C:\Program Files\GnuPG" - the directory doesn't really matter, but you must remember the path you installed it to.

If you intend to use the GnuPG command line at any point, click here to configure GnuPG correctly. These instructions will make use of the command line much easier, but this is not necessary if you intend only to use GnuPG with Enigmail.

Download and install Thunderbird and Enigmail:
If you are not already using Mozilla Thunderbird, I would recommend that you download it.
Once you have downloaded and installed Thunderbird, you can launch the program and import your mail and settings from other mail clients such as Microsoft Outlook Express.  Verify your account settings by checking in TOOLS > ACCOUNT SETTINGS and when you first use an accout to send or recieve email, you'll be asked to enter a password. You can then get Thunderbird to remember your passwords or not using the check box on the password dialog.

Once Thunderbird is installed, go to the Enigmail Downloads page and select the appropriate version.  Right-Click the download link and save the .xpi file somewhere like your desktop.  Once it has fully downloaded, open Thunderbird and go to TOOLS > EXTENSIONS > INSTALL and select the Enigmail .xpi file. You will then have to restart Thunderbird to complete the installation.

If you are not using Thunderbird, see this link for plugins for other email clients.

Configure Enigmail and GnuPG:
Once Enigmail is installed, open Thunderbird and go to the OpenPGP menu. Select PREFERENCES and under "GnuPG Executable Path" put the directory that you've installed GnuPG in (eg. C:\Program Files\GnuPG\gpg.exe).  You can use the Preferences dialog to change some more advanced settings if you like, but you do not necessarily need to alter these - Enigmail is now configured!

Configure GnuPG

You should note that on the most recent versions of Enigmail, several of the options described over the following pages are hidden by default - this is in an attempt to reduce potential confusion for new users. To "un-hide" these settings, simply go to OpenPGP > PREFERENCES and mark SHOW EXPERT SETTINGS.

Generate Keys and distribute them:
In order to use encryption with your email, you need to generate a set of keys - a public and a private key. Your public key is used by others to encrypt email to you and your private key is used to decrypt email from others, sign email to others and encrypt email to others.  This is what is meant by a "key pair".

To generate your keys, open Thunderbird, go to the OpenPGP menu and select KEY MANAGEMENT. In the window that opens, select GENERATE > NEW KEY PAIR.  You now choose which email address you want to create a key for, and select your key's validity and you need to choose a passphrase.  This passphrase will be required for you to sign, encrypt or decrypt messages so do not forget it! There are also more advanced options (under the ADVANCED tab) where you can choose a key size (I recommend that you use 2048bit) and a key type (I recommend that you use RSA, but see the Key Types page for more information). When you are happy with the options you have chosen, select GENERATE KEY and Enigmail will take a few moments to create your key pair. When it is complete, you are able to send and recieve encrypted email.

You will be asked if you want to create a revocation certificate - this would only be used if you lost your private key or forgot your passphrase and had to stop people encrypting email to you that you couldn't read.  If you do create these revocation keys, keep them somewhere safe.

One of the main advantages of OpenPGP encryption is that you do not need to send your public keys to all your contacts manually.  You do not have to submit your keys to a keyserver - you could email your public keys to all your contacts if you like (OpenPGP > KEY MANAGEMENT > [right-click on the key] > SEND PUBLIC KEYS BY EMAIL) but if you submit your key to a keyserver, anyone will be able to retrieve them and send you secure email without having to contact you to get your keys first.  It also means that you can send signed email to someone who doesn't have your key, and they are able to verify if the message has been tampered with since you sent it.

I would recommend that you make use of the keyservers, but this is entirely your decision. If you want to, open the Key Management window, right-click on your key and select UPLOAD PUBLIC KEYS TO KEYSERVER. Enigmail will do this for you - whichever keyserver you send it to, it will be copied across several other keyservers so that your public key is always available if one keyserver goes down or is not accessible for any reason.

Send and recieve signed email:
When you sign an email, you are verifying that you actually sent it and that no-one else has spoofed your email address. A signature also allows you to verify if a message has been tampered with after it was sent. Enigmail puts an information bar above an email with information about a signature on an email -  a "good" signature means the message is valid and has not been altered since it was sent.  A "bad" signature means that the email has been compromised.

To send a signed email, simply type your message in the "Write Mail" dialog, select "Sign Message" from the OpenPGP dialog button in the top right of the composition window.  If you do not have a copy of the recepient's public key, Enigmail will attempt to retrieve it from a keyserver automatically so you should not have to contact the person and ask them to send you their public key.

You may recieve a warning about the use of html, or a box asking you if you want to use PGP/MIME.  Please see the section on PGP/MIME for more information.

Send and recieve encrypted email:
By sending encrypted email, you are creating an email that only the intended recepient can read. Enigmail by default encrypts the message to you and to the recepient so that you are able to read the message in your sent items folder and the recepient is able to read it.  Unless someone has access to your private keys or the recepient's private keys, no-one else will be able to read the contents of the email.

To send an encrypted email, type your message as normal with the "Write Mail" dialog, and select "Encrypt Mail" from the OpenPGP button in the top right of the composition window. If you do not have a copy of the recepient's public key, Enigmail will attempt to retrieve it from a keyserver automatically so you should not have to contact the person and ask them to send you their public key.

You may recieve a warning about the use of html, or a box asking you if you want to use PGP/MIME.  Please see the section on PGP/MIME for more information.

Thunderbird and OpenPGP Encryption

PGP/MIME - when to use it:
PGP/MIME is a method for encryption and signing of email.  It allows you to use text formatting so you can send html emails or sign and encrypt emails with attachments.  If you are simply sending a text email, Enigmail OpenPGP saves the email as an html file, then signs and/or encrypts the file rather than the text. It is an advanced feature and has excellent functionality, however, not all email clients support PGP/MIME.  If your intended recepient uses Enigmail, you are able to send PGP/MIME email to them. Otherwise, you would need to check with them to see if they are able to read PGP/MIME emails.  Normally, Enigmail encrypts plain text emails only, so if you compose an html email (for example, using Bold style, a specified font, a font colour or a font size) then you will get a warning box asking if you want to remove the html formatting or if you want to use PGP/MIME instead. If you do not want to use PGP/MIME, you should compose your emails in plain text only by holding down SHIFT when you click "Write" to compose an email. Converting from html to plain text after composing the mail can cause problems with bad signatures.

Inline PGP is the most universally accepted method to use, however this is changing. As far as I'm aware, the only mainstream mail clients that do not support PGP/MIME are Microsoft Outlook and Outlook Express.  If you sign an email and send it to an Outlook or Outlook Express user, they will receive a blank email with two attachments - the html message and a signature. They will still be able to read the message, but they have to open the attachment as a file because it will not display automatically within the program.  There is an excellent list of email clients that support PGP/MIME and I'd recommend that you have a look at it here. If you and all your contacts use Thunderbird and Enigmail, there is no reason not to use PGP/MIME.

MS Outlook

GPG With Outlook 2003:

It's possible to use GPG with Microsoft Outlook and Microsoft Outlook Express, although this relies on you using seperate plugins with each mail client.  The GPG4WIN project has a plugin available for Microsoft Outlook. Although these plugins offer the same general functionality, they operate in a different way.  Documentation is available for each plugin individually.

It should be noted, however, that the plugins for any email client are simply a front-end tool for GnuPG, so any configuration instructions (such as the command line instructions) apply whether you use Thunderbird and Enigmail, or Outlook / Outlook Express and the appropriate plugin.  It should also be noted that if you change to/from Outlook, it is GnuPG that controls your keys - you therefore do not have to generate new key pairs every time you change mail clients.

Copyright | e-ignite is powered by | About e-ignite