If you think that no one can read your email but you, think again!
Each time you check your email, all of the text of your emails is sent
over the internet in plain text. This means that anyone sitting
between you and the person who sent the email can read every word of
it. Do you ever send financial information? Do you ever send
your SSN? With PGP you can eliminate these worries by encrypting
emails so that no one other than your intended recipient can read
them.
GnuPG is a free, open-source implementation of PGP that you can use on
many OSes, including Windows and Linux. If you really want to find
out how it works, read the guide
on the GnuPG page. If you want the quick and dirty version so that you can
start using it in 5 minutes, read on. Then go read the GnuPG
guide when you have time :-)
In order to use PGP you have to know a bit about public-key
encryption. Each user will have 2 keys: a private key that
you share with no one, and a public key that you give out to anyone who
wants to send you PGP emails. If you want to send an email to
someone, you will need their public key. You use their public key
to encrypt the email so that only they can unlock (decrypt)
it. The same holds true if someone wants to send an email to
you. First, they must have your public key. They encrypt
emails they send to you with your public key. When you receive the
email, you unlock it with your private key and your password.
Windows users will want to use WinPT
(Windows Privacy Tools). WinPT comes with GnuPG, so all you have
to install is WinPT. The WinPT webpage has great documentation
with screenshots and everything, in case I mention something here that
you need more help on.
First, download the WinPT complete package. It will come with all
that you need. If you use Outlook Express, it also comes with
a plugin for you to use.
When you run WinPT for the first time, it will warn you that it could
not find any keyrings. Select "Have WinPT to generate a
keypair." Basically WinPT needs to create the public and private
keys that we talked about in the Introduction. You will need to
enter in the following information:
- User name: Michael D Spiceland
- Comment (optional): personal email
- Email address: whatever@provider.com
- Password: choose this carefully! You cannot retrieve it if you lose it, and it prevents people from forging emails from you if your private key ever gets compromised.
Now you should notice a new icon on the bottom right of your
taskbar. You are ready to use PGP!
Getting Other People's Keys
There are 2 steps in getting someone's public key so that you can send
them encrypted emails and files:
- get their public key
- sign it with GnuPG (WinPT)
In order to send an email to someone you will need their public
key. You will use this public key to encrypt the email so that
only they can unlock it. The best and only really safe way to get
their key is if they give it to you personally on a disk. If you
cannot get it from them personally, many people publish their PGP keys
on their websites and in their email signatures. If that isn't available,
there are public keyservers that you can search by email address, such as http://pgp.mit.edu. Whichever
method you use, you should check the fingerprint of the key that you
receive with them to verify that it is really their key. Using
keys without verifying them means that you could be encrypting the email
to someone other than who you meant to send it to. The fingerprint
will be a long string of letters and numbers that you must compare
for an exact match; a partial match is not good enough.
Using WinPT, you can search for and import keys automatically.
Right click on the WinPT taskbar and choose "key manager." Now
click on the keyserver menu. A new dialog will appear.
Select the keyserver you want (I use .us since I am in USA) and make
this one your default by clicking on the "default" button. Now you
can search by email or key ID by entering text in the text box and
clicking "Search." Select the key that you want to add and click
"Receive." You are now ready to send emails to that person.
After receiving their key and checking its validity, sign it with
GnuPG. For you Windows users, this can be done by right-clicking on
the WinPT taskbar icon and choosing "key manager." From within
the key manager you can receive keys or import keys. After you
import it, you should sign it using the key manager. This will
prevent you from getting the message "Key is not trusted! Encrypt
anyways?"
Although WinPT comes with an Outlook Express plugin, I did not see any
new options under Outlook Express. Fear not! WinPT has a
generic way of encrypting emails that is simple enough to use with any
email client.
First, type up your email and get it ready to send. When you are
ready to encrypt it, use this:
SHIFT-CNTL-E
(to encrypt the text in the current window)
It will prompt you to select the key of the person you want to send it
to. Select the person and you are done! Your email is now
encrypted. You can send it on its way, and no one should be
able to see its contents other than the desired person.
The same technique can be used when receiving an email. When you
get a PGP encrypted email, just hit:
SHIFT-CNTL-D
(to decrypt the text in the current window)
Assuming that it was encrypted with your public key, WinPT will use
your private key to decrypt it.
If you are a Linux user, I'd suspect you may enjoy reading the guide
on the GnuPG website. It's much more in depth and a better read
than this document. Nonetheless, you're probably itching to start
using GnuPG, so I'll give you a rundown.
If you don't already have the 'gpg' executable (just type it on the
command line to check), then download and install GnuPG from www.gnupg.org.
Create your keypair:
$ gpg --gen-key
Export your public key, send it to your friends, and upload it to a
public keyserver:
$ gpg --armor --export user@server.com
To save it to a file:
$ gpg --armor --export user@server.com > publickey.txt
To import a friend's public key:
$ gpg --import <filename>
or
$ gpg --import (then cut and paste the text and hit CNTL-D when you are
done)
Now sign the key (after you have compared its fingerprint, exactly as
described above). --lsign-key makes a local, non-exportable signature,
which is enough to stop the "not trusted" warning on this machine:
$ gpg --lsign-key <key ID>
or you can switch to interactive mode like this:
$ gpg --edit-key <key ID>
Command> sign
Command> quit
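The fingerprint comparison that both the WinPT and the gpg steps above depend on is easy to get wrong by eye, so here is an added helper (example code written for this page, not part of GnuPG or WinPT) that does the exact-match check for you. It assumes the key has already been imported and that you read the expected fingerprint from the key's owner; it parses the machine-readable output of `gpg --with-colons --fingerprint`, and the sample output embedded below is constructed, not a real key.

```python
import re
import subprocess

# Constructed sample of `gpg --with-colons --fingerprint` output (not a real
# key): a primary key (pub/fpr/uid) followed by one encryption subkey
# (sub/fpr).  An 'fpr' record carries the fingerprint in its 10th field.
SAMPLE_GPG_OUTPUT = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.com>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1700000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""

def normalize_fingerprint(text: str) -> str:
    """Strip spaces, colons and a 0x prefix and upper-case, so a fingerprint
    read aloud or typed from paper compares as the same 40 hex digits."""
    cleaned = re.sub(r"[\s:]", "", text).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a full v4 OpenPGP fingerprint: {text!r}")
    return cleaned

def primary_fingerprints(colon_output: str) -> list[str]:
    """Fingerprints of the primary keys only: the 'fpr' record right after
    'pub' is the primary; an 'fpr' after 'sub' is a subkey, not the value
    the owner read out to you."""
    found, after_pub = [], False
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "fpr" and after_pub:
            found.append(fields[9])
            after_pub = False
        elif fields[0] in ("sub", "uid"):
            after_pub = False
    return found

def fingerprint_matches(colon_output: str, expected: str) -> bool:
    """Exact match against a primary-key fingerprint; a near miss, or a match
    on only the last 8 or 16 digits (the key ID), counts as failure."""
    return normalize_fingerprint(expected) in primary_fingerprints(colon_output)

if __name__ == "__main__":
    import sys  # usage: python check_fpr.py <key ID or email> <fingerprint>
    out = subprocess.run(["gpg", "--with-colons", "--fingerprint", sys.argv[1]],
                         check=True, capture_output=True, text=True).stdout
    ok = fingerprint_matches(out, sys.argv[2])
    print("fingerprint matches; safe to --lsign-key" if ok else "MISMATCH: do not sign")
```

Only sign (or encrypt to) the key when the helper reports a match; a key ID alone is not enough, because short IDs can collide.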
Now you are ready to send emails to anyone whose key you
have. There are several wonderful programs for Linux that natively
support PGP. With these programs you can quickly click an
"encrypt" button and it will automatically encrypt based on what is in
the "To:" field.
Now go read that guide at www.gnupg.org! After you are
comfortable with the basic operation and sending emails to and from a
few of your trusted friends, it is important to learn about signing the
keys of your friends and getting those signatures updated on the keyservers.
GnuPG refers to this as the "web of trust." It's a must-read if you
are really relying on GnuPG.
Email us with corrections, suggestions, etc.
FuzzyMonkey.net