Secure your email with Gpg4win. Part 1: introduction and installation

The best way to keep your private email private is to use PGP encryption. However, the concepts involved are complex and often confusing, a problem compounded by the fact that setting up PGP-encrypted email is unintuitive and poorly explained in existing documentation. This ‘how-to’ guide is aimed at making the process clearer, providing step-by-step instructions for setting up PGP in Windows.

GnuPG

Gnu Privacy Guard (also known as GnuPG or just GPG) is an open source clone of the highly popular email encryption program Pretty Good Privacy (which is now commercially available from Symantec). Developed by the Free Software Foundation, GnuPG is free, open source and completely compatible with PGP, using a full implementation of the OpenPGP standard (RFC 4880).

GnuPG works by encrypting messages using asymmetric key pairs generated by individual GnuPG users. These keys can then be exchanged with other users, and users may add a digital signature to verify the identity of the sender and the message’s integrity.

If all this sounds complicated, that’s because it is! However, once you get your head around the key concepts, it all becomes much clearer.

With public-key cryptography, each user has a private key, which they keep secret and use to decrypt emails sent to them using their public key. They also have a public key, which they freely distribute so that other people can use it to send them encrypted mail.

  • Private key – kept secret and used to decrypt own mail
  • Public key – distributed so that others can use it to encrypt mail for sending to you

The GnuPG website provides lots of support, but much of it is highly technical and not newbie-friendly.

Gpg4win

Gpg4win is the Windows version of GnuPG, and is really a suite of utilities held together by a common installer script. The utilities are:

  • Kleopatra – a certificate manager
  • GPA – another certificate manager
  • GpgOL – a plugin for Outlook
  • GPGEX – an extension for Windows Explorer
  • Claws Mail – a lightweight email program with GnuPG support built in
  • Gpg4win Compendium – a manual

Use GPA to create a key pair

1. Download Gpg4win from the website, and install it (requires a reboot). We’re going to be using GPA and Claws Mail for this tutorial, so make sure you select them when given the option.

2. When you first install Gpg4win you are offered very few clues about how to proceed, so the first thing you should do is generate a key pair. To do this, fire up GPA and it will helpfully offer to generate a private key for you.

Simply follow the wizard, entering your name and email address (which are used to build the key), the password you want to use, and where you want to save the key. It is important to use the same email address that you will be sending your encrypted email from, and the password is important as the recipient will need it to decrypt your files. We are going to save the key in a folder called ‘Encryption keys’.

Congratulations! You now have your first key.

3. You now need to generate a public key, so that others can decrypt files that you encrypt with your private key. In GPA select the key you have just generated, click on ‘Export’, choose a name for the public key and a folder to save it to, and click ‘Save’.

We saved it to our ‘Encryption keys’ folder. If you look in the folder you will now see a key pair – your encrypted key (to be kept secret) and your public key (to share).

4. Share your public key – this can be done by simply emailing it to whoever you want to send encrypted mail to. The recipient should ‘Import’ this key in their instance of GPA (or ‘Import Certificates’ if using Kleopatra). You will also need to provide the intended recipients with the password you specified in step 2.
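The public key file exported in step 3 is typically ASCII-armored text (the .asc form defined in RFC 4880, section 6), which is what makes it safe to paste into an email. The following Python is an added example, not code from the article or from Gpg4win: it reproduces that wrapper and gives the recipient a check, before importing, that a pasted key block is complete and unaltered (matching BEGIN/END lines, a valid radix-64 body and a correct CRC24 checksum). The sample key bytes are constructed and are not a real OpenPGP key.

```python
import base64
import re

SAMPLE_KEY_BYTES = bytes(range(120))  # constructed stand-in, NOT a real OpenPGP key

def crc24(data: bytes) -> int:
    """Radix-64 checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Wrap binary OpenPGP data in ASCII armor, as a .asc export holds it."""
    body = base64.b64encode(data).decode()
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", "",
                      *(body[i:i + 64] for i in range(0, len(body), 64)),
                      "=" + check, f"-----END PGP {kind}-----", ""])

def dearmor(text: str) -> tuple[str, bytes]:
    """Parse an armored block; raise ValueError if malformed or the checksum fails."""
    lines = [ln.strip() for ln in text.strip().splitlines()] or [""]
    m = re.fullmatch(r"-----BEGIN PGP ([A-Z ]+)-----", lines[0])
    if not m or lines[-1] != f"-----END PGP {m.group(1)}-----":
        raise ValueError("BEGIN/END lines missing or mismatched: not a complete block")
    idx = 1                       # armor headers (e.g. Version:) end at a blank line
    while idx < len(lines) - 1 and lines[idx]:
        idx += 1
    body = [ln for ln in lines[idx + 1:-1] if ln and not ln.startswith("=")]
    check = [ln[1:] for ln in lines[idx + 1:-1] if ln.startswith("=")]
    if len(check) != 1:
        raise ValueError("CRC24 checksum line missing")
    data = base64.b64decode("".join(body), validate=True)  # binascii.Error is a ValueError
    if base64.b64decode(check[0], validate=True) != crc24(data).to_bytes(3, "big"):
        raise ValueError("CRC24 mismatch: block was truncated or altered")
    return m.group(1), data

def check_asc_text(text: str) -> str:
    """Verdict a recipient can act on before importing a pasted key block."""
    try:
        kind, data = dearmor(text)
    except ValueError as exc:
        return f"REJECT: {exc}"
    return f"OK: {kind}, {len(data)} bytes"
```

Whether the block is saved as .asc or .txt makes no difference to its contents; the check looks only at the text.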

Encrypt your files or folders


You can now encrypt any file or folder, so that it can be sent to a recipient of your choice.

1. To encrypt a file or folder, right-click on it and select ‘Sign and Encrypt’.

2. Check that the file save paths are where you want them, and that the ‘Sign and Encrypt (OpenPGP only)’ radio button is selected.

3. Select the recipients you want to encrypt the file for, and ‘Add’ them to the list. When you are ready, click ‘Encrypt’. For the purpose of this tutorial, we will send the file to ourselves.

If you have more than one identity, you can choose which one you wish to use for signing. For now, just click ‘Sign and Encrypt’. If you chose not to sign in step 2, you won’t see this screen.

An encrypted version of the file or folder is created (with the .gpg file extension), which can then simply be emailed to the person you want to have it, or you can decrypt it yourself.

Decrypting a file or folder

1. If an encrypted file is emailed to you, download it to a convenient location, right-click on the file and select ‘Decrypt and verify’.

2. You will be asked to enter the passphrase set up by the sender (see step 2 of ‘Use GPA to create a key pair’ above). Remember that you will also need to have imported the sender’s public encryption key into your certificate manager (GPA or Kleopatra).


3. A new folder with the suffix .tar_1 (or similar) will be created, with the encrypted files inside.

Clicking ‘Show Details’ gives you more information about the certificate’s validity.

We’ve shown you how to install Gpg4win, how to create key pairs, and how to use it to encrypt and decrypt files. In its raw form Gpg4win is a little basic, but going through these steps is a good way to start understanding PGP encryption.

In the next tutorial in this two-part series we will look at integrating Gpg4win with the popular Thunderbird email client, so that you can easily send and receive encrypted emails.


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+


13 responses to “Secure your email with Gpg4win. Part 1: introduction and installation”

  1. In your experience, do businesses decrypt emails using Gpg? I want to mostly use this for business, not for personal. I could spend the time to educate for personal mails but would businesses even try to follow the instructions? Would Protonmail make more sense for these situations?

    1. Hi dc,

      The biggest problem with PGP encryption is that, because it is complicated, take-up has never been great (this includes the business world). ProtonMail might make more sense for you, but please be aware that it is nowhere near as secure as using Gpg as outlined above.

  2. Hi, great tutorial! Thanks you!
    I do have a question. How do you keep your private key safe? Is the ‘Encryption keys’ folder encrypted? Do I need to make a backup on a pen drive just in case my computer crashes?
    Be well
    Y

    1. Hi Yago,

      Good question! No, the private key is not encrypted, so if you are worried about the physical security of your PC you should use another method to encrypt it. The simplest solution is to store it in a VeraCrypt container, so that it is automatically decrypted for use when the container is mounted. Yup, making a backup is a very good idea (and keeping it on an encrypted pen drive is an excellent solution.)

      1. I use Cloudfogger a lot, but I don’t trust anybody right now. I want to go encrypted just to get used to it and learn for the future, which I think will be worse than now. Also it is hard to cover all aspects: Android, PC, tablet, drive, Gmail, ProtonMail, Ghostmail, …….
        Thanks for your kind answer.

        1. Hi Yago,

          With Cloudfogger you should be aware that it is not open source, which means that you are trusting a commercial company to do right by you. I prefer open source solutions such as VeraCrypt.

  3. I don’t have the option/button for “Encryption Folder” appearing as your illustration shows.

    Also, I skimmed over part 2 of the guide, where you recommend Thunderbird email – should that be entered when we first set this part up?

    1. Hi George,

      • I am unclear about what you are referring to – is it step 3 of ‘Encrypt your files or folders’ – ‘Select the recipients you want to encrypt the file for, and ‘Add’ to the list. When you are ready, click ‘Encrypt’’? If you are referring to right-clicking on a folder or file and selecting ‘Sign and Encrypt’, you must restart Windows in order for the command to integrate into the OS’s right-click menu…
      • In Part 2 I explain in detail how to use Gpg4Win with Thunderbird. In order to do this you must set up Gpg4Win first, so it makes sense (to me anyway) to cover the basics of this complicated piece of software first before looking at how the two are used together…

  4. Your walkthrough is great! Now it makes a lot of sense cos I didn’t install GPA and was not able to find where the public key was.

    1. Hi MWan,

      I’m glad this helped. Gpg4win (and any PGP) can be very intimidating at first…

  5. Hi Pete,

    you wrote:
    “When you first install Gpg4win you are offered very little in the way of clues about how to proceed, so the first thing you should do is generate a key pair. ”
    but that might skip a very important step:

    It’s vital to verify that the downloaded software is indeed the software which originates from gnupg.org (so no man in the middle did exchange the software), i.e. follow the steps described here:

    http://www.gnupg.org/download/integrity_check.html

  6. Hi, I’m new to using PGP keys. I have made my own private and public keys and I can decrypt messages other people send to me no problem. So I’m using APG and I’m really having problems importing someone else’s public key so I can send them a message encrypted with their public key. I’m copying and pasting their public keys in Notepad and saving as a .txt file, but when I go to import it, it doesn’t even look for .txt files! Only .asc and some other ones. Is there a way to save the keys as a .asc file? Or am I doing something else wrong? I’ve been trying to make it work for nearly 3 days now. And I’ve tried Portable PGP and I have the same problems when importing .txt files. Please help.

    Thanks, Mat

    1. Hi Mat,

      By APG, do you mean Android Privacy Guard? We will quite happily look into using this app as part of a future guide, but are not currently familiar with it. You are probably best visiting the developer’s web site at http://www.thialfihar.org/projects/apg/, where the author appears quite happy to answer queries about the software…
