
Secure your email with Gpg4win. Part 1: introduction and installation

The best way to keep your private email private is to use PGP encryption. However, the concepts involved are complex and often confusing, a problem compounded by the fact that setting up PGP encrypted email is unintuitive and poorly explained in existing documentation. This ‘how-to’ guide aims to make the process clearer, providing step-by-step instructions for setting up PGP in Windows.

What is GnuPG?

Gnu Privacy Guard (also known as GnuPG or just GPG) is an open source clone of the highly popular email encryption program Pretty Good Privacy (which is now commercially available from Symantec). Developed by the Free Software Foundation, GnuPG is free, open source and completely compatible with PGP, using a full implementation of the OpenPGP standard (RFC 4880).

GnuPG works by encrypting messages using asymmetric key pairs generated by individual GnuPG users. The public keys can then be exchanged with other users, and users may add a digital signature to verify the identity of the sender and the message’s integrity.

If all this sounds complicated, that’s because it is! However, once you get your head around the key concepts, it all becomes much clearer.

With public-key cryptography, each user has a private key, which they keep secret and use to decrypt emails that were encrypted with their public key. They also have a public key, which they freely distribute so that other people can use it to send them encrypted mail.

  • Private key – kept secret and used to decrypt own mail
  • Public key – distributed so that others can use it to encrypt mail for sending to you

The GnuPG website provides lots of support, but much of it is highly technical and not newbie-friendly.

Gpg4win - the Windows Version

Gpg4win is the Windows version of GnuPG, and is really a suite of utilities held together by a common installer script. The utilities are:

  • Kleopatra – a certificate manager
  • GPA – another certificate manager
  • GpgOL – a plugin for Outlook
  • GPGEX – an extension for Windows Explorer
  • Claws Mail – a lightweight email program with GnuPG support built-in
  • Gpg4win Compendium – a manual

Use GPA to create a key pair

1. Download Gpg4win from the website, and install it (requires a reboot). We’re going to be using GPA and Claws Mail for this tutorial, so make sure you select them when given the option.

2. When you first install Gpg4win you are offered very little in the way of clues about how to proceed, so the first thing you should do is generate a key pair. To do this, fire up GPA and it will helpfully offer to generate a private key for you.

Simply follow the Wizard, inputting your name and email address (which are used to build the key), the password you want to use, and where you want to save the key. It is important to use the same email address that you will be sending your encrypted email from, and the password is important as the recipient will need it to decrypt your files. We are going to save the key in a folder called ‘Encryption keys’.

Congratulations! You now have your first key.

3. You now need to generate a public key, so that others can decrypt files that you encrypt with your private key. In GPA select the key you have just generated, click on ‘Export’, choose a name for the public key, a folder to save it to, and click ‘Save’.

We saved it to our ‘Encryption keys’ folder. If you look in the folder you will now see a key pair – your encrypted key (to be kept secret) and your public key (to share).

4. Share your public key – this can be done by simply emailing it to whoever you want to send encrypted mail to. The recipient should ‘Import’ this key in their instance of GPA (or ‘Import Certificates’ if using Kleopatra). You will also need to provide the intended recipients with the password you specified in step 2.

Encrypt your files or folders

You can now encrypt any file or folder, so that it can be sent to a recipient of your choice.

1. To encrypt a file or folder, right-click on it, and select ‘Sign and Encrypt’.

2. Check that the file save paths are where you want them, and that the ‘Sign and Encrypt (OpenPGP only)’ radio button is selected.

3. Select the recipients you want to encrypt the file for, and ‘Add’ to the list. When you are ready, click ‘Encrypt’. For the purpose of this tutorial, we will send the file to ourselves.

If you have more than one identity, you can choose which one you wish to use for signing. For now, just click ‘Sign and Encrypt’. If you choose not to sign in step 2, you won’t see this screen.

An encrypted version of the file or folder is created (with the .gpg file extension), which can then be simply emailed to the person you want to have it, or you can decrypt it yourself.

Decrypting a file or folder

1. If an encrypted file is emailed to you, download it to a convenient location, right-click on the file and select ‘Decrypt and verify’.

2. You will be asked to enter the passphrase set up by the sender (see step 2 of ‘Use GPA to create a key pair’ above). Remember that you will also need to have imported the sender’s public encryption key into your certificate manager (GPA or Kleopatra).

3. A new folder with the suffix .tar_1 (or similar) will be created, with the encrypted files inside.

Clicking ‘Show Details’ will give you more information about the certificate’s validity.
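
The three GUI procedures above (‘Use GPA to create a key pair’, ‘Encrypt your files or folders’ and ‘Decrypting a file or folder’) correspond to a handful of gpg.exe commands, which makes it easier to see which half of the key pair each step uses. The PowerShell below is an added example, not part of the original tutorial; it assumes gpg.exe from Gpg4win is on PATH, and the name, address, passphrase and file names are constructed sample values kept in a throwaway keyring.

```powershell
# Added example, not from the original tutorial. Assumes gpg.exe (installed by
# Gpg4win) is on PATH. Name, address, passphrase and file names are constructed.
$demo = Join-Path $env:TEMP ('gpgdemo-' + (Get-Random))
New-Item -ItemType Directory -Force -Path $demo | Out-Null
Set-Location $demo
$env:GNUPGHOME = $demo   # throwaway keyring; your real keys are untouched

$uid  = 'Demo User <demo@example.org>'
$addr = 'demo@example.org'
# Loopback pinentry lets the demo run unattended; in normal use omit these
# options and type the passphrase into the pinentry dialog instead.
$auto = @('--batch', '--yes', '--pinentry-mode', 'loopback',
          '--passphrase', 'constructed-demo-passphrase')

function Assert-Gpg($step) {
    if ($LASTEXITCODE -ne 0) { throw "gpg failed at: $step" }
}

# 'Use GPA to create a key pair', step 2: one command creates both halves.
# The passphrase protects the private half stored in this keyring.
gpg @auto --quick-generate-key $uid default default 1y
Assert-Gpg 'key generation'

# Step 3: export the public half as ASCII armor; this is the file you share.
gpg --armor --output public-key.asc --export $addr
Assert-Gpg 'public key export'

# Added check for step 4: after `gpg --import public-key.asc`, the recipient
# compares this fingerprint with the sender over a separate channel.
gpg --fingerprint $addr

# 'Encrypt your files or folders': sign with our key and encrypt to the
# recipient (ourselves, as in the tutorial).
Set-Content -Path message.txt -Value 'constructed sample message'
gpg @auto --local-user $addr --recipient $addr `
    --output message.txt.gpg --sign --encrypt message.txt
Assert-Gpg 'sign and encrypt'

# 'Decrypting a file or folder': decrypt and check the embedded signature.
# A bad signature or a failed decryption makes gpg exit non-zero.
gpg @auto --output message.decrypted.txt --decrypt message.txt.gpg
Assert-Gpg 'decrypt and verify'

if ((Get-Content message.decrypted.txt -Raw) -ne (Get-Content message.txt -Raw)) {
    throw 'round trip mismatch'
}
'Round trip OK: decrypted output matches the original file.'
```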


We’ve shown you how to install Gpg4win, how to create key pairs, and how to use it to encrypt and decrypt files. In its raw form Gpg4win is a little basic, but going through these steps is a good way to start understanding PGP encryption.

In the next tutorial in this two-part series we will look at integrating Gpg4win with the popular Thunderbird email client, so that you can easily send and receive encrypted emails.

Written by: Douglas Crawford

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.


  1. Bojan
    on December 23, 2017

    Great article. Can you tell me please if it is possible to use search functionality in Outlook to search for a PGP encrypted email? My company plans to use this tool, but it seems to be inconvenient in some situations, as the one I described. Users want to be able to search emails as usual. Thanks in advance, Bojan

    1. Douglas Crawford replied to Bojan
      on December 28, 2017

      Hi Bojan, Good question, but I'm afraid I don't use Outlook enough to be sure of the answer. A little research suggests that the best solution might be to create a search folder that only holds encrypted mail. More info here.

  2. dc
    on March 20, 2016

    In your experience, do businesses decrypt emails using Gpg? I want to mostly use this for business, not for personal. I could spend the time to educate for personal mails but would businesses even try to follow the instructions? Would Protonmail make more sense for these situations?

    1. Douglas Crawford replied to dc
      on March 21, 2016

      Hi dc, The biggest problem with PGP encryption is that, because it is complicated, take-up has never been great (this includes the business world). ProtonMail might make more sense for you, but please be aware that it is nowhere near as secure as using Gpg as outlined above.

  3. Yago
    on October 4, 2015

    Hi, great tutorial! Thank you! I do have a question. How do you keep your private key safe? Is the ‘Encryption keys’ folder encrypted? Do I need to make a backup on a pendrive just in case my computer crashes? Be well Y

    1. Douglas Crawford replied to Yago
      on October 5, 2015

      Hi Yago, Good question! No, the private key is not encrypted, so if you are worried about the physical security of your PC you should use another method to encrypt it. The simplest solution is to store it in a VeraCrypt container, so that it is automatically decrypted for use when the container is mounted. Yup, making a backup is a very good idea (and keeping it on an encrypted pen drive is an excellent solution).

      1. Yago replied to Douglas Crawford
        on October 7, 2015

        I use Cloudfogger a lot, but I don't trust anybody right now. I want to go encrypted just to get used to it and learn for the future, which I think will be worse than now. Also it is hard to cover all aspects: Android, PC, tablet, drive, Gmail, ProtonMail, Ghostmail, ... Thanks for your kind answer.

        1. Douglas Crawford replied to Yago
          on October 8, 2015

          Hi Yago, With Cloudfogger you should be aware that it is not open source, which means that you are trusting a commercial company to do right by you. I prefer open source solutions such as VeraCrypt.

  4. George R
    on September 1, 2014

    I don't have the option/button for "Encryption Folder" appearing as your illustration shows. Also, I skimmed over part 2 of the guide, where you recommend Thunderbird email--should that be entered when we first set this part up?

    1. Douglas Crawford replied to George R
      on September 2, 2014

      Hi George,

      • I am unclear about what you are referring to - is it step 3 of ‘Encrypt your files or folders’ - ‘Select the recipients you want to encrypt the file for, and ‘Add’ to the list. When you are ready, click ‘Encrypt’’? If you are referring to right-clicking on a folder or file and selecting ‘Sign and Encrypt’, you must restart Windows in order for the command to integrate into the OS’s right-click menu…

      • In Part 2 I explain in detail how to use Gpg4Win with Thunderbird. In order to do this you must set up Gpg4Win first, so it makes sense (to me anyway) to cover the basics of this complicated piece of software first before looking at how the two are used together…
