Wednesday, May 30, 2012

GPG on Windows

This post is for people who are wondering why I have an unreadable block of text in most of my messages.

Also, as fair warning to everyone who may want to contact me later, starting on 7 July, 2012, I will no longer be reading emails that were not signed/encrypted with GPG/PGP, unless they are from a very specific set of senders, such as VT's email system for the online class systems (Scholar).

How can I use GPG?
First, what email program do you use? In any case, the first step is always the same: install GPG4Win before doing anything else.

Mozilla Thunderbird
  1. Install Enigmail
  2. Import/create a GPG key
  3. Set the password/passphrase to be something memorable. Longer is better.

Microsoft Outlook (any version) x64
  1. Sorry, you are going to have to get a different version of Outlook or get a free email program

Microsoft Outlook (2007) x32
  1. GPG4Win installed a plugin; there should be a "first run" wizard when you initially start it.
  2. Import/create a GPG key
  3. Set a nice, long, password/passphrase that only you will know.

Evolution (Windows)
  1. Although a primarily Linux email application, this is available for Windows in an experimental version. Some functionality will be broken.
    1. Such as GPG support
  2. You will still need to install GPG4Win even though the email client supports GPG without plugins: it does not contain GPG itself but simply calls the command-line version of GPG with the right arguments.

Evolution (Linux)
  1. Most distributions have everything set up, so you only have to import/create a key in a system dialog. Evolution is already configured to use it, but you will need to manually check boxes, etc. in order to sign/encrypt your email messages.


What is GPG?
     GPG (GNU Privacy Guard) is a program that uses the PGP (Pretty Good Privacy) algorithms and is mostly compatible with PGP.

What does it do?
     GPG allows users to encrypt/sign messages to send to other users; encryption depends upon the receiver having what is called a "private key" and the sender having the "public key." No one else can read the message without the "private key," not even the sender. Usually, the software that encrypts the message encrypts it twice: once with the receiver's public key and once with the sender's public key.

How does it work?
     It uses several algorithms, but here is a version in layman's terms, similar to the one used in GPG's documentation.
Imagine a safe. Now, imagine that there are two keys, one that everyone can access (the "public key") and one that only you have access to (the "private key"). The "public" key can only lock the safe (encrypt the message) but can never open it again, while the "private" key can unlock the safe and open it. This means that, once encrypted, a message may never be read by anyone but the intended recipient OR someone who has access to their private key.

Is there anything that prevents someone else from using the private key?
     Yes. The "private" key is usually protected by a password or a passphrase. If done correctly, it would take an attacker a very long time (several trillion years), even with the fastest known computers, to break into the private key.
The private key is actually far harder to guess than any passphrase put upon it, since it is, in essence, a passphrase protecting information. However, in order to guess the passphrase protecting the private key, the attacker must first obtain a copy of the private key itself; it cannot be derived from the public key.

Why should you use GPG?
     First off, you never know when you might have to send sensitive information (such as the password to a bank account, to a spouse) or receive sensitive information. Second, it will allow you to ensure that a message is really from Allan instead of his spouse Alexia (they share a joint email account). Third, it will establish that you had a reasonable expectation of privacy if, for whatever reason, you are indicted based on information in your email (so long as you encrypted it, anyway). Right now, virtually no one has any expectation of privacy in their email messages because they are almost always sent in plain text.

Notice: This information comes primarily from the GPG documentation included in GPG4Win and the GPG website. I just wrote it in my own words. Also, I added some analysis on why you should use GPG along with some of my experiences using it.