This tutorial will show you how I choose to do GPG-encrypted email in the Gmail web interface. I use GPG because it is the free, open-source counterpart to the commercial PGP program (both implement the OpenPGP standard, so they can exchange mail with each other).
There are a TON of tutorials on how to use GPG with Thunderbird and its plugin, Enigmail. If you read your Gmail or other webmail through Thunderbird, one of those tutorials will work for you. I used to do this when I used a mail client like Thunderbird; I have used webmail exclusively for a few years now. It is MUCH safer than a mail client.
I make the point of saying this is how I choose to handle GPG in gmail, because it is a choice. There are other options. Do what works for you. If others have or find tools that work well, please share with the site.
The options I have found are limited, though. Chrome and Firefox both have plugins, but the Firefox plugin has been discontinued and is no longer supported, and its Gmail support was removed because of bugs. The few Chrome plugins I have found either do not work and/or are still in beta or alpha with security flaws such as XSS vulnerabilities, which is a bad thing in a piece of software that handles your plaintext and your private key.
Google sells a product called Postini that does encrypted email, so they are not eager or willing to help competing products or plugins.
I use two programs. The first is GnuPG, GNU Privacy Guard, usually just called "GPG".
- The name is a deliberate nod to PGP: GnuPG is the GNU project's implementation of the same OpenPGP standard, so it reads and writes the same messages and keys.
The second is Cryptophane, a very lightweight, also open-source, GUI front-end for GPG. Without a front-end you must drive GPG from the command line. Yes, the command line is always cooler, but at some point you just want to send some email and take as little time as possible doing it.
You can download the original GPG program or the newer GPG4Win.
I made an .msi package of the original GPG (1.4.x) to install through Group Policy on Windows domains, but you can also run the .msi locally like a normal installer. It is a silent install:
ftp://ftp.ininjas.com:9999/pub/users/grinch/gnupg-w32cli-1.4.11.msi
If you are following "The Sandwich Rule": I made this from the trusted GPG source and it has not been touched or altered by anyone else. That being said, I am not responsible for it. I made it and am offering it, but I am not supporting it for everyone who downloads it.
Cryptophane's home is located at
http://code.google.com/p/cryptophane/downloads/list
You can download the .exe installer from there. I have made an .msi for this program too. Silent install:
ftp://ftp.ininjas.com:9999/pub/users/grinch/cryptophane-0.7.0.msi
The same Sandwich Rule applies: you know who made this, and that it is made from the original, unaltered source.
Get both GPG and Cryptophane installed. If you use the original installers and have trouble getting either installed, contact GPG4Win or Cryptophane for support. I use my own .msi files and don't have any issues getting them installed. Basically, it is fine if you want to use the original files and not trust mine; just don't come looking for help from me. Whichever installer you pick, check the download against the signature or checksum the project publishes before running it: an installer for your encryption software is exactly the file an attacker would most like to swap out.
Now, let's generate a key pair. Typing "key pair" reminded me that many of you do not know about asymmetric encryption yet. Well, you will have to stay in the dark for now; this is not one of those tutorials. Maybe a post in How Things Work will come in the future...
Key > Generate Secret Key
Fill in your name and your VALID email address. Enter a password to protect this private key from being used by other people. The password encrypts the key file on disk, so someone who copies the file still cannot sign or decrypt as you without it; GPG will ask for it every time you sign or decrypt.
Check the box for Key Expires and choose a future date: a year, 3 years, 5 years. Trust me, I speak from personal experience: you want the key to expire, so that if you lose it or lose access to it, it becomes invalid unless renewed, and you can generate a new one for the same email address once it does. You also don't want someone who steals your private key to be able to impersonate you forever. Keep in mind that expiry only limits the damage going forward; anything already encrypted to a stolen key can still be read by whoever holds it. There is also key revocation, but that will not be covered in this tutorial. The one thing worth doing now is generating a revocation certificate (gpg --gen-revoke on the command line) and keeping it somewhere safe, so a lost or stolen key can be declared dead before the expiry date arrives.
While we're here, let's raise the key size as far as the dialog allows: change ElGamal to 2048.
Back in the Cryptophane main screen, you should see your new key.
Now we need to upload your public key to a public keyserver so that others can find it to encrypt mail to you. Keyservers are not a PKI: they do not check who uploads what, so anyone can post a key under your name or address, and the same goes for keys you fetch. The fingerprint, not the name on the key, is what you compare with your correspondent.
Key > Send to Keyserver
Select your key from the list. pgp.mit.edu should already be selected. Click Send.
I upload my key to all available servers. Cryptophane shows an .au one. There used to be a European one; not sure what happened to it. Repeat the same procedure, this time selecting the other server from the drop-down. Choose your key. Click Send.

You are now ready to send and receive PGP/GPG encrypted email!

Encryption
Now, let's send an email. First you need the public key of the person you want to send it to.
Key > Search Keyserver
Type in the name or email address (email gives better results) and click Search.
When you find the key, select it and click Add Selected Keys. Before you use it, confirm its fingerprint with the person through some other channel (phone, in person, a web page you already trust): the keyserver returns every key anyone has ever uploaded under that name or address, including fakes. After you add a key once, you will not need to do this for each email.
I sometimes compose the actual email in Gmail so that I get spell-checking and auto-saved drafts. This is obviously less secure: Gmail saves those drafts to Google's servers in plaintext as you type, so the unencrypted message has left your machine before you ever encrypt it. If you do this you will need to copy your completed message into Cryptophane anyway, so most of the time I put the message straight into Cryptophane.
File > Message
Type or paste your message, then click OK
On the next screen, "Encrypt with Public Key" should already be checked. Choose the recipient's public key that you downloaded from the keyserver. Check "Sign with private key" and select your private key, so the recipient can verify that the message really came from you and was not altered in transit. Click Process.
Enter the password you created when you generated your key pair. Click OK.
You should see a Success message. Click OK.
The next window shows the output, which has already been copied to the Windows clipboard.
Paste the block into your email. You can type unencrypted text above and below the block, but not inside it, and remember that everything outside the block, the subject line included, is sent in the clear. Click Send.

You have just sent an encrypted email!

Decryption
On the other end, or when you get a reply, you will need to decrypt the message.
Highlight the entire block, from BEGIN to END, including all the ---. Ctrl+C to copy it to the clipboard.
Back in Cryptophane; File > Message
Paste the block. Click OK
Enter the password for your private key. Click OK.
You should see a success message and, if they signed it, that the signature was verified. Click OK. A verified signature means the message was signed by the key you fetched for that address; it only proves who sent it if you checked that key's fingerprint with them.
The Output should show the decrypted message
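The whole procedure above, from generating a key pair through decrypting a reply and checking its signature, can be done with the gpg command line instead of Cryptophane; the commands below are the ones the GUI is driving for you. This is an added example, not code from this post or from the Cryptophane project. It assumes gpg is on the PATH and is GnuPG 2.1 or later (for the %no-protection line), runs in a throwaway keyring so it never touches your real keys, and keeps both correspondents in that one keyring so it runs offline; the names, the example.invalid addresses and the message text are invented for the demo.

```shell
#!/bin/sh
# Added example (not from the post): the Cryptophane workflow on the gpg command
# line, in a throwaway keyring. Assumes GnuPG 2.1+ (for %no-protection). Names,
# addresses and the message are invented; both people share one keyring so it
# runs offline. Exits 0 with a note if gpg is not installed.
set -eu

if ! command -v gpg >/dev/null 2>&1; then
  echo "gpg is not installed; nothing to demonstrate" >&2
  exit 0
fi

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
cleanup() { gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"; }
trap cleanup EXIT

# Key > Generate Secret Key, non-interactively. Expire-Date: 1y is the expiry the
# post recommends. %no-protection skips the passphrase; acceptable ONLY because this
# keyring is deleted at exit. Drop that line for a real key and gpg asks for one.
gen_key() {  # $1 = real name, $2 = email
  gpg --batch --quiet --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $1
Name-Email: $2
Expire-Date: 1y
%no-protection
%commit
EOF
}

# Key > Send to Keyserver / Search Keyserver, minus the network: --export prints
# the ASCII-armored public key to hand over by any channel, --import reads one in.
# (Against a keyserver the equivalents are --send-keys and --recv-keys.)
export_pubkey() { gpg --batch --armor --export "$1"; }

# The fingerprint is what you read to the other person over the phone before
# trusting a key from a keyserver. --with-colons gives machine-readable output;
# the fpr record carries the 40-hex-digit fingerprint in field 10.
fingerprint() {
  gpg --batch --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# File > Message with "Encrypt with Public Key" and "Sign with private key" checked.
# stdin = plaintext, stdout = the -----BEGIN PGP MESSAGE----- block for the email.
# Keys generated here are trusted automatically. For a key imported from a keyserver,
# gpg in --batch mode refuses to encrypt to it until you have signed it (after
# checking the fingerprint) or pass --trust-model always, which the GUI quietly does.
encrypt_and_sign() {  # $1 = sender address, $2 = recipient address
  gpg --batch --quiet --armor --local-user "$1" --recipient "$2" --sign --encrypt
}

# Decryption: stdin = pasted block, stdout = plaintext. --status-fd turns the
# dialog's "Signature was verified" into parseable status lines; GOODSIG is the one
# to demand. Returns 1 if decryption fails or the message carries no good signature
# from a key in the keyring (an encrypted-but-unsigned message also fails here).
decrypt_and_verify() {
  status=$(mktemp)
  if gpg --batch --quiet --status-fd 3 --decrypt 3>"$status" \
     && grep -q '^\[GNUPG:\] GOODSIG ' "$status"; then
    rm -f "$status"
    return 0
  fi
  rm -f "$status"
  return 1
}

# Demo: Alice mails Bob. (Constructed sample data.)
gen_key "Alice Example" "alice@example.invalid"
gen_key "Bob Example"   "bob@example.invalid"
echo "Bob's fingerprint, to confirm out of band: $(fingerprint bob@example.invalid)" >&2

MESSAGE='Meet at noon. (constructed sample message)'
BLOCK=$(printf '%s\n' "$MESSAGE" | encrypt_and_sign alice@example.invalid bob@example.invalid)
printf '%s\n' "$BLOCK"                        # what gets pasted into the email body
printf '%s\n' "$BLOCK" | decrypt_and_verify   # what Bob sees after pasting it back in
```

Two things the GUI hides are visible here: the trust decision (gpg will not encrypt to a keyserver key in batch mode until you sign it or override trust), and the difference between "decrypted" and "signature verified", which decrypt_and_verify keeps separate by grepping the status lines for GOODSIG rather than only checking gpg's exit code.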
Before anyone asks, doing this on iOS is ALL COMMAND LINE. I saw an App Store app for $50 that claims it can do encrypted email. Never tried it; $50 is too much to pay for free, open-source technology, imo. If you are jailbroken, like most of us are, you can install gpg. I have not seen any iOS front-ends for it. That does not mean they don't exist; I just have not found any. To use it you need to put your message in a file, use the GPG command line to encrypt the file, and email the encrypted file. Your recipient must download the attached file and decrypt it to read your message.