
How to send secure email using PGP

One of the biggest deficiencies of the virtual world is that authenticating a person is very hard. In the real world we can rely on our eyes, photo ID and other cues. None of these work directly in the digital world.

So, how can we authenticate users? Using PGP to fill this gap is very common, and that is what I will discuss today. PGP has a stormy history, which I will not go into here; instead I refer you to the PGP Timeline.

What is needed to send secure email, files or other types of messages to people over the internet? We will use the GnuPG package, which is easily installed on just about any system, including Windows. On Ubuntu or another Debian-based system, just run apt-get install gnupg and you are all set.

You should also install seahorse, a GNOME application that lets you manage your keys easily. Once installed, it is available under Applications -> Accessories -> Encryption keys.

The first task is to create your very own key pair, which lets you sign your messages and lets others send encrypted messages to you. Choose Key -> Create new key, select PGP Key, and you will be presented with a form where you enter your details. You will then be asked for a passphrase for your key; it is crucial that you choose a very long one, preferably longer than 20 characters, because it is all that protects the secret key if the file is ever copied.

createkey.png

Create a key that is at least 3072 bits long; this will provide protection well into the future. While you are at it, you might as well use 4096 bits. Note that generating the key takes a while, so be patient.

Now that you have your own key pair, first export the complete key pair (secret key included) by selecting the key and clicking Properties. This backup must be kept in a very safe place, such as a safe or a bank deposit box: anyone who gets hold of it and your passphrase can read your mail and sign as you.

You may now select Sync and publish keys in the Remote menu to upload your public key to a public keyserver such as pgp.mit.edu. This lets others fetch your public key automatically. Only the public key is published; the secret key never leaves your machine.

If you open ~/.gnupg/gpg.conf in your favorite text editor and add the following two lines at the end, GnuPG will try to fetch public keys automatically when they are missing, for example when verifying a signature from someone whose key you do not yet have:

keyserver hkp://wwwkeys.pgp.net
keyserver-options auto-key-retrieve

Keep in mind that a key fetched this way is just a file from a server: anyone can upload a key carrying your friend's name, so it proves nothing about its owner until you have checked its fingerprint, as described further down.

To actually use GnuPG you will have to configure your email client. Evolution has built-in support for PGP, and Mozilla Thunderbird gains it through the Enigmail extension; Ubuntu users can install the mozilla-thunderbird-enigmail package.

evolution-gpg.png

Note that it is advisable to tick Always encrypt to myself. Without this setting you will not be able to read the encrypted messages you send to other people: they are encrypted only to the recipient's key, and only the recipient's secret key can decrypt them.

You are now ready to send and receive encrypted and signed mail!

But, you say, how does this key identify me as a person? Well, it doesn't, yet. For that, you must sign other people's keys and have other people sign your key, meaning that they vouch for your identity.

This is normally done face-to-face or at bigger key-signing events. The general principle is that you bring the fingerprint of your key, and others verify that the key they have is the one with that fingerprint. You must also bring a valid photo ID, and this is the crucial step: by showing your photo ID, you tie your PGP key to you as a person. You can get more information on key-signing events from The Keysigning Party HOWTO.

This means that you must be very thorough with the verification procedure, since it is the ground on which the PGP trust model rests. If it is not done correctly, the encryption is worthless: you would be encrypting to a key without really knowing who is at the other end.

So, to sign someone's key, open the properties for that key and select the Trust tab.

trust-tab.png

Here you tick the top check-box once you have verified the person's photo ID and checked the fingerprint of the key. Seahorse will automatically synchronize the key with a keyserver once you have signed it. The check-box underneath is where you decide whether to trust the signatures made by the person you are signing. If you tick it, every key this person has signed will automatically count as verified in your keyring. Do not tick this box if you think the person does not manage their keys carefully, or if you have any other reason to distrust their signatures: signing a key only says "this key belongs to this person", while this second box says "I also trust this person's judgement about other people's keys".

Note that all steps in this article can also be done with the command-line tool gpg. If you prefer that route, read The GNU Privacy Handbook or try gpg --help for general information.
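The whole procedure above, done with gpg instead of seahorse, as an added example that is not from the article. It assumes GnuPG 2.1 or later; Alice, Bob, Carol, their example.org addresses and the test message are made up; no keyserver is contacted, so "publishing" a key is simulated by handing over the exported file; and the keys are generated without a passphrase purely so the script can run unattended, which the article rightly tells you never to do for a real key. It walks through key generation, backup, fingerprint check, key signing, owner trust, and a signed, encrypted mail that both sender and recipient can read.

```shell
#!/bin/sh
# Added example, not from the article: the seahorse steps done with plain gpg
# (GnuPG 2.1 or later assumed), offline, in throw-away keyrings. Alice, Bob,
# Carol and their example.org addresses are made up for the demo.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping demo" >&2; exit 0; }

WORK=$(mktemp -d /tmp/pgpdemo.XXXXXX)
ALICE="$WORK/alice"; BOB="$WORK/bob"; CAROL="$WORK/carol"
mkdir -m 700 "$ALICE" "$BOB" "$CAROL"

# Unattended key generation ("Create new key"). %no-protection skips the passphrase
# only so the demo runs without a prompt; a real key gets a 20+ character one.
gen_key() { # $1 = GNUPGHOME  $2 = real name  $3 = e-mail
  cat >"$1/params" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
  GNUPGHOME="$1" gpg --batch --quiet --gen-key "$1/params" 2>/dev/null
}

# Primary-key fingerprint of key $2 in keyring $1, as 40 hex digits.
fpr() { GNUPGHOME="$1" gpg --batch --with-colons --fingerprint "$2" 2>/dev/null |
        awk -F: '$1=="fpr"{print $10; exit}'; }

# Validity keyring $1 assigns to key $2: '-' or 'q' unknown, 'f' full, 'u' ultimate.
validity() { GNUPGHOME="$1" gpg --batch --quiet --check-trustdb 2>/dev/null || true
             GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" 2>/dev/null |
             awk -F: '$1=="pub"{print $2; exit}'; }

pgp_demo() {
  gen_key "$ALICE" "Alice Example" alice@example.org
  gen_key "$BOB"   "Bob Example"   bob@example.org
  gen_key "$CAROL" "Carol Example" carol@example.org

  # Backup: the complete key pair, secret key included, is what goes in the safe.
  GNUPGHOME="$ALICE" gpg --batch --armor --export-secret-keys alice@example.org >"$WORK/alice-backup.asc"
  # Public keys only: this is what "Sync and publish keys" would hand to a keyserver.
  GNUPGHOME="$ALICE" gpg --batch --armor --export alice@example.org >"$WORK/alice.asc"
  GNUPGHOME="$BOB"   gpg --batch --armor --export bob@example.org   >"$WORK/bob.asc"
  GNUPGHOME="$CAROL" gpg --batch --armor --export carol@example.org >"$WORK/carol.asc"

  # Bob fetches Alice's key. Nobody he trusts has signed it, so it is not yet valid.
  GNUPGHOME="$BOB" gpg --batch --quiet --import "$WORK/alice.asc" 2>/dev/null
  ALICE_BEFORE=$(validity "$BOB" alice@example.org)

  # Key-signing party, top check-box: Bob compares the fingerprint Alice showed him
  # (here: read straight from her keyring) with the key he got, then signs it.
  ALICE_FPR=$(fpr "$BOB" alice@example.org)
  [ "$ALICE_FPR" = "$(fpr "$ALICE" alice@example.org)" ] || { echo "fingerprint mismatch, do not sign" >&2; return 1; }
  GNUPGHOME="$BOB" gpg --batch --quick-sign-key "$ALICE_FPR" 2>/dev/null
  ALICE_AFTER=$(validity "$BOB" alice@example.org)

  # Second check-box (owner trust). Alice has verified and signed Carol's key ...
  GNUPGHOME="$ALICE" gpg --batch --quiet --import "$WORK/carol.asc" 2>/dev/null
  GNUPGHOME="$ALICE" gpg --batch --quick-sign-key "$(fpr "$ALICE" carol@example.org)" 2>/dev/null
  GNUPGHOME="$ALICE" gpg --batch --armor --export carol@example.org >"$WORK/carol-signed.asc"
  # ... but her signature counts for Bob only once he grants her owner trust.
  GNUPGHOME="$BOB" gpg --batch --quiet --import "$WORK/carol-signed.asc" 2>/dev/null
  CAROL_BEFORE=$(validity "$BOB" carol@example.org)
  echo "$ALICE_FPR:5:" | GNUPGHOME="$BOB" gpg --batch --quiet --import-ownertrust 2>/dev/null  # 5 = full
  CAROL_AFTER=$(validity "$BOB" carol@example.org)

  # Sign and encrypt a mail to Alice; --encrypt-to is "Always encrypt to myself".
  printf 'Hello Alice, a signed and encrypted test message.\n' >"$WORK/msg.txt"
  GNUPGHOME="$BOB" gpg --batch --yes --armor --sign --encrypt \
      --recipient alice@example.org --encrypt-to bob@example.org \
      --output "$WORK/msg.asc" "$WORK/msg.txt" 2>/dev/null
  # Alice needs Bob's public key to check his signature; GOODSIG is gpg's verdict.
  GNUPGHOME="$ALICE" gpg --batch --quiet --import "$WORK/bob.asc" 2>/dev/null
  SIG=$(GNUPGHOME="$ALICE" gpg --batch --status-fd 1 --output "$WORK/plain.txt" \
        --decrypt "$WORK/msg.asc" 2>/dev/null | awk '$2=="GOODSIG"{print $2; exit}')
  PLAIN=$(cat "$WORK/plain.txt")
  # Thanks to --encrypt-to, the sender can still read his own message.
  BOB_COPY=$(GNUPGHOME="$BOB" gpg --batch --quiet --decrypt "$WORK/msg.asc" 2>/dev/null)

  for h in "$ALICE" "$BOB" "$CAROL"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
}

pgp_demo
echo "Alice's key in Bob's keyring: validity $ALICE_BEFORE before, $ALICE_AFTER after Bob signed it"
echo "Carol's key (signed by Alice): validity $CAROL_BEFORE before, $CAROL_AFTER after Bob trusted Alice"
echo "Alice read: '$PLAIN' (signature: ${SIG:-BAD}); Bob's own copy matches: $([ "$PLAIN" = "$BOB_COPY" ] && echo yes || echo no)"
rm -rf "$WORK"
```

The two validity transitions are the point: Bob's own signature makes Alice's key go from unknown to full (the top check-box), while Carol's key, signed only by Alice, stays unknown until Bob grants Alice owner trust (the second check-box). The fingerprint comparison before --quick-sign-key is the step the article insists on; here it reads the fingerprint from Alice's own keyring, which stands in for reading it off the slip of paper she brought to the party.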

I have now covered the basics of PGP, but do not be afraid to explore the possibilities. A good place to start is The GNU Privacy Handbook, where you can read more about PGP in general and GnuPG in particular. If you have decided to try PGP, you are welcome to send me a signed and encrypted test message. My key ID is 0x98CEC53A and it can be found on most keyservers. To find people using PGP in your neighbourhood, log on to Biglumber and do a quick search.

Privacy is becoming more and more important in the world. I hope that you will try this out and spread it to your friends and family. In the end, we should all hope for a safer, more secure and open society.