
Strong Public Key Encryption for the Rest of Us

This document attempts to convey the motivation and use of strong public key encryption. Readers should be able to install encryption software, generate their own key pair and know how to encrypt and decrypt files.

Motivation

Lorem Ipsum ...

Installing GPG4Win

GPG4Win is the GNU implementation of PGP encryption technology bundled in a simple Windows installer. First, visit http://www.gpg4win.com/ to download the installer. On the gpg4win homepage there is a big green button to download the latest version. Click it and choose to save the file.

  Gpg4win download screenshot
After saving the installer, open Windows Explorer at the saved location and launch the installer by double-clicking its icon. If you are using Windows 7 or Windows Vista, User Account Control may warn that you're about to run a file downloaded from the internet: allow it by clicking Yes.

Step by step through the installer

Note: If you get lost in the following blurb of steps, have a look at the Illustrated step by step installer appendix.

  1. Select your preferred language on the first screen of the installer and click OK.
  2. Click Next on the Welcome step.
  3. Click Next to accept the license agreement.
  4. Uncheck the GpgOL checkbox. This provides an Outlook plugin to use with GPG, but will not be covered in this article.
  5. Click Next to accept the default install location.
  6. Select the Start Menu option and click Next.
  7. Click Next to accept the default Start Menu folder.
  8. The installer will copy and install the necessary files. This will take a few moments.
  9. Check the box to skip root certificate setup. This is necessary for X.509 certificates, but not PGP encryption. It is rather technical and not discussed further in this article.
  10. Uncheck the readme option and click Finish.

Running GPG and Creating Your Own Keys

Note: Again, there are illustrated steps in the appendix.

After installing Gpg4win, there will be a new application folder in the Start Menu for running the GNU Privacy Assistant, or GPA. GPA is the graphical interface to the GPG utilities. To open GPA, click Start, All Programs, Gpg4win, GPA. The first time GPA is launched after installation, it will prompt you to create an encryption key-pair. When creating the keys, the program will prompt for a name and email address to put on the key-pair.

Give some thought to the name and email address you submit. They will be used to identify the key owner in public key registries as well as in signed and encrypted files. If the purpose of the key is to identify yourself, put your real information. If it is to identify a different personality, as is the case in the associated illustrations, then use the information of that personality. Beware that when you post the public key portion to a key registry, this information will be publicly visible; it is also what others rely on to verify your signed files.

As mentioned in the Motivation section, public key encryption works by having two parts: the public key and the private key. If the private key is lost, you will no longer be able to sign files or decrypt files that were encrypted for you. If your private key is compromised or stolen, others can use it to steal your digital identity. Be sure to select the option to create a backup of your private key, and protect the private key file as you would a real-world ID or credit card.

To limit the damage from a stolen private key file, protect the key with a passphrase. This is HIGHLY recommended and should not be considered optional. The passphrase should not be easily guessable, yet unforgettable to the owner. Nobody can recover a forgotten passphrase, and the key-pair will become useless.

Once the key-pair has been created, an expiration date should be set to force the key to eventually be changed. While keys are much more secure than typical passwords, proper security procedures mandate that credentials change over time. Given enough time and resources, an attacker can overcome any level of security. To set an expiration date, highlight the key in the main grid of the GPA window and click the Edit button in the toolbar. Notice that the key's passphrase can be changed from the edit window as well. Select the option to set the expiration date and choose a date. Typically 1 to 2 years is sufficient. If the key is for a high-profile personality, such as a human rights activist in a fascist country, then the expiration should be significantly shorter. After the key has expired, it can still be used to decrypt files and verify signatures created prior to the expiration.

Finally, once the key has been fully set up, it is time to publish the public key so that others can vouch for the owner by signing the public key, and so the general public can find it and verify that it belongs to the personality it claims. To publish the public key, highlight the key, then click the Server menu and select Send Keys. By default, GPA uses the key registry at keys.gnupg.net. This can be changed in the Preferences by checking "Show advanced options."

Tip: You may create additional keys by going to the Keys menu and selecting the "New key..." menu item. From there the steps are the same as above.
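The same workflow the GPA screens walk through above (create a passphrase-protected key-pair, set and later change its expiration, export the public key for publishing, keep a backup of the private key, and confirm the key can encrypt and decrypt a file) can be driven from the gpg command line that Gpg4win installs. The script below is an added example, not part of the original article or of the Gpg4win project; it assumes gpg 2.1.17 or newer (for the --quick-gen-key and --quick-set-expire options), and the name, email address and passphrase in it are constructed sample values, not anyone's real identity. It works entirely inside a temporary GNUPGHOME so the real keyring on the machine is never touched.

```shell
#!/bin/sh
# Added example (not from the original article): the GPA key-creation
# workflow done with the gpg command line in a throwaway keyring.
# Assumes gpg >= 2.1.17. NAME and PASS are constructed sample values.
set -e

NAME="Example Persona <persona@example.invalid>"   # constructed user id
PASS="correct horse battery staple"                # sample passphrase only

# Every key operation runs inside a temporary GNUPGHOME so the user's
# real keyring is never read or modified.
setup_home() {
    export GNUPGHOME
    GNUPGHOME=$(mktemp -d)
    chmod 700 "$GNUPGHOME"
}

# Common flags: --batch for unattended use, loopback pinentry so the
# passphrase comes from this script instead of a dialog window.
g() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" "$@"
}

# Step 1: generate the key-pair, passphrase-protected, with a one-year
# expiry from the start. Prints the fingerprint of the new primary key.
generate_key() {
    g --quick-gen-key "$NAME" default default 1y 2>/dev/null
    gpg --batch --with-colons --list-keys "$NAME" 2>/dev/null \
        | awk -F: '/^fpr/ { print $10; exit }'
}

# Step 2: change the expiry later (the "Change expiration" button in GPA).
# Prints the new expiry as a Unix timestamp so a caller can check it moved.
set_expiry() {
    fpr=$1; period=$2
    g --quick-set-expire "$fpr" "$period" 2>/dev/null
    gpg --batch --with-colons --list-keys "$fpr" 2>/dev/null \
        | awk -F: '/^pub/ { print $7; exit }'
}

# Step 3: export the public half for publishing, and the private half as
# the backup the article tells you to keep somewhere safe. The exported
# private key stays protected by the passphrase.
export_public() { gpg --batch --armor --export "$1"; }
export_backup() { g --armor --export-secret-keys "$1"; }

# Step 4: encrypt a small file to the key and decrypt it again; prints the
# recovered plaintext so the roundtrip can be verified.
roundtrip() {
    fpr=$1; plain=$2
    tmp=$(mktemp)
    printf '%s' "$plain" > "$tmp"
    gpg --batch --yes --quiet --trust-model always \
        --recipient "$fpr" --encrypt --output "$tmp.gpg" "$tmp"
    g --decrypt "$tmp.gpg" 2>/dev/null
    rm -f "$tmp" "$tmp.gpg"
}

# Stop the agent that gpg started for the temporary home and delete it.
cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

main() {
    setup_home
    fpr=$(generate_key)
    echo "created key $fpr"
    first=$(set_expiry "$fpr" 1y)
    second=$(set_expiry "$fpr" 2y)
    if [ "$second" -gt "$first" ]; then
        echo "expiry moved from $first to $second"
    fi
    export_public "$fpr" | head -n 1        # the armored public key block
    export_backup "$fpr" > "$GNUPGHOME/private-key-backup.asc"
    echo "decrypted: $(roundtrip "$fpr" hello)"
    cleanup
}
```

Run it as `sh keys.sh` after adding a final line `main "$@"`. The fingerprint printed by generate_key is the value to quote when publishing the key; the backup file written by export_backup is what the article's USB-drive step is about, and it is only usable together with the passphrase.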

Encrypting and Decrypting Files


Signing and Verifying Signed Text


Certifying Others' Keys


Appendix: Illustrations

Illustrated step by step installer

  • Select your preferred language on the first screen of the installer and click OK.
  • Click Next on the Welcome step.
  • Click Next to accept the license agreement.
  • Uncheck the GpgOL checkbox. This provides an Outlook plugin to use with GPG, but will not be covered in this article.
  • Click Next to accept the default install location.
  • Select the Start Menu option and click Next.
  • Click Next to accept the default Start Menu folder.
  • The installer will copy and install the necessary files. This will take a few moments.
  • Check the box to skip root certificate setup. This is necessary for X.509 certificates, but not PGP encryption. It is rather technical and not discussed further in this article.
  • Uncheck the readme option and click Finish.

Illustrated running GPG and creating your own key

    1. Click your Start Menu, select All Programs, Gpg4win, GPA.
    2. If no private keys are managed by GNU Privacy Assistant, it will prompt to create a new key. Click Generate key now.
    3. Enter your name when prompted. This will be used to identify this key as yours.
    4. Enter your email address. This is used to associate your key to your identity. This should be the email address with which you will be sending and receiving encrypted and signed files.
    5. Choose the option to create a backup copy and click Forward.
    6. You will be prompted to enter a passphrase. Enter a password you will remember and click OK. Do this again when prompted to confirm your password. This is your secret password to use your private key. If you lose or forget your passphrase, you will never be able to use this key-pair again, and will need to create a new key-pair.
    7. A screen will appear indicating that the key is being generated and shortly after you will be prompted to save the private key. Choose a safe place to keep your private key, such as a USB drive. This should be protected like you would protect a credit or social security card. You will be notified that the key was saved. If you are using a 64-bit version of Windows, the program will crash as well. This is not critical, and relaunching GPA as in step 1 of this section will show the key has been created successfully.
    8. We will now set an expiration date on the key. A new key can be made before the expiration of this key, to keep your security fresh. If you ever lose your private key, you will want the old public key to expire so nobody can try to use it. To set an expiration, click your key entry in the grid, then click Edit.
    9. On the Edit Key window, click the Change expiration button. Also, notice you can change the passphrase from this window as well. On the Change expiry date window, select a date in the future. 1-2 years is usually a good range. After you click OK, you will be prompted for your passphrase as the keys are updated with the new expiration date.
    10. Finally, the key can be published to a key registry. From the main GPA window, highlight the key and click the Server menu then "Send Keys..."

Appendix: Sources