Introduction to GPG

GNU Privacy Guard (GnuPG or GPG) is a free alternative to PGP cryptographic software used to send secure messages, messages like files (PDFs, Word docs, XLS files, and HTML files) or standard, plain text e-mails, between parties. Who would you send a secure message to? Someone who you trust, who also trusts you, where “trust” means that you either know one another or have confidence in someone who knows both of you.

Why would you use GPG? GPG allows you to encrypt messages that are intended for a specific recipient (or multiple recipients), so that only the named parties can read whatever it is you’ve sent. It’s very James Bond.

No computer system has cracked the protection provided by the GPG encryption algorithm, so, even if your message were intercepted, it couldn’t be effectively decoded and read. One should note that while SSL encryption might protect a message in transit to its destination, messages are saved in human readable formats when they are stored on email servers. GPG encryption makes it so that even the stored messages are unreadable to anyone else.

Core Concepts

Here’s how it works. Each user maintains two key rings. One key ring is private, in the sense that you retain your own digital identity and/or identities. You may have several identities but, usually, you will have just one private key. (What kind of identities? Different e-mail addresses: business, personal, etc. If you’re a double agent, you would have an identity for each side you’re playing on.)

The counterpart of private keys are, of course, public keys. Each private key is matched with a public one that you can share with whomever. Before you can send out a message, the recipients have to send you a public key, in turn. You add their public key to your key ring, and then you are able to encrypt and sign a message intended for them.

Only users with a private key that matches the public key can decrypt a message, so, for this to work, you have to protect your private key. Forgeries can happen if someone sits at your computer using your user account.

Note: While keys are associated with an e-mail address, messages don’t have to be e-mailed. The e-mail address is just a means to help identify users/distinguish one user from another. It's a good mechanism because e-mail addresses are basically unique.

For a more in-depth look into any of the core concepts of the GPG methodologies, see the GPG handbook. But, as a caveat, the handbook will contain some higher-tech examples of how to interact with the GPG system. You don't need to understand the system to that degree to use the front-end tools that I suggest in this article.

Creating an Identity

As part of the installation process, you’ll have to create a digital identity on your computer. The two main components of this identity are your name and e-mail address. I suggest using your real first and last name. There is little value in assuming an alias in this scenario. If your group uses code names or aliases, then, by all means, use one. Otherwise, the backbone of the concept of secure messaging is, after all, trust. Not only will your direct friends be using your public key, but also possibly their friends, and everyone, in your group, ought to be able to trust that you are who you say you are. (See the Trust section of this article.)

As far as choosing an e-mail address goes, you could technically choose any old e-mail address, but you should probably choose go with the one that you actually want your secure messages to be delivered to, since some of the tools in the GPG software packages outlined here require a key pair’s e-mail address that matches the e-mail which you receive encrypted messages on.

After you choose an e-mail, you’ll be prompted to set a passphrase, a security measure that prevents access to the private key, even on your own computer. There is no limit to the length of the passphrase. Of course, the more complex the passphrase, the better.

Mac Installation

First Install GPG Tools, a software package that makes it easy to interact with encryption, signatures, and identities of people you trust. In the current version of the tools package, there's a bug that can be fixed by additionally installing this version of GPG Services. Follow the basic installation procedure that the wizard provides (this is a mpkg installation and not an application that you drag to your Applications folder).

Upon installing the initial GPG Tools package, the Keychain Access application automatically starts and prompts you to generate a new key pair. Set a key length of 4096 and an expiration date in the relative future. I recommend a year. Set a passphrase, this is the "password" that you will enter to encrypt and decrypt messages using your key pair.

Now get a coffee and wait. This phase of the process takes a few minutes as the key generation needs to make some extreme calculations in order to generate a key just for you.

After both GPG Tools, and the updated GPG Services are installed, you'll need to do some quick fixes via the Terminal. Copy and paste each of the following commands, one at a time into the Terminal window and then hit the enter key. If the prompt returns back to the $ symbol with no message, then it worked.

defaults write org.gpgtools.gpgservices UseASCIIOutput -bool YES  
/System/Library/CoreServices/pbs -flush
/System/Library/CoreServices/pbs

The above modifications come from this forum post. These make your file encryptions into the ASCII format instead of the binary format, so you can copy and paste them easier. I sought this fix when I had trouble attaching binary attachments to Thunderbird.

Also, another software package that compliments GPG Tools is Growl.

Congratulations, you've installed everything you need to get started with secure messaging on the Mac!

Windows Installation

You'll need some GPG software on your Windows computer, so I suggest Gpg4win.

On pages 31 to 40 of the Gpg4Win PDF, you can follow the installation steps. Note: this PDF is also included in the installation too, it's called the compendium and you can find it in the start menu folder for Gpg4win. Also, you should know that I'm referencing page numbers from the 3.0.0-beta1 version of the compendium document.

The Gpg4win download contains the encryption software and key management program (called Kleopatra) so you can manage your identities and identities of others to whom you will write secure messages.

On page 42, the documentation will demonstrate how to open Kleopatra and generate your first key pair. Choose the OpenPGP key pair. Click Advanced Settings on the Enter Details step and set an expiration date of the keys. I suggest one year from today.

Continuing with the compendium documentation, set a passphrase as shown.

After the key is generated, with you help of typing random characters of course, you click the Finish button. Congrats, you're now ready to trade keys and then write encrypted messages!

Import your Friend's Public Key

You need your friend's public key in order to write him/her a message. There is never danger in a sharing a public key, as it's not secret. In fact, the whole system works better the more widely distributed your public key is.

Supposing a friend has given you their public key, which is ultimately a text file that probably has a .asc filename extension, drag the file into the keychain management program. Your friend can give you the key either in person with a USB drive or virtually over the Internet (through email, instant message, or other medium of sending files or text).

Windows: Within Kleopatra, after you drag their public key into the main part of the window, a menu will appear, at which point you will choose Import Certificates. Under the Imported Certificates tab, right click the newly imported key and choose Certify Certificate. You should verify the fingerprint by reading it to your friend and matching it to their key's fingerprint. Check the appropriate boxes and Next, Certify, and Finish.

Mac: With GPG Keychain Access, you also drag the public key into the main part of the window to import it.

Another way to describe the process of importing someone's public key to your system is to say "add their key to your keyring".

Export your Public Key

Windows: On Kleopatra, find your public/private key pair within the My Certificates tab, right click, and choose Export Certificates. Save the public key somewhere, probably your Desktop. Now you can share this file with your friends.

Mac: Using GPG Keychain Access on the Mac, similarly you right click your identity, and choose Export. Save this file somewhere convenient so you can give it to a friend. Ensure that the ASCII format option is chosen. This format is easier to copy/paste or attach to an email to distribute.

Encrypt a Message

If you don't already have a good plain text editor on your Mac or Windows, then I suggest Sublime for Mac, Sublime for Windows instead of TextEdit (Mac) or Notepad (Windows). Sublime is awesome for programmers but there's no reason non-programmers cannot use it. It's a no-nonsense editor that will let you save text files without having to worry about rich text interfering with your document creation or compatibility with Microsoft Word. With Sublime, you can write a simple text file, just as a normal email might be written. Save your message as a .txt file to help indicate that it's a plain text file.

Write your message then save it somewhere obvious, such as your Desktop. Let's call it message.txt in this example.

Windows: Right click message.txt and select Sign and encrypt. Choose Sign and Encrypt (OpenPGP only) and check Text output (ASCII armor). Click the Next button. Select the recipients that will be able to read the message, and add them to the lower box. These people will be able to decrypt your message. Click Next. Choose your private identity as the author (though at this point you probably only have one identity). Finally, click Sign & Encrypt. Enter your passphrase and then click Finish.

Mac: Right click messages.txt, select Services and then OpenPGP: Encrypt File. Choose those individuals that will be able to decrypt the message, choose a secret key to sign it with. If you only have one identity, then it might already be chosen. Check the Sign box, and only keep Add to Recipients if you want to be able to decrypt the message yourself, that is to say, later on when inspecting your sent messages, you'll be able to decrypt the file. Most often, I prefer to uncheck this feature to make the message that much more secure. Enter your passphrase. You should see a confirmation message that it was encrypted successfully.

Now, message.txt.asc appears alongside the original message.txt. Create an email to the recipient(s), and attach the message.txt.asc file, not the message.txt file of course as that one is not encrypted! Enter your passphrase. If you're extra paranoid about your message, delete the original message.txt and you're quite safe assuming that no one will intercept it the unencrypted copy.

Decrypt a Message

Save the encrypted attachment to your computer, probably to your Desktop.

Windows: Right click the file, select Decrypt and verify, then the Decrypt/Verify button. Enter your passphrase. Did you get a message stating Not enough information to check signature validity? That's because you forgot to certify their public key. See the import section of this article. Otherwise, the message will read The signature is valid. Congratulations, now you've decrypted your first message and it will appear alongside the encrypted file (if you accepted the default option in the dialog window)!

Mac: Right click messages.txt, select Services and then OpenPGP: Decrypt File. Enter your passphrase. Congratulations, you've decrypted a message! The file should appear in the same folder where the encrypted version is.

Trust

There must be a basic level of trust when exchanging keys. The GPG software helps you assign levels of how much you trust someone. It will even help you determine how much you should trust someone's key that you haven't met. In this way, the digital trust mirrors the trust that is inherent in groups from the standpoint of sociology.

Starting with the people you know and trust the most, probably family and close friends, you can begin exchanging public keys with them and choosing that you completely trust them. It is best to exchange public keys in person, using a more closed medium like a local network or USB drive to copy and import the public keys among computers.