Sign and encrypt your emails and files using PGP : Tutorial


02 Feb  

This tutorial is written for novice users who find it hard to use PGP (Pretty Good Privacy) for signing and encrypting their emails and files.

Why signing emails / encrypting files?

When you receive an email from a particular user, there is no assurance that the email actually originated from that user. There are various spoofing attacks in which an attacker forges the identity of a user and sends emails pretending (impersonating) to be that user.

In these cases, signing the email can help. (Please note that signing is different from adding a ‘signature’ at the end of the email.)

This is how the system works:

A user generates two keys – a public key and a private key (protected by a pass-phrase, like a password)

  1. He publishes his public key on his website (visible to all)
  2. He sends an email and signs it using his private key and pass-phrase
  3. The recipient downloads the public key and uses it to verify the signature on the email received. If the signature verifies, the mail is genuine

This edition of techblog is about key generation and encryption (and signing).

Sometimes you may want to encrypt a file so that only a particular user can read it. In this case you encrypt the file with that recipient’s public key, so that it can be opened only with his (the recipient’s) private key.
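The same workflow on the command line with GnuPG's gpg, as an added example that is not part of the original post: two throwaway keyrings stand in for the sender (Alice) and the recipient (Bob); the names, e-mail addresses, passphrases and message are constructed placeholders.

```shell
#!/bin/sh
# Added demo of the sign/verify and encrypt/decrypt steps above with GnuPG's gpg.
# Two throwaway keyrings stand in for sender (Alice) and recipient (Bob); names,
# addresses and passphrases are constructed placeholders, not real accounts.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
ALICE="$WORK/alice"; BOB="$WORK/bob"
mkdir -m 700 "$ALICE" "$BOB"

# Run gpg as one user: $1 = keyring dir, $2 = that user's passphrase, rest = gpg args.
# --batch and loopback pinentry let the passphrase be supplied without a prompt.
gpg_as() { _home=$1; _pass=$2; shift 2
  GNUPGHOME=$_home gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase "$_pass" "$@"; }

# 1. Each user generates a key pair (primary signing key + encryption subkey)
#    protected by a passphrase. "never" means no expiry, acceptable for a demo.
gpg_as "$ALICE" alice-pass --quick-generate-key "Alice <alice@example.com>" default default never
gpg_as "$BOB"   bob-pass   --quick-generate-key "Bob <bob@example.com>"     default default never

# 2. Only the PUBLIC key is published (here: written to a file) and imported by the other side.
gpg_as "$ALICE" alice-pass --armor --export alice@example.com > "$WORK/alice.pub"
gpg_as "$BOB"   bob-pass   --armor --export bob@example.com   > "$WORK/bob.pub"
gpg_as "$BOB"   bob-pass   --import "$WORK/alice.pub"
gpg_as "$ALICE" alice-pass --import "$WORK/bob.pub"

# 3. Alice signs a message with her private key; --clearsign keeps the text readable.
printf 'Meeting moved to 10:00.\n' > "$WORK/msg.txt"
gpg_as "$ALICE" alice-pass --clearsign --output "$WORK/msg.asc" "$WORK/msg.txt"

# Bob checks the signature against Alice's public key; exit status 0 means genuine.
verify_as_bob() { GNUPGHOME=$BOB gpg --batch --quiet --verify "$1" 2>/dev/null; }

# Any change to the signed text must make the check fail: whoever altered it
# cannot produce a matching signature without Alice's private key.
sed 's/10:00/11:00/' "$WORK/msg.asc" > "$WORK/tampered.asc"

# 4. Alice encrypts a file to Bob's public key; only Bob's private key can open it.
#    --trust-model always skips the web-of-trust check, which a demo keyring cannot satisfy.
gpg_as "$ALICE" alice-pass --trust-model always --recipient bob@example.com \
    --output "$WORK/secret.gpg" --encrypt "$WORK/msg.txt"

# Decrypt as a given user; prints the plaintext, fails if that user lacks the right key.
decrypt_as() { gpg_as "$1" "$2" --decrypt "$3" 2>/dev/null; }
verify_as_bob "$WORK/msg.asc"      && echo "original: good signature"
verify_as_bob "$WORK/tampered.asc" || echo "tampered: BAD signature"
decrypt_as "$BOB" bob-pass "$WORK/secret.gpg"
```

Run it with sh; the tampered copy is there to show that the signature check fails the moment the signed text is altered, and the final decrypt only works from Bob's keyring.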

PGP is a very good tool for key generation, and we will be using it for this tutorial.

Using PGP

A PGP implementation (GnuPG) comes with almost all GNU/Linux distributions. If you are on Windows, try googling the phrase ‘PGP for Windows’.

GNU Privacy Assistant (GPA) is another tool you can use to manage your key rings. You can install GPA with your distribution’s package manager (or by double-clicking the installer if you are on Windows!).

This is what I did on my Debian-based system:

[Screenshot: PGP installation]

Once installed, you will see a window listing your personal keys.

[Screenshot: encryption key]

You can create a new key by selecting New from the File menu.

[Screenshot: encryption key generation]

It will guide you through the options. You may indicate that you want to generate a PGP key.

[Screenshot: PGP generation]

Then it will let you enter details like your name, email, etc.

[Screenshot: PGP key config]

If you are using GPA, it will ask you to generate a new key during the very first start-up.

[Screenshot: GNU privacy assistant]

You can enter the details just as you did before.

[Screenshot: GNU privacy assistant (GPA) key generation]

Then the software will generate the key for you automatically.

[Screenshot: GNU privacy assistant (GPA) key]

Once a key has been generated, you will be able to view and edit its details.

You need to choose a very strong passphrase (say, longer than 12 characters, mixing both cases with digits and other characters). If you choose a weak passphrase, you are defeating the whole purpose of signing your email!

[Screenshot: GNU privacy assistant (GPA) key management]

You can also view the details of the key and see its fingerprint. GPA also allows you to ‘export’ your keys. Please note that GPA offers to back up the keys during the key generation stage; keep that backup private, since it contains your private key. You can now publish your public key (and only the public key) on your website or blog.

[Screenshot: encryption key export]

Whichever key generation tool you use, all of these tools will be able to find the keys generated by the others, since they all work on the same GnuPG key ring!

[Screenshot: manage encryption key]

How to sign / encrypt?

There are different ways of doing this.

If you are using an email client like Mozilla Thunderbird, then Enigmail is what you are looking for. Enigmail is an OpenPGP plugin for Thunderbird. On Ubuntu you can install it by issuing:

sudo apt-get install enigmail

GPA (GNU Privacy Assistant), which we discussed earlier, is also able to do this.

If you are in a GNOME environment, you may try Seahorse.

If you want to use it from the browser, you can try FireGPG, provided you are using Firefox.

KGpg and Kleopatra are two other solutions you can use if you are in a KDE environment.

Since all of these have good graphical user interfaces (GUIs), you will not find them hard to use!

Windows?

Well, Windows and security will never go hand-in-hand.

But if you are on Windows, you may try GnuPG for Windows or PGPi (or try switching to Linux!).


Comments (1)

  1. FYI says:

    FYI … there are free web sites out there for encrypted email without a client on your computer. One of these is http://www.encrytpshield.com; it does not allow HTML in your email, but it’s simple enough to use.
