Encrypting email with GnuPG
Three-Step Process
Exchanging encrypted email via OpenPGP/GnuPG requires the following steps on the sender's side as well as the recipient's:
- Generating a key pair
- Exchanging public keys
- Importing the partner's public key into your keyring
As a Thunderbird user, you should install the Enigmail [2] extension via the add-on manager (Tools | Add-ons | Search add-ons). The menu list then includes the OpenPGP entry that controls all encryption and signing functions. (Thunderbird has since gained built-in OpenPGP support, so on current versions Enigmail is no longer required.)
The PGP function is already built into KMail, and you get to it with Tools | Certificate management. Both programs provide a GUI for the console commands described below.
The gpg --gen-key command generates a new key pair. The program prompts for a key type and length; at the time of writing, RSA/RSA with 2048 bits was the recommended choice for compatibility and security reasons, and newer GnuPG versions default to 3072-bit RSA, with 4096-bit RSA or the elliptic-curve Ed25519/Curve25519 types also in common use. Then you need to set the key's validity period. Beginners should not accept the default 0 = key does not expire: if you lose the private key or forget its passphrase, you can no longer revoke the key, and a public key that has already been uploaded to key servers cannot be deleted. An expiry date at least limits how long such a stranded key stays in circulation, and you can extend it later as long as you still control the private key. Recent GnuPG versions also write a revocation certificate to ~/.gnupg/openpgp-revocs.d/ during key generation; keep a copy of it somewhere safe.
Next, you need to enter the name, email address, an optional comment, and a passphrase, which is required whenever the private key is used. Keep in mind that this passphrase is all that protects the private key on disk: an attacker who copies your keyring only has to guess the passphrase, which is far easier than breaking 2048-bit RSA, so choose a long one.
The program then generates the key pair from random data. To keep the secret key unpredictable, GnuPG draws on the system's entropy pool, which is fed by external events such as mouse movements, keyboard input, and disk activity, so on a system short of entropy, using the mouse and keyboard during generation speeds up the process.
The key pair is generally available in less than a minute. GnuPG then adds the key pair to your keyring, where it becomes available to Thunderbird, KMail, and every other mail program that uses GnuPG for encryption.
Exported Goods
Check that your keyring actually contains the generated keys. The gpg --list-secret-keys or gpg -K command lists the private keys, while gpg --list-keys or gpg -k lists the public keys. To make the public key exchangeable, first export it to a local file, as follows:
$ gpg -a --export <ID> > my_pubkey.asc
The -a option selects ASCII armor, making the key easy to exchange via email. When a remote partner requests your PGP key, send her this file so that she can send you encrypted messages. Because an email attachment can be replaced in transit, she should compare the key's fingerprint (gpg --fingerprint <ID>) with one you give her over a second channel, such as a phone call or a business card, before she starts using the key.
To allow others to send you encrypted mail without a key request, you can publish the key to a key server, as follows:
$ gpg --keyserver hkp://keys.gnupg.net --send-keys <id>
If you're wondering about hkp://, that's not a typo; it stands for the HTTP Keyserver Protocol, and hkps:// is the same protocol over TLS, which you should prefer where the server offers it. A number of key servers are available, the most popular of which even synchronize among themselves. Note that key servers come and go (the SKS pool behind keys.gnupg.net has since been retired, so check which server your GnuPG version uses by default), and that a key server does not verify who uploads a key: anyone can publish a key carrying your name and address, so your correspondents still need to check the fingerprint with you.