Monday, June 12, 2006

Getting started with GPG4Win

EMail-Security using GnuPG for Windows - GPG4Win offers better integration of GnuPG into Windows than past products (such as using WinPT with the command-line version of GnuPG). That means that the user experience is a lot nicer and it doesn't seem as clunky.

You can download GPG4Win here. The current version is: 1.0.2

Notes:

  • GPGol (the MS Outlook plugin) only works with Microsoft Outlook 2003 (or later?), so if you are using older versions of MSOutlook be sure to *not* install this
  • You probably won't need to install Sylpheed-Claws either, unless you are looking for a new e-mail program
  • I prefer WinPT over GPA, but your tastes may be different

Installation:

  1. Download and run the gpg4win-1.0.2.exe file
  2. When you reach the "Choose Components" screen, you should deselect GPGol, GPA and Sylpheed. And unless you speak German, you should deselect the Novice Manual and Advanced Manual components. So for most users you will only be installing: GnuPG, WinPT and GPGee.
  3. Click "Next" and proceed.
  4. At the "Install Options", I recommend only installing links to the "Start Menu" (and not the Desktop or Quick Launch bar).
  5. Finally, proceed forward (using the "Next" button) until you reach the "Install" button.
  6. Clicking on "Install" will begin the installation.
  7. After installation finishes, you can click on "Next" and "Finish" to exit the installation wizard.

Getting started

  1. Go to "Start" --> "Programs" --> GnuPG for Windows --> WinPT
  2. That will start the WinPT application.
  3. If you have pre-existing GnuPG keyrings, you should probably select the import option (Copy GnuPG keyrings from another location). But you can also import existing keys at a later time.
  4. For now, we will create a GnuPG key pair
  5. Click on the "Expert" button
  6. Key type: DSA and ELG (default)
  7. Subkey size in bits: 2048 (you may wish to use 3072 or 4096)
  8. Real name: (enter the name that you wish to associate with this key) This name will appear alongside your key on public keyservers.
  9. Comment (optional): (typically a company name) Note that comments are public information and will appear alongside your key on the keyserver. Most people put their company name in this field, while others enter their website address (e.g. "www.tgharold.com").
  10. Email address: (enter the e-mail address associated with the key) Again, this is public information that will be on the keyservers to allow people to find your public key.
  11. Expire Date: Uncheck "Never" and enter an expiration date of a few years (I'd recommend 2 or 3 years).
  12. Click the "Start" button
  13. Enter the passphrase that you wish to use when protecting this key. I would recommend a rather strong one made up of numerous randomly picked words, letters, numbers and symbols. I will talk about protecting this passphrase later on.
  14. Repeat your passphrase in the new window. This is done to ensure that you didn't mistype it the first time.
  15. The progress dialog will now appear as GnuPG creates the keys for you. This can take a while as GnuPG needs to obtain random data from the system. You can speed the process up by typing nonsense into a document and moving the mouse in an erratic manner.
  16. When GnuPG finishes, it will pop up a window that says "Key Generation Completed"
  17. You will be offered the chance to backup your keyring. Click "Yes" and choose a location. I would recommend a USB key or a floppy disk as a backup target.
  18. The key has been created and is now listed in the WinPT Key Manager

Configuring WinPT Options

  1. Right-click on the WinPT icon in the System Tray
  2. Select Preferences --> WinPT
  3. Any options that I do not mention are optional and can be set to anything you desire. (Meaning that I don't have a specific recommendation for that option.)
  4. CHECK - Do not use any temporary files
  5. CHECK - Use clipboard viewer to display the plaintext
  6. Cache passphrase for N minutes should be set to a value that you are comfortable with. If you set your machine to automatically lock after 5 minutes, you could cache the passphrase for longer. But if you don't automatically lock your workstation whenever you are away from the machine you should choose a shorter timeout period.
  7. CHECK - Automatic keyring backup
  8. SELECT "Backup to" and choose a folder location that is on a drive other than C: (such as a USB key drive or a TrueCrypt volume)

Configuring GnuPG Options

  1. Right-click on the WinPT icon in the System Tray
  2. Select Preferences --> GPG
  3. There's nothing in particular that I feel needs to be changed here, but it does let you add a comment line for ASCII armored files.

Importing old keys into WinPT

  1. Right-click on the WinPT icon in the System Tray
  2. Select "Key Manager"
  3. Under the "Key" menu, select "Import"
  4. Browse to your old secring.gpg file
  5. Highlight the keys that you want to import and click "Import"
  6. For each key that you've imported, you will need to set the "trust" level of the key. Note that you can only set "owner/trust" values for keys that have not expired (see the "Validity" column in the key manager).
  7. Right-click the key and choose "Properties"
  8. If you are able to change the trust level, the "Change" button next to the "Ownertrust" field will be enabled. Click on "Change" and set your trust level for a particular key.
  9. Note: Trust values are important. Never set a trust level higher than you feel comfortable with. Verify that you have the right key and that you have validated the fingerprint of the key through a secure channel.
  10. 2nd Note: WinPT does sometimes crash after importing large quantities of keys. And you sometimes have to exit the Key Manager before you can see newly imported keys.

Final notes:

  • I would recommend not using the "encrypt current window" functionality of WinPT. It is not working properly for me at the moment. However, the encrypt/decrypt clipboard functionality works fine.
  • Make sure that you backup your secret key files

Backing up your secret key and passphrase on paper

  1. In the WinPT Key Manager, highlight your key
  2. From the menu, choose "Key" then "Export Secret Key"
  3. Export this key to a secure location (such as a USB key drive, a floppy disk, or an encrypted volume / folder)
  4. Open the .ASC file in Notepad
  5. Change the font size using "Format, Font...". I would suggest a font of "Courier New" in an 11 or 12 point font.
  6. Print out a copy of your private key block. That way, in a worst-case scenario, you could hand-enter (or OCR) it back into a new machine.
  7. Jot a note to yourself at the bottom of the page to remind yourself what the passphrase is for this secret key. You may wish to be explicit or simply leave yourself vague hints.
  8. Fold the paper up and place it into a "security" envelope. Security envelopes have printing on the inside of the envelope which is designed to prevent the contents of the letter from being read without opening the envelope. For additional security, you may wish to wrap a 2nd sheet of paper around your original sheet.
  9. You may also include the floppy diskette containing the secret key inside of the envelope.
  10. Seal the envelope
  11. Write something memorable (signature, today's date, a song that is playing on the radio) along the sealed flap. That will give you a chance to detect tampering if the attacker does not reseal the envelope in a way that the markings still line up.
  12. For additional security, place clear tape over the flap edge (and over your writing). That makes it more difficult to open without destroying your writing.
  13. Jot a note to yourself on the outside of the envelope (today's date, the e-mail address of the key)
  14. Place the envelope in a secure location (such as a bank vault, document safe), preferably at a location that is physically distant from your computer. You should keep this envelope as secure as you would your will or other important financial papers.
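A check worth running before trusting a hand-entered or OCR'd copy of the printed key (step 6): the .ASC file is an ASCII-armored OpenPGP block, and every such block ends with a Radix-64 CRC-24 line (RFC 4880 section 6.1) that catches transcription errors. The following is an added example, not code from the original post or from GPG4Win/WinPT; the armored sample it builds is constructed and contains no real key material.

```python
"""Verify that a transcribed ASCII-armored OpenPGP block is intact via its CRC-24."""
import base64
from typing import Optional

# Constants from RFC 4880 section 6.1 (CRC-24 as used by OpenPGP armor).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Bitwise CRC-24 over the binary (de-armored) data."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, kind: str = "PRIVATE KEY BLOCK") -> str:
    """Build a constructed armored block (same layout GnuPG writes to a .asc file)."""
    b64 = base64.b64encode(data).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    lines = [f"-----BEGIN PGP {kind}-----", "Version: constructed sample", ""]
    lines += body + [crc_line, f"-----END PGP {kind}-----", ""]
    return "\n".join(lines)


def dearmor(text: str) -> Optional[bytes]:
    """Return the binary payload if the armor parses and the CRC-24 matches, else None."""
    lines = [ln.rstrip() for ln in text.splitlines()]  # tolerate trailing spaces from typing
    try:
        start = next(i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN PGP "))
        end = next(i for i, ln in enumerate(lines) if ln.startswith("-----END PGP "))
    except StopIteration:
        return None
    inner = lines[start + 1:end]
    if "" not in inner:  # armor headers must be separated from the body by a blank line
        return None
    body = inner[inner.index("") + 1:]
    if not body or not body[-1].startswith("="):  # last body line is "=" + 4 CRC chars
        return None
    try:
        data = base64.b64decode("".join(body[:-1]), validate=True)
        crc_bytes = base64.b64decode(body[-1][1:], validate=True)
    except ValueError:  # invalid base64 character, e.g. an OCR misread
        return None
    if len(crc_bytes) != 3 or int.from_bytes(crc_bytes, "big") != crc24(data):
        return None
    return data


def transcription_ok(text: str) -> bool:
    """True when the typed/OCR'd armored text is consistent with its CRC-24 line."""
    return dearmor(text) is not None
```

A mismatch does not locate the error, so on failure compare the typed copy against the printout line by line; a single wrong base64 character is always detected because the CRC-24 catches every error burst of 24 bits or less.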
