My GPG Key


Given the NSA have pretty much been proven to be listening in to everyone’s conversations, I’d like to start sending encrypted emails whenever possible. This is partly for my own privacy concerns, and partly because I believe that decreasing the signal-to-noise ratio for spying agencies is a good thing.

My GPG key follows at the end of this post, but here’s a primer on a reasonable way to get up and running with sending and receiving encrypted messages. I’m going to assume you’re using Windows and Chrome or Firefox. If you’re on a tablet or other device, there may be other apps that will help.

The idea is to be able to manage keys, and encrypt and decrypt messages. This works by having your own private key, which you never share with anyone, and a public key, which you share with the world so that people can send you messages that only your private key can decrypt. In a perfect world, all email clients and browsers would support this natively, but unfortunately this is not the case. We have to make do with some clunky open source software user interfaces (the underlying software is fantastic, programmers just can’t write UIs) and a browser extension that has its work cut out.

Nevertheless, here’s my experience – gained from both using it myself (after switching from the command-line) and talking a non-technical user through the process of sending me an encrypted email.

Getting started with GPG on Windows and your browser

The easiest way I’ve found to manage keys on Windows and the web (which is where the majority of my email is) is using Gnu Privacy Guard (Gpg4win) and the WebPG browser extension for Chrome or Firefox. I’m using Chrome.

You need both. The version of GPG installed on your computer will actually host the keys and do the encryption/decryption for you. This is very important as you don’t actually want to hand over your keys to anyone else.

To get started, you’ll want to:

  • Download and install Gpg4win. You’ll likely not need to use it, and it’s not very user friendly – but it needs to be there for the browser extension to work.
  • Install WebPG. I used the webpg-chrome extension from the Chrome store.
  • Restart Chrome

You should now have a blueish icon at the right of your address bar, as shown in the screenshot. Click it, and select Options.

You’ll probably want to turn on Enable Inline formatting of PGP Messages and Keys (for now) – it can get in the way when you are not trying to use encryption, but when you are it is the easiest way of doing things.

Note: I don’t use gmail so haven’t tried the experimental gmail interface. Feel free to try it and report back.

When you’re done, click Finished and then Refresh this page to get the extra options.

Creating your private key

On the WebPG icon, click Key Manager. It shows Private Keys, which are the keys you will use to encrypt your messages to send to other people (you probably only want one of these) – and Public Keys, which are keys your computer knows about that it can encrypt messages to. Sort of like your contacts list. You’ll have a few of these.

Start by generating your private key. Click the Generate New Key button.

You should provide your full name and email address. You do not need to enter a comment. You should enter a password to provide an extra level of security in case somebody else gets hold of this key, or tries to use your computer while you are away from it. You will not be able to decrypt any messages without it.

Once you have done this, click Create

Your key is normally disabled by default after it is created: click the “disabled” text to enable it, and then Finished. Once clicked, it should show Enabled, to indicate that it’s now usable:

You now have a key that you can use to encrypt messages, and receive messages from other people.

Sending your public key to other people

Before someone can send you an encrypted message, they need your public key. The easiest way to do this is to expand your key details using the little arrow, and then click export this key.

Another window will pop up with your public key (it looks like a load of random text with an obvious header and footer) and a copy button. Press that, and paste it into your favourite communication mechanism (email, facebook, your blog, etc.) to let people know how to send encrypted messages to you. (Mine is pasted below!)

Getting someone’s public key

If you’ve enabled the options above, whenever you see someone’s public key on a web page or email in your browser, it should get enhanced by the browser plugin to make it easily importable instead of looking like some ugly ASCII text. The key should have an import button, and should look something like:

Clicking the import button should import the key into your list of public keys. You can now encrypt messages for this address.

If you are using the key for important communication, it is very important that you verify that the person you think sent you the key actually sent it to you, and not somebody pretending to be them. The best way to do this is to contact them via a trusted method (e.g. the telephone) and read out the key fingerprint to each other. This can be found on the key options, near where you found the “export this key” button.

Encrypting a message

In theory, the WebPG plugin adds a menu to the top of every input box to allow you to encrypt the contents. In practice, this does not really work as most sites use JavaScript or contenteditable divs, which prevent this from working. There is a text box near the bottom of this page (just above the comments) which is a plain text box with nothing fancy going on. You can use this, if your normal program fails.

Assuming you have the WebPG plugin menu (see the image below) on the box you are writing into, you just need to write your message, and then click the button, followed by encrypt.

You’ll then be asked for a recipient, based on the public keys in your keyring. Only the recipient you choose will be able to decrypt the message.

The message content should then appear encrypted.

You can also encrypt and sign a message. If the recipient knows your public key, this verifies that the message comes from you.

If the WebPG plugin menu did not appear in the place you wanted it (for example, you are sending a Facebook message or using Hotmail, etc.) and you are using the box below, you should then copy the encrypted content from the box into the message, and send it. VERY IMPORTANT NOTE: The content you copy and paste should not be readable to you. It should look like ASCII junk with a header and footer. If it’s readable to you, it’s not encrypted properly.
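The “header and footer” mentioned above is OpenPGP ASCII armor (RFC 4880, section 6): a `-----BEGIN PGP MESSAGE-----` line, optional headers such as the `Version:` line GnuPG 2.0 prints, a blank line, base64 body lines, a `=XXXX` CRC-24 trailer and the matching `-----END` line. The following is an added example, not code from this post or from WebPG/GnuPG, that turns the “is it really ASCII junk with a header and footer?” check into something you can run over whatever you are about to paste: it parses one armored block, recomputes the CRC-24 trailer, and reports plain readable text or a corrupted paste as not safe to send. The plaintext note, the payload bytes and the corrupted copy are constructed sample inputs; the payload only stands in for the encrypted packets GnuPG would produce.

```python
import base64
import re

# CRC-24 parameters from RFC 4880, section 6.1 (the "Radix-64" armor checksum).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# One armored block: BEGIN line, optional "Key: value" headers, a blank line,
# radix-64 body lines, the "=XXXX" CRC trailer, and the matching END line.
ARMOR_RE = re.compile(
    r"-----BEGIN (?P<type>PGP [A-Z ]+)-----\n"
    r"(?P<headers>(?:[^\n]*: [^\n]*\n)*)"
    r"\n"
    r"(?P<body>(?:[A-Za-z0-9+/]+=?=?\n)*)"
    r"=(?P<crc>[A-Za-z0-9+/]{4})\n"
    r"-----END (?P=type)-----"
)


def crc24(data: bytes) -> int:
    """CRC-24 of the raw bytes, exactly as RFC 4880 section 6.1 specifies."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_checksum(data: bytes) -> str:
    """The armor trailer: '=' plus the CRC-24 as three big-endian bytes in base64."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")


def armor(data: bytes, block_type: str = "PGP MESSAGE", version: str = "") -> str:
    """Wrap raw bytes in ASCII armor, 64 characters per body line, as GnuPG does."""
    body = base64.b64encode(data).decode("ascii")
    lines = [f"-----BEGIN {block_type}-----"]
    if version:
        lines.append(f"Version: {version}")
    lines.append("")  # the blank line separates headers from the body
    lines.extend(body[i:i + 64] for i in range(0, len(body), 64))
    lines.append(armor_checksum(data))
    lines.append(f"-----END {block_type}-----")
    return "\n".join(lines) + "\n"


def parse_armor(text: str) -> dict:
    """Find one armored block in text and return its type, headers and raw bytes.
    Raises ValueError if there is no block or the CRC-24 trailer does not match."""
    m = ARMOR_RE.search(text.replace("\r\n", "\n"))
    if m is None:
        raise ValueError("no ASCII-armored PGP block found")
    payload = base64.b64decode("".join(m.group("body").split()), validate=True)
    if armor_checksum(payload) != "=" + m.group("crc"):
        raise ValueError("CRC-24 trailer does not match the body (corrupted paste?)")
    headers = dict(line.split(": ", 1) for line in m.group("headers").splitlines())
    return {"type": m.group("type"), "headers": headers, "payload": payload}


def looks_armored(text: str) -> bool:
    """The post's copy-and-paste sanity check: is this an intact armored block
    rather than readable text? Readable text means it was never encrypted."""
    try:
        parse_armor(text)
        return True
    except ValueError:
        return False


# Constructed samples (not real GnuPG output): a note that was never encrypted,
# and opaque bytes standing in for the encrypted packets GnuPG would emit.
PLAINTEXT_NOTE = "Hi Bob, can you send me the Q3 report?\n"
FAKE_CIPHERTEXT = bytes(range(50))
ARMORED_MESSAGE = armor(FAKE_CIPHERTEXT, "PGP MESSAGE", "GnuPG v2.0.17 (MingW32)")
# One corrupted character in the first body line, as a sloppy paste might produce.
CORRUPTED_MESSAGE = ARMORED_MESSAGE.replace("\nAAEC", "\nBAEC", 1)

if __name__ == "__main__":
    print(ARMORED_MESSAGE)
    for label, text in [("plain note", PLAINTEXT_NOTE),
                        ("armored", ARMORED_MESSAGE),
                        ("corrupted", CORRUPTED_MESSAGE)]:
        print(f"{label:10s} safe to paste: {looks_armored(text)}")
```

The CRC-24 trailer only catches accidental damage (a line dropped or a character mangled in transit); anyone can recompute it, so a block passing this check proves only that it is intact armor, not that it was encrypted to the right key or came from the person it claims to. Authenticity is what the signature, and the fingerprint check over the phone, are for.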

You have now encrypted a message that only the intended recipient can read.

Reading an encrypted message

Again, if the WebPG client works with your messaging system and you have the ‘inline formatting’ option turned on, you should see an option to decrypt a message whenever somebody sends you one. If you just see a bunch of ASCII text with a header and footer (which is often the case, at least for Zimbra, my email client) then you will want to paste it into the box below with the WebPG menu:

Using the WebPG menu, select ‘decrypt’. The message does not have to be from someone you know, but it will have to be sent to your private key. You can only verify that the person who says they sent it to you did actually do that, if they signed it (see above), so bear that in mind when sending sensitive information.

You will be asked for the password you used when you created your private key. You do remember your password, don’t you? ;-)

Once you have entered your password, the decrypted message is displayed. Congratulations!

My Public GPG key

Version: GnuPG v2.0.17 (MingW32)



A plain text box for using the WebPG plugin, if your messaging client doesn’t like it

If you’re using WebPG, it’s likely your mail client kills the integration it tries to use. You can use this textarea here to copy and paste things: