
I’ve covered this before, but wanted to redo it as an easier-to-follow, step-by-step guide (with better quality screenshots).

GPG is most commonly used as an email client plugin, but most people use webmail for their personal email, and most webmail services don’t support PGP encryption.
This post will demonstrate an alternative, where the email is composed in a text editor, encrypted, and the ciphertext pasted into the webmail interface. I’ll also show how to do the reverse, so you can receive PGP-encrypted emails at your webmail address and decrypt them.

While there are graphical interfaces for using GPG, this guide will demonstrate the command line usage, as it will be the same for everyone with GPG installed. Plus, using the command line is a healthy habit to cultivate.

2. Creating Keys
Firstly, you’ll require a ‘key pair’ – your public and private keys, associated with your email address. The point of this is that people can exchange encrypted messages without ever sending a secret key – encrypted messages and public keys are communicated openly, but only the recipient has the private key to decrypt. It’s also extremely difficult for a third party to derive the private key from the public key, provided the key sizes are sufficiently large.
So, here the public key is what you make public, and the private key is what you keep secret. The public key encrypts, and the private key decrypts.
The command used for generating the keys is:
$ gpg --gen-key

If it works, the following menu appears:

[Screenshot: gpg-create-key]

My personal preference is to stick with the defaults: RSA with a 2048-bit key. RSA-512 is relatively easy to break, and I suspect RSA-1024 is breakable with custom hardware within a reasonable amount of time (i.e. within months). Conversely, it’s also safe, because that speculation concerns the resources required to decrypt one individual ciphertext, and attackers wouldn’t bother unless the message was really worth the effort.

Anyway, moving on, the GPG program will generate the keys, using /dev/random as the entropy source (or whatever the equivalent is on Windows NT). The ‘entropy pool’ is populated with values derived from hardware events, so this involves doing pseudo-random things with the mouse and keyboard while the keys are generated.

[Screenshot: gpg-keys-generated]

3. Compose and encrypt email
With the key pair generated, it’s possible to demonstrate the actual encryption and decryption processes. I composed an email message with a standard text editor, saved it as ‘test-email.txt’, then used the following command:
$ gpg -e -a [filename].txt

GPG will prompt for the recipients’ email addresses, find the relevant public keys in its database, then encrypt the plaintext message.

[Screenshot: gpg-encrypting-text]

The ciphertext is written to another file ([filename].asc). Copy and paste the file’s content into the webmail interface as the message body.

[Screenshot: gpg-webmail-client]

4. Decrypting email
The process is simply reversed to decrypt. This time, we receive the GPG-encrypted ciphertext, paste it into a text editor and save the file as ‘[filename].asc’.

When running the following command, GPG should automatically detect the encryption used, fetch the relevant private key and decrypt.

[Screenshot: gpg-decrypt-email]

5. Importing public keys
Lastly, in order to encrypt emails for other recipients, their public keys must be added to GPG’s key database (the keyring). Like the encrypted email, a public key is a large block of ASCII-armoured text. Copy and paste this into a file, and save it as ‘[filename].gpg’.

Next, use the ‘gpg --import -a [filename]’ command to import the contents of the file. The new entry should appear when using ‘gpg --list-keys’.

[Screenshot: gpg-import-list-key]

One issue to be aware of: exercise caution when exporting private keys for backup. The GPG password is not the encryption key, and only protects the application’s key storage function. Once the private key is exported to another storage device, it is entirely unprotected, and might be copied and used by others.
