No More Excuses: PGP on Windows in Less Than One Hour
Written by: Brian Glenn
From Eye of the Storm - October 2008
When we last left our fearless hero, we had discussed a way to secure our information after it has left our network: PGP. Now that we understand where PGP fits into the world of encryption, we are ready to put it into practice. There are a few commercial implementations of PGP, but we are going to discuss the Open Source implementation of PGP called GNU Privacy Guard (usually abbreviated GnuPG or GPG). We advocate the use of Open Source software for sensitive applications, such as encryption, because the code is scrutinized by a larger number of people who are not afraid to make extremely public announcements when a security-related problem is found. Anyone who was affected by the recent Debian OpenSSL problem is familiar with the Open Source community’s willingness to admit mistakes rather than try to bury them from the public. Some of you reading this might think that GnuPG is only available for Linux, but fear not: GnuPG has been ported to both Windows and Mac OS X, so everyone can easily take advantage of this software.
Because the most popular workstation platform is still Windows, this how-to will be written from a Windows Vista system. Those of you following along on either Linux or Mac OS X can easily adapt the procedures. The gpg4win software installs the core GnuPG program as well as a GUI for key management called WinPT. gpg4win also includes plugins for Outlook and Windows Explorer so that the encryption functions can be easily accessed from a familiar interface. GPA is another graphical key manager that is included. I personally have found WinPT to be easier to deal with, so that is the one I am going to discuss.
When you run WinPT for the first time, it will ask you to generate a new keypair or import an existing one. Select the option to generate a new keypair. You will then need to enter your real name and email address. Please enter this information carefully, as you will need to start the process over if you make a mistake. Once entered, you will then need to enter a passphrase. This passphrase is the heart of the security of your secret key. It should be a long and complicated set of characters, but one that is not easy to forget. Common ways of coming up with a secure but easy-to-remember passphrase are to use a favorite line from a movie or song with random punctuation thrown in, or to piece together words from different pages of a favorite book. Whatever method you choose, make sure that someone who knows you well is not going to be able to guess your passphrase. After the passphrase is entered, the system will generate your key. This could take some time, so be patient while it finishes.
Once key generation is completed, you are ready to use WinPT. Right-click on the system tray icon and select Key Manager. In the Key Manager, you will see your new key ready to be used. The key type is listed as “pub/sec” because you have both the secret and public portions of your own key. Keys that belong to other people will be listed as “pub” only. In order to be able to encrypt an email to someone, the next step is to import the intended recipient’s public key. As a test, I would like you to download the Hurricane Labs public key file from our website. In the Key Manager, select the Key menu, then select Import via HTTP. The Key Manager will download the file and import the public keys of everyone here at Hurricane Labs into the system. Once the process is complete, go back to the Key menu and select Reload Key Cache to repopulate the window with the new keys.
Now that you have the keys, it is a good idea to verify that the key is the correct one. This is done using what is called the key fingerprint. In order to view the key’s fingerprint, right-click on the key (we can use my key as an example) and select Properties at the bottom. The key fingerprint is displayed in the window that pops up. If you happen to have my business card, you can verify the key fingerprint against the key printed at the bottom (Note: some versions of my card had a typo and 47B9 was printed as 4789). In case you do not have my card, here is my fingerprint: 92E8 47B9 A2F0 4703 1AEA A776 14B9 AB63 71A2 9AB7. If you see that the fingerprints match, you can then sign my key with your new key, which in essence means that you vouch for the authenticity of my PGP key. It will also allow your PGP software to trust my key enough to encrypt to it without any warning dialog boxes. Right-click on my key and select Sign. You will want to ensure that you disable the checkbox for Sign local only. The entire idea behind PGP is that there is a web of trust based on these signatures. If the signatures are made non-exportable, then that web will never be built, making PGP mostly useless from an authentication standpoint. Once the signing is complete, return to the Properties of the key and set the trust from None to I trust fully. Keys should only be marked with full trust if you have verified the key fingerprint in some kind of out-of-band manner, such as my business card, this article, or even a telephone call as we will discuss later.
Now that we have verified the key, we can send email encrypted to the intended recipient. If you are using Outlook, the gpg4win package has installed a plugin that will integrate encryption into the Tools menu. If you are using Thunderbird, please install the Enigmail extension to Thunderbird to get support for GnuPG. If you are using another email client, please check with the vendor or search on the web for information about support for PGP/GPG encryption. Because most Windows users are using Outlook, we will focus on the GPG Outlook plugin in this article. After writing your message, go to the Tools menu and select both encrypt and sign this message. When you click Send, the plugin will ask for your secret key’s passphrase. The message will then be encrypted to the recipient’s public key and signed by your secret key. The signing process helps the recipient verify who sent the original message.
If you have no other way to establish that you have the correct key, it is usually a good idea to trade public keys via normal email channels, then telephone the other person to verify key fingerprints. To export your public key to send to someone, right-click on your own key in the Key Manager and select the Key menu at the top, then select Export. Do not select Export Secret Key unless you are making a backup for yourself. The file can then be saved and emailed or transmitted in some way to the other party. If you are following along with this tutorial and setting up PGP encryption for yourself, please feel free to send your key to me so we can trade encrypted emails as a test.
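The WinPT steps above (generate a keypair, export and import public keys, check the fingerprint, sign the key and raise its trust, encrypt and sign a message, decrypt it on the other end) map directly onto the GnuPG command line that gpg4win installs underneath WinPT. The script below is an added example and is not part of the original article or of the gpg4win project. It assumes gpg 2.1 or newer on the PATH; the two people, their email addresses, passphrases and the message text are constructed for the demonstration. The fingerprint helper also shows why the whole 40-digit fingerprint is compared: the 4789 versus 47B9 business-card typo mentioned above is enough to make the check fail.

```shell
#!/bin/sh
# Added example (not from the article or the gpg4win project): the WinPT
# workflow replayed with the GnuPG command line, gpg 2.1 or newer.
# Two throwaway keyrings stand in for two people. Names, addresses,
# passphrases and the message are constructed for the demo.
set -eu

# Strip the spaces WinPT and business cards put in a fingerprint and
# uppercase it, so a printed copy can be compared with the keyring's value.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# verify_fpr <out-of-band copy> <fingerprint shown by your keyring>
# Succeeds only on a full 40-hex-digit match; one wrong digit fails it.
verify_fpr() {
  a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
  case "$a" in *[!0-9A-F]*|"") return 1 ;; esac
  [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# gpg_as <keyring dir> <passphrase> <gpg args...>: run gpg unattended.
gpg_as() {
  home=$1; pass=$2; shift 2
  GNUPGHOME="$home" gpg --batch --yes --quiet --pinentry-mode loopback --passphrase "$pass" "$@"
}

# Primary-key fingerprint of <user-id> in <keyring dir>, from colon output.
fingerprint_of() {
  GNUPGHOME="$1" gpg --batch --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# The article's workflow end to end; returns 0 only if every step succeeds.
pgp_roundtrip() {
  work=$(mktemp -d) || return 1
  alice="$work/alice"; bob="$work/bob"
  mkdir -m 700 "$alice" "$bob" || return 1

  # 1. Each side generates a keypair (WinPT: "generate a new keypair").
  gpg_as "$alice" "alice passphrase" --quick-gen-key "Alice Example <alice@example.invalid>" default default never || return 1
  gpg_as "$bob"   "bob passphrase"   --quick-gen-key "Bob Example <bob@example.invalid>"     default default never || return 1

  # 2. Alice exports her PUBLIC key only (Key > Export, never Export Secret Key).
  gpg_as "$alice" "" --armor --export alice@example.invalid > "$work/alice.asc" || return 1

  # 3. Bob imports it (Key > Import).
  gpg_as "$bob" "" --import "$work/alice.asc" || return 1

  # 4. Bob checks the fingerprint against an out-of-band copy. Here the
  #    "business card" is Alice's own keyring; in practice it is a card or a phone call.
  card=$(fingerprint_of "$alice" alice@example.invalid)
  seen=$(fingerprint_of "$bob" alice@example.invalid)
  verify_fpr "$card" "$seen" || { echo "fingerprint mismatch: do not sign or trust this key" >&2; return 1; }

  # 5. Bob signs Alice's key with an exportable signature (the article's
  #    "disable Sign local only"; --quick-lsign-key would be the local-only form)
  #    and raises ownertrust from None to full (value 5 in ownertrust format).
  gpg_as "$bob" "bob passphrase" --quick-sign-key "$seen" || return 1
  printf '%s:5:\n' "$seen" | gpg_as "$bob" "" --import-ownertrust || return 1

  # 6. Bob encrypts to Alice's public key and signs with his own secret key.
  printf 'Constructed sample message.\n' > "$work/msg.txt"
  gpg_as "$bob" "bob passphrase" --armor --local-user bob@example.invalid --recipient alice@example.invalid \
    --sign --encrypt --output "$work/msg.asc" "$work/msg.txt" || return 1

  # 7. Alice needs Bob's public key to check who sent it, then decrypts.
  #    GOODSIG on the status channel is the machine-readable signature check.
  gpg_as "$bob" "" --armor --export bob@example.invalid > "$work/bob.asc" || return 1
  gpg_as "$alice" "" --import "$work/bob.asc" || return 1
  gpg_as "$alice" "alice passphrase" --status-fd 1 --output "$work/msg.dec" --decrypt "$work/msg.asc" \
    | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
  cmp -s "$work/msg.txt" "$work/msg.dec" || return 1

  GNUPGHOME="$alice" gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$bob" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  return 0
}

if command -v gpg >/dev/null 2>&1; then
  pgp_roundtrip
  echo "encrypt/sign/decrypt round trip OK"
else
  echo "gpg not installed; only the fingerprint helpers are usable" >&2
fi
```

Run it as a normal shell script. In Alice's keyring Bob's key has not yet been signed or trusted, so gpg still prints a "not certified" warning on decrypt even though the signature itself is reported as GOODSIG; a real exchange repeats steps 4 and 5 in the other direction, which is the telephone fingerprint check the paragraph above describes.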
This is only an introduction to using GnuPG in a Windows environment, but it should get you started using PGP as part of your regular toolbox for securing your data both on and off your network. PGP is not the silver bullet for ending all possible information leaks, but it will help you do what none of the other popular encryption technologies can even pretend to do: protect your data sitting on someone else’s computer. The Achilles’ heel of all encryption products is still human error. Once that encrypted data is on someone else’s system, you are trusting that person not to decrypt it and send it on, or store it in an insecure fashion. Unfortunately, there is not yet software to correct human behavior, but as soon as there is, I will be writing an article on how to use it.