GETTING STARTED WITH PGP

Mark Swearingen

mark@ephesus.com

Created Thursday 2000 January 27

Here is a step-by-step guide that will get you started using PGP.  (This is written for Microsoft Windows 95/98/NT users, but the general steps are applicable to others as well.)

You may wish to print out this guide in order to follow along as you perform each of the steps.
  1. Understand the basics of encryption.  If you haven't done so already, you might first wish to get an overall understanding of encryption concepts by reading my essays What Is Encryption? and Why Use Encryption?


  2. Download PGP.  There is a freeware version of PGP available for personal use.  My page Where to Download PGP lists the domestic and international web sites from which you may legally obtain a free copy of the program.  You will have to choose the correct version for your operating system.  When you click on the final link to download the self-installing executable file, you will be prompted to specify a directory in which to save it.  I recommend that you create a directory named C:\Install\PGP for this purpose.


  3. Install PGP.  After you have downloaded the self-installing executable file, use File Manager or Windows Explorer to find the directory where you saved it.  Double-click the file to begin the installation process.  You will be prompted to specify a directory in which to install the PGP program.  I recommend C:\Programs\PGP, or you may use the directory that the installation program suggests.

    After installing PGP, you will have a new folder under your Start -> Programs menu named Pretty Good Privacy.  You will also have a new PGPtray icon at the bottom-right corner of your taskbar, next to the clock.  You may wish to skim through the user's guide or the help topics to get an idea of how the program works.


  4. Download and install an e-mail program with a PGP plug-in.  There are "plug-ins" available for PGP which allow it to integrate seamlessly with most standard e-mail programs.  Although it is possible to use PGP with web-based e-mail, it is more complicated, since it requires cutting and pasting messages by hand in order to encrypt and decrypt them.

    Therefore, if you are currently using a web-based e-mail system such as Hotmail or Yahoo, I would recommend switching to a locally-installed e-mail program such as Eudora, Pegasus or Outlook Express.  The difference is that with a web-based system, all your e-mail is stored on the web server and you have access to it only when you are connected to the Internet; whereas with an e-mail program that is locally installed on your computer's hard disk (sometimes called an e-mail "client" program), your messages are also stored on your hard disk.  You still must log in to your ISP to retrieve any new messages you may have received, but once you do, they remain on your hard disk until you delete them.  This means that you may read messages and compose replies even while you are off-line, and also that you can use PGP with a convenient e-mail plug-in.

    There are a number of e-mail programs you can download from the web, many of them for free.  If you don't already have one, I recommend Eudora Light.  Or you can browse the lists of e-mail clients indexed at Yahoo or TUCOWS (The Ultimate Collection Of Winsock Software).  For maximum portability, I recommend choosing a program that works with Windows NT, since these will also work with Windows 95/98/2000.  Make sure, of course, that there is a PGP plug-in available for it!  Whichever e-mail client you choose, you will have to download and install it just as you did with PGP in the previous two steps.


  5. Create a directory to store your keyring files.  Your "keyring" files contain all of the public and private keys you have created or received from other people.  By default PGP stores these files in the PGP program directory.  However, for ease of backup, and so that reinstalling or upgrading the program cannot overwrite them, it is preferable to store these files in a subdirectory of your own.

    If you have a second disk drive that you use for storing your personal files, you might create a directory based on your username, such as D:\Users\Amy\Keys\ or you may create a similar directory on your C: drive if you have only one disk.

    Then use File Manager or Windows Explorer to copy the original keyring files PubRing.pkr and SecRing.skr from the PGP program directory to your own personal Keys directory.  Do the same with the file RandSeed.bin.

    I also recommend that you rename the two keyring files in your own personal directory so that they are uniquely identified as yours, for example: PubRing.Swearingen.pkr and SecRing.Swearingen.skr.


  6. Configure PGP.  From the Start -> Programs -> Pretty Good Privacy folder, run the PGPkeys program.  There are certain program settings which you may customize by choosing Edit -> Preferences... from the program menu.  I recommend the following settings.  (In what follows, [x] indicates that a checkbox should be turned on.)

    On the General tab:

    [x] Always encrypt to default key.  This will make it so that you can later decrypt your own messages that you encrypt and send.  Keep in mind that when you encrypt a message to a public key, only the holder of the corresponding private key can decrypt the message.  That means that if you encrypt a message only to your recipient's public key, you yourself will not be able to decrypt the message later!  Therefore, you should always encrypt to your own public key as well as to the public keys of each intended recipient.

    [x] Cache decryption passphrases for [01:00:00] (1 hour)
    [x] Cache signing passphrases for [01:00:00] (1 hour)

    This means that if it has been 1 hour or less since the last time you signed or decrypted a message, you will not have to type your passphrase again.

    NOTE!  I recommend this only if you are using Windows NT and have a password-protected screen saver that is automatically activated after a few minutes of inactivity.  To configure your screen saver, right-click on a blank area of the screen and select Properties -> Screen Saver.  Make sure the Password protected checkbox is turned on.  I recommend a Wait time of 2-7 minutes.

    If you do not have Windows NT or you do not use a password-protected screen saver, then I suggest caching your passphrases for only 00:02:00 (2 minutes).

    On the Files tab:

    Change the path and file specifications for the public keyring file, the private keyring file and the random seed file so that each one points to the appropriate file that you copied to your own personal directory in the preceding step.

    On the Email tab:

    [x] Word wrap clear-signed messages at column [77].  It is better to have PGP word-wrap your messages instead of letting your mail program do it.  A PGP signature covers the text exactly as it stood when it was signed, line breaks included, so if your mail program wraps the text after PGP has signed or encrypted it, the signed text has changed and it may not be possible to decrypt or verify the resulting message.  Therefore, you should also turn off the word wrap in the configuration parameters for your mail program.  (In Eudora this is done through Tools -> Options -> Sending Mail -> Word wrap.)

    [x] Sign new messages by default.  Even if you do not encrypt a message, you can still attach a digital signature to the plain-text message, which a recipient who holds a verified copy of your public key can use to determine whether or not your message was altered in transit.  I recommend signing all e-mail messages you send as a matter of policy, even when writing to people who do not use PGP and who therefore cannot readily verify your digital signature.  Signing all your messages allows you to demonstrate, if need be, that a message was or was not altered by someone after you signed it.  Appending a digital signature is also a way of informing people that you use PGP, and it can help raise the general level of awareness about encryption technology.


  7. Generate an encryption key.  One of the first things you will want to do after you have installed and configured PGP is to create for yourself a key pair, consisting of a public key and a private key, which you will need in order to encrypt and decrypt e-mail messages or files on your computer.

    From the PGPkeys program menu select Keys -> New Key... to start the "Key Generation Wizard."  You will be prompted to enter your name and e-mail address.

    On the next dialog box you will be asked for key size.  In general, I recommend making your key as long as the software will allow.  However, if you have an older computer, it may take many hours or even days to generate such a key.  In that case, you may wish to try a key length of 1,024 bits.  RSA Security Inc. recommends a minimum key length of 768 bits.  (That figure dates from when this guide was written; a 768-bit RSA modulus has since been factored publicly, so treat 1,024 bits as the floor and prefer longer.)

    Next you will be asked to specify an expiration date.  I recommend setting your key to expire in about 2-3 years and creating a new key, with a new passphrase, at that time.  That way if your private key or your passphrase is ever cracked in the future, the breach is limited to the period during which you used that key for new traffic.  Note what expiry does not do: anyone who obtains the old private key can still decrypt every message that was ever encrypted to it, so expiring a key does not retroactively protect mail already sent.  On the other hand, if you wish to avoid the hassle of creating a new key every few years, you may set the key so that it never expires.

    Now you must enter a "passphrase."  This is one of the most critical steps in guarding the security of your signed and encrypted data.  If you use a phrase consisting of English words, I recommend that you have at least 11 words in your phrase for adequate security.  Alternatively, you could make up a string of at least 23 mixed characters consisting of digits, symbols and UPPER- and lower-case letters.  For more detail please see my Passphrase Recommendations.


  8. Retrieve other peoples' public keys.  Before you can send someone an encrypted message, they must have PGP, and you must have their public key.  To get the public key of someone with whom you wish to correspond, see my page How To Retrieve PGP Public Keys.  If I'm the person you want to correspond with, please see Mark Swearingen's Public Keys.


  9. Post your own public key.  In order to make it easy for other people to get a copy of your public key, I recommend that you post your key to the PGP public key server.  In PGP for Windows, first highlight your key, then from the menu select Keys -> Send Key to Server and choose the default server listed first.  (You must be connected to the Internet when you do this.)  Alternatively, you can post your key using the e-mail interface explained in my page How To Retrieve PGP Public Keys.


  10. Verify key fingerprints.  It is important to confirm the authenticity of the keys you exchange: anyone can upload a key bearing any name and e-mail address to the key server, so a key's presence there proves nothing about who actually holds it.  Compare the fingerprint with your correspondent over a channel you trust, such as in person or by telephone.  This needs to be done only once with each of your correspondents before you begin using their key.  This procedure is explained in more detail in my page on Verifying Key Fingerprints.


  11. Sign/encrypt messages.  If you are using Eudora with the PGP plug-in, you will find four new buttons at the top of the "compose message" window, which appears whenever you are creating a new message or replying to a message.  These new buttons are: Launch PGPkeys, Use PGP/MIME, Encrypt Message, and Sign Message.  (If you hover your mouse briefly over each button, its "Tool Tip" text will appear.)

    The PGP/MIME, Encrypt and Sign buttons can be turned on or off for each message you send.  Whenever a new message is created, these buttons are initially set according to their defaults, which may be changed through PGP -> Preferences -> Email.  (As mentioned above, I recommend digitally signing all your e-mail and setting this to be the default.)  The setting of these buttons matters only at the time you actually send (or queue) your message.  Until then they may be turned on or off without effect.  Note that if you save a draft version of your message and exit from Eudora, the buttons will return to their default position the next time you start the program.  Therefore, you should be careful to note their position immediately before you actually send each message.

    If the Sign button is pressed at the time you send your message, you will be asked to enter your passphrase, and PGP will append a digital signature to your message before sending it.  If you send another signed message within the cache time, you will not have to type your passphrase again.

    If the Encrypt button is pressed at the time you send your message, you may be asked to choose which public keys in your keyring the message is to be encrypted to.  (In some cases your mail program may figure this out based on the message recipients without asking you to select their keys.)  It is not necessary to enter your passphrase when you encrypt a message, because you are using the public keys of your recipient(s), perhaps including your own public key, but you are not using your private key for this operation.


  12. Decrypt/verify messages.  If you are using Eudora with the PGP plug-in, you will find three new buttons at the top of the display window whenever you are viewing a message you have received: Decrypt/Verify Message, Extract Key and Launch PGPkeys.  (If you hover your mouse briefly over each button, its "Tool Tip" text will appear.)

    The Decrypt/Verify button can be pressed any time you are viewing a message that has been signed or encrypted with PGP.

    If the message you are viewing has been signed, then PGP will look for the signer's public key on your keyring in order to verify the signature.  If that key is not on your keyring the signature cannot be checked at all, and a signature made with a key whose fingerprint you have not verified (step 10) tells you only that it was made by whoever holds that key, not that the key belongs to the person it names.

    If the message has been encrypted to your public key, then you will be asked to enter the passphrase for your private key in order to decrypt it.  If you decrypt another message within the cache time, you will not have to type your passphrase again.

    NOTE!  When you decrypt or verify a message, PGP actually edits the contents of the message display window.  After either of these operations, you will note that the Edit message button in Eudora is depressed.  When you close the message window or exit Eudora, you will be asked whether you want to save the changes to the message.  If you save them, the decrypted plain text replaces the encrypted text in your mailbox file on disk, which defeats the purpose of having encrypted it.  For complete security of your encrypted e-mail, I recommend that you do not save these changes after viewing a message, but rather that you keep your encrypted and signed messages stored as you received them.  This means you would have to decrypt the message each time you wish to view it.

Congratulations!  That was a lot of work, but you may now send and receive digitally signed and encrypted e-mail, protecting yourself and those you communicate with from snooping, tampering, fraud and forgery.
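The word-wrap rule from step 6 is worth seeing in action.  The following Python script is an added example for this guide, not part of PGP or of the original page.  It models only the text canonicalization that PGP applies before signing a clear-signed message (trailing spaces and tabs removed from each line, CR LF line endings, as in RFC 2440) and stands in an HMAC over that canonical text for the real public-key signature, so that it runs with nothing but the standard library.  The sample message, the 77- and 72-column widths and the signing key are constructed for the example.

```python
import hashlib
import hmac
import textwrap

# Constructed stand-in for the signer's private key (example only).  A real
# clear signature is made with the signer's PGP private key; an HMAC key is
# used here so the script runs with the standard library alone.
SIGNING_KEY = b"example-signing-key, not a real PGP key"


def canonicalize(text: str) -> bytes:
    """Return the text in the form PGP actually signs for a clear-signed
    message (RFC 2440 text mode): trailing spaces and tabs are removed from
    every line and lines are joined with CR LF.  The line ending before the
    signature block is not part of the signed text.  Dash-escaping of lines
    that begin with '-' affects only the transmitted copy and is not modelled."""
    lines = text.splitlines()
    return "\r\n".join(line.rstrip(" \t") for line in lines).encode("utf-8")


def wrap(text: str, width: int) -> str:
    """Hard-wrap every paragraph at `width` columns, re-flowing existing
    line breaks, which is what a mail client's word-wrap option does."""
    paragraphs = text.split("\n\n")
    return "\n\n".join("\n".join(textwrap.wrap(p, width)) for p in paragraphs)


def sign(text: str) -> str:
    """Signature stand-in: HMAC-SHA256 over the canonical text."""
    return hmac.new(SIGNING_KEY, canonicalize(text), hashlib.sha256).hexdigest()


def verify(text: str, signature: str) -> bool:
    return hmac.compare_digest(sign(text), signature)


def demo() -> dict:
    """Sign a message wrapped at 77 columns, then check what survives."""
    # Constructed sample message: one paragraph long enough to need wrapping.
    body = ("Please send the revised contract by Friday. " * 4).strip()
    prepared = wrap(body, 77)          # PGP's own wrap, applied before signing
    sig = sign(prepared)
    return {
        "as_sent": verify(prepared, sig),
        # Transport changes that canonicalization absorbs:
        "crlf_line_endings": verify(prepared.replace("\n", "\r\n"), sig),
        "trailing_spaces_added": verify(prepared.replace("\n", "   \n"), sig),
        "rewrapped_at_same_width_77": verify(wrap(prepared, 77), sig),
        # Changes that break the signature:
        "rewrapped_at_72_by_mail_client": verify(wrap(prepared, 72), sig),
        "word_changed": verify(prepared.replace("Friday", "Monday"), sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'VERIFIED' if ok else 'BAD SIG ':8} {case}")
```

The two failing cases are the point: a mail program that re-flows the signed text at a different width alters the line breaks just as surely as editing a word does, while trailing whitespace and CR LF conversion, the changes mail transport commonly makes, are absorbed by canonicalization.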
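The passphrase figures in step 7 (at least 11 English words, or at least 23 mixed characters) rest on one piece of arithmetic: entropy is the number of independent random choices times log2 of the pool each choice is drawn from.  The following Python script is an added example for this guide, not part of PGP or of the original page.  It generates passphrases of both kinds with the secrets module, reports the entropy they actually carry, and compares the two recommendations.  It tries to read a system dictionary from /usr/share/dict/words (an assumed path) and otherwise falls back to a short constructed list, whose small size shows up honestly in the figure; the 20,000-word vocabulary used in compare_recommendations is an assumption, not a number from the page.

```python
import math
import secrets
import string

# Constructed fallback list, used only when no system dictionary is found.
FALLBACK_WORDS = [
    "anchor", "basket", "candle", "dragon", "eleven", "forest", "garden",
    "hammer", "island", "jacket", "kettle", "lantern", "marble", "needle",
    "orange", "pepper", "quartz", "rocket", "saddle", "tunnel", "umpire",
    "velvet", "walnut", "yellow", "zipper", "bridge", "cactus", "dolphin",
    "engine", "falcon", "glacier", "harbor",
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices: int, pool_size: int) -> float:
    """Entropy of `choices` independent, uniformly random picks from a pool
    of `pool_size` items.  Only uniform random selection earns this figure;
    a phrase you compose yourself carries far less."""
    return choices * math.log2(pool_size)


def load_words(path: str = "/usr/share/dict/words",
               min_len: int = 4, max_len: int = 8) -> list:
    """Load a word list from the (assumed) system dictionary path, keeping
    plain alphabetic words of a convenient length; fall back to the small
    constructed list if the file is missing or too short to be useful."""
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            words = sorted({w.strip().lower() for w in fh
                            if w.strip().isalpha()
                            and min_len <= len(w.strip()) <= max_len})
        if len(words) >= 1000:
            return words
    except OSError:
        pass
    return list(FALLBACK_WORDS)


def word_passphrase(n_words: int, words: list) -> tuple:
    """Diceware-style passphrase: n_words uniform picks from `words`."""
    phrase = " ".join(secrets.choice(words) for _ in range(n_words))
    return phrase, entropy_bits(n_words, len(words))


def char_passphrase(n_chars: int, alphabet: str = ALPHABET) -> tuple:
    """Random string of n_chars from the 94 printable non-space ASCII symbols."""
    phrase = "".join(secrets.choice(alphabet) for _ in range(n_chars))
    return phrase, entropy_bits(n_chars, len(alphabet))


def compare_recommendations(vocabulary: int = 20000) -> dict:
    """Entropy of the two recommendations in step 7, assuming the words are
    drawn uniformly from a vocabulary of the given size (an assumption)."""
    return {
        "11 words": entropy_bits(11, vocabulary),
        "23 mixed characters": entropy_bits(23, len(ALPHABET)),
    }


if __name__ == "__main__":
    words = load_words()
    for phrase, bits in (word_passphrase(11, words), char_passphrase(23)):
        print(f"{bits:6.1f} bits  {phrase}")
    for label, bits in compare_recommendations().items():
        print(f"{bits:6.1f} bits  {label}")
```

With a 20,000-word vocabulary the two recommendations come out within a few bits of each other (about 157 and 151 bits), which is why the page treats them as equivalent; with a smaller list such as the 32-word fallback, the same 11 words give only 55 bits, so the size of the pool matters as much as the count.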

Welcome to PGP!

