GETTING STARTED WITH PGP
Mark Swearingen
mark@ephesus.com
Created Thursday 2000 January 27
Here is a step-by-step guide that will get you started using PGP. (This is written for Microsoft Windows 95/98/NT users, but the general steps are applicable to others as well.) You may wish to print out this guide in order to follow along as you perform each of the steps.
C:\Install\PGP for this purpose.

C:\Programs\PGP, or you may use the directory that the installation program suggests.

After installing PGP, you will have a new folder under your Start -> Programs menu named Pretty Good Privacy. You will also have a new PGPtray icon at the bottom-right corner of your taskbar, next to the clock. You may wish to skim through the user's guide or the help topics to get an idea of how the program works.

Therefore, if you are currently using a web-based e-mail system such as Hotmail or Yahoo, I would recommend switching to a locally-installed e-mail program such as Eudora, Pegasus or Outlook Express. The difference is that with a web-based system, all your e-mail is stored on the web server and you have access to it only when you are connected to the Internet; whereas with an e-mail program that is locally installed on your computer's hard disk (sometimes called an e-mail "client" program), your messages are also stored on your hard disk. You still must log in to your ISP to retrieve any new messages you may have received, but once you do, they remain on your hard disk until you delete them. This means that you may read messages and compose replies even while you are off-line, and also that you can use PGP with a convenient e-mail plug-in.

There are a number of e-mail programs you can download from the web, many of them for free. If you don't already have one, I recommend Eudora Light. Or you can browse the lists of e-mail clients indexed at Yahoo or TUCOWS (The Ultimate Collection Of Winsock Software). For maximum portability, I recommend choosing a program that works with Windows NT, since these will also work with Windows 95/98/2000. Make sure, of course, that there is a PGP plug-in available for it! Whichever e-mail client you choose, you will have to download and install it just as you did with PGP in the previous two steps.

If you have a second disk drive that you use for storing your personal files, you might create a directory based on your username, such as D:\Users\Amy\Keys\, or you may create a similar directory on your C: drive if you have only one disk. Then use File Manager or Windows Explorer to copy the original keyring files PubRing.pkr and SecRing.skr from the PGP program directory to your own personal Keys directory. Do the same with the file RandSeed.bin. I also recommend that you rename the two keyring files in your own personal directory so that they are uniquely identified as yours, for example: PubRing.Swearingen.pkr and SecRing.Swearingen.skr.

On the General tab:

[x] Always encrypt to default key. This will make it so that you can later decrypt your own messages that you encrypt and send. Keep in mind that when you encrypt a message to a public key, only the holder of the corresponding private key can decrypt the message. That means that if you encrypt a message only to your recipient's public key, you yourself will not be able to decrypt the message later! Therefore, you should always encrypt to your own public key as well as to the public keys of each intended recipient.

[x] Cache decryption passphrases for [01:00:00] (1 hour)
[x] Cache signing passphrases for [01:00:00] (1 hour)

This means that if it has been 1 hour or less since the last time you signed or decrypted a message, you will not have to type your passphrase again. NOTE! I recommend this only if you are using Windows NT and have a password-protected screen saver that is automatically activated after a few minutes of inactivity. To configure your screen saver, right-click on a blank area of the screen and select Properties -> Screen Saver. Make sure the Password protected checkbox is turned on. I recommend a Wait time of 2-7 minutes. If you do not have Windows NT or you do not use a password-protected screen saver, then I suggest caching your passphrases for only 00:02:00 (2 minutes).

On the Files tab: Change the path and file specifications for the public keyring file, the private keyring file and the random seed file so that each one points to the appropriate file that you copied to your own personal directory in the preceding step.

On the Email tab:

[x] Word wrap clear-signed messages at column [77]. It is better to have PGP word-wrap your messages instead of letting your mail program do it, because if your mail program wraps the text after PGP has signed or encrypted it, then it may not be possible to decrypt or verify the resulting message.
Therefore, you should also turn off the word wrap in the configuration parameters for your mail program. (In Eudora this is done through Tools -> Options -> Sending Mail -> Word wrap.)

[x] Sign new messages by default. Even if you do not encrypt a message, you can still attach a digital signature to the plain-text message, which can be used to determine whether or not your message was altered in transit. I recommend signing all e-mail messages you send as a matter of policy, even when writing to people who do not use PGP and who therefore cannot readily verify your digital signature. Signing all your messages would allow you to demonstrate conclusively, if need be, that a message was or was not altered by someone after you sent it. Appending a digital signature is also a way of informing people that you use PGP, and it can help raise the general level of awareness about encryption technology.

From the PGPkeys program menu select Keys -> New Key... to start the "Key Generation Wizard." You will be prompted to enter your name and e-mail address. On the next dialog box you will be asked for key size. In general, I recommend making your key as long as the software will allow. However, if you have an older computer, it may take many hours or even days to generate such a key. In that case, you may wish to try a key length of 1,024 bits. RSA Security Inc. recommends a minimum key length of 768 bits. Next you will be asked to specify an expiration date. I recommend setting your key to expire in about 2-3 years and creating a new key with a new passphrase at that time. That way if your private key or your passphrase is ever cracked in the future, the security breach will be limited to the period of time during which you used the cracked key. When generating a new private key, you should also use a different passphrase. On the other hand, if you wish to avoid the hassle of creating a new key every few years, you may set the key so that it never expires.
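To show why wrapping text after PGP has clear-signed it breaks verification, here is an added example (not code from the guide or from PGP itself). It models the clear-signed text rules of RFC 4880 section 7.1: lines beginning with a dash are dash-escaped so they cannot collide with the signature armor line, and the signed hash is taken over the text with trailing spaces and tabs removed and lines joined by CRLF. SHA-256 stands in for the private-key signing step, the sample message is constructed, and the mail-client wrapping function is a simple model of a mail program's word wrap.

```python
import hashlib
import textwrap

# Constructed sample message (not from the original guide). The third line carries
# trailing spaces and the last line is longer than a typical mail-client wrap width.
MESSAGE = (
    "Hi Amy,\n"
    "- the keyring files are PubRing.pkr and SecRing.skr\n"
    "- copy RandSeed.bin too   \n"
    "This line is deliberately long enough that a mail client wrapping at 72 "
    "columns will split it into two pieces.\n"
)


def dash_escape(text: str) -> str:
    """Prefix each line that starts with '-' with '- ' (RFC 4880 section 7.1), so no
    body line can be mistaken for the '-----BEGIN PGP SIGNATURE-----' armor line."""
    return "".join(
        ("- " + line if line.startswith("-") else line) + "\n"
        for line in text.splitlines()
    )


def dash_unescape(text: str) -> str:
    """Undo dash_escape on the receiving side before showing the text to the reader."""
    return "".join(
        (line[2:] if line.startswith("- ") else line) + "\n"
        for line in text.splitlines()
    )


def canonical_form(text: str) -> bytes:
    """The bytes that are actually hashed for a clear-signed message: trailing spaces
    and tabs on each line are ignored and lines are joined with CRLF."""
    lines = [line.rstrip(" \t") for line in text.splitlines()]
    return "\r\n".join(lines).encode("utf-8")


def clearsign_digest(text: str) -> str:
    """Hex digest over the canonical form. Real PGP signs this hash with the private
    key; a bare SHA-256 stands in for that step here."""
    return hashlib.sha256(canonical_form(text)).hexdigest()


def verify(received_text: str, expected_digest: str) -> bool:
    """Verification succeeds only if the canonical form of what arrived is unchanged."""
    return clearsign_digest(received_text) == expected_digest


def mail_client_wrap(text: str, width: int) -> str:
    """Model of a mail program that word-wraps every line at `width` columns."""
    return "".join(
        (textwrap.fill(line, width) + "\n") if line else "\n"
        for line in text.splitlines()
    )


def wrap_after_signing_survives(width: int = 72) -> bool:
    """Sign first, then let the mail program wrap: does the signature still verify?"""
    digest = clearsign_digest(MESSAGE)
    return verify(mail_client_wrap(MESSAGE, width), digest)


def wrap_before_signing_survives(width: int = 72) -> bool:
    """Wrap first (as PGP's own word-wrap option does), then sign what was wrapped."""
    wrapped = mail_client_wrap(MESSAGE, width)
    return verify(wrapped, clearsign_digest(wrapped))


if __name__ == "__main__":
    print("sign then wrap verifies:", wrap_after_signing_survives())   # False
    print("wrap then sign verifies:", wrap_before_signing_survives())  # True
```

Trailing whitespace added by a relay is tolerated by design, which is why canonical_form strips it, but a line break inserted in the middle of a signed line changes the hashed bytes and the signature no longer matches. That is the failure the guide's "word wrap at column 77" setting prevents: PGP wraps first and signs the wrapped text.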
Now you must enter a "passphrase." This is one of the most critical steps in guarding the security of your signed and encrypted data. If you use a phrase consisting of English words, I recommend that you have at least 11 words in your phrase for adequate security. Alternatively, you could make up a string of at least 23 mixed characters consisting of digits, symbols and UPPER- and lower-case letters. For more detail please see my Passphrase Recommendations.

The PGP/MIME, Encrypt and Sign buttons can be turned on or off for each message you send. Whenever a new message is created, these buttons are initially set according to their defaults, which may be changed through PGP -> Preferences -> Email. (As mentioned above, I recommend digitally signing all your e-mail and setting this to be the default.) The setting of these buttons matters only at the time you actually send (or queue) your message. Until then they may be turned on or off without effect. Note that if you save a draft version of your message and exit from Eudora, the buttons will return to their default position the next time you start the program. Therefore, you should be careful to note their position immediately before you actually send each message.

If the Sign button is pressed at the time you send your message, you will be asked to enter your passphrase, and PGP will append a digital signature to your message before sending it. If you send another signed message within the cache time, you will not have to type your passphrase again. If the Encrypt button is pressed at the time you send your message, you may be asked to choose which public keys in your keyring the message is to be encrypted to. (In some cases your mail program may figure this out based on the message recipients without asking you to select their keys.)
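The guide's two passphrase recommendations (at least 11 words, or at least 23 mixed characters) can be compared by the entropy each yields. The following is an added example, not part of the guide, and it assumes the words are drawn uniformly at random from a 7776-word list (the size of a standard Diceware list) and the characters from the 94 printable ASCII symbols. The tiny WORD_LIST is constructed for illustration only; a real list would be the full 7776 words.

```python
import math
import secrets

# Constructed miniature word list for illustration. A real list (e.g. Diceware)
# has 7776 entries, which is the size assumed in compare_recommendations().
WORD_LIST = ["apple", "breeze", "cactus", "dragon", "ember", "fossil", "glacier", "harbor"]

# The 94 printable ASCII characters other than space: digits, letters, symbols.
PRINTABLE = "".join(chr(c) for c in range(33, 127))

DICEWARE_SIZE = 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a passphrase whose `length` elements are each chosen uniformly and
    independently from `alphabet_size` possibilities: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def elements_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of uniformly chosen elements that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def word_passphrase(words, count: int) -> str:
    """Pick `count` words with the OS CSPRNG (secrets), allowing repeats so every
    position is an independent uniform draw and the entropy formula holds."""
    return " ".join(secrets.choice(words) for _ in range(count))


def char_passphrase(length: int, alphabet: str = PRINTABLE) -> str:
    """Random string of `length` characters drawn uniformly from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_recommendations() -> dict:
    """Entropy (rounded to whole bits) of the guide's two recommendations under the
    uniform-random assumption stated in the lead-in."""
    return {
        "11 words": round(entropy_bits(DICEWARE_SIZE, 11)),
        "23 chars": round(entropy_bits(len(PRINTABLE), 23)),
    }


if __name__ == "__main__":
    print(compare_recommendations())               # {'11 words': 142, '23 chars': 151}
    print("words for 128 bits:", elements_needed(128, DICEWARE_SIZE))
    print("chars for 128 bits:", elements_needed(128, len(PRINTABLE)))
    print("sample (toy list):", word_passphrase(WORD_LIST, 11))
```

Both recommendations land in the same range (roughly 140 to 150 bits) only when every word or character is chosen at random. A grammatical English sentence of 11 words has far less entropy than 11 random list words, because each word is predictable from the ones before it, so the calculation is an upper bound on what a hand-made phrase gives.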
It is not necessary to enter your passphrase when you encrypt a message, because you are using the public keys of your recipient(s), perhaps including your own public key, but you are not using your private key for this operation.

The Decrypt/Verify button can be pressed any time you are viewing a message that has been signed or encrypted with PGP. If the message you are viewing has been signed, then PGP will look for the signer's public key on your keyring in order to verify the signature. If the message has been encrypted to your public key, then you will be asked to enter the passphrase for your private key in order to decrypt it. If you decrypt another message within the cache time, you will not have to type your passphrase again.

NOTE! When you decrypt or verify a message, PGP actually edits the contents of the message display window. After either of these operations, you will note that the Edit message button in Eudora is depressed. When you close the message window or exit Eudora, you will be asked whether you want to save the changes to the message. For complete security of your encrypted e-mail, I recommend that you do not save these changes after viewing a message, but rather that you keep your encrypted and signed messages stored as you received them. This means you would have to decrypt the message each time you wish to view it.

Welcome to PGP!