Encrypt your email with pgp

E-mailing is like sending a postcard: anyone who handles the e-mail on its way can read it. With pgp you make it a lot safer: the e-mail is encrypted, so that not just anyone can read along.

With pgp you encrypt your e-mail messages. In this masterclass we show you what pgp is exactly, how it works and how to set it up in your favorite mail client, such as Mozilla Thunderbird or Microsoft Office Outlook. Pgp is not limited to local mail clients: you can also use it in the browser and on your mobile, but that requires separate solutions and some extra work.

What is needed?

Getting started with pgp requires dedication. As you will see in this masterclass, you have to go through quite a few steps, and not only you: the person you want to exchange encrypted e-mail with does too. If the recipient doesn't use pgp, you can't send them an encrypted e-mail, because the e-mail is encrypted with the recipient's public key, and in that case there isn't one. You also have to install and configure a plug-in or extension for pgp support separately for each platform.

01 What is pgp?

Pgp stands for 'pretty good privacy' and offers privacy and authentication for digital communication. Pgp is not only used for e-mail: you can apply it to all kinds of digital communication, such as chat messages or files. PGP encryption combines two techniques: asymmetric and symmetric encryption. Asymmetric encryption works with a public key and a private key. If someone wants to send you a message, they need your public key: the content is encrypted with that public key.

Then the content can only be viewed by the person who holds the private key that belongs to that public key, and that is you. Each public key is associated with an e-mail address or user name. Asymmetric encryption is not efficient for large amounts of text, which is why pgp also uses symmetric encryption. Symmetric encryption simply means encrypting a piece of text with one key, comparable to a password. In pgp that key is called the session key, and it is in turn encrypted with the asymmetric encryption. Your mail client first decrypts the session key with your private key and then decrypts the content of the e-mail with the session key.
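The hybrid scheme described above, as an added example that is not part of the article: a shell script that uses the openssl command-line tool (assumed to be installed) to play both the sender and the recipient. The key pair, the message text and the file names are constructed for the demo. Pgp uses its own packet format rather than these openssl files, but the structure is the same: a fresh random session key, the body encrypted symmetrically with it, and the session key encrypted with the recipient's public key.

```shell
#!/bin/sh
# Added example (not from the article): the hybrid encryption pgp uses,
# spelled out with the openssl command-line tool. Everything here (key pair,
# message text, file names) is constructed for the demo.
set -eu

hybrid_demo() {
    work=$(mktemp -d)

    # --- recipient side, done once: the asymmetric key pair ---
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/private.pem" 2>/dev/null
    openssl pkey -in "$work/private.pem" -pubout -out "$work/public.pem"

    # --- sender side: needs only public.pem ---
    printf 'Meet at 10:00, bring the signed contract.\n' > "$work/message.txt"
    # 1. a fresh random session key, used for this one message only
    openssl rand -hex 32 > "$work/session.key"
    # 2. symmetric encryption of the (possibly large) body with the session key
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$work/session.key" \
        -in "$work/message.txt" -out "$work/body.enc"
    # 3. asymmetric encryption of the small session key with the public key
    openssl pkeyutl -encrypt -pubin -inkey "$work/public.pem" \
        -in "$work/session.key" -out "$work/session.enc"
    # what travels in the e-mail is body.enc plus session.enc; the clear
    # copies are removed here to make that visible
    rm "$work/message.txt" "$work/session.key"

    # --- recipient side: private key unlocks the session key, which unlocks the body ---
    openssl pkeyutl -decrypt -inkey "$work/private.pem" \
        -in "$work/session.enc" -out "$work/session.dec"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$work/session.dec" \
        -in "$work/body.enc" -out "$work/message.dec"

    result=$(cat "$work/message.dec")
    rm -rf "$work"
    printf '%s\n' "$result"
}

hybrid_demo
```

Note the asymmetry in what each side needs: the sender only ever touches public.pem, and the private key never leaves the recipient's machine. If the 2 kB session.enc is lost or tampered with, the body cannot be recovered even though body.enc is intact, which is exactly why a mail client must decrypt the session key first.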

02 Windows

In Windows you can easily get started with Gpg4Win. Download the program from www.gpg4win.org: press the big green button, click $0 if you don't want to donate anything and then click Download. Run the downloaded file and follow the installation steps, which are self-explanatory; the standard set of components is fine. We are now going to create our key pair first. Open Kleopatra from the Start menu and click File / New Certificate. The certificate wizard opens; click Create a personal OpenPGP key pair. Then enter your name and the e-mail address for which you want to use pgp, and click Next / Create Key.

Then enter a passphrase: this is simply a password that protects the private key, so that someone with access to your PC cannot read or use it. Choose a strong, secure password. Enter your passphrase again to confirm and click OK. In the white area you can type arbitrary text, which adds extra randomness to the key. Click Finish to close the window. For someone else to actually send you encrypted e-mail, you now have to send them your certificate: export your certificate (your public key) via File / Export Certificates and add the resulting asc file to an e-mail.

03 Certificate Revocation

It is important to have a so-called revocation certificate ready. If someone steals your identity by getting hold of your private key and public key, that person can impersonate you. Likewise, if you no longer remember the passphrase of your private key, it is best to revoke the key. A key cannot simply be deleted in OpenPGP: you use a revocation certificate for that. If your certificate is stolen, upload the revocation certificate to the OpenPGP server, after which your public key can no longer be used to encrypt e-mails. To create it, open the Windows Command Prompt and run the following command:

gpg --output revoke.asc --gen-revoke key-id

Replace key-id with the ID of your certificate. You can find it by right-clicking your certificate in Kleopatra, choosing Certificate Details and copying the value at Key ID. Press Y in the Command Prompt to confirm. Give a reason (you can simply select 0) and press Enter when asked for additional comments. You will then be asked for your passphrase, because the command needs access to your private key. The revocation file is now in the folder C:\Users\[username] and is called revoke.asc. Keep it in a safe place in case you ever need it.

04 Distribute certificate

One way to distribute your certificate is to e-mail it to everyone yourself: add the asc file to every mail, or copy the text from the asc file (it is simply a text file) into your signature. There is another way: you can upload your certificate to an OpenPGP server.

That way everyone can find your certificate and send you encrypted e-mail, and you do not have to send your public key to everyone yourself, because it is easy to find online. Anyone can set up an OpenPGP server, which is good, because you want your public key to be distributed as widely as possible. You choose yourself where you upload it. Select your certificate and click File / Export Certificates to Server. A message appears stating that you have not configured any OpenPGP servers yet; click Continue to use the default server, keys.gnupg.net. Click Continue again to upload your certificate.

Mail providers

If all this is too much trouble for you, you can also look at an encrypted mail provider. One such provider is ProtonMail, a mail provider with built-in pgp. The Swiss company offers both a free and a paid variant, and even ProtonMail itself cannot read your e-mail. An alternative is Hushmail: for fifty dollars a year you get 10 GB of storage and access to all apps, so you can also use it on your mobile. Hushmail also offers built-in OpenPGP protection.

At ProtonMail you set a password for the e-mail. The recipient then receives an e-mail with a link, where the password can be entered, after which the e-mail becomes visible. With Hushmail you ask the recipient a question that you both know the answer to; this encrypts your e-mail.

05 Decrypt received email

Now suppose someone sends you an encrypted e-mail message: you want to be able to decrypt it. Gpg4Win installs the GpgOL extension for Outlook by default, which works with Outlook 2003 up to and including version 2016. If you receive an encrypted e-mail, open it in a separate window, click GpgOL in the Ribbon and click Decrypt. Kleopatra decrypts the e-mail for you.
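The steps of sections 02 to 05 (create a key pair, export the public key, create a revocation certificate, encrypt and decrypt) performed with the gpg command-line tool that Gpg4Win installs alongside Kleopatra, as an added example that is not from the article. The same gpg commands work in the Windows Command Prompt with gpg.exe; here they are wrapped in a POSIX shell script so it can be run unattended. The user id demo@example.com, the empty passphrase, the message text and the throw-away GNUPGHOME are constructed for the demo; the key-server upload from section 04 is only mentioned in a comment and is not run.

```shell
#!/bin/sh
# Added example (not part of the article): sections 02-05 with the gpg CLI.
# Constructed for the demo: the user id, the empty passphrase (used only so
# the script runs unattended; use a strong one for a real key), the message,
# and a throw-away GNUPGHOME so your real keyring is never touched.
set -u

gpg_lifecycle_demo() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "skipped: gpg not installed"
        return 0
    fi
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    uid='Demo User <demo@example.com>'

    # 02: create the key pair (Kleopatra: File / New Certificate)
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$uid" default default never 2>/dev/null
    # the Key ID shown in Certificate Details is field 5 of the "pub" record
    keyid=$(gpg --batch --list-keys --with-colons "$uid" | awk -F: '/^pub/ {print $5; exit}')

    # 02/04: export the public key (File / Export Certificates); public.asc is
    # what you attach to a mail. Uploading it would be
    #   gpg --keyserver keys.gnupg.net --send-keys "$keyid"   (not run here)
    gpg --batch --armor --export "$keyid" > "$GNUPGHOME/public.asc"

    # 03: the article's --gen-revoke command; the four answers a user types
    # (y, reason 0, empty comment line, y) are fed through --command-fd.
    printf 'y\n0\n\ny\n' | gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --command-fd 0 --output "$GNUPGHOME/revoke.asc" --gen-revoke "$keyid" >/dev/null 2>&1

    # 05: encrypt to the public key, decrypt with the private key
    printf 'hello from the demo\n' > "$GNUPGHOME/msg.txt"
    gpg --batch --quiet --trust-model always --recipient "$keyid" \
        --output "$GNUPGHOME/msg.gpg" --encrypt "$GNUPGHOME/msg.txt"
    plain=$(gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$GNUPGHOME/msg.gpg" 2>/dev/null)

    # both exported files are ASCII-armored "PUBLIC KEY BLOCK"s; the
    # revocation certificate carries a comment saying what it is
    have_pub=$(grep -c 'BEGIN PGP PUBLIC KEY BLOCK' "$GNUPGHOME/public.asc")
    have_rev=$(grep -c 'BEGIN PGP PUBLIC KEY BLOCK' "$GNUPGHOME/revoke.asc" 2>/dev/null || echo 0)

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
    echo "public key exported: $have_pub, revocation certificate: $have_rev, decrypted: $plain"
}

gpg_lifecycle_demo
```

Two things worth knowing when you do this for real: gpg 2.1 and later already write a revocation certificate into openpgp-revocs.d inside your GNUPGHOME when a key is created, so the --gen-revoke step produces a second copy you can store elsewhere; and revoke.asc is as sensitive as it is useful, because anyone who can upload it can make your public key unusable, so keep it offline rather than next to the private key.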
