69. Everybody's got secrets:
Encrypting your email with GPG,
Part One of Two
By Andrew D. Wright
We all have secrets. Sometimes you need to email something secret -
sensitive business information, bank account number to the kids, love
note, etc. - and email is insecure. Welcome to the hidden world of
cryptography.
In this two part column, we'll show you how to set up secure email using
the free Open Source software Gnu Privacy Guard (GPG) to create a Public
Key and a Secret Key for you. Someone sending you a message would encrypt
or scramble it using your Public Key, which you give to them by sending it
to them, putting it on a website or using GPG to send your Public Key to a
keyserver, where it can be searched for by everyone.
Your Secret Key is the only thing that can decrypt or unscramble anything
encrypted with your Public Key. You keep this key safe and do not give it
out to anyone. What we are calling keys are in fact long, randomly
generated numbers. The only known way to break the code is to try guessing
every possible combination of numbers until the right one is found. This
is virtually impossible to do with any known present-day computer
technology.
Installing GPG is easy. Go to the GPG download page and get the program.
Windows users select the Windows binary. It has a graphical interface and
straightforward installation. GPG is a command line program. Once GPG is
installed, add a line in C:\AUTOEXEC.BAT to make a path to the GPG program
directory:
PATH=C:\PROGRA~1\GNU\GNUPG;
Save, reboot and you'll be able to use GPG from any command window or DOS
prompt. To start, check that GPG has been installed correctly. Open a
Command Prompt or MS-DOS Prompt and type:
gpg --version
then hit Enter. Note the space and the two dashes before the command to
GPG. You'll see information about the program appear. To generate your
keys, type:
gpg --gen-key
When asked what type of key you want, select 1 for the default choice and
hit Enter.
For key size, hit Enter for default 2048 bit. 4096 is even better but will
take longer to generate. Select the expiry time for your key and confirm
it with y for yes. The expiry time is how long this key is good for.
For User ID, the example given is misleading. When the real name prompt
comes up, just type in your own real name with no quotes then hit Enter.
When prompted for your email address, put it in without angle brackets. A
third prompt for a comment is where you can add a nickname or description.
These three pieces of information are used to generate the User ID for
your keys. You're given an opportunity to change any of these details
before they are made final. Look carefully to make sure there are no
errors then hit o for ok to proceed and hit Enter.
Finally it will ask for a pass phrase to protect your Secret Key. Choose
this very carefully and use letters, numbers and symbol keys to make it as
secure as possible. It should be as long as is practical for you to
remember and use. You will need this pass phrase to use your Secret Key
and if you lose it you can never access your encrypted data.
GPG will now generate random keys for you. While each of your keys is
being generated, you should move the mouse and hit different keys on your
keyboard to create as much randomness as possible. Generating a random
number for your keys can take up to several minutes so pace yourself with
the movements or you'll run out of steam too soon.
Next column we'll show you how to use GPG
and how to set it up so it can
encrypt and decrypt email messages with a push of a button.
GPG download (free)
http://www.gnupg.org/
The Mousepad runs every two weeks. It's a service of Chebucto Community
Net, a community-owned Internet provider. If you have a question about
computing, email mousepad@chebucto.ns.ca. If we use your question in
a column, we'll send you a free mousepad.
Originally published 2 October 2005
