Help Key: How to protect your webmail with GnuPG and FireGPG

Encryption scares a lot of people – me included – because it’s based on really complicated mathematics. Thankfully, the state of encryption software has advanced sufficiently in the last couple of years that it’s pretty easy for laypeople like us to take advantage of the protection it offers. Just like you don’t shop online without a secured HTTPS connection, you really ought not engage in private conversations online without encrypting your messages. When you encrypt your messages, you don’t need to worry so much about a college kid hacking into your Yahoo! account when you’re appointed to some high office: sure, they might get into your account, but the contents of your messages are still protected. And in this age of cloud computing, when we’re never entirely sure where any particular bit of our data might be, nor who might have access to it, encryption starts to look even more attractive.

I recommend GnuPG, the GNU Privacy Guard, the free (as in speech) implementation of the Pretty Good Privacy standard developed by Phil Zimmerman, and the FireGPG add-on for Mozilla Firefox. The great thing about this combo is that it works on GNU/Linux, Mac OSX and Windows. GnuPG uses a public key infrastructure, which takes two keys to properly encrypt anything. One key is public, which you give to everyone and anyone. The other key is private, which you must absolutely keep protected: if your private key is ever compromised, then your encrypted messages might as well be posted to Wikileaks for the world to see. Folks use your public key to encrypt a message that only you can decrypt. You use your private key to do that decrypting.

You can also use your private key to mathematically prove that you generated a message that was encrypted to someone else. Your private key is used to make something that only your public key can verify, and thus the recipient, who has a copy of your public key, knows that you sent it. There’s a whole “web of trust” involved in GnuPG’s public key infrastructure which I’m not going to cover now. You should definitely read up on the matter, though, to know how to maximimze your use of the tool.

First, download and install GnuPG. It’s a command-line tool, and a shortcoming of the installer is that it doesn’t add the GnuPG directory to your path, so you should do that now: right click My Computer, click Properties, select Advanced, click the “Environment Variables” button, highlight the PATH variable, click the Edit button, and add at the end something like this: “C:\Program Files (x86)\GNU\GnuPG”. If you’re using a 32-bit version of Windows, don’t include the ” (x86)” portion. Click OK. Let’s make sure that was done correctly: start a command prompt (Start -> Run -> “cmd”) and type “gpg –help”. GnuPG should spit out a lot of text explaining how to use its various features.

Now that GnuPG is installed, you need to generate private and public keys. This is easy. As mentioned above, your private key truly is the key to your encryption kingdom, and needs to be protected. GnuPG helps by encrypting your private key with a passphrase of your choosing. Whenever the private key is accessed, you’ll be prompted to unlock it by typing in your passphrase. You must absolutely not use as your passphrase any password you use anywhere else. I generally recommend that folks use a sentence, rather than a password: sentences are reasonably complex, in that they start with a capital letter, have lower case letters, and end in punctuation. If you can toss in a digit or two into that sentence somewhere, you have a pretty complex password. John Biggs would probably use a haiku, and that’s fine, too. Please don’t use a line from your favorite song, or poem, or television sitcom. Please don’t use a phrase you’re fond of saying out loud. Your passphrase really does need to be something absolutely private.

So, on to generating keys! From the command line, type “gpg --gen-key“. Select the default value of “DSA and Elgamal”. Next select how many bits you want in your key. The more bits there are, in theory, the more effort will be required to crack your key. The default value is 2048, and that seems pretty reasonable to me. Bigger keys means more work for your CPU, and although that’s not a big deal in this age of quad-core desktop PCs, I haven’t had anyone explain to me that a 4096 bit key is demonstrably better than a 2048 bit key. As an extra level of protection, you can set an expiration date for your key. This has a couple of nice benefits, and some real gotchas to keep in mind. An expired key is, effectively, worthless. Anything encrypted with that expired key becomes unlockable after the expiration date. This might be fine if you’re encrypting incriminating evidence, but it might be a real pain if you’re encrypting information you might want to later decrypt — say, an email you need to reference some years down the road. I generally elect not to assign an expiration date on my keys, but your circumstances might suggest otherwise. Next you need to enter some identifying information about the owner of this key (that is, you). Specifically you need to supply a name and an email address, and optionally a comment. Next you’re prompted for the passphrase for your private key. Remember, pick a good, strong passphrase. When everything is done, GnuPG will execute a complex mathematical operation looking for gigantic prime numbers. This will take a short while. When it’s all done, you’ll see the details of your key printed.

So now you have a public and a private key pair. On Windows XP, the files live in “C:\Documents and Settings\username\Application Data\gnupg”, and in Vista they should live in C:\Users\username\gnupg. You should back up your private key to a CD or USB stick, seal it in an envelope, and then deposit it into your safe deposit box. If you lose your private key, you will be unable to decrypt anything sent to you. You should keep your private key safe, and private. As is often the case with computer security, physical access trumps most software protection measures. If your computer is stolen, your private key should be considered compromised: an attacker has all the time in the world to now execute brute force attacks against the passphrase protecting your private key. If you want to be extra sneaky with your private key, you can relocate the GnuPG directory (I recommend C:\Windows\Help — who looks in there for anything?), and reference the new location from the registry or even from the command line. That, plus the strong passphrase you selected for your private key, should help protect it, but in reality a lost or stolen private key should be considered compromised, and revoked.

With your private key safe, and your computer under your control, you’re ready to start sending and receiving encrypted emails. To receive encrypted emails, you need to get your public key to those folks who send you email; and to send encrypted emails you need to get the public keys from your recipients. Ideally, the key exchange should take place in person, so that you know that the key you receive really does belong to that individual: it’s actually pretty easy to perform a man-in-the-middle attack on public key transfers, such that you think you’re getting a friend’s public key but in reality you end up getting Joe Hacker’s public key. Then, whenever you go to encrypt something to your friend, it gets encrypted to Joe Hacker’s public key: your friend can’t decrypt it and Joe Hacker can. You can post your public key on your website, or simply email it to your intended recipients, which is probably good enough to get you started. You can also use keyservers like to look for someone’s key.

GnuPG is a command line program, which means that you need to type a bunch of commands to import new public keys, or manually feed it a text file to encrypt or decrypt. That gets pretty old pretty quickly. This is where FireGPG comes in. Install the add-on to your Firefox installation, and it’ll allow you to do most of your GnuPG tasks from a comfortable point-and-click GUI. FireGPG has a few options to set, most of which you won’t need to adjust.

Now that you have FireGPG installed, you can send yourself a test encrypted message. Using any webmail – GMail, Yahoo, Hotmail, whatever – prepare your message as you normally do. When you’re done composing the body of your message, highlight the whole thing (control + A) and right-click the selection. From the FireGPG menu, select “Encrypt”.

A window will pop up listing all of the public keys you have. Since you’re just getting started, the only public key in the list should be your own. Select your key and click OK.

Notice how the body of your message has been replaced by an indecipherable block of letters and numbers!

It’s important that you only encrypt your message when you’re actually done composing it, because it’s hard to fix a typo in that block of ciphertext.

Click send, and then check your mail. Open up the encrypted message that should now be sitting in your Inbox.

Highlight the text, right click it, select the FireGPG menu, and click Decrypt.

You’re now prompted for your private key’s passphrase.

Key it in, and click OK. A new window pops up with the plaintext contents of the message you just sent.

Congratulations: you’ve just encrypted and decrypted your first message! Remember, encryption is not a cure-all for privacy, and it requires a fair bit of diligence on your part to make it work correctly: you need to keep your private key secure, you need to verify the identity of the people who’s public keys you acquire, and you still need to use common sense when sending something that could be damaging to your future career plans.