Open source software security

PGP on Windows Tutorial

March 13, 2002

This is a simple article I wrote for a client giving a step by step how-to for use of PGP tools. Drop me a mail if you have any questions.

To install PGP on a Windows PC, first download the program from any one of its locations. PGP freeware can be downloaded from: http://www.pgpi.org/products/pgp/versions/freeware/. Simply click on the version of PGP you wish to install, or alternatively I have PGP FreeWare Version 7 (old) for Windows in my downloads directory.

Select 'save the file to disk' to begin the download.

The easiest location to save the install program to is your 'Desktop'.

Follow the instructions for downloading the .zip file. Once the file is downloaded, double click on it to decompress the archive.

WinZip is well suited to this task (WinZip can be downloaded from http://www.winzip.com). Once the file is unzipped, double click the '.exe' file; this launches an install wizard that will guide you through the rest of the process. If the download site publishes a checksum or signature for the installer, check it before you run anything: you are about to trust this program with your private key.

The first step to using PGP is to generate a key pair. The install wizard will prompt you to create a new key pair and ask where to save it. Save the key pair either in your PGP folder (by default on your C: drive) or in your 'My Documents' folder. Keep a backup of the key files somewhere safe: if the private key is lost, nothing that was encrypted to it can ever be read again.

A key pair is a set of two keys used for encrypting and decrypting documents: a public key and a private key. Think of the public key as instructions for encrypting documents so that only your private key can decrypt them. Or think of your private key as a German-speaking person and your public key as a German-English dictionary: anyone who wants to send you encrypted messages needs your public key so they can translate their documents into the German that your private key understands. Thus, if you want people to send you encrypted documents, they MUST have *your* public key, and vice versa. NEVER give away your private key. It is the secret one; the passphrase is a second line of defence if someone gets hold of the key file, but anyone who has a copy of that file can sit and try passphrases offline for as long as they like, so a stolen private key with a weak passphrase is as good as no protection at all.

Your public key is stored alongside your private key in your keyring. It is derived from the private key when the pair is generated and does not depend on your passphrase; the passphrase only encrypts the private key on disk. If you lose the exported copy of your public key, simply export it again from PGPkeys: it is the same key, so nobody needs a new copy. Only if you lose the private key itself (or forget its passphrase) must you generate a new pair and redistribute the new public key to people so they can send you encrypted messages.

Your private key is protected by a passphrase, so choose a good one. Your passphrase should be a phrase that only you know. It should never be based on your name, any other password, or anything that can be attributed to you personally (birth date, social security number, etc.), and should include letters, numbers and at least one symbol (!, ?, }, etc.). Length matters most: a long phrase of several unrelated words beats a short scrambled password, because anyone who copies your key file can test guesses against it offline without limit.

Do NOT write your passphrase down.

Once you have PGP installed you will see a PGP tools icon in the system tray at the lower right hand corner of your screen (it looks like a padlock). You can click or right click on this icon to launch your PGP tools (to manage keys, etc.).

You will need your PGP tools when someone sends you their public key (which you will use to encrypt messages to that person). The public key will usually arrive as an e-mail attachment. You can usually simply double click on the key and PGP tools will open automatically; sometimes, however, you may have to save the key to your computer and 'Import' it into your PGP keyring from PGP tools. When you add someone else's public key to your keyring you then have to tell PGP that you have checked the key really belongs to that person. This process is called 'Signing', and PGP only marks a key as valid once it has been signed by you (or by someone whose signatures you trust). Do the check first: open the key's properties in PGPkeys, read its fingerprint (the string of hex digits) to the owner over the phone or compare it in person, and only sign if every group matches. An e-mail attachment on its own proves nothing, since anyone can generate a key with someone else's name on it, and signing a key you have not checked simply tells PGP to trust an impostor. To sign a key, open your PGP tools (right click on the padlock in your system tray and select 'PGP Keys') and view your keyring; you'll see a list of keys, each with a little plus sign you can click to expand the details of the key. Select the key you want (click it), then right click it to get a pop-up menu and select 'Sign'. Once the key is signed you can use it!
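The key-pair facts above (the public key is recoverable from the private key, the passphrase only guards the private key at rest and can be guessed offline if it is weak, and only the owner's private key decrypts what was encrypted to their public key) and the fingerprint check before signing are easier to see in code. The following Python is an added illustration, not part of the original article and not PGP's own code: it uses textbook RSA with a toy 64-bit modulus, an assumed SHA-1 fingerprint layout (real OpenPGP hashes the key packet), a toy HMAC-based wrapping of the private exponent in place of PGP's cipher, and a constructed wordlist and passphrases. It must never be used to protect anything.

```python
import hashlib
import hmac
import math
import secrets

def _is_probable_prime(n, rounds=16):
    # Miller-Rabin; adequate for the toy-sized primes used here
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=64):
    """Toy RSA pair: the private key carries (n, e), so the public key is always
    recoverable from it and never depends on the passphrase."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    private = {"n": p * q, "e": e, "d": pow(e, -1, phi)}
    return private, public_key_of(private)

def public_key_of(private):
    """'Export' the public half, as PGPkeys does without 'Include Private Key(s)'."""
    return {"n": private["n"], "e": private["e"]}

def fingerprint(public):
    """SHA-1 over the public key material, grouped in fours like PGPkeys shows it
    (assumed layout; real OpenPGP hashes the key packet, not this encoding)."""
    raw = public["n"].to_bytes(16, "big") + public["e"].to_bytes(4, "big")
    hexd = hashlib.sha1(raw).hexdigest().upper()
    return " ".join(hexd[i:i + 4] for i in range(0, 40, 4))

def encrypt_session_key(public, session_key):
    # PGP encrypts the message under a random session key and that key under the
    # recipient's public key; this is the second step
    return pow(int.from_bytes(session_key, "big"), public["e"], public["n"])

def decrypt_session_key(private, ciphertext, length=6):
    m = pow(ciphertext, private["d"], private["n"])
    return m.to_bytes(max(length, (m.bit_length() + 7) // 8), "big")

def _wrap_key(passphrase, salt, iterations):
    # passphrase -> stretched key -> 16-byte pad for d (toy stand-in for PGP's cipher)
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)
    return k, hmac.new(k, b"pad", hashlib.sha256).digest()[:16]

def protect_private_key(private, passphrase, iterations=20_000):
    """Store the key like a secret keyring: n and e in clear, d encrypted under the passphrase."""
    salt = secrets.token_bytes(16)
    k, pad = _wrap_key(passphrase, salt, iterations)
    wrapped = bytes(a ^ b for a, b in zip(private["d"].to_bytes(16, "big"), pad))
    return {"n": private["n"], "e": private["e"], "salt": salt, "iterations": iterations,
            "wrapped_d": wrapped, "tag": hmac.new(k, wrapped, hashlib.sha256).digest()}

def unlock_private_key(blob, passphrase):
    """Return the private key, or None when the passphrase is wrong."""
    k, pad = _wrap_key(passphrase, blob["salt"], blob["iterations"])
    if not hmac.compare_digest(hmac.new(k, blob["wrapped_d"], hashlib.sha256).digest(), blob["tag"]):
        return None
    d = bytes(a ^ b for a, b in zip(blob["wrapped_d"], pad))
    return {"n": blob["n"], "e": blob["e"], "d": int.from_bytes(d, "big")}

def guess_passphrase(stolen_blob, wordlist):
    # what someone who copied your secret keyring does next: guess offline, with no lockout
    return next((g for g in wordlist if unlock_private_key(stolen_blob, g) is not None), None)

def demo():
    """Run the tutorial's claims end to end and return what was observed."""
    priv, pub = generate_keypair()
    other_priv, other_pub = generate_keypair()          # another user, or an impostor
    session_key = secrets.token_bytes(6)
    ct = encrypt_session_key(pub, session_key)
    wordlist = ["password", "qwerty", "letmein", "pgp2002"]   # constructed guess list
    weak = protect_private_key(priv, "letmein", iterations=1000)
    strong = protect_private_key(priv, "Ich bin ein Berliner? 4 sure!", iterations=1000)
    return {
        "reexport_matches": fingerprint(public_key_of(priv)) == fingerprint(pub),
        "right_key_decrypts": decrypt_session_key(priv, ct) == session_key,
        "wrong_key_decrypts": decrypt_session_key(other_priv, ct) == session_key,
        "weak_guessed": guess_passphrase(weak, wordlist),
        "strong_guessed": guess_passphrase(strong, wordlist),
        "strong_unlocks": unlock_private_key(strong, "Ich bin ein Berliner? 4 sure!") == priv,
        "substituted_key_detected": fingerprint(other_pub) != fingerprint(pub),
    }
```

Two things to take from running `demo()`: re-exporting the public key from the private key gives back a key with the same fingerprint, so losing the exported copy never requires redistribution; and the "stolen keyring" is only as safe as the passphrase, because the attacker's guessing loop runs at full speed with nothing to stop it. The last entry is the check you perform by hand before signing: a key someone substituted for the real owner's has a different fingerprint, which is why you compare it with the owner out of band rather than trusting the name on the attachment.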

To use your PGP tools simply click on the PGP icon. PGPtools has all the options you should need.

To send an encrypted e-mail:

First send the e-mail's recipient a copy of your PGP public key as an attachment, so that they can reply to you encrypted, and ask for theirs in return: to encrypt a message to someone you need *their* public key on your keyring. Click on the PGPkeys button on PGPtools. This shows a list of all the keys currently in your 'keyring'.

Screenshot of PGP keyring

If you can't find your key or have not created one, select 'Generate New Keypair' from the PGPkeys options. Make sure to save your public key where you can find it. If you can't find your public key, simply right click on your key in PGPkeys and select 'Export', then export it to a new location. Unless you tick 'Include Private Key(s)' only your public key is exported; leave that box unticked whenever the exported file is going to anyone else.

Screenshot of exporting keys

Once you have exchanged public keys with your recipient (they have yours, and you have imported and signed theirs) you can encrypt an e-mail in one of two ways. You can either compose a document, encrypt it and add it as an attachment to your e-mail, or, if you have a compatible e-mail client, you can use the plug-in.

To encrypt a document, simply right click on the document, select PGP and then 'Encrypt' (as shown above), and choose the recipient's public key. Make sure to check the 'Wipe Original' option to remove the unencrypted document. To decrypt an encrypted document, simply double click it and you will be prompted for a passphrase: the passphrase of the private key the document was encrypted to, or, if 'Conventional Encryption' (a passphrase instead of a key) was chosen when encrypting, the passphrase set for that particular document. Wiping the original is important since simply deleting a file won't remove its contents from your hard drive; deleted data stays on the disk until it is overwritten. Note that the wipe covers only the file itself, not copies an application may have left behind in temporary files or the swap file.

To encrypt an e-mail using Outlook or Outlook Express, simply compose the e-mail, click the 'Encrypt before sending' button, then send the message as normal. After selecting this option you will be prompted to choose the public key(s) with which to encrypt your message. You must use the recipient's public key (the one they sent you), otherwise they will not be able to decrypt the message. PGP will remember your selection, so future messages to the same recipient shouldn't prompt you again. Note that a message encrypted only to the recipient's key is unreadable to you afterwards, even in your Sent folder; if you want to keep a readable copy, add your own key as a recipient as well (PGP has an option to always encrypt to your default key).

When you receive an encrypted message, to decrypt it simply double click on the message or attachment. Assuming the message was encrypted to your public key, you will be prompted for your passphrase; after you enter it the message or file is decrypted. If you have trouble decrypting a message, verify with the sender that they actually used your public key and not someone else's (or an old key of yours) by mistake.