A guide to setting up a Windows computer to use PGP.
These instructions assume that you're using Outlook Express. If you want to use Thunderbird, please visit gpg-windows.html
PGP stands for Pretty Good Privacy and is the most secure and reliable program for encryption and for digital signatures.
A PGP Key has two parts - the Public Key and the Private Key. The Public Key is uploaded onto the internet and is freely available to anyone. The Private Key is strictly confidential to the user.
When you send an encrypted message, you download the recipient's Public Key and use it to encode your message. The recipient can then reply by downloading your Public Key. The Windows program does this automatically for you. Either way, the Private Key stored in your computer decrypts the message so it can be read on the screen.
One word of advice. During the final part of the PGP Installation, you will be asked by the Wizard to enter a "Pass Phrase". The choice of your phrase is extremely important. This is used to unlock your secret key whenever PGP needs it, and to re-encrypt immediately after use. This is by far the weakest link in PGP and if anyone guesses it and gains entry to yout secret key, you lose all security. You use your Pass Phrase each time you encrypt or decrypt and it is something that has to be remembered. If you are not concerned about someone else "attacking" your computer, then settle on a mix of at least eight letters and characters that you can remember. If you are concerned about your computer's security, I can send you more specific advise about choosing a Pass Phrase.
Because Microsoft incorrectly assume that everyone uses their Outlook Express software, they have defined the default preferences to be rather wasteful in resources. So that emails can look nice to other Outlook users, they send a duplicate copy of each email message as an HTML attachment; so each message is sent twice, resulting in more expensive phone calls. Further, you have to make sure that Outlook is not sending emails in Base64 or some other coding, as this will affect the pgp encryption and decryption. So, follow these steps one by one:
The installation of PGP is via a download from the web. It is very simple and a Wizard takes you through all the stages. However, you have to know what options to configure on your machine, so follow these steps exactly and you'll have PGP running very quickly without any problems.
Make sure you have a zip utility loaded on your computer such as WinZip. If it's not there, you can download it free of charge from the web, or go to http://ipsoft.cjb.net and download "Power Archiver". You need this because the pgp download is in the form of a "zipped program"
PGP is now installed on your computer. The next stage is the generation and installation of your PGP Key
Start-Program-PGP-PGP Keys and follow the Generation Wizard, but note the following
The computer will then generate your numbers. When complete, click "NEXT".
Make sure "Send my key to the root server now" is not ticked, go to NEXT and then FINISH.
A window will come up called "PGPKeys" showing your new key. Click the right hand mouse button over your key and select "EXPORT". Click the box "Include Private Keys" and save the file to the Desktop so it is always accessable.
Now, this is very important. Put a formatted floppy disk in and copy the key file onto it. On most Windows programs, you'll be given this option. It means that whatever happens to the computer, you will always have a copy of your Private Key. <KEEP THIS DISK SOMEWHERE SAFE>
That's it!! Now you have PGP installed and you've got a PGP Key and you're ready to encrypt and decrypt emails. Before carrying on, it's a good idea to tidy the desktop, so you can move your PGP Zipfile and your zip utility to somewhere like My Documents.
Now you have PGP installed, the computer generates an icon on your system tray on the bottom right hand side. It looks like a padlock. All the functions of PGP - encrypting, decrypting, making and verifying signatures - are controlled from this icon. We'll go through each relevant function.
I am very dubious about uploading and downloading public keys from the web. I strongly encourage everyone to exchange public keys by email attachment, so after the sections on "UPLOADING YOUR PUBLIC KEY" and DOWNLOADING PUBLC KEYS", I have included a section on exchanging public keys by email. For those who insist on uploading and downloading public keys:
This is the step that was deferred on installation so you can carry it out here. Connect to the Web and click the right hand mouse button over the PGP icon. Select PGP Keys. Your PGP Key window comes up with several keys, and yours is in bold print. The other keys are those people who were associated with the writing and distribution of PGP. Put the mouse over your key and click the right hand button. Select "Send to" and then "Domain Server". Sit back and watch your Public Key being uploaded automatically.
As soon as possible, you have to notify each party when you have uploaded your Public Key. Simply start PGP Keys after connecting to the Web and select "Server" from the top of the PGP Keys window, and then select "Search". Type in the email address of whoevers Public Key you are trying to locate, hit the "GO" button and their key will appear in the main search window. Select import to local key ring, and that's it!! Close the search window and look in the main PGP Keys List. You'll see the one you have downloaded and you can use this at any time. This is repeated for each party you want to be in contact with using encypted mail.
The problem with using the web to download public keys is that the particular key might be redundant. It is a simple operation to exchange public keys by email and is recommended strongly as against downloading from the web.
This is what it is all about and where our whole direction is going to. At all times, we're going to use one command on the PGP Tray Icon - the 'Current Window' command. If you click the right hand mouse button over the icon and go to "Current Window", you'll see four commands come up - 'Decrypt & Verify', 'Encrypt & Sign', 'Sign' and 'Encrypt'
PGP displays decrypted text in a special viewer window rather than pasting it into the document the encrypted text came from. To save a plain text (decrypted) copy of the message, hit the copy to clipboard button and paste the text into any text editor, such as Notepad and save it as a text file.
There is so much more, but this is all we need to exchange information. Within an Organisation, PGP can be used very effectively for file security, but I don't think this is our area. If anyone wants to go further with PGP, I refer them to the excellent website of Dr Nat Queen of the University of Birmingham U.K. at http://web.bham.ac.uk/N.M.Queen/pgp/pgp.html
Very grateful thanks are offered to David Kanareck for helping to compile the information provided on this page.
| |||||||||||||||||||||||||