Reliably encrypting emails using GnuPG


Private Key

GnuPG has several graphical front ends, although no single official program exists that provides the same interface for all operating systems and desktops. However, you can use the gpg program on the command line to generate key pairs for GnuPG.

I'll use this technique throughout to describe things as generically as possible. To create a key pair, you need to open a terminal window and use the --gen-key option, as follows:

$ gpg --gen-key

The default response to the question in the first dialog, DSA and RSA (default), is normally the best one, so you just need to press Return (Figure 1). Next, enter the length of the new GPG key in bits. Basically, the longer the key, the longer it takes to crack it, so higher values provide better security.

Figure 1: Generating a GPG key first involves selecting a key type.

Critics might say that longer keys take longer to sign and encrypt the messages, but modern CPU powerhouses make the argument moot. Also, think in terms of the future; what is well encrypted today might be easy to crack tomorrow. Thus, a key length of 4096 bits is recommended (Figure 2).

Figure 2: A key length of 4096 bits might be safe for years.

The next dialog asks how long you want the key to be valid. At first glance, setting it to never expire might seem like a good idea. Consider, however, that at times it is best to have the key expire automatically. If the private part of the key is lost and you don't have a revocation certificate at hand (more on this later), the key would circulate indefinitely over the Net. With an expiration date, it disappears automatically from the key servers. A safe bet is an expiration of 1y (one year). Using the private key, you can always extend the key's validity later on.

You next enter your personal data, your name and email address, and optional comments and aliases. You must then do the most important thing, which is to enter the passphrase that protects the key. The usual rules apply: not your wife's name, kid's birthday, or your pet's name. Combinations of thematically unrelated words work best because they produce longer passphrases. The example from the "xkcd" comic [1], correct horse battery staple, is therefore a good one.

GPG then generates a new key. The algorithm uses a lot of entropy for random number generation. To get the best entropy, open a browser and watch a video or move the mouse around.

After a few minutes, GPG exits and the new GPG key is on your hard drive. Before you close the terminal, jot down the key ID. You'll find it on the pub line after 4096R/; in my case, it was 6001B852 (see Figure 3).

Figure 3: As soon as GPG has enough entropy, it generates the key on your hard drive.

To make it possible for others to send you encrypted email, upload the public part of the key to a GPG key server with the --send-keys option (Listing 1, first line). If you want a specific key server, add the --keyserver option (second line).

Listing 1

Uploading Your ID to a Key Server

$ gpg --send-keys Key-ID
$ gpg --keyserver Key-Server --send-keys Key-ID

You can find a reliable key server at MIT at . The key servers sync data at short intervals anyway, so using a particular server isn't really necessary.
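The key generation steps above, carried out unattended with GnuPG's documented batch parameter format using the article's choices (4096 bits, one-year expiry), together with a check that reads gpg's machine-readable key listing and reports keys that expire soon or never. This is an added example, not the article's own code; the names, addresses, key IDs and listing lines are constructed, and the primary key is RSA rather than DSA.

```shell
#!/bin/sh
# Added example: unattended key generation parameters plus an expiry check.

# Emit a parameter file for "gpg --batch --gen-key" with the article's choices.
# $1: real name, $2: email address (placeholders). GnuPG prompts for the
# passphrase because of %ask-passphrase.
gen_key_params() {
  cat <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $1
Name-Email: $2
Expire-Date: 1y
%ask-passphrase
%commit
EOF
}

# Read "gpg --with-colons --list-keys" output ($1) and print "SHORTID DAYS"
# for every primary key that expires within $2 days, or "SHORTID never" for a
# key with no expiry date at all. $3 is "now" as a Unix timestamp.
# In colon format, field 5 of a "pub" line is the key ID and field 7 the expiry.
expiring_keys() {
  printf '%s\n' "$1" | awk -F: -v limit="$2" -v now="$3" '
    $1 == "pub" {
      short = substr($5, length($5) - 7)      # last 8 hex digits, as shown by gpg
      if ($7 == "") { print short, "never"; next }
      days = int(($7 - now) / 86400)
      if (days <= limit) print short, days
    }'
}

# Constructed listing: key A expires in 6 days, key B in a year, key C never.
SAMPLE_LISTING='tru::1:1430000000:1440000000:3:1:5
pub:u:4096:1:A1B2C3D46001B852:1399000000:1430536000::u:::scESC::::::23::0:
uid:u::::1399000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
pub:u:4096:1:0000000011112222:1399000000:1461536000::u:::scESC::::::23::0:
uid:u::::1399000000::1111111111111111111111111111111111111111::Bob Example <bob@example.org>::::::::::0:
pub:u:4096:1:CAFEF00D00000001:1399000000:::u:::scESC::::::23::0:
uid:u::::1399000000::2222222222222222222222222222222222222222::Carol Example <carol@example.org>::::::::::0:'

# Usage: generate the parameter file, then warn about keys expiring within 30 days.
gen_key_params "Alice Example" "alice@example.org" > /tmp/keyparams.txt
expiring_keys "$SAMPLE_LISTING" 30 1430000000
```

On a real system, feed the parameter file to gpg --batch --gen-key and pipe gpg --with-colons --list-keys into expiring_keys instead of the constructed sample.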

Enigmail for Thunderbird

To use the newly created GPG key, get your Thunderbird email client ready by installing the Enigmail [2] GnuPG plugin. Either drag-and-drop the XPI file to the Addon Manager or download Enigmail directly from the extension manager, much like with Firefox (Figure 4). Some distributions also have Enigmail in their repositories.

Figure 4: You can get Enigmail for Thunderbird directly from the mail client's Addon Manager.

Enigmail is quite effective right out of the box and handles the GnuPG encryption more or less automatically. You can easily accept the default settings of the setup wizard. If you have a private GnuPG key, Enigmail assumes that it belongs to you.

You then connect the GnuPG key with an existing Thunderbird identity. Open Edit | Account Settings from the menu and select the account you want to use with PGP. Pick OpenPGP Security and add a check mark to the Enable OpenPGP support (Enigmail) for this identity option.

You then determine in Message Composition Default Options whether you want mails in this account signed and/or encrypted. Alternatively, you can determine this for each message you send by clicking the Enigmail button (Figure 5).

Figure 5: Enigmail is active after being set up in Thunderbird and lets you determine with each message sent whether you want it encrypted.
