Start Using PGP on Windows

The Easy Way


What you need

The most common reason people give for not using PGP encryption is that it is too hard. My goal today is to show you that no, it is not too hard. Further, you can be set up and encrypting all the things in less than 15 minutes. Some may ask why I am even bothering with a post like this. My answer is rather simple: current guides to this process tend to over-complicate it and effectively scare off more possible users than they create. Using encryption should not be scary. We all talk about how important it is, yet we do not bother to simplify it so that the everyday person can, in fact, use it.

To get started you will need to download and install two things, three if you count the plugin for the email client.

★ Gpg4win: you will want the download that includes Kleopatra, which allows 4096-bit key sizes.

★ Thunderbird: after installing Thunderbird, go ahead and configure it with your email account. It walks you through this process, so I will not cover it here. If you run into problems, every email provider has a guide to manually configuring a third-party mail client. However, Thunderbird will most likely be able to do this for you if you are using a public mail server.

★ Enigmail is installed into Thunderbird from the Add-Ons menu. Typically it appears on the main page; if it does not, just search for it and add it to Thunderbird. It will launch a setup wizard; cancel out of that, since we will configure it after we generate your key.

The Set Up

Okay, so now we have all the things installed, let's begin the setup. THIS is the hump that I hear most people complain about. It is also the largest chunk of time you will spend; remember the 15-minute time frame, though, so just relax, you've got this.

[Screenshot: new cert gen]

Open Kleopatra and click "File" and then "New Certificate"

[Screenshot: new cert gen]

Select "Create a personal OpenPGP key pair"

[Screenshot: new cert gen]

Enter the name that you want displayed for this key, the email address the key will be associated with, and (if you want) a comment. This information will be publicly available once you publish the key to a key server. Click on "Advanced Settings."

[Screenshot: new cert gen]

Using the drop-down menus, change your RSA key size to 4096 bits. Select a key expiration date and click "OK." Typically I will do either 6 months or a year, depending on the type of email I am setting up the key for. If you are generating a one-time-use key, you can set it to expire in 24 hours. Generally you will not be publishing keys of this type.

[Screenshot: new cert gen]

Next, review that the information you have entered is correct. Be sure to tick the box to "show all details". Once you have confirmed the information is correct, simply click "Create Key". If you made a mistake, click on "Cancel" and correct the errors.

[Screenshot: new cert gen]

Next, two boxes will appear. In the first you will select a strong passphrase for this key. I recommend no less than 15 characters with an assortment of random uppercase letters, lowercase letters, numbers and symbols. But please go wild: the longer and more random, the better. Make sure you keep track of this passphrase, as you will need it EVERY SINGLE TIME YOU USE THIS KEY. There is a time limit on this step, so have your passphrase selected before you begin. You will then confirm the passphrase again. Then the second box comes into play. This gathers extra randomness for your key. It does not matter what you type here; just type as much as you can.

[Screenshot: new cert gen]

Guess what? You just created your first PGP key. Now you have the options of creating a backup of your key, sending it by email, or uploading it to a directory. When you create a backup of your key, you will want to store it offline and in a secure location. I would recommend a small USB drive that you assign a password to and store in a hidden location. You do not want anyone on the internet to obtain access to your private key. Now you can click "Finish".

[Screenshot: new cert gen]

Notice that Kleopatra is now populated with your key information. Take note of the Key-ID field; this is what you will give to others so they can easily pull your key from any key server.

[Screenshot: new cert gen]

Now we need to configure Thunderbird to use the specific key for the email address. Right click on the email account and select "Settings".

[Screenshot: new cert gen]

Click on "OpenPGP Security", tick "Enable OpenPGP support (Enigmail) for this identity" and then click on "Select Key" to open the menu. Highlight your key and then click "Select Key" again. If your key is not showing here, have no fear; simply click on "Refresh Key List". Sometimes it lags.

[Screenshot: new cert gen]

Ensure that you have all of the Default Options selected; you can also choose to sign non-encrypted messages to help people verify your identity, as well as electing to encrypt your saved drafts. Once finished, click "OK".

Now you are fully configured to use PGP encryption on all email, as well as to encrypt your local documents with your key. There is one more thing to do in the setup process: decide whether you want to publish your key on a server to make it easy for someone to find it. You can select any key server to publish to, and your key will propagate to all existing key servers. Another option would be to use Keybase, which uses your social media accounts as a way to verify your identity to others. If you do neither of these, you will need to send each person your PUBLIC key individually before you can use encrypted communications with them. This can easily be done from within Thunderbird by sending the other person your public key as an attachment.

[Screenshot: new cert gen]

The Use

Alright, you PGP ninjas, you are now ready to use your PGP key like a boss. This is the easy part. Remember all those settings inside of Thunderbird? Well, they automated your mail encryption. The only thing you have to worry about now is your passphrase; just enter it when prompted. If you want to send an unencrypted message to someone, simply toggle encryption off at the top of the email you are composing, as demonstrated in the image for sending your key by email. To get someone's key, you can have them send it to you, then save it and import it into Kleopatra by clicking on "File" and "Import Certificates" and selecting the new key; or you can right-click on the now-local .asc file and use the "more GpgEX options" entry to import the key. Alternatively, select "Lookup Certificates on Server" from the File menu in Kleopatra and use their key ID, or copy and paste their public key using the "Clipboard" feature in Kleopatra. The latter option comes in handy particularly when using Keybase to obtain their key and store it locally for use with your mail client.

To encrypt, decrypt, or verify local files, simply right-click on the file to bring up the context menu and hover over "more GpgEX options" to select the task you wish to complete. The key thing to remember when encrypting a file you want to send to another person is to select both their key and yours, so that both of you are able to decrypt it.
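The same setup and use steps, done with GnuPG's command-line tool instead of the Kleopatra and Enigmail screens, as an added example that is not part of the original post. Gpg4win installs the tool as gpg.exe; on Linux it is gpg. The names, addresses, passphrases, file names and key server shown are constructed for the demo and are not values from the guide; everything runs inside throwaway keyrings so your real keys are never touched.

```shell
#!/bin/sh
# Added example (not from the original post): the guide's key generation,
# backup, import and encrypt-to-both-keys steps with GnuPG's gpg (2.1+).
# All names, addresses, passphrases and paths below are constructed.
set -e

# 1. Parameter block for unattended key generation (gpg --batch --generate-key).
#    Mirrors the Kleopatra wizard: RSA, 4096 bits (default), name/email, expiry,
#    passphrase. Expiry uses gpg's syntax: 1d (the 24-hour one-time key), 6m, 1y.
keygen_params() {
  kp_name=$1; kp_email=$2; kp_pass=$3; kp_expire=${4:-6m}; kp_len=${5:-4096}
  printf '%s\n' \
    "Key-Type: RSA" \
    "Key-Length: $kp_len" \
    "Subkey-Type: RSA" \
    "Subkey-Length: $kp_len" \
    "Name-Real: $kp_name" \
    "Name-Email: $kp_email" \
    "Expire-Date: $kp_expire" \
    "Passphrase: $kp_pass" \
    "%commit"
}

# 2. One --recipient flag per key: a file for someone else is encrypted to
#    their key AND yours, otherwise you cannot open your own copy later.
recipient_args() {
  for rid in "$@"; do printf '%s %s ' --recipient "$rid"; done
}

# Fresh keyring in a throwaway directory so nothing touches your real keys.
new_keyring() {
  d=$(mktemp -d); chmod 700 "$d"
  echo allow-loopback-pinentry > "$d/gpg-agent.conf"   # lets --passphrase work in batch mode
  echo "$d"
}

# Primary-key fingerprint for a user ID, from gpg's machine-readable listing.
fingerprint_of() {
  gpg --batch --with-colons --list-keys "$1" | awk -F: '/^fpr:/ { print $10; exit }'
}

# 3. End-to-end trial: two people, two keyrings, one file encrypted to both.
#    "run_demo 2048" makes a quicker trial key; the default matches the guide's 4096.
run_demo() {
  keylen=${1:-4096}
  command -v gpg >/dev/null 2>&1 || { echo "gpg not on PATH; skipping live demo"; return 0; }
  alice_home=$(new_keyring); bob_home=$(new_keyring); work=$(mktemp -d)
  trap 'GNUPGHOME=$alice_home gpgconf --kill gpg-agent 2>/dev/null || true;
        GNUPGHOME=$bob_home gpgconf --kill gpg-agent 2>/dev/null || true;
        rm -rf "$alice_home" "$bob_home" "$work"' EXIT
  alice_pw='correct horse battery staple'   # constructed demo passphrase
  bob_pw='another long demo passphrase'     # constructed demo passphrase

  # Each side generates its own key pair (what the wizard does in Kleopatra).
  keygen_params 'Alice Example' alice@example.com "$alice_pw" 1y "$keylen" \
    | GNUPGHOME=$alice_home gpg --batch --pinentry-mode loopback --generate-key
  keygen_params 'Bob Example' bob@example.com "$bob_pw" 1y "$keylen" \
    | GNUPGHOME=$bob_home gpg --batch --pinentry-mode loopback --generate-key

  # Public-key export: this .asc is what you attach to a mail or publish.
  # Publishing would be: gpg --keyserver hkps://keys.openpgp.org --send-keys <fingerprint>
  GNUPGHOME=$bob_home gpg --batch --armor --export bob@example.com > "$work/bob-public.asc"
  # Secret-key backup: keep this OFF the machine (e.g. on an encrypted USB stick).
  GNUPGHOME=$alice_home gpg --batch --pinentry-mode loopback --passphrase "$alice_pw" \
    --armor --export-secret-keys alice@example.com > "$work/alice-SECRET-backup.asc"

  # Alice imports Bob's key (Kleopatra's "Import Certificates").
  GNUPGHOME=$alice_home gpg --batch --import "$work/bob-public.asc"
  alice_fpr=$(GNUPGHOME=$alice_home fingerprint_of alice@example.com)
  bob_fpr=$(GNUPGHOME=$alice_home fingerprint_of bob@example.com)
  echo "Alice key: $alice_fpr"; echo "Bob key:   $bob_fpr"

  # Encrypt a file to BOTH keys. --trust-model always stands in for the real-world
  # step of checking Bob's fingerprint out of band and certifying his key.
  printf 'meeting notes: demo content\n' > "$work/notes.txt"
  GNUPGHOME=$alice_home gpg --batch --yes --trust-model always \
    $(recipient_args "$alice_fpr" "$bob_fpr") --encrypt "$work/notes.txt"

  # Both sides can decrypt notes.txt.gpg with their own passphrase.
  GNUPGHOME=$alice_home gpg --batch --pinentry-mode loopback --passphrase "$alice_pw" \
    --decrypt "$work/notes.txt.gpg"
  GNUPGHOME=$bob_home gpg --batch --pinentry-mode loopback --passphrase "$bob_pw" \
    --decrypt "$work/notes.txt.gpg"
}
# Usage: run_demo        (4096-bit keys, as in the guide)
#        run_demo 2048   (quicker trial)
```

The two things worth taking from this beyond the GUI walkthrough: the parameter block shows exactly what the wizard's fields map to (including the expiry shorthand for a 24-hour one-time key), and the encrypt step makes the "select both their key and yours" rule explicit as two --recipient flags, which is the step people most often get wrong when sending an encrypted file.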

I told you it was going to be easy. Now go forth and encrypt all the things!

If you want to test it out, run into issues during your set up, or simply have a question about the process please feel free to shoot me an email. Be sure to include your key so I can decrypt it. You can locate my key on keybase. I will continue to add to this guide as needed.

★ I did not forget about a Linux tutorial. I chose to do the Windows guide first as it is the dominant OS among normal end-users and, well, I had just blown my Windows install away and reinstalled. I will be working on a Linux-based PGP setup tutorial in the near future that will include both GUI and command line.

