Summary
With the GNU Privacy Guard (GnuPG) and a good mail client such as Mozilla (web+email) or Mozilla Thunderbird (just email), you can have really secure email conversations, using excellent and free software. Plain emails have two big problems: they are neither authenticated (anyone can pretend to be anybody when sending a mail, which spammers and viruses exploit) nor encrypted (anybody on the path your email takes, from you to your correspondent, can read it). With GnuPG-powered email signatures and encryption, you can check that a message really comes from the holder of the key it claims to be signed with, and make sure only the people you choose can read your emails. Note the wording: a signature proves which key signed the message; tying that key to a real person is the job of key verification and the web of trust, explained further down.
Installing GnuPG and
Enigmail (plugin which enables Mozilla mail clients to secure mail with GnuPG) is a matter of minutes, let's see how to do it: jump to the
Windows™ part if you are using this operating system, or to the
GNU/Linux™ and others Unix-like part if you are using a GNU/Linux distribution or another
Unix-like OS.
News about this page
November 28, 2004
A few more updates: fixed links, explained better new Enigmail functions, etc.
November 14, 2004
Updates, and two pieces of good news:
- In the latest Enigmail version (0.89), you don't have to use the GnuPG command line interface anymore! The developers have indeed added a graphical interface to view, sign, and configure the trust on all your public and private keys (see below for new screenshots, or see them directly from this image on).
Note about upgrading Enigmail on Mozilla Thunderbird: if you already have Enigmail installed, but its version number is below 0.89 (e.g. 0.86), you will have to remove Enigmail and/or Enigmime first, then uninstall Thunderbird (not your profile, but the program installation tree), before reinstalling Thunderbird (≥ 0.9) and Enigmail, as explained in the November Enigmail newsletter (under Warning for Thunderbird users).
- Since Enigmime is no longer necessary (i.e. there is only one
.xpi to install now), the installation instructions have been simplified even more!
September 20, 2004
Some more updates, e.g. to recommend Mozilla 1.7.3 (the only version without known security bugs at the moment) over other Mozilla versions, or Thunderbird 0.8 (idem), or to update a French link. Speaking of updates, small TODO: tell people they should be able to update Enigmail through their extension manager, now that Thunderbird 0.8 finally seems to have it working :-)
May 18, 2004
More details about how you will be able to test, and learn better, all this stuff,
signing or encrypting a test mail for me. How to
encrypt for someone is now explained better, since it was not obvious before that you have to import,
and sign, this someone's key.
May 12, 2004
Small updates in the download part again, since Thunderbird 0.6 and Enigmail 0.84.0 are out.
April 23, 2004
Enigmail download page updated (now there is only one page for both Mozilla mail and Mozilla Thunderbird mail clients).
April 19, 2004
I realized I was not explicit enough in my
"where do we go from here" instructions: many of you sent me signed mail, without realizing I needed your
public key to verify it :-) I therefore added a note to this part, to explain why and how to let me (and others) know your public key.
April 05, 2004
New category of external links added, for the moment focused on keyservers, signatures between keys and trust paths between keys (
other useful links).
March 26, 2004
This may be the first version of a complete secure email tutorial; let's call it 1.0 then :)
March 22, 2004
I learnt from the Enigmail mailing-list that 0.83.2 (or 0.83.3 for MacOSX or FreeBSD, but not 0.83.5) was the right Enigmime version for Thunderbird 0.5 at the moment. One occurrence of this version number was corrected, although you can't make any mistake if you follow the instructions on the download page anyway.
March 14, 2004
March 6, 2004
Added a bunch of links, and information about Windows™ and GNU/Linux GnuPG keys management graphical front-ends, and GnuPG
CLI.
March 5, 2004
More screenshots, links and information, including basic install info in the GNU/Linux part.
March 4, 2004
Added some screenshots through a
gallery.
March 3, 2004
First version of this document (for Windows™, and link to a GNU/Linux more complete documentation).
If you have Microsoft Windows™
- You will need Mozilla version 1.6 (preferably 1.7.3 or above) or Mozilla Thunderbird 0.4 (preferably 0.9 or above) to use the latest, coolest Enigmail versions. If you don't have one of these email clients yet, you can download them (for free of course) through the links at the beginning of this paragraph, or try to follow the rest of this tutorial with an older Enigmail for Mozilla 1.4.x or Netscape 7.1; but then my indications and screenshots may differ slightly from what you will find.
- Then go to the Enigmail download page, which will try to detect the OS and web browser version you are using. Depending on the mail client you will be using, do:
- For Mozilla mail client, you just have to click on the
Install button under the Express install title (if you are visiting this page with Mozilla web browser).
- For the Mozilla Thunderbird mail client, go to the middle of the Downloads table, and download (right-clicking on the link, then saving in C:\Program Files for example) the only file in the Thunderbird 0.9 row: v0.89.0.xpi (or higher). Then, open Thunderbird, go to Tools (menu bar) / Options / Extensions and click on Install New Extension to install this file. Look at the few dialog boxes and press the buttons you need to. You now have to close Thunderbird...
- Now you can start (again) your mail client, and it will be ready for Enigmail and GnuPG! We can now advance to the configuration phase...
optional: Install WinPT or GPGshell key management front-ends
Note: Enigmail will handle key pair generation and pretty much every email-related function you will need, plus (since Enigmail v0.89.0) it even handles key management tasks like key signing! If you need even more functionality (like signing, encrypting or verifying things that are not emails) I recommend the direct GnuPG interface presented below, though WinPT or GPGshell work OK on Windows™ (and can encrypt, decrypt, sign and verify the clipboard or the current window content, which is useful for webmail interfaces like Hotmail or Gmail). Skip to the Enigmail part if you trust me, or keep reading this part if you really think you need it :) .
The
WinPT package includes:
- GnuPG 1.2.1 (let's hope they will ship the latest stable version soon; but it will probably work in combination with Enigmail: I have indeed received a positive report of Enigmail working with GnuPG 1.2.2...)
- WinPT tray, an application which stays in the Windows™ tray, and allows you to sign/encrypt files or even your clipboard easily,
- A graphical key manager, accessible via WinPT tray,
- Plugins for the mail readers Eudora and Outlook Express, and for the Windows™ explorer,
- A seemingly good 42-page documentation.
GPGshell is another Windows™ GnuPG GUI, which interfaces with one of the latest GnuPG versions, 1.2.5, but unfortunately it is not open-source. You can give it a try though, if you can't or don't want to use the GnuPG command line for operations like key signing.
If you have GNU/Linux™ (or another Unix-like OS)
Note for non-GNU/Linux users: there seem to be versions of Enigmail for Solaris, Mac OS X, NetBSD, FreeBSD and OpenBSD (which you can see by clicking on Show all operating systems on the Enigmail download page), so I assume it works on those systems at least for some people ;-) Unfortunately I cannot test Enigmail (and Mozilla!) on them myself, so you are welcome to send me any good or bad report about it.
Since the installation method depends on your GNU/Linux distribution, I won't list every way to install the three components we need here (GnuPG, which is probably already installed, Mozilla Seamonkey or Mozilla Thunderbird, and Enigmail). But you are already using GNU/Linux, so I assume you will find a way to install those 3 pieces of software :)
If you are using
Debian, my favorite Linux distribution, I can already tell you
apt-get install mozilla-thunderbird-enigmail will be enough to install GnuPG, Mozilla Thunderbird and its Enigmail plugin :)
Once you have installed Enigmail and Mozilla Seamonkey or Thunderbird, you can continue to follow this guide.
optional: Install a graphical key management front-end
I tend to think it's not necessary, especially since Enigmail now handles key signing and management, and since you are presumably used to typing instructions on the command line under GNU/Linux ;-) , but it's true there are some nice GUIs out there if you prefer that to the gpg interface:
- KGPG if you are a KDE fan,
- Seahorse if you are a Gnome addict,
- GPA if you want to try this front-end hosted by GnuPG.org and aiming to be the standard one on GNU/Linux.
In both cases: Configure GnuPG and Enigmail through the simple Enigmail graphical interface
Now you have access to GnuPG-powered secure email functions and configuration through the Enigmail menu in your mail client.
Let's put this into practice! (note: the following screenshots were taken with Thunderbird; please tell me if the Mozilla GUI differs noticeably on some points)
- In the Enigmail menu, go to "Preferences".
- With the help of the Browse button, put the path to
gpg (C:\gnupg\gpg.exe on Windows™ or /usr/bin/gpg on GNU/Linux).
- Default options are OK, you can close the Preferences dialog now.
- Then, in Enigmail menu, click on "Generate Key".
- The configuration is extremely simple: a dialog box will let you choose between your different mail accounts for your identity, so you won't have to type your name and email yourself. Note: don't worry if you have several email addresses: you can add several identities, or "User IDs", to your key pair, with gpg --edit-key emailOfYourMainIdentity, then adduid, on the command line.
- So the only thing you need to fill in now is a passphrase. Be careful with it! It must be hard to guess (a long passphrase of several unrelated words, or at least 8 mixed characters with no dictionary word in it, is a good start), because it is the only thing protecting your private key if someone copies your secring.gpg file. But if you forget it, you lose access to every encrypted mail you have received and kept in encrypted form, and to the key itself. It is also worth running gpg --gen-revoke on your new key right away and keeping the resulting revocation certificate somewhere safe, so that you can still tell the world the key is dead if you ever lose the passphrase or the private key.
Let's roll! (or sign and encrypt our first messages)
Now you can sign (with the pen icon, the OpenPGP toolbar button or a keyboard shortcut) or encrypt (with the lock icon, the OpenPGP toolbar button or a keyboard shortcut) your messages through the new icons in the bottom right corner of your messages! You can see these buttons in the following screenshot:
Finally, you can look at the following image sequence to see more concretely how signing, encrypting, verifying and decrypting messages happens.
Where do we go from here
You have just learnt pretty much all there is to know to send and receive secure emails through Enigmail! The only thing missing now is
building your "web of trust", which can be managed by Enigmail too since it now integrates a key manager. Here are the steps to start to build and use this
web of trust:
- Let's get back to basics for 10 minutes: it will probably do you good to read right now the glossary, even if you gave it some short looks before.
- Then find some people to start communicating securely with! You can either:
- send this tutorial address (or one of the links below) to your friends and help them start too, or
- simply send me a mail, encrypted and/or signed as you want, and I'll send you a secure response.
Note about signatures and encrypted responses: I will of course sign my reply to you, but I will only be able to encrypt it too if I have your public key! To give me your public key, you may either send it to a keyserver (using the new Enigmail key manager, or typing gpg --send-key yourNameOrYourEmail on the command line), or insert it in your message (with the Insert public key Enigmail menu command, whose counterpart on my side is the Import public key menu command). Without your public key I won't be able to check your signature, nor send you encrypted mail :-)
If you want to send me something encrypted: as you will learn to remember, you can only encrypt something for me if you already have my public key. Moreover, Enigmail won't let you encrypt for anybody whose public key you have not yet signed: encrypting to a key you have not verified gives little security, since anyone can upload a key to a keyserver with my name and my email address on it, and a message encrypted to that key would be readable by its real owner rather than by me. So you must sign the key of the person you want to send encrypted mail to (Note: you can bypass this check by ticking Always trust user ID in the Sending page of Enigmail preferences, but then you lose exactly that protection). So there should be two steps:
- getting my public key:
- if you ask me to send you a signed mail, you will be able to import my key through the Enigmail menu;
- but if you want to encrypt now your mail to me, then get my public key from one of the following methods:
- signing it: you don't have to tell others you trust my public key (as long as we did not meet :) , so you can make a non-exportable signature of my key with the method you prefer:
- checking the Locally (non-exportable) check-box if you use the Enigmail manager key signing dialog:
- or typing in command-line
gpg --lsign-key 0xE328FFF0 (l stands here for local).
- Of course, if you have a GUI front-end to gpg other than the Enigmail key manager, it should also let you search, import and sign keys without this sooo-complicated command line :)
Finally you will be able to encrypt your mail, as illustrated by the following screenshot:
- and/or check out your friends on a keyserver web interface, or via
gpg --search-keys nameOrEmailOfYourCorrespondent, or via their web page if they have one... to see if they already have a PGP key!
- Then, on the practical side, you'll just have to learn to search, sign, and get keys from keyservers, through a GUI if you have decided to use one, or through the GnuPG command line interface, which is presented next:
Short guide to GnuPG binary (= command line interface)
Note: This paragraph is not strictly necessary since Enigmail is now capable of signing keys, importing them from files, and setting your trust on them :-)
First, if you are using Windows™, you won't be able to run GnuPG by typing just gpg on the command line until you add the directory where you installed gpg.exe to your PATH environment variable. That is explained in this installation page, if you don't already know how to do it.
Then, to discover GnuPG commands, you have at least two options: gpg --help, or the manual page, accessible via man gpg on GNU/Linux or online for Windows™ and GNU/Linux. The first commands you will need are gpg --sign-key nameOrIdOfSomePublicKey, to sign a correspondent's key once you have verified its fingerprint (otherwise it stays uncertified and keeps appearing as "UNTRUSTED" in Enigmail), and gpg --edit-key idOrNameOrPartOfEmail, a front-end to many commands related to the keys of your keyring (signing, setting owner trust, adding user IDs, and so on). Type help in gpg --edit-key mode to see the available commands.
Note: if you are using Windows™, you may want to create a text file named gpg.conf in the GnuPG directory (C:\gnupg if you followed this tutorial), containing simply the line keyserver x-hkp://random.sks.keyserver.penguin.de. On GNU/Linux, this file may already exist in the .gnupg subdirectory of your home directory, possibly with a keyserver line pointing to another address than random.sks.keyserver.penguin.de. I recommend using keyserver x-hkp://random.sks.keyserver.penguin.de as your keyserver line (if several keyserver lines are present, keep only one, and check with a gpg --search-keys that it is the one actually used), since random.sks.keyserver.penguin.de is the best keyserver address I have found (more details about the keyserver network this address points to, web interface to this keyserver network). In fact, Enigmail itself uses this alias when it needs a keyserver to retrieve (public) keys! Remember that a keyserver only distributes keys and does not vouch for them: anybody can upload a key bearing any name, so what you fetch from it still has to be verified before you sign it.
Glossary
- Key Pair
-
A key pair is composed of:
- Your public key, that you can give to anybody (or even publish on a keyserver, see why): it allows people to authenticate you, and to send you encrypted, confidential email or files (of course you can also use that for non-confidential messages, just for practice ;-).
- Your private key, that you should never give to anyone: it allows you to sign (or authenticate yourself), and to decrypt the confidential, encrypted mail or files people have sent to you (or that you have encrypted for yourself).
Your public key can come with some information about you, like your name, your email, a comment (like
“Professional key” or
“high-security key, don't use it when you want to reach me when I am travelling”), and even signatures by other people that certify you are you (or at least they think you are :). In fact, this informative text, for example
“John Doe (personal key) <john_doe@someinternetprovider.com>”, is called a
User ID, and if you have several emails you can attach several user IDs to your key pair.
Why and how to publish your (public) key: As soon as you know secure email is good for you (which you probably know now that you've almost reached the end of my page ;-), you should publish your public key on a keyserver (with the GnuPG command gpg --send-key yourName, or by exporting your public key to a file and sending it to a keyserver via its web interface); this way it will be easy for people to know they have a way to communicate securely with you, and it will also be easier for them to sign your key or verify your signature on others' keys. Publishing is not verification, though: people who fetch your key still have to check its fingerprint with you before they can be sure it is yours.
In case you want to know, for example for backup purposes, here are the files that contain respectively your private key, and your public key plus your user IDs and any picture, in short your public identity: secring.gpg and pubring.gpg. Back up both (they live in the GnuPG directory on Windows™ and in ~/.gnupg on GNU/Linux), and treat a copy of secring.gpg as carefully as the key itself: it is protected only by your passphrase.
- Public key, private key (more theory)
In short, you need to know the public key is used to verify what has been signed by the private key, and to encrypt messages and files only the private key will be able to decrypt. Of course, you must keep your private key to yourself, but since the associated public key cannot be used to guess your private key, you can publish your public key as much as you want.
- Keyserver
-
Most GnuPG or PGP users make their key(s) available (not the private part of course ;-) on a
keyserver, which is an easy way to centralize and find keys. Even if many keyservers exist today (some with more features than others), most of them are synchronized for consistency and redundancy. Some addresses correspond to one keyserver, like
pgp.mit.edu, others point to many synchronized keyservers, like
random.sks.keyserver.penguin.de, and most of them have a
web interface like this one simultaneously with a PGP interface (the one you use through Enigmail or command line instructions like
gpg --search-keys or
gpg --send-keys).
Note: you can have gpg (in command line) use the same keyserver(s) Enigmail uses, adding lines like keyserver x-hkp://random.sks.keyserver.penguin.de in gpg.conf in your GnuPG profile directory. This way, instructions like gpg --send-key your@email will automatically use these recent keyservers.
- Signing a key
When you receive emails or files signed by someone or an organization, nothing tells you they were really signed by the person or the organization designated by the name attached to the key (by the way, when we don't specify, we talk about the public part of one's key pair). You also have to establish that a key pair is under the control of the person you want to send files and messages securely to, because it would make no sense to encrypt a message with a public key that is not really your correspondent's! What you have to do before trusting a key is some authenticity checking like:
- For a person, either:
- If you know him or her personally, just ask for the key fingerprint over the phone!
- You can of course exchange your fingerprints face to face too.
- Finally, if you don't know them (yet), you can get a first idea of what their true key is if they have a website and put their key or their fingerprint on it. For example, you will find the keys and key fingerprints of Philip Zimmermann, PGP's original developer, here.
- For an organization, you can also check their key on their website (examples: Microsoft Security Notification Service key, US-CERT key, Linux kernel key). A fingerprint fetched from a website is only as trustworthy as your connection to that website, so treat it as a starting point rather than proof.
- And in both cases, you can check the authenticity of a key through your web of trust (more explanations on this page), that is the chain of signatures between keys you have verified yourself and the public key you are interested in. Two things enter this computation: the signatures on the key, and the "owner trust" you have assigned (with gpg --edit-key, command trust) to the people who made those signatures, i.e. how much you rely on their judgement when they certify other keys. Example: you fully trust Bob to sign keys, and Bob has signed Alice's key; you will then consider Alice's key valid. Another example: you trust Bob and Chris marginally, and both have signed Alice's key; classic PGP then also considers Alice's key valid, whereas GnuPG's default (--marginals-needed 3) wants a third marginally trusted signer before it does. In both cases a signature only counts if the signer's own key is itself valid for you.
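To make the rule above concrete, here is an added example (not code from this tutorial, from Enigmail or from GnuPG itself) that models the validity computation in Python over a constructed keyring. The names, owner-trust settings and signature graph are made up for illustration, and the function is a simplified version of what gpg's trust database does: it ignores signature expiry, revocation and per-user-ID granularity, but it does apply the three rules that matter here (ultimately trusted keys are valid by definition, a signature only counts when the signer's key is fully valid and has owner trust, and the completes/marginals thresholds decide the result).

```python
# Added example (not from the tutorial, Enigmail or GnuPG): a simplified
# model of how GnuPG decides whether a key is valid from your owner-trust
# settings and the signatures on the key.  Names, trust values and the
# signature graph are constructed for illustration.

# Owner-trust levels you assign with `gpg --edit-key <id>` and the command `trust`.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"

# GnuPG's defaults; classic PGP used MARGINALS_NEEDED = 2.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


def key_validity(target, signatures, owner_trust,
                 completes_needed=COMPLETES_NEEDED,
                 marginals_needed=MARGINALS_NEEDED,
                 max_cert_depth=MAX_CERT_DEPTH,
                 _depth=0, _path=()):
    """Return "full", "marginal" or "unknown" validity for `target`.

    signatures:  {key: set of keys that have signed it}
    owner_trust: {key: trust level}; keys absent from it are UNKNOWN.
    A signature counts only if the signer's own key is fully valid for
    you and you have given the signer marginal or better owner trust.
    Ultimately trusted keys (your own) are valid by definition.
    """
    if owner_trust.get(target) == ULTIMATE:
        return "full"
    if _depth >= max_cert_depth or target in _path:
        return "unknown"          # certification chain too deep, or a cycle
    full_sigs = marginal_sigs = 0
    for signer in signatures.get(target, ()):
        trust = owner_trust.get(signer, UNKNOWN)
        if trust not in (MARGINAL, FULL, ULTIMATE):
            continue              # unknown or "never" signers do not count
        signer_validity = key_validity(signer, signatures, owner_trust,
                                       completes_needed, marginals_needed,
                                       max_cert_depth, _depth + 1,
                                       _path + (target,))
        if signer_validity != "full":
            continue              # a merely marginal key cannot certify others
        if trust == MARGINAL:
            marginal_sigs += 1
        else:
            full_sigs += 1
    if full_sigs >= completes_needed or marginal_sigs >= marginals_needed:
        return "full"
    if full_sigs or marginal_sigs:
        return "marginal"
    return "unknown"


def example_keyring():
    """Constructed keyring: who signed whom, and how much you trust each signer."""
    signatures = {
        "bob": {"me"}, "chris": {"me"}, "dave": {"me"}, "erin": {"me"},
        "alice": {"bob"},                    # one fully trusted signer
        "carol": {"chris", "dave"},          # two marginally trusted signers
        "fran": {"chris", "dave", "erin"},   # three marginally trusted signers
        "zed": {"alice"},                    # valid signer, but no owner trust set
    }
    owner_trust = {"me": ULTIMATE, "bob": FULL,
                   "chris": MARGINAL, "dave": MARGINAL, "erin": MARGINAL}
    return signatures, owner_trust


if __name__ == "__main__":
    signatures, owner_trust = example_keyring()
    for who in ("alice", "carol", "fran", "zed"):
        gnupg = key_validity(who, signatures, owner_trust)
        pgp = key_validity(who, signatures, owner_trust, marginals_needed=2)
        print("%-6s GnuPG defaults: %-8s classic PGP: %s" % (who, gnupg, pgp))
```

Running it shows the difference discussed above: carol's key, signed by two marginally trusted people, comes out "marginal" with GnuPG's defaults and "full" with the classic PGP threshold of two, while zed's key stays "unknown" even though alice's key is valid, because validity of a key and owner trust in its holder are two separate settings.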
Once you have checked the authenticity of a key, preferably in real life (for example meeting or phoning someone you know and noting down his or her fingerprint, or going to a key signing party and checking people's identity and PGP fingerprints), you can use Enigmail (see next paragraph) or run gpg --sign-key userID to record your trust in this identity by signing his/her public key. Then the key will become valid for you (and, for example, there will no longer be a question mark over the 'signed' symbol in Enigmail), plus you can tell everyone (especially people who trust you) that you vouch for this key by uploading it with your signature back to the keyserver with gpg --send-key userID. When people receive a key through Enigmail or gpg --search-keys / gpg --recv-keys, or when they refresh the keys they already know with gpg --refresh-keys, they will see your signature on it! Only signatures made with --sign-key travel this way; the local ones made with --lsign-key are non-exportable by design and stay in your own keyring.
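The fingerprint comparison itself is easy to get wrong by eye: a fingerprint is 40 hex digits (32 for old v3 keys), and an 8-digit key ID is not a substitute, since different keys can share the same short ID. The following added example (not part of this tutorial, and not GnuPG's own code) parses the machine-readable output of gpg --with-colons --fingerprint --list-keys and compares the primary key's full fingerprint with the one your correspondent read to you, accepting the usual spaces, colons, 0x prefix and lower case. The listing it works on is a constructed sample with a made-up key ID and fingerprints, not a real key; the record layout (key ID in the fifth field of a pub record, fingerprint in the tenth field of the fpr record that follows it) is the one documented in GnuPG's doc/DETAILS.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint --list-keys`,
# with a made-up key ID and fingerprints (not a real key).
# Field 1 is the record type; for "pub" records field 5 is the key ID,
# for "fpr" records field 10 is the fingerprint.
SAMPLE_LISTING = """\
pub:-:1024:17:0123456789ABCDEF:2004-03-01:::-:Example User (test key) <example@example.org>::scESC:
fpr:::::::::00112233445566778899AABBCCDDEEFF00112233:
sub:-:2048:16:FEDCBA9876543210:2004-03-01::::::e:
fpr:::::::::FFEEDDCCBBAA99887766554433221100FFEEDDCC:
"""


def parse_fingerprints(listing):
    """Map each primary key ID (long form) to its fingerprint.

    Only the "fpr" record that directly follows a "pub" record is kept;
    the "fpr" after a "sub" record is the subkey's and is ignored, so a
    subkey fingerprint can never be mistaken for the primary one.
    """
    fingerprints = {}
    current_primary = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current_primary = fields[4]
        elif fields[0] == "sub":
            current_primary = None
        elif fields[0] == "fpr" and current_primary is not None:
            fingerprints[current_primary] = fields[9].upper()
            current_primary = None
    return fingerprints


def normalize_fingerprint(text):
    """Turn a fingerprint as read aloud or pasted into bare upper-case hex.

    Accepts spaces, colons and an optional 0x prefix; rejects anything
    that is not a 40-digit (v4) or 32-digit (v3) OpenPGP fingerprint.
    """
    digits = re.sub(r"[\s:]", "", text).upper()
    if digits.startswith("0X"):
        digits = digits[2:]
    if not re.fullmatch(r"[0-9A-F]{40}|[0-9A-F]{32}", digits):
        raise ValueError("not an OpenPGP fingerprint: %r" % text)
    return digits


def fingerprint_matches(listing, keyid, expected):
    """True only if `keyid` names exactly one primary key in the listing and
    that key's full fingerprint equals `expected` (after normalization).

    `keyid` may be the short (8 hex) or long (16 hex) form, with or
    without 0x.  A short ID matching several keys is treated as a
    failure rather than a guess: short key IDs are not unique.
    """
    wanted = keyid.strip().upper()
    if wanted.startswith("0X"):
        wanted = wanted[2:]
    candidates = [fp for kid, fp in parse_fingerprints(listing).items()
                  if kid.endswith(wanted)]
    if len(candidates) != 1:
        return False
    return candidates[0] == normalize_fingerprint(expected)


if __name__ == "__main__":
    # What the correspondent read over the phone, in the spaced form
    # that `gpg --fingerprint` prints:
    phoned = "0011 2233 4455 6677 8899  AABB CCDD EEFF 0011 2233"
    if fingerprint_matches(SAMPLE_LISTING, "0x89abcdef", phoned):
        print("fingerprint matches: safe to gpg --sign-key or --lsign-key")
    else:
        print("MISMATCH: do not sign this key")
```

In practice you would feed it the real output of gpg --with-colons --fingerprint --list-keys yourCorrespondent, and only run gpg --sign-key (or --lsign-key) when it reports a match; a mismatch means either a typo on one side or a key that is not your correspondent's, and in both cases the right move is to ask again rather than sign.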
If you prefer graphical user interfaces, you can do all that (signing, exporting, importing) through Enigmail functions. For example, here is the
Enigmail manager key signing dialog you can use to sign keys through the
key manager window:
Further information
More on the protocols
- Wikipedia GnuPG article, which describes this software, the standard it implements, and some GNU/Linux mail clients it is integrated in, like KMail, Evolution, or of course Mozilla mail clients through Enigmail.
- You will find more historical context and details about the OpenPGP principles in the Wikipedia PGP article and its OpenPGP article. By the way, PGP is another implementation of the OpenPGP standards (so GnuPG and PGP can talk to each other !). PGP.com software is more powerful or easier to use on some points, especially if you are using Outlook, Outlook Express, or Eudora... and you can and want to pay for this proprietary solution.
Other guides
- The GNU Privacy Handbook (several formats are available through this gnupg.org page): how to use GnuPG for your secure communication, with a practical, but not too technical, focus. You will find for example some good explanations on how to trust the keys of your keyring, and on what a web of trust is.
- GnuPG Installation and Configuration on Windows: good guide proposed by Enigmail guys.
- Practical Introduction to GPG in Windows: nice guide to learn to use some of the main features of GnuPG on Windows™ (in command line, but don't panic! it's well explained) --even if thanks to Enigmail and this page you won't need all the given commands.
- Series of five articles on Email Encryption with Thunderbird and Enigmail. It also tells you to install GPGshell for key management on Windows, which may not be necessary. But go there if you really hate the command line, or if you want to learn step by step to encrypt messages even on your Hotmail account. There is also a short positive comment on WinPT on the same website.
- Well documented and illustrated GnuPG, Mozilla and Enigmail how-to (watch out: 1.5 megabytes PDF file!)
- Gnu Privacy Guard Mini-Howto (other versions in Dutch, German and in text and postscript here)
- Secure email clients with PGP/MIME: list of email clients (on GNU/Linux, Windows and MacOS) and their plugins supporting PGP inline and PGP/MIME (with some information on the advantages of the latter method too).
- Installing and Configuring GnuPG in Redhat 9: good guide, especially on the gpg installation and command line usage part.
French-language links
- Very complete guide explaining "How to encrypt your e-mails": why encrypt your emails, the basic principles, installing GnuPG (via WinPT) in French, or PGP in English, a FAQ, and links to various plugins for many email clients on GNU/Linux, Windows and Mac OS X.
- Illustrated guide to installing GPG and Enigmail (translated into French!) with Mozilla in 12 steps: simpler and more hands-on than the previous one, but offers fewer choices and less background explanation.
- Encrypting your email with Mozilla Thunderbird and Enigmail: the counterpart of the previous link, for Thunderbird this time; with as many screenshots but more explanations.
- GnuPG for Windows™, a page full of material, including quite a few screenshots of the GPGshell and WinPT front-ends. The same site has detailed explanations of GnuPG key generation on Windows, and of hard disk encryption on Windows (via the site author's software, Disk Privacy Guard).
- Introduction to electronic signatures: stakes, theory and practice, a fairly complete and well-presented guide in PDF format. As its name suggests, it focuses on the signature side of email, also covering the legal side and the X.509 standard (OpenPGP's "competitor").
- Speaking of law, here is the French regulation on the supply, use and import of cryptographic means in France, and the proof that you can use GnuPG, and therefore Enigmail, without any problem in France, even with symmetric keys longer than 128 bits! (warning: this website is often offline).
Other useful links
Support information
Questions or comments? Contact the author! (Clément Séveillac (personal email) - PGP key / fingerprint)