Advanced GPG Email Encryption: Self-Study Guide

So, you’re set up to use GPG email encryption using Thunderbird+Enigmail in one of our trainings or using our online guide. The following exercises will help reinforce key concepts and teach you some advanced tricks.

Importing (and fingerprinting) public keys

Now that you are using GPG email encryption, you will need to receive public keys from your correspondents. To use keys, you first need to import them. In our introductory guide, we show you how to do this when the key is sent to you as an attachment to an email. As a refresher:

[toggle title_open=”How to import a key from an attachment” title_closed=”How to import a key from an attachment” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]The public key will be in an attachment called something like 0x12345678.asc.

Right click the attached file.
Select “Import OpenPGP Key”.

[/toggle]

After importing a key, we encourage you to verify the authenticity of that key by checking the fingerprint:

[toggle title_open=”How to verify the authenticity of a key: fingerprinting” title_closed=”How to verify the authenticity of a key: fingerprinting” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]

You and your friend should both:
- go to the menu: Enigmail -> Key Management.
- Right click your friend’s key.
- Select “Key Properties”.
- Compare the fingerprint that appears.
To keep track that you have done this, you should, from the “Select action …” or “Certify” drop-down menu, choose “Sign Key” and “I have done very careful checking”.

[/toggle]

However, depending on how your correspondent is using PGP, you might receive an email that includes a rather overwhelming-looking thing, looking something like

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
Comment: Hostname: pgp.mit.edu

mQINBFY2f7IBEADy4LCnoY9q948eMQlJhak//HP2kiQhED0MJ3DuMn15gcxhzNZCHuMBNlnV
EBQa5S7rZSJq2T3cwE51NBJLyq1qXBFhwnT+mGzdLzcFwe5iB+X3dCKvlOgLUb8SHK0GlY55
Rmt3vY/1dLo31BoPlYMA4Rh/a3iVPfgPxJQondXbIYviGhsEQLgV4QWNdC9hMFfmTyOEHRLa
...
...
...
laZT7bZLPhuwdBMvTa/Yurg0mcJcYRcuYMlfqjMR/BZfi48p99SA8lNMdp20VoJWgh8nh4UL
lxWzC8U1yMHHaANDrfsKbfsssEs+GGtLKabQJwCFWLrS3qvNvJbhvPYFrVgWsgfJb2hcc99+
24HxjcAOzh4ossSScM4=
=3BqU
-----END PGP PUBLIC KEY BLOCK-----

This a PGP public key.

[toggle title_open=”How to import a key from text” title_closed=”How to import a key from text” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]

Highlight the entire key including the lines -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK-----
Copy the text.
Go to the menu: Enigmail -> Key Management -> Edit -> Import Keys from Clipboard.

[/toggle]

Key servers: Online Directories of Public Keys

Many people publish their public keys to a key server, which is an online directory of public keys. There are many such directories, but (for the most part), they synchronize their entries with each other, so it (usually) doesn’t matter which one you use. It is a great idea to publish your key to a key server if you want strangers to be able to reach you via encrypted email (for example, if you are a journalist or lawyer or other public figure). You may also want to publish your key to a key server so that people you know can get your key if they lose your key. In these exercises, we show two ways to get a key from a key server and two ways to publish your key to a key server.

[toggle title_open=”How to get a key from a key-server using Enigmail” title_closed=”How to get a key from a key-server using Enigmail” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]

Go to the menu: Enigmail -> Key Management ->Keyserver->Search for Keys.
Type in an email address or partial email address. For example, searching for “cldc” will return all the keys from people in the CLDC office.
Select all the keys that you are wanting to import and hit OK.[/toggle]

[toggle title_open=”How to get a key from a key-server using a browser” title_closed=”How to get a key from a key-server using a browser” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]

Go to a key server, such as MayFirst’s or MIT’s.
In the search bar, type an email address or partial email address. As an example, searching for “cldc” will return all the keys from people in the CLDC office. Each entry will start with something that looks like pub 4096R/F066011C
Clicking on the link from the second number will bring you to a page containing the text of the corresponding public key.
Import this into Enigmail using the same method as in the previous exercise.[/toggle]

[toggle title_open=”How to publish your key to a key-server using Enigmail” title_closed=”How to publish your key to a key-server using Enigmail” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]

Go to the menu: Enigmail -> Key Management.
Highlight your key.
In the menu, Keyserver -> Upload Public Keys.

Note that you can upload other people’s keys too. Please behave responsibly and courteously. Note also that it might take some time for your key to appear on all the synchronized key servers.[/toggle]

[toggle title_open=”How to publish your key to a key-server using a browser” title_closed=”How to publish your key to a key-server using a browser” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]First get the text of your public key from Enigmail:

Go to the menu: Enigmail -> Key Management.
Right click on your key.
Select “Copy Public Keys to Clipboard”.

Then upload the key to a key server:

Go to a key server, such as MayFirst’s or MIT’s.
In the “submit a key” field, paste the text of your public key.

Maintaining your own public key/private key pair

To maintain security, it is important to maintain your own public key/private key pair. Keys are (usually) set to expire, so that you don’t get a message encrypted to a public key of yours that you have long lost. You should keep a backup of your private key in case something happens to your computer. If you get a new email address, you can use the same key and just add an email address to it. We go over this and more in the following exercises.

[toggle title_open=”How to add an email address to your key” title_closed=”How to add an email address to your key” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]

Go to the menu: Enigmail -> Key Management.
Double-click on your key.
Select action -> Manage User IDs -> Add.

[/toggle]

[toggle title_open=”How to change the expiration date on your public key” title_closed=”How to change the expiration date on your public key” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]

Go to the menu: Enigmail -> Key Management.
Double-click on your key.
To the right of expiry, click Change.

[/toggle]

[toggle title_open=”How to back up your public key/private key pair” title_closed=”How to back up your public key/private key pair” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]

Go to the menu: Enigmail -> Key Management.
Right-click on your key.
Select “Export Keys to File”.
Select “Export Secret Keys” and save it somewhere that you can keep safe (such as an encrypted thumb drive/USB stick).

Note: while your key is still protected by your (strong!, right?) passphrase, we recommend encrypting the thumbdrive/USB stick that you keep it on.

[/toggle]

[toggle title_open=”How to change the passphrase protecting your private key” title_closed=”How to change the passphrase protecting your private key” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]