How To: Use GPG4Win in Windows to Encrypt Files & Emails

I love cryptography. It is like a great gigantic puzzle for me to solve. However, it is more important than that. It is also how we keep secrets safe. Not just sorta safe either, but really safe.

Until recently, if you wanted to use strong encryption you had to either learn difficult command-line programs, or buy outrageously expensive commercial programs. Sometimes, those outrageously expensive commercial programs were command-line. You can imagine trying to convince someone to implement encrypted e-mail when they can barely use Windows.

Fortunately, this is not a problem anymore. Now with GPG4Win, we can have easy encryption that is also strong.

What Is GPG4Win?

GPG4Win is the Windows implementation of GPG, or GNU Privacy Guard, a public key encryption system. Public key encryption is great for communications because anyone can send you a message by using your public key for encryption. Likewise, you can do the same with their public keys.

Without going into the details of public key cryptography, this means that messages can be encrypted so that no one can read them without having to worry about the difficulties and perils of key distribution. Or I suppose I should say, worry as much.

GPG4Win is great for the beginner and the advanced user in a Windows environment. The beginner especially so, because using it is so damn easy!

Finally, it is both free and open source. Please donate though if you can. You can download this program here.

I will be using 2.2.0 for my tutorial, but I suggest getting whatever is the most recent stable version. I will also be using Kleopatra, Claws, and the GPG windows explorer add-on. If you have Outlook, you can use that instead, but I won't be covering it.

Creating Keys in Kleopatra

Once the program is installed, open up Kleopatra. You will probably notice a big screen of menacing tabs, options, and toolbars. Most of this is simple and self-explanatory and we won't be covering it right now. For now, we need to create a key. Without a key, we cannot receive encrypted messages (and without someone else's key, we can't send them). So click on file, new certificate.

Notice you can also import certificates from this menu. Remember that!

Once you click on new certificate, you will be taken into a series of prompts. First you will be asked to select what type of certificate you wish to create. There are good reasons for both types, but for now, let's pick OpenPGP.

Next you have to enter in some details about who this key is for (you), what email address it will be used by, and an optional comment.

Once you are done adding in your information, you can press next. Personally I clicked on advanced settings so that I could set my key to expire in one year, but this is optional, not necessary, and I won't cover it. Once you click on next it will ask you to double check your information. Then you will be prompted for a password.

The standard rules for password security apply here. Your key is only as safe as your password, and if someone nefarious gets hold of your key, then they can impersonate you or read your encrypted mail. Strong passwords make this harder.

Once you enter your password you will be asked to type into a box while the program generates a new key for you. This is not necessary, but it could help with key security. Once it finishes you will see this

Your key is done and is ready for use. You will need to send your public key to your friends before they can use it. I suggest uploading to the directory service they offer. This makes finding your key easier, though there is a risk that some may use it to spam you. If that worries you too much, you can simply email it to them, or even physically hand it to them. It is your decision.

Encrypting Files

Once you have a key, you obviously want to use it. For this I suggest the explorer add-on. This add-on adds context menu options for encrypting and signing your files. For this example, I will just encrypt the file. First, find the file you want to encrypt and right click on it.

Find the More GpgEX options drop down and then select encrypt. Take note of all the options though as they are all useful.

While it is not required, I frequently tell the system to encrypt a file after it compresses it (archives). This is because archives are smaller, which makes plaintext attacks harder. In this context it isn't important, but since this also makes the resultant file smaller, let's do it anyway.

Note that I also told it to remove the original file when I'm done. This is just plain common sense. No one in their right mind will try to break your encrypted file when they can just read the unencrypted one.

Then in the next dialogue select your key you created in the last step and voilà.

Here is your encrypted file ready to be sent along its way on the internet, or just left on your hard drive until you need it again.
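
For readers who want to script the same steps, here is a command-line walk-through of the key creation and file encryption shown above. It is an added example, not part of the original tutorial. It assumes gpg.exe from a current Gpg4win (GnuPG 2.1 or later) is on your PATH, and the identity, passphrase and file names are constructed sample values.

```powershell
# Added example. Assumes gpg.exe from a current Gpg4win (GnuPG 2.1+) is on PATH.
# The identity, passphrase and file names below are constructed sample values.

# Throwaway keyring so the demo never touches your real keys.
$env:GNUPGHOME = Join-Path $env:TEMP "gpg-demo-$(Get-Random)"
New-Item -ItemType Directory -Path $env:GNUPGHOME | Out-Null

$userId = 'Alice Example <alice@example.org>'
# Demo only: a passphrase on the command line is visible to other local
# processes. In normal use, omit these options and let pinentry prompt.
$pass = @('--pinentry-mode', 'loopback', '--passphrase', 'constructed-demo-passphrase')

function Invoke-Gpg {
    # Run gpg non-interactively and stop on the first failure.
    gpg --batch --yes @args
    if ($LASTEXITCODE -ne 0) { throw "gpg exited with code $LASTEXITCODE" }
}

# 1. Create an OpenPGP key pair that expires in one year.
Invoke-Gpg @pass --quick-generate-key $userId default default 1y

# 2. Print the fingerprint and export the public key for your contacts.
#    The fingerprint is what they compare to confirm the key is really yours.
Invoke-Gpg --fingerprint $userId
Invoke-Gpg --armor --output alice-public.asc --export $userId

# 3. Sign and encrypt a file to the key, then remove the plaintext.
Set-Content -Path secret.txt -Value 'constructed sample plaintext'
Invoke-Gpg @pass --output secret.txt.gpg --sign --encrypt --recipient $userId secret.txt
Remove-Item secret.txt   # unlinks the file; it does not overwrite the disk blocks

# 4. Decrypt and require a valid signature, read from gpg's status lines.
$status = Invoke-Gpg @pass --status-fd 1 --output secret.out.txt --decrypt secret.txt.gpg
if (-not ($status -match '^\[GNUPG:\] VALIDSIG ')) { throw 'no valid signature' }
Get-Content secret.out.txt

# Stop the agent that was started for the throwaway keyring.
gpgconf --kill gpg-agent
```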


I do not have Outlook, so I am using Claws. Fortunately, GPG4Win comes with a plugin for Outlook, so if you do use it you can still use GPG. This tutorial may not be useful for you though. However it couldn't hurt.

When you open Claws for the first time you need to configure it. This will be different depending on your email service. I use Gmail so these settings reflect that.

First, add in your name and email address information.

Then you will need the IMAP or POP information of your email server. The information listed above is for my service. Yours may differ. Once you fill this in for both mail sending and receiving you will be taken into Claws. From here you may wish to configure GPG.

Click on Configuration > Preferences > then plugins > GPG.

I set it to automatically check for signatures. If you don't though, that's fine. You can check them with a click of the mouse.

Next, you're going to send an encrypted email to yourself. Since you will be the recipient, you will use your key. If you were going to send this to your mother, then you would use her key. So I opened a new message dialog and made a message for myself.

I need to tell Claws to encrypt this message before it sends it though. So I click on Options > Privacy System > PGP MIME.

If you think your recipient does not support PGP MIME, you can always use PGP Inline, but since PGP MIME is easier for both you and the recipient, I suggest it in all other cases.

Once you select your privacy system tell it to sign your message, encrypt it, or both. For this I chose both. When you send the message, it will ask you for your password. This is what my Gmail sent,

Nothing to see here... Just my computer spitting out random bits.

Now once you receive your message, you can read the message as easily as reading any other message, except Claws will ask you for the password to your key file. Do you understand why a good password is important?

Notice that this message has informed me that my signature is good. This means that I am who I say I am. If you did not set Claws to check automatically for you, you can simply click the lock on the bottom and it will check.

Now You Can Use GPG

I hope you enjoyed this tutorial. With programs as easy as GPG4Win, I no longer believe there is a reason to leave your data readable to everyone with a few thousand dollars' worth of equipment and the desire to get your data. Enjoy the brave new world of computing now that your data is safe. No, really safe.
