How to: Use PGP for Windows

Pretty Good Privacy (PGP) is a way to protect your email communications from being read by anyone except their intended recipients. It can protect against companies, governments, or criminals spying on your Internet connection, and, to a lesser extent, it can save your email from being read if the computer on which they are stored is stolen or broken into.

It can also be used to prove that an email came from a particular person, instead of being a fake message sent by another sender (it is otherwise very easy for email to be fabricated). Both of these are important defenses if you're being targeted for surveillance or misinformation.

To use PGP, you will need to install some extra software that will work with your current email program. You will also need to create a private key, which you will keep private. The private key is what you will use to decrypt emails sent to you, and to digitally sign emails that you send to show they truly came from you. Finally, you'll learn how to distribute your public key—a small chunk of information that others will need to know before they can send you encrypted mail, and that they can use to verify emails you send.

Getting GPG4Win

You can get GnuPG (also known as GPG) on Windows by downloading the small installer from the GPG4Win download page.

Click on the most recent version of GPG4Win with GnuPG component only (Vanilla or Light) to download the GPG installer.

This version of GPG is available only on a web site that offers “http” downloads, not secure “https” downloads. If you are concerned that you may be targeted for surveillance by an organization that can tamper with your Internet connection, you may want to investigate more drastic solutions, such as downloading and running Tails, a secure operating system that replaces Windows.

Many browsers will ask you to confirm whether you want to download this file. Internet Explorer 11 shows a bar at the bottom of the browser window with an orange border.

For any browser it is best to first save the file before proceeding, so click the “Save” button. By default, most browsers save downloaded files in the Downloads folder.

Getting Enigmail

You can get Enigmail from the Enigmail website.

Many browsers will ask you to confirm if you want to download this file. Internet Explorer 11 shows a bar at the bottom of the browser window with an orange border.

For any browser it is best to first save the file before proceeding, so click the “Save” button. By default, most browsers save downloaded files in the Downloads folder.

After downloading Enigmail, GPG4Win, and Mozilla Thunderbird you should have three new files in your Downloads folder:

Installing Mozilla Thunderbird

Similar to GPG4Win, you install Mozilla Thunderbird by double-clicking the Thunderbird Setup 24.6.0.exe file. As usual, you will be asked if you want to run this file. Click the “Run” button.

You will be asked if you want to allow Mozilla Thunderbird to make a change to your computer by installing software. Click the “Yes” button.

You will see the Mozilla Thunderbird Setup window. Click the “Next” button.

Next, you will get a choice between a Standard setup and a Custom setup. Keep the Standard setup selection and click the “Next” button.

You will be given a summary of where Mozilla Thunderbird's files will be installed. Click the “Install” button.

When the installation process is complete, you will see a final window that enables you to launch Mozilla Thunderbird. Click the “Finish” button.

Adding a mail account to Mozilla Thunderbird

A new window will open.

Enter your name, email address, and the password to your email account. Mozilla doesn't have access to your password or your email account. Click the “Continue” button.

In many cases Mozilla Thunderbird will automatically detect the necessary settings. In some cases Mozilla Thunderbird doesn't have complete information and you'll need to enter it yourself. Here is an example of the instructions Google provides for Gmail:

Incoming Mail (IMAP) Server - Requires SSL

• imap.gmail.com
• Port: 993
• Requires SSL:Yes

Outgoing Mail (SMTP) Server - Requires TLS

• smtp.gmail.com
• Port: 465 or 587
• Requires SSL: Yes
• Requires authentication: Yes
• Use same settings as incoming mail server

Full Name or Display Name: [your name or pseudonym]

Account Name or User Name: your full Gmail address (username@gmail.com). Google Apps users, please enter username@your_domain.com

Email address: your full Gmail address (username@gmail.com) Google Apps users, please enter username@your_domain.com

Password: your Gmail password

If you use two-factor authentication with Google (and depending on your threat model you probably should!) you cannot use your standard Gmail password with Thunderbird. Instead, you will need to create a new application-specific password for Thunderbird to access your Gmail account. See Google's own guide for doing this. 

When all the information is entered correctly, click the “Done” button.

Mozilla Thunderbird will start downloading copies of your email to your computer. Try sending a test email to your friends.

Creating a Public Key and Private Key

Installation and setup of the Enigmail add-on is complete. Now you'll have the option of creating your public and private key pair. This assumes you have not created a private key before.

Click the “Next” button.

Unless you have already configured more than one email account, Enigmail will choose the email account you've already configured. The first thing you'll need to do is come up with a strong passphrase for your private key.

Make sure that you've written down this passphrase on paper until you have memorized it. Keep it somewhere where you can tell if it has been taken or viewed (like your wallet or purse). Just make sure you don't leave this paper lying around.

Click the “Next” button.

Enigmail will display some information about your private key as well as the configuration settings. We recommend creating 4096-bit length keys. Click the “Next” button.

Your key will expire at a certain time; when that happens, other people will stop using it entirely for new emails to you, though you might not get any warning or explanation about why. So, you may want to mark your calendar and pay attention to this issue a month or so before the expiration date.

It's possible to extend the lifetime of an existing key by giving it a new, later expiration date, or it's possible to replace it with a new key by creating a fresh one from scratch. Both processes might require contacting people who email you and making sure that they get the updated key; current software isn't very good at automating this. So make a reminder for yourself; if you don't think you'll be able to manage it, you can consider setting the key so that it never expires, though in that case other people might try to use it when contacting you far in the future even if you no longer have the private key or no longer use PGP.

Enigmail will generate the key and when it is complete, a small window will open asking you to generate a revocation certificate. This revocation certificate is important to have as it allows you to make the private key and public key invalid. It is important to note that merely deleting the private key does not invalidate the public key and may lead to people sending you encrypted mail that you can't decrypt.

Click the “Generate Certificate” button.

A window will open to provide you a place to save the revocation certificate. While you can save the file to your computer, we recommend saving the file on a USB drive that you are using for nothing else and storing the drive in a safe spot. We also recommend removing the revocation certificate from the computer with the keys, just to avoid unintentional revocation.

Even better, save this file on a separate encrypted disk. Choose the location where you are saving this file and click the “Save” button.

Now Enigmail will give you further information about saving the revocation certificate file again. Click the “OK” button.

Finally, you are done with generating the private key and public key. Click the “Finish” button.

Using PGP/MIME

There is a final optional configuration step is to enable PGP/MIME which makes sending encrypted and signed attachments easier.

You can find this setting by clicking on the Menu Button, hovering over Options, then clicking Account Settings. The Account Settings window will open.

When the Account Settings window opens click the OpenPGP Security tab then click the checkbox next to Use PGP/MIME by default. Next click the OK button. Now Enigmail will use PGP/MIME by default.

Using PGP doesn't completely encrypt your email so that the sender and received information is encrypted. Encrypting the sender and receiver information would break email. Using Thunderbird with the Enigmail add-on gives you an easy way to encrypt and decrypt the content of your email.

Finding Other People Who Are Using PGP

1. Getting a public key by email

You might get a public key sent to you as en email attachment.

Double-click on the new message, and it'll open a new tab. Notice the attachment at the bottom of the window. Right-click on the attachment and select “Import OpenPGP Key.” A small window will open giving you the results of the import. Click the OK button.

If you open up the Enigmail key management window again, you can check the result. Your PGP key is in bold because you have both the private key and the public key. The public key you just imported is not bold because it doesn't contain the private key.

2. Getting a public key as a file

It's possible that you get a public key by downloading it from a website or someone might have sent it through chat software. In a case like this, you will assume you downloaded the file to the Downloads folder.

Open the Enigmail Key Manager and click on the “File” menu. Select “Import Keys from File.”

The public key might have very different file name endings such as .asc, .pgp, or .gpg. Select the file and click the “Open” button.

A small window will open, giving you the results of the import. Click the “OK” button.

3. Getting a public key from a key server

Keyservers can be a very useful way of getting public keys. Try looking for a public key. Open up the key manager then click the “Keyserver” menu and select “Search for Keys.”

A small window will pop up with a search field. You can search by a complete email address, a partial email address, or a name. In this case, you will search for certificates containing “eff.org.”

A larger window will pop up with many options. If you scroll down you'll notice some certificates are italicized and grayed out. These are certificates that have either been revoked or expired on their own.

Let's take the public keys of Danny O'Brien for example, he has one expired or revoked certificate and one valid certificate. Select the valid certificate by clicking the box on the left then press the OK button.

In some cases a person may have more than one certificate, all appearing valid. Note that it's possible for anyone to upload a public certificate for anyone else, and that one of these keys may not belong to the person that owns the email address associated with it. In this case, verifying the fingerprint is extremely important.

A small notification window will pop up letting you know if you succeeded:

The Enigmail Key Manager will now show you the added certificates:

Receiving PGP Encrypted Mail

Let's go through what happens when you receive encrypted email. Notice that that Mozilla Thunderbird is letting you know you have new mail. Click on the message.

A small window opens asking you for the password to the PGP key. Remember: Don't enter your email password. Click the “OK” button.

Now the message will show up decrypted

Revoking a PGP Key with a Revocation Certificate

As mentioned before, the PGP keys generated by Enigmail automatically expire after five years. So if you lose all your files you can be sure that people will know to ask you for another key once the key has expired.

Like we mentioned before, you might have a good reason to disable the PGP key before it expires.

Similarly, others might have good reasons to revoke an existing key.

You might get sent revocation certificates from friends as a notice that they want to revoke their key.

In the previous section you might have noticed that Enigmail generates and imports a revocation certificate internally when you use the Enigmail Key Manager to revoke a key. Since you already have a revocation certificate, you will use the one you generated earlier to revoke your own key.

Start with the Enigmail Key Manager and click the “File” menu and select “Import Keys from File.”

A window will open up so you can select the revocation certificate. Click on the file, and click the “Open” button.

You'll get a notification that the certificate was imported successfully and that a key was revoked. Click the “OK” button.

Once you click the “OK” button, you'll be taken back to the Enigmail Key Manager and you see the certificate you revoked greyed out and italicized.

If the key you revoked is your own, and you previously uploaded your public key to the key servers, you will want to re-upload the now-revoked key to the key servers, so that others see not to use it anymore.

Now that you have all the proper tools, try sending your own PGP-encrypted email.