How to: Use PGP for Linux

Pretty Good Privacy (PGP) is a way to protect your email communications from being read by anyone except their intended recipients. It can protect against companies, governments, or criminals spying on your Internet connection, and, to a lesser extent, it can save your email from being read if the computer on which they are stored is stolen or broken into.

It can also be used to prove that an email came from a particular person, instead of being a fake message sent by another sender (it is otherwise very easy for email to be fabricated). Both of these are important defenses if you're being targeted for surveillance or misinformation.

To use PGP, you will need to install some extra software that will work with your current email program. You will also need to create a private key, which you will keep private. The private key is what you will use to decrypt emails sent to you, and to digitally sign emails that you send to show they truly came from you. Finally, you'll learn how to distribute your public key—a small chunk of information that others will need to know before they can send you encrypted mail, and that they can use to verify emails you send.

This guide will show you how to use PGP with a Linux-style operating system using Mozilla Thunderbird, a popular open source graphical email client.

You can't currently use PGP directly with a web email service like Gmail, Hotmail, Yahoo! Mail, or Outlook Live. You can still use your webmail address; you’ll just have to configure it with the Thunderbird program on your computer.

Note that both ends of the email conversation need to be using PGP-compatible software for it to work.

People will normally use this only on their own personal devices, not on shared devices. Fortunately, PGP is available for most desktop computers and mobile devices, and you can point them to these guides to help them set up their own version.

Configuring Thunderbird

Now that you've installed Thunderbird, open it as you would another application on your machine (you might pick it from a list of applications on a menu, or type its name into an application search). You will see the first run wizard appear.

To set up your existing email address, click "Skip this and use my existing email,” and then enter your name, email address, and the password to your email account.

If you use a popular free email service like Gmail, Thunderbird should be able to automatically detect your email settings when you click “Continue.”

If you use two-factor authentication with Google (and depending on your threat model you probably should!) you cannot use your standard Gmail password with Thunderbird. Instead, you will need to create a new application-specific password for Thunderbird to access your Gmail account. See Google's own guide for doing this.

If it doesn't, you may need to manually configure your IMAP and SMTP settings. If you don’t know how to do this, talk to your email provider, or ask someone technical who is familiar with your email provider (so, an IT person at work, or a technical friend who uses the same ISP as you; they don't need to know how to use PGP, but you can ask them “Do you know the IMAP and SMTP settings for my email address?”).

Creating a Public Key and Private Key

Installation and setup of the Enigmail add-on is complete. Now you'll have the option of creating your public and private key pair. This assumes you have not created a private key before.

Click the “Next” button.

Unless you have already configured more than one email account, Enigmail will choose the email account you've already configured. The first thing you'll need to do is come up with a strong passphrase for your private key.

Enigmail will display some information about your private key as well as the configuration settings. We recommend creating 4096-bit length keys. Click the “Next” button.

Your key will expire at a certain time; when that happens, other people will stop using it entirely for new emails to you, though you might not get any warning or explanation about why. So, you may want to mark your calendar and pay attention to this issue a month or so before the expiration date.

It's possible to extend the lifetime of an existing key by giving it a new, later expiration date, or it's possible to replace it with a new key by creating a fresh one from scratch. Both processes might require contacting people who email you and making sure that they get the updated key; current software isn't very good at automating this. So make a reminder for yourself; if you don't think you'll be able to manage it, you can consider setting the key so that it never expires, though in that case other people might try to use it when contacting you far in the future even if you no longer have the private key or no longer use PGP.

Enigmail will generate the key and when it is complete, a small window will open asking you to generate a revocation certificate. This revocation certificate is important to have as it allows you to make the private key and public key invalid. It is important to note that merely deleting the private key does not invalidate the public key and may lead to people sending you encrypted mail that you can't decrypt.

Click the “Generate Certificate” button.

A window will open to provide you a place to save the revocation certificate. While you can save the file to your computer, we recommend saving the file on a USB drive that you are using for nothing else and storing the drive in a safe spot. We also recommend removing the revocation certificate from the computer with the keys, just to avoid unintentional revocation.

Even better, save this file on a separate encrypted disk. Choose the location where you are saving this file and click the “Save” button.

Now Enigmail will give you further information about saving the revocation certificate file again. Click the “OK” button.

Finally, you are done with generating the private key and public key. Click the “Finish” button.

Letting Others Know You Are Using PGP

1. Let People Know You Are Using PGP with an Email

You can easily email your public key to another person by sending them a copy as an attachment.

Click the “Write” button in Mozilla Thunderbird.

Fill in an address and a subject, perhaps something like “my public key,” click the Enigmail menu and select the “Attach My Public Key” option.

You can now the email and the recipient will be able to download and use the public key you sent.

If this method is used, it's a good idea to have the recipient verify your public key's fingerprint over some other form of communication, in case email is already being intercepted and tampered with.

2. Let People Know You Are Using PGP on Your Website

In addition to letting people know via email, you can post your public key on your website. The easiest way is to upload the file and link to it. This guide won't go into how to do those things, but you should know how to export the certificate as a file to use in the future.

Click the configuration button, then the Enigmail option, then Key Management.

Highlight your certificate in bold, then right-click to bring up the menu and select Export keys to file.

A small window will pop up with three buttons. Click the “Export Public Keys Only” button.

Make sure you don't click the “Export Secret Keys” button because exporting the secret key could allow others to impersonate you if they are able to guess your password.

Now a window will open so you can save the file. In order to make it easier to find in the future please save the file to the Documents folder.

Now you can use this file as you wish.

3. Uploading to a Keyserver

Keyservers make it easier to search for and download public keys. Most modern keyservers are synchronizing, meaning that a public key uploaded to one server will eventually reach all servers.

Although uploading your public key to a keyserver might be a convenient way of letting people know that you have a public PGP certificate, you should know that due to the nature of how keyservers work, there is no way to delete public keys once they are uploaded, you can only mark them as revoked.

Before uploading your public key to a keyserver, it is good to take a moment to consider whether you want the whole world to know that you have a public key without the ability to remove this information at a later time.

If you choose to upload your public key to keyservers, you will go back to the Enigmail Key Management window.

Click the Keyserver menu item and select the Upload Public Keys option.

Sending PGP Encrypted Mail

Now you will send your first encrypted email to a recipient. In the main Mozilla Thunderbird window click the “Write” button. A new window will open.

Write your message, and enter a recipient. For this test, select a recipient whose public key you already have. Enigmail will detect this and automatically encrypt the email (you can tell it will be encrypted by the golden key at the bottom right of the email).

Note that the subject line won't be encrypted, so choose something innocuous, like “hello.”

When you click the “Send” button, you'll be given a window to enter the password to your PGP Key. Remember this is different from your email password!

Enter your password then click the “OK” button and your email will be encrypted and sent.

The body of the email was encrypted and transformed. For example our text above, was converted to this:

Revoking the PGP Key

Revoking Your PGP Key Through the Enigmail Interface

The PGP keys generated by Enigmail automatically expire after five years. So if you lose all your files, you can hope that people will know to ask you for another key once the key has expired.

You might have a good reason to disable the PGP key before it expires. Perhaps you want to generate a new, stronger PGP key. The easiest way to revoke your own PGP key in Enigmail is through the Enigmail Key Manager. Right-click on your PGP key (it's in bold), and select the “Revoke Key” option.

A window will pop up letting you know what happens and asking for your confirmation. Click the “Revoke Key” button.

The password window opens, enter your password for the PGP key and click the “OK” button.

Now a new window will open up letting you know you succeeded. Click the “OK” button.

When you go back to the Enigmail Key Management window you'll notice a change to your PGP key. It is now grayed out and italicized.