Encrypt your Email with GPG

SEND AND RECEIVE PUBLIC KEYS

Add keys to your keyring and send your public key [25 mins]

Our task is to send and receive encrypted and signed email. To do this we will need to exchange public keys with the person we want to send emails to. Normally, to exchange public keys you will contact that person and ask them to send you their key via email, or you will download it from the Internet. Likewise, you can send them your key via email or put it online for them to download. 

Receiving public keys and adding them to your keyring

Downloading keys from the web

Many people put their public keys on the web so that it is possible for others to download their key. Later challenges will cover the use of key servers as another way of receiving and sending keys.  

To continue with this task you may want to use the following key and email to test your ability to send encrypted mail.

PGP key:  http://clearerchannel.org/keys/mickfuzz.gpg
Associated email:  mickfuzz@clearerchannel.org

To be able to send an encrypted email to this address you first need to add that key to your keyring in Thunderbird. To do this click on the link to the PGP key and download that file to your computer. Note that the download above is served over plain HTTP, so anyone between you and the server could substitute a different key; importing a key does not prove who owns it, and you should confirm the key's fingerprint with its owner by some channel other than email before you rely on it (see the section on sending public keys below). 

Then, in the Thunderbird application go to OpenPGP > Key Management

In the Key Management window select File > Import Keys from File

Browse to the place where you saved the public key you downloaded and then select it and click on the Open button

You should then receive an alert message saying that The key(s) were successfully imported.

You should now be able to progress to sign and encrypt email.

Receiving keys by email

Let's say you are able to request and receive a public key from a friend by mail. The key will show up in Thunderbird as an attached file. Scroll down the message and below it you will find tabs with one or two file names. The public key file has the extension .asc, which is different from an attached PGP signature, which ends with .asc.sig.

Look at the example email in the next image, which is a received, signed PGP message containing an attached public key. Notice the yellow bar with the warning message 'OpenPGP: Unverified signature, click on 'Details' button for more information'. Thunderbird cannot check the signature because it does not yet have the sender's public key, which is correct at this point. This will change once we have imported the attached key.

What are all those strange characters doing in the mail message? Because Thunderbird cannot verify the signature, it prints out the entire raw signature block just as it received it. This is how inline-signed PGP messages appear to recipients who do not have your public key (or whose mail client has no OpenPGP support at all).

The most important thing in this example is to find the attached PGP public key. We mentioned it is a file that ends with .asc. In this example it is the first attachment on the left, marked with the red circle. Double-clicking on this attachment makes Thunderbird recognise the file as a key and offer to import it.

In the example image above, we should double-click on the attached .asc file to import the PGP public key.

After we have clicked on the attachment, the following pop-up will appear.

Thunderbird has recognized the PGP public key file. Click on 'Import' to add this key to your keyring. The following pop-up should appear. Thunderbird says the operation was successful. Click on 'OK' and you are done. You now have the ability to send this friend encrypted messages.

Sending public keys

There are multiple ways to distribute your public key to friends or colleagues. By far the simplest is to attach the key to a mail. An email with a key attached proves nothing by itself, though: anyone can send a mail that claims to come from you with a key they control attached. For your friend to trust that the key is really yours, tell them in person (if possible) that you are sending it and ask them to reply to your mail; this at least prevents easy forgeries. The same applies when you receive emails from third parties containing public keys. The reliable check is to compare the key's fingerprint (shown for each key in the Key Management window) with the fingerprint the other person reads to you over some channel other than email: a telephone call, text messages, Voice over Internet Protocol (VoIP) or any other method, as long as you are absolutely certain that you are really talking to the right person. Telephone conversations and face-to-face meetings work best, if they are convenient and can be arranged safely. You have to decide for yourself what level of validation is necessary.

Sending your public key is easy.

1. In Thunderbird, click on the Write icon.

2. Compose a mail to your friend or colleague and tell them you are sending them your PGP public key. If your friend does not know what that means, you may have to explain them and point them to this documentation.

3. Before actually sending the mail, click on the OpenPGP > Attach My Public Key option on the menu bar of the mail compose window. A check mark will appear next to this option. See the example below.

4. Send your mail by clicking on the Send button.
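The following Python script is an added example for this section; it is not part of the original tutorial and is not Thunderbird's or GnuPG's code. It does with the standard library what the steps above do by hand: it builds a mail with a public key attached the way 'Attach My Public Key' does (an application/pgp-keys attachment named *.asc), and on the receiving side it finds the .asc attachment (ignoring .sig signatures), strips the ASCII armor, checks the armor's CRC-24, and computes the key's v4 fingerprint and user IDs so you can read the fingerprint back to the owner by phone before importing. The key it works on is constructed in the script with placeholder numbers and a hypothetical identity (Alice Example <alice@example.org>); it is structurally valid but not a real key and not the key linked earlier on this page. It handles v4 keys with old-format packet headers, which is what gpg writes for keys it created; other packet formats raise an error rather than being guessed at.

```python
import base64, email, email.policy, hashlib, re, struct
from email.message import EmailMessage

def crc24(data: bytes) -> int:
    # RFC 4880 6.1: the checksum armor carries so copy/paste or transfer damage is noticed.
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc

def armor(data: bytes, kind: str = "PGP PUBLIC KEY BLOCK") -> str:
    # The -----BEGIN/END----- text form that a .asc file contains.
    b64 = base64.b64encode(data).decode()
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {kind}-----", ""] + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + [f"={check}", f"-----END {kind}-----", ""])

def dearmor(text: str) -> bytes:
    # Undo armor() and verify the CRC-24; a ValueError means the file is damaged or was edited.
    lines = text.splitlines()
    marks = [i for i, line in enumerate(lines) if line.startswith("-----")]
    block = lines[marks[0] + 1:marks[1]] if len(marks) >= 2 else []
    if "" in block:                      # armor headers (Version:, Comment:) end at a blank line
        block = block[block.index("") + 1:]
    body = "".join(line.strip() for line in block if line.strip() and not line.startswith("="))
    check = [line[1:].strip() for line in block if line.startswith("=")]
    data = base64.b64decode(body, validate=True)
    if not body or not check or int.from_bytes(base64.b64decode(check[-1]), "big") != crc24(data):
        raise ValueError("no armored block, or checksum missing or wrong")
    return data

def packets(data: bytes):
    # Yield (tag, body) for old-format packet headers (RFC 4880 4.2.1), as gpg writes for keys it created.
    i = 0
    while i < len(data):
        ctb = data[i]
        if (ctb & 0xC0) != 0x80:
            raise ValueError("not an old-format OpenPGP packet header")
        tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
        if n == 8:
            raise ValueError("indeterminate packet length not supported")
        length = int.from_bytes(data[i + 1:i + 1 + n], "big")
        i += 1 + n
        yield tag, data[i:i + length]
        i += length

def v4_fingerprint(key_body: bytes) -> str:
    # RFC 4880 12.2: SHA-1 over 0x99, the two-byte body length and the public key packet body.
    if key_body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def inspect_key(armored: str) -> dict:
    # What to look at before importing a .asc file: fingerprint, key ID, algorithm and user IDs.
    info = {"fingerprint": None, "keyid": None, "algorithm": None, "userids": []}
    for tag, body in packets(dearmor(armored)):
        if tag == 6 and info["fingerprint"] is None:    # primary public key packet
            info["fingerprint"] = v4_fingerprint(body)
            info["keyid"] = info["fingerprint"][-16:]   # the long key ID gpg prints
            info["algorithm"] = body[5]                 # 1 = RSA, 17 = DSA, 22 = EdDSA
        elif tag == 13:                                 # user ID packet
            info["userids"].append(body.decode("utf-8", "replace"))
    if info["fingerprint"] is None:
        raise ValueError("no public key packet in this file")
    return info

def fingerprint_matches(info: dict, spoken: str) -> bool:
    # Compare with the fingerprint the key's owner reads out by phone; spacing and case ignored.
    return re.sub(r"\s+", "", spoken).upper() == info["fingerprint"]

def constructed_public_key() -> str:
    # Structurally valid v4 RSA key with PLACEHOLDER numbers: constructed here, not a real key.
    def mpi(v): return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
    n = int.from_bytes(bytes(range(1, 129)), "big")                 # 1017-bit dummy modulus
    body = b"\x04" + struct.pack(">I", 1700000000) + b"\x01" + mpi(n) + mpi(65537)
    uid = "Alice Example <alice@example.org>".encode()             # hypothetical user ID
    pkt = b"\x99" + struct.pack(">H", len(body)) + body             # tag 6, two-byte length
    pkt += b"\xb5" + struct.pack(">H", len(uid)) + uid              # tag 13, two-byte length
    return armor(pkt)

def attach_key_to_mail(armored: str, sender: str, to: str) -> bytes:
    # The same thing 'OpenPGP > Attach My Public Key' does: an application/pgp-keys attachment.
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, "My PGP public key"
    msg.set_content("My public key is attached. Please confirm its fingerprint with me by phone.")
    msg.add_attachment(armored.encode(), maintype="application", subtype="pgp-keys", filename="alice_pubkey.asc")
    return bytes(msg)

def keys_from_mail(raw: bytes) -> list:
    # The receiving side: find .asc key attachments (not .sig signatures) and inspect each one.
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    found = []
    for part in msg.iter_attachments():
        if (part.get_filename() or "").endswith(".asc"):
            found.append(inspect_key(part.get_content().decode()))
    return found
```

Run inspect_key on any .asc you downloaded or saved from an attachment, read the fingerprint it reports back to the key's owner over the phone with fingerprint_matches, and only then import the file in Key Management. The value it computes is the same one gpg --show-keys file.asc prints, and the same one Thunderbird shows in the key's properties, so a mismatch means you have the wrong key, not a bug in the tool. A damaged or edited .asc fails the CRC check before any of its contents are trusted.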


Task

  • Import someone else's public key via email or by downloading it from the web
  • Send your public key to someone. You can try mickfuzz@clearerchannel.org