GPG Tutorial

Introduction

This is a beginner GnuPG tutorial to get started with asymmetric-key encryption and to spread privacy online.

Quick Start

If you only need to generate a keypair for Thunderbird, jump to Thunderbird Quick Start.

Otherwise, this tutorial will guide you from setting up your first key to encrypting, decrypting and signing.

Custom Setup / Full Tutorial

The full tutorial gives an introduction to GPG and helps you set up a key pair, then encrypt and send emails with it. After finishing the full tutorial, you should be able to encrypt and decrypt files using your keypair and also send and receive encrypted mails.

However, this tutorial does not cover every option available with GnuPG. To learn more, check out the references on the last slide.

Download my public key

If you are already familiar with GPG you can download my public key here. Its fingerprint is:

6F9B 7CB9 9D9F E104 22E0  763B 6EBA 2A98 7AD2 8A6B

You can also run the following command in a terminal to import my key directly:

curl -s https://w1lhelm.de/gpg/6F9B7CB99D9FE10422E0763B6EBA2A987AD28A6B.asc | gpg --import
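Piping a downloaded key straight into gpg --import does not by itself confirm that the key is the one whose fingerprint is printed above; that is what comparing fingerprints is for (the same check as step 6 of the Thunderbird Quick Start). The following script is an added example, not part of this tutorial or of GnuPG: it takes the machine-readable listing that gpg --with-colons --fingerprint produces and checks whether a primary key with exactly the published fingerprint is present. The listing embedded in the script is a constructed sample in that format; its primary-key fingerprint is the one published above, while the subkey fingerprint, the user-ID hash and the trust-database line are made-up placeholders.

```python
"""Check an imported OpenPGP key against a published fingerprint.

Added example for this tutorial (not the tutorial's own code): after
`curl ... | gpg --import`, nothing has yet confirmed that the key you
fetched is the one whose fingerprint is printed on this page. GnuPG can
report fingerprints in a machine-readable form with
    gpg --with-colons --fingerprint <key id or mail address>
and this script compares that report with the expected value.
"""
import re
import subprocess
from typing import List

# Fingerprint as published on this page; spaces are for readability only.
EXPECTED_FINGERPRINT = "6F9B 7CB9 9D9F E104 22E0  763B 6EBA 2A98 7AD2 8A6B"

# Constructed sample of `gpg --with-colons --fingerprint` output.
# Record layout as gpg emits it: pub, fpr (primary), uid, sub, fpr (subkey).
# The subkey fingerprint and the uid hash are placeholders, not real values.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:6EBA2A987AD28A6B:1655424000:1718496000::u:::scESC::::::23::0:
fpr:::::::::6F9B7CB99D9FE10422E0763B6EBA2A987AD28A6B:
uid:u::::1655424000::0000000000000000000000000000000000000000::Semjon Wilhelm (Public Mail PGP Key) <semjon@w1lhelm.de>::::::::::0:
sub:u:4096:1:0000000000000000:1655424000:1718496000:::::e::::::23:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000:
"""


def normalize_fingerprint(fpr: str) -> str:
    """Remove whitespace and upper-case, so 'ABCD EF..' and 'abcdef..' compare equal.

    Rejects anything that is not a 40-hex-digit (v4) fingerprint, so a
    truncated or mistyped value fails loudly instead of silently mismatching.
    """
    compact = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError(f"not a 40-hex-digit OpenPGP fingerprint: {fpr!r}")
    return compact


def key_id_from_fingerprint(fpr: str) -> str:
    """The long key ID gpg shows (e.g. in `gpg -K`) is the last 16 hex digits of a v4 fingerprint."""
    return normalize_fingerprint(fpr)[-16:]


def primary_fingerprints(listing: str) -> List[str]:
    """Return the primary-key fingerprint of every key in a --with-colons listing.

    In colon output the 'fpr' record that directly follows a 'pub' record is the
    primary key's fingerprint (field 10); later 'fpr' records belong to subkeys.
    """
    result = []
    awaiting_primary = False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            awaiting_primary = True
        elif fields[0] == "fpr" and awaiting_primary and len(fields) > 9:
            result.append(fields[9].upper())
            awaiting_primary = False
    return result


def fingerprint_matches(listing: str, expected: str) -> bool:
    """True only if a primary key in the listing has exactly the expected fingerprint."""
    return normalize_fingerprint(expected) in primary_fingerprints(listing)


def live_listing(query: str) -> str:
    """Ask the local GnuPG for the real listing (not used by the offline demo below)."""
    proc = subprocess.run(
        ["gpg", "--with-colons", "--fingerprint", query],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Offline demo on the constructed sample; after a real import, use
    # live_listing("semjon@w1lhelm.de") instead to check the key you actually fetched.
    if fingerprint_matches(SAMPLE_LISTING, EXPECTED_FINGERPRINT):
        print("fingerprint matches, key ID", key_id_from_fingerprint(EXPECTED_FINGERPRINT))
    else:
        print("MISMATCH: do not use this key until you have verified it")
```

Only the fingerprint that follows the pub record counts: a subkey fingerprint, or a key whose fingerprint merely shares the 16-digit key ID, does not pass, which is why the comparison is on the full 40 hex digits rather than on the key ID.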

Thunderbird Quick Start

Since Thunderbird 78, there is built-in support for OpenPGP. Follow these instructions to quickly set up sending and receiving of encrypted mails.

  1. Go to Account Settings > End-To-End Encryption and click on Add Key... in the OpenPGP section.
  2. Select Create a new OpenPGP Key and click Continue.
  3. Set a key expiry, e.g. 1 year. You can update this even once your key has expired. Set the key size to the current maximum of 4096 bits and click Generate key.
  4. Click Confirm to start the key generation.
  5. Open the OpenPGP Key Manager in Thunderbird. Download my public key here and import it by clicking File > Import Public Key(s) From File and selecting the .asc file you just downloaded.
  6. Double-click the imported key Semjon Wilhelm (Public Mail PGP Key) and verify that its fingerprint is exactly:
    6F9B 7CB9 9D9F E104 22E0 763B 6EBA 2A98 7AD2 8A6B
    
  7. Select the acceptance level you are comfortable with. Since you only imported the key by downloading it, I suggest selecting
    Yes, but I have not verified that it is the correct key.
    
    and click Ok.
  8. Continue with Send an encrypted mail.

Install GPG

Use the package manager of your Linux distro to install GnuPG, e.g. on Ubuntu run

sudo apt install gnupg

Or on Arch:

sudo pacman -S gnupg

On Windows:

Get GnuPG by downloading GPG4Win. GPG4Win is an email and file encryption software package that includes GnuPG. Download and install the latest version, choosing default options whenever asked. After it’s installed, you can close any windows that it creates [5].

Generate a key

To generate a key, just run

gpg --full-generate-key

  1. Select (1) RSA and RSA (default).

  2. Use the maximum key size of 4096 bits.

  3. Set an expiry of 1y (1 year). You can change this even after your key has expired.

  4. Type in your name and the mail address you want to use this key with. Add a comment to your key; it can be seen by others who import your key. Set a password for your private key; you will be prompted for it.

    Note that you can add more identities later by editing the key.

  5. Export your public key using

    gpg -a --export <your mail address> > key.asc
    
  6. You can export your secret key as well, but you don’t need to:

    gpg -a --export-secret-keys <your mail address>
    

Test your key

To test your key, just encrypt some data using your public key (no password is required for this):

echo "some secret message" > msg.txt
gpg -e --recipient <your mail address> msg.txt

You should see a new file named msg.txt.gpg.

Decrypt it using your private key (password required):

gpg --decrypt msg.txt.gpg

You will see the recipient of the message you just encrypted and the message itself.

Import in Thunderbird

When importing keys in Thunderbird, there are two options to achieve this:

  1. Import your public and private key in the built-in Thunderbird OpenPGP key manager. This is the easier option to manage keys.
  2. Use an external key through the system’s GnuPG installation. This is a more advanced option, but it makes it possible to use keys on an external smart card such as the YubiKey.

Option 1: Use Thunderbird’s built-in OpenPGP key manager

Export your public and private key as described in Generate a key. In Thunderbird, go to Account Settings > End-To-End Encryption and click Add Key.... Select Import an existing OpenPGP Key and select the file which contains your key.

Repeat this for your private key too.

Option 2: Use the system’s GnuPG installation

As for Option 1, go to End-To-End Encryption in your account settings.

Instead of choosing to import an existing key, select Use your external key through GnuPG (...). You can get your secret key ID by executing

gpg -K

Copy the fingerprint value of your key and insert it into the form. The key should be marked as External GnuPG Key.

Send an encrypted mail

If you haven’t already imported my public key, go to Thunderbird Quick Start and follow the steps to import it.

Go to your inbox view in Thunderbird and click Write to create a new mail. Send the mail to semjon@w1lhelm.de if you want to try out encryption using my public key and provide me with your public key.

To do so, select

Options > OpenPGP > Attach My Public Key

and

Options > Digitally Sign This Message

Make sure to select OpenPGP as encryption technology:

Options > Encryption Technology > OpenPGP

Hit send and wait for my reply :)

Please note that ideally we should verify each other’s fingerprints in person, or over another channel, to make sure that our communication is actually secure.

Congrats on sending your first encrypted mail.

Alternatively, you can send a mail to the Edward Mail Bot edward-en@fsf.org with your public key attached. Please see Email Self-Defense, section four, for more information on how this works.

Key Expiry

Once your key expires, you can either renew it, i.e. edit the key and set a new expiration date, or you can create a new key.

To update your key, run

$ gpg --edit-key <your key ID>
gpg (GnuPG) 2.2.35; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/1E660D0176E8FC20
     created: 2022-06-17  expires: 2023-06-17  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/BD678AF2D8954EB9
     created: 2022-06-17  expires: 2023-06-17  usage: E   
[ultimate] (1). Example Key (comment) <key@example.com>

gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Sun Jun 16 13:16:31 2024 CEST
Is this correct? (y/N) y

...
gpg> key 1 # repeat this for the subkey used for encryption
...
gpg> expire
...
gpg> save
$ gpg -k # check the new expiry date

With this, you just updated your key. Make sure to supply your contacts with your updated key. Otherwise, they won’t be able to send encrypted mails to you.
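The session above ends with gpg -k to check the new expiry date by eye. The following script is an added example, not code from this tutorial or from GnuPG, that performs the same check mechanically on the listing gpg -k --with-colons produces, so it can run from cron and warn before the primary key or the encryption subkey lapses. It covers the failure mode the session hints at with "repeat this for the subkey": the primary key gets renewed but the subkey is forgotten. The listings embedded in it are constructed from the dates shown in the session (primary key 1E660D0176E8FC20, subkey BD678AF2D8954EB9); fpr and uid records are left out because the audit ignores them.

```python
"""Audit OpenPGP key and subkey expiry from gpg's machine-readable listing.

Added example (not code from the tutorial): after `gpg> expire` and `save`
the tutorial says to run `gpg -k` and check the new expiry date. This
script does that check from the output of
    gpg -k --with-colons
The listings below are constructed from the dates in the session above;
on a real system, feed in the live gpg output instead.
"""
from datetime import datetime, timezone
from typing import Iterator, List, Optional, Tuple

SECONDS_PER_DAY = 86400

# Constructed: both key and subkey expire 2023-06-17 UTC (epoch 1686960000).
LISTING_BEFORE = """\
pub:u:4096:1:1E660D0176E8FC20:1655424000:1686960000::u:::scESC::::::23::0:
sub:u:4096:1:BD678AF2D8954EB9:1655424000:1686960000:::::e::::::23:
"""

# Constructed: after `expire` on both, valid until 2024-06-16 UTC (epoch 1718496000).
LISTING_AFTER = """\
pub:u:4096:1:1E660D0176E8FC20:1655424000:1718496000::u:::scESC::::::23::0:
sub:u:4096:1:BD678AF2D8954EB9:1655424000:1718496000:::::e::::::23:
"""

# Constructed: the common mistake of renewing the primary key but forgetting
# `key 1` followed by `expire` for the encryption subkey.
LISTING_SUBKEY_FORGOTTEN = """\
pub:u:4096:1:1E660D0176E8FC20:1655424000:1718496000::u:::scESC::::::23::0:
sub:u:4096:1:BD678AF2D8954EB9:1655424000:1686960000:::::e::::::23:
"""

# Constructed: a key with no expiry at all (field 7 empty); placeholder key ID.
LISTING_NEVER_EXPIRES = """\
pub:u:4096:1:0000000000000000:1655424000:::u:::scESC::::::23::0:
"""

Record = Tuple[str, str, Optional[int]]
Finding = Tuple[str, str, str, str]


def key_records(listing: str) -> Iterator[Record]:
    """Yield (kind, key ID, expiry epoch or None) for every pub/sub record.

    Colon format: field 1 record type, field 5 key ID, field 6 creation time,
    field 7 expiry time as epoch seconds (empty when the key never expires).
    """
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub") and len(fields) > 6:
            expires = int(fields[6]) if fields[6] else None
            yield fields[0], fields[4], expires


def expiry_report(listing: str, now_ts: int, within_days: int = 30) -> List[Finding]:
    """Return (kind, key ID, status, expiry date) for records that are expired
    or will expire within `within_days` days of `now_ts`; healthy records are omitted."""
    findings: List[Finding] = []
    for kind, keyid, expires in key_records(listing):
        if expires is None:
            continue  # never expires: nothing to renew
        days_left = (expires - now_ts) / SECONDS_PER_DAY
        if days_left < 0:
            status = "expired"
        elif days_left <= within_days:
            status = "expires soon"
        else:
            continue
        when = datetime.fromtimestamp(expires, tz=timezone.utc).strftime("%Y-%m-%d")
        findings.append((kind, keyid, status, when))
    return findings


if __name__ == "__main__":
    # Offline demo as of 2023-06-01 UTC (epoch 1685577600). On a real system,
    # pass the output of `gpg -k --with-colons` and int(time.time()) instead.
    now = 1685577600
    for name, listing in [("before renewal", LISTING_BEFORE),
                          ("after renewal", LISTING_AFTER),
                          ("subkey forgotten", LISTING_SUBKEY_FORGOTTEN)]:
        print(f"{name}: {expiry_report(listing, now) or 'OK'}")
```

Subkeys are reported on their own line because an expired encryption subkey stops your contacts from encrypting to you even when the primary key is still valid, which is exactly the case a glance at gpg -k is easy to miss.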

If you are interested in more advanced use scenarios, I suggest you have a look at Dr. Duh’s GPG YubiKey-Guide [3].

References

[1] The GNU Privacy Guard

[2] OpenPGP in Thunderbird - HOWTO and FAQ

[3] Dr. Duh’s GPG YubiKey-Guide

[4] How To Use GPG to Encrypt and Sign Messages

[5] Email Self-Defense