
02/22/2006 Archived Entry: "NPR, PGP, Thunderbird, Enigmail"

WOW. THE TECHNOPHOBES AT NPR finally lifted their heads up from searching for endangered tree frogs on the Mongolian steppes and noticed the existence of email encryption. Alas, wouldn't you know it, their tale focuses on how almost nobody actually uses email encryption -- including the most dedicated privacy advocates.

Well, I got news for you, NPRistas. Most of my correspondents do encrypt, bless their hearts. And those ex-spurts who say there's no need to encrypt most emails forget the simple virtue of foiling governments on a regular basis. Let the NSA crunch away at your encrypted emails ... only to find your prize recipe for Creole red beans and rice. HA!

True, encryption has its pitfalls. (Try finding some address or phone number amid the 100 encrypted messages somebody sent you. Ack.) But it's simple. It's fun. And it monkeywrenches the snoop works!

Couple of years ago, with a lot of help from my friends, I wrote a pretty half-way decent "Hardyville Beginners Guide to Encryption."

And of course the Chivalrous Tech Geeks at TCF are always willing to help anybody learn to encrypt.

And since I've recently finished talking a technophobic (but bright) Windows user through the specific process of using encryption with the Thunderbird email program (a great, great combo!), I'll paste those instructions behind the "more" link.

Now ... YOU HAVE NO EXCUSE. Go thou and encrypt!

How to use encryption with the Thunderbird email program on Windows

To do this, you must already have the Thunderbird email program. I know for sure that these instructions work for Windows 2000 and Windows 98SE. I don't know about other versions of Windows. But even on a Linux system, these instructions are pretty close. So a little noodling should get you where you need to go.

Step One

Go here and download the free Gnu Privacy Guard (GPG) for Windows. It's listed under "Binaries." This is the basic encryption program that interfaces best with Thunderbird.

Be sure to grab the right file. It's a command-line program, but it comes with a graphical installer. Use the installer. (Typically, the downloader will put an icon on your desktop and all you have to do is double-click on it; but this will vary depending on your own personal settings.)

Step Two

Go here and download Enigmail. This is the interface that enables Thunderbird to work with GPG.

1) Save the file to your disk. (Do NOT opt to open the file directly from the webpage. You'll get an error message.)

2) Open Thunderbird.

3) Click on Tools --> Extensions. An extensions installer will pop up.

4) Click Install, then go find the Enigmail file you just downloaded. Select it and Thunderbird will install it automatically.

5) Close Thunderbird and reopen it. At the top you'll now see a menu item that will say either "Enigmail" or "OpenPGP."

Thunderbird is now almost ready for encryption, but your encryption program isn't yet ready for prime time. That's next.

Step Three
(Okay, actually a bunch of steps. This is the hard part. But keep in mind it's also the ONLY place you'll ever have to use a command line. Everything else is good old point-and-click.)

If anything I say here doesn't make sense, check it against the pretty decent manual you'll find here. The manual isn't always perfectly clear, but it's not bad and it might help clarify anything I leave unclear. And remember, the Chivalrous Tech Geeks will help you if something doesn't work!

1. Click your Windows Start menu and find "command prompt" or "MS-DOS prompt" (depending on your version of Windows). On Win 2000, it's under "Accessories." Open the program. You'll get an intimidating-looking black void that says only c:\>. That's the command prompt.

2. At the prompt type in cd c:\Program Files\GNU\GnuPG and hit return.

(This assumes you saved GPG to the default directory). You'll get a new prompt, telling you you're now in that directory. (If you have trouble getting to the GNU directory with the single "cd" command above, try reaching it step-by-step. E.g. cd "Program Files" hit return. Then cd GNU and hit return.)

3. When you're in that directory, type gpg --gen-key

Then hit return. This begins the process of creating your personal secret/public key pair. The secret key is for you alone. The public key you'll share with other correspondents. The single process you're now embarked on creates both at once.

4. A list of options for key type will come up. Choose the default option by typing in 1. Hit return.

5. The program will then prompt you for the key size you want. If you have an old, slow machine, choose one of the smaller sizes offered like 1024 or 2024. But if your machine is fairly modern and fast, go for the maximum size, which is 4096. Hit return.

6. The system then asks how long you want the key to remain valid before it expires. It's up to you, but I'd usually choose 0 for "never expires." Hit return.

7. The program will ask you to confirm that this is your choice. Type in y and hit return.

8. Then you'll be asked to type in your name and email address and will be shown the proper format.

Type in your name at the first prompt, your email address at the next prompt, and any brief comment (optional) at the third. (You can use fictional info, but that makes it harder for some people to encrypt to you. The more closely your key ID matches your real name and email address, the easier for your correspondents.)

9. The system will ask you for a password (GPG calls it a passphrase, and that's the word Thunderbird will use later). Give it something easy for you to remember but hard for any hackers or crackers to figure out. Then be sure you do remember it -- but never write it down anywhere. Hit return.

10. Then the system will begin generating your keys, which will take a few minutes -- maybe more than a few, depending on the speed of your system. This process is automatic, but you can help it become more random and more secure by typing on the keyboard, moving the mouse, etc. while all this is going on. When GPG has finished generating keys, you'll get another prompt. And you're done.

11. Now, open Thunderbird. Choose "OpenPGP" or "Enigmail" -- one of which will appear among the menus at the top of the program now that you've installed Enigmail (as described above). On the drop-down menu choose Preferences. Where it asks you to enter the GPG executable path, type in (or browse to) c:\Program Files\GNU\GnuPG\gpg.exe. Then click OK.

12. Now, open that OpenPGP/Enigmail menu again and choose "Key Management." You should see your own key there.

13. Now, ask somebody else to send you their encryption key. And you're going to send them a copy of yours so you can experiment with your shiny new encryption tech.

Step four

To send your key to someone: Start a message to your chosen encryption partner. With that message window open, select OpenPGP --> Attach my public key. (Note: the OpenPGP icon you're clicking here is the one in the message window, not the one on the main Thunderbird program.)

That will attach your key to the message. Now send as usual.

Step five

Your friend has also attached his or her public key to a message and sent it to you. Now ...

If the key has arrived as an attachment, open it (in NotePad or some other text-only program), highlight and copy it.

Then, in Thunderbird, select OpenPGP --> Key management.

When the Key management window opens, click Edit --> Import keys from clipboard.

That will put your friend's key into your system. Now, you must take one more step before you can use that key. But it's easy. And you're nearly done!

Step six

Open Key Management. Select your friend's key.

Click Edit

You'll see an option for "Sign key."

Click on that.

Check the box for "Local signature only." And select "I have done casual checking."

Click OK.

Go back to the Key management Edit menu.

This time select "Set key trust." Then choose "I trust marginally."

Click OK.


Never give complete trust to a key unless you have 100 percent proof that it really is that person's key. Ditto with signing a key. The reason you choose "local signature" is because you've never gotten any independent verification that your friend's key really is his key. Only after you meet up in person or exchange "key fingerprints" through some reliable method (not going to cover that here) should you totally trust anybody else's key.

Step seven

To use encryption, just compose your message as usual, but before sending, click on the OpenPGP icon in the message window (again, not the one on the main Thunderbird program). Click "Encrypt message." Then when you hit Send, Thunderbird/Enigmail will ask you to type in your passphrase.

Do that ... and your secret message is on its way to your friend.

Posted by Claire @ 02:35 PM CST
