A few weeks ago, when building my new computer, I decided to go with Windows 8, primarily for the under-the-hood improvements. I won’t get into the overall experience, but I did run into a few issues getting security software installed, especially gpg4win, which I chose to enable PGP e-mail encryption.
The OpenPGP specification (encapsulated in RFC 4880) was created by Phil Zimmermann back in 1991 and is pretty much the standard for encrypting messages sent via the Internet. However, implementing encryption is hard, and putting the implementations to use isn’t always easy, either. While most Linux distros ship with several options built in to handle this, Windows ends up with two primary options: PGP and gpg4win. We’ll have a look at them and at how to install the latter after the break.
The commercial version of PGP itself, now owned by Symantec and sold as Symantec Encryption, is generally a good product: it integrates neatly into Windows, has a very wide set of capabilities including file encryption, secure file deletion, whitespace shredding, and key management, and is well placed for enterprise use. But for the home user it’s expensive, starting around $150 for e-mail encryption, and that only gets you a year of upgrades. For some people this is a good trade-off, but it’s generally too expensive for most. It’s also proprietary, which may put off people who are concerned about what their crypto software is doing behind the scenes.
The other option, gpg4win, is a free and open-source software (FOSS) solution supported by a relative handful of developers. Unlike Symantec’s proprietary product, all of its code, top to bottom, is published and readable by anyone, and it’s completely free for anyone to use, being licensed under GPL v2 or later. The downside is that it sometimes has problems with new versions of Windows: the developers don’t have the access to Microsoft and other companies that Symantec does, so compatibility tends to lag behind a bit. There are also issues with 64-bit Windows installations, in that the context-menu extensions don’t always work, or don’t work properly. There is a fallback for file encryption and hashing operations through the Kleopatra client, but it adds another layer of operations. Fixes are underway, and I’ll update accordingly when that happens.
So, since the best software depends on your feature priorities, we’ll say that this time around the priority is cost, because that was my deciding factor. I’m not going to get into what you should encrypt or why, or explain all the terms; you’re welcome to ask questions if something isn’t clear.
Step 1: Obtain gpg4win
Easy enough: just head over to http://www.gpg4win.org/ (HTTPS is available, but for whatever reason they don’t use a certificate recognized by most browsers) and click on the big green download link. Unless you have a really pressing need for one of the smaller versions, click on the next big green download link to save the installer (gpg4win-2.1.1.exe).
Step 2: Disable antivirus software (skip if running Windows 7 or earlier)
At the time of writing, there’s a bug that sometimes (often?) prevents the proper installation of the software under Windows 8 while antivirus software is running. The installer will seem to freeze for a few minutes at versioninfo.txt before eventually proceeding. However, something goes wrong (what exactly is uncertain right now) and at least some functions won’t work correctly. This has been observed with Windows Defender (the basic AV software Microsoft provides) and ESET Smart Security. As long as you’re not doing anything else at the time, it should be safe to disable AV for a few minutes while you install gpg4win.
Step 3: Run the installer
At this point, it’s safe to run the installer. It should go relatively quickly; if it doesn’t, such as if it gets hung up at some point, there’s a good chance it won’t work. Once it’s done, reboot the computer if it’s requested.
I tend to install everything, but the basics will probably work for you.
Step 4: Re-enable antivirus software
If you haven’t rebooted already, it’s a good idea to re-enable what you disabled in Step 2.
Step 5: Test key imports
From Kleopatra, click Lookup Certificates on a Server. Enter 0xBE8EC3E1 in the Find field and click Search. A key for Microsoft Security Response Center should come up. Select it and click Import. If it works, you should be in good shape from here on.
Step 6: Create your personal key
Load Kleopatra and go to File | New Certificate. From here, follow the prompts to create the key. (I recommend clicking Advanced Settings and changing the Key Material to 3072-bit RSA. For most uses, a 3072-bit key will be secure decades from now and doesn’t present a major performance impediment to people encrypting or decrypting messages to or from you. You can set an expiration date, but remember that it means the certificate will not be usable after that date and you’ll have to create a new one. This isn’t bad, just another step.)
The next part actually creates the key, using unpredictable input (drive activity, mouse movements, and keyboard timings) as its entropy source, and attaches a passphrase to it. The simplest thing you can do is kick off a virus scan to run in the background; the timing between file accesses will provide the entropy needed to create a secure key. Some weak passwords will trigger a warning, but it’s best if you can come up with a passphrase that is easy to remember and hard to guess.
When that’s complete, you’ll get the fingerprint and the option to:
- make a backup of your public/private key pair (highly recommended)
- send the public key certificate by mail (the private key won’t be sent, as that would destroy any security the keys provide)
- upload the public key certificate to a directory service (not recommended quite yet if this is your first time).
Remember, for personal-use keys, ALWAYS PROTECT YOUR PRIVATE KEY. If you lose control of it, someone else could send e-mail as you or decrypt messages sent to you. Loss of control of the private key should be followed by revoking the key pair and uploading the revocation to a directory service. This allows e-mail previously signed or encrypted with that pair to still be validated, but anything later should be rejected.
Step 7: Back up your key pair
I recommend backing up the files to two media: one on a good, archive-quality CD-R or DVD+R, and the other on paper. You can archive to paper by exporting the private key with ASCII Armor checked, opening the resulting .asc file in a text editor, and printing it out. Then store the printout in a safe place such as a fireproof safe. Not only is it good in case the CD/DVD backup becomes unreadable, but some people won’t accept anything other than a printout (sometimes with a real fingerprint) for verification if it’s done in person.
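For anyone who prefers the command line, here are Steps 5 through 7 done with the gpg.exe that gpg4win installs, as an added example that is not from the original post or the gpg4win project. It assumes gpg.exe is on the PATH and that a keyserver is already configured for gpg (Kleopatra’s server setting is separate); the name and e-mail address are constructed placeholders.

```powershell
# Added example (not part of the original post): Steps 5-7 via gpg.exe.
# Assumes gpg.exe is on PATH and a keyserver is configured in gpg.conf.
$ErrorActionPreference = 'Stop'

# Step 5 equivalent: fetch the MSRC key named in the post and show its fingerprint,
# which is the value you would compare against a trusted source before relying on it.
gpg --recv-keys 0xBE8EC3E1
gpg --fingerprint 0xBE8EC3E1

# Step 6 equivalent: unattended generation of a 3072-bit RSA key pair (signing primary
# key plus encryption subkey, no expiry). There is deliberately no Passphrase line in
# the parameter file, so GnuPG asks for it through pinentry instead of leaving it on disk.
$params = @'
%echo Generating a 3072-bit RSA key pair
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 3072
Subkey-Usage: encrypt
Name-Real: Example User
Name-Email: user@example.invalid
Expire-Date: 0
%ask-passphrase
%commit
%echo done
'@
$paramFile = Join-Path $env:TEMP 'gpg-keyparams.txt'
Set-Content -Path $paramFile -Value $params -Encoding ASCII
gpg --batch --gen-key $paramFile
Remove-Item $paramFile   # the parameter file holds your name/e-mail only, but tidy up anyway

# Step 7 equivalent: ASCII-armoured exports for the disc and paper backups, plus a
# revocation certificate (gpg prompts for confirmation and a reason) so the key can be
# revoked later even if the private key itself is lost. Keep all three offline.
$keyId   = 'user@example.invalid'          # constructed placeholder
$backupDir = Join-Path $env:USERPROFILE 'Documents'
gpg --armor --output (Join-Path $backupDir 'pgp-secret-backup.asc') --export-secret-keys $keyId
gpg --armor --output (Join-Path $backupDir 'pgp-public.asc') --export $keyId
gpg --armor --output (Join-Path $backupDir 'pgp-revoke.asc') --gen-revoke $keyId
```

The .asc files are plain text, so pgp-secret-backup.asc is the one to print for the paper copy; the revocation certificate should be stored just as carefully, since anyone holding it can revoke your key.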
Step 8: Optional additions
Here, we step away from gpg4win briefly to use its functionality with other applications. I chose the following add-ons:
- WebPG for Chrome (selected for its optional [and experimental] ability to integrate with Gmail)
- Enigmail for Thunderbird (selected for its popularity, good reviews, and active development)
- Outlook Privacy Plugin for Outlook 2010/2013 (selected because it seems to be the only free add-on that works with Outlook)
I’m not going to get into these here, as this is already getting a little long. For some programs, there are other options; feel free to search around for them, and if you have suggestions, I’d love to hear them.
At this point, you have the basic architecture to sign, verify, encrypt, and decrypt messages, including those sent through webmail options. It’s not perfect, and it’s not always pretty, but it is there. Please experiment with it to understand how it works before you upload your public key to a server (once they’re out there, it’s virtually impossible to delete all copies), and don’t encrypt any files for which you don’t have plaintext backups until you really understand what you’re doing. There really is no going back once you’ve encrypted something, deleted the original, and then deleted your keys.
I figured a decade ago that Microsoft would eventually put all this stuff into Windows for free. After all, they were getting into digital code signing, they’d been signing some of their communications, and there was a big push for it among certain niche crowds (aka geeks). The standard was out there, free to implement, and it would have given Microsoft a great deal of credit in certain business and government circles.
But it never happened. I’m still not entirely sure why (absent conspiracy theories) except that getting it right is monumentally more difficult than, say, properly overhauling the Start menu. Microsoft got flamed for it when they changed up some behavior in Vista and 7, and veritable nuclear warheads rained down on the Redmond campus with Windows 8’s changes. But at least you could still get to your files and e-mail. I can’t imagine what would have happened if they’d screwed up a PGP implementation, especially if a bad one meant that you couldn’t access your files. They did implement EFS (encrypting file system) back in the 1990s and really pushed its use starting with Windows 2000, but there were still some functional limitations and it didn’t cover e-mail.
In any case, good luck, and remember to PROTECT YOUR PRIVATE KEYS.