Imagine that you again want to share a secret message with your group of friends. However, this time the cryptographic algorithm you have agreed to use is one in which each person in the group has two keys.

You do not need to understand all the fancy mathematical details, but what you do need to understand is that, unlike single-key cryptography, each key in your pair can encrypt a message that the other key, and only the other key, can decrypt. This time everyone takes one of those keys and publishes it, letting the whole world see it.

This is what is known as the public key. The second key is carefully hidden and protected, and is known as the private key.

It works like this: Since you published your public key, any of your friends can find it on the Internet and use it to encrypt a secret message to you. Once it is encrypted with your public key, you are the only person who can decrypt it, because you keep your private key secret.

This solves the problem of having a large group share a single secret. It also lets you do something else: prove your identity.

As I said earlier, if something is encrypted by one key, the other key can decrypt it. Since you keep your private key secret, you can encrypt messages with it that only your public key can decrypt.

As long as everyone trusts that you keep your private key safe, anyone can decrypt a message you encrypted with your private key, but you are the only person who could possibly have encrypted it, which proves your identity.

This is what is known as a signature. It is common practice for a sender to encrypt, or "sign", a message with their private key, and then encrypt it again with the public key of the recipient.

When the recipient decrypts the message first with their private key and then with the sender's public key, they know not only that they are the only person to have read the message, but also that it was sent by the person who claims to have sent it.
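As an added illustration (not code from the original guide, and not how GPG does it internally), here is "textbook" RSA in pure Python showing the two properties the explanation above relies on: either key of a pair undoes the other, and a message signed with the sender's private key and then encrypted with the recipient's public key can be opened only by the recipient and traced back to the sender. The primes, the names Alice, Bob and Mallory, and the MARK prefix are constructed for this example; real GPG adds hashing, padding and randomly generated keys, so this is for understanding only.

```python
def make_keypair(p, q, e=65537):
    """Build (public, private) from two primes. Both keys share the modulus n;
    the exponents e and d undo each other, which is why either key can
    decrypt what the other one encrypted."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # d is the modular inverse of e
    return (n, e), (n, d)

def apply_key(key, x):
    """The one RSA operation: 'encrypting' with one key and 'decrypting'
    with the other are the same computation with different exponents."""
    n, exp = key
    assert 0 <= x < n, "value must be smaller than the modulus"
    return pow(x, exp, n)

MARK = b"\x01\x00"  # constructed prefix so receive() can tell a message from garbage

def send(message, sender_private, recipient_public):
    """Sign with the sender's private key, then encrypt for the recipient,
    in the order the text describes. Returns the ciphertext as an int."""
    m = int.from_bytes(MARK + message, "big")
    signed = apply_key(sender_private, m)       # only the sender can produce this
    return apply_key(recipient_public, signed)  # only the recipient can open this

def receive(blob, recipient_private, sender_public):
    """Decrypt with our own private key, then undo the signature with the
    sender's public key. Returns the message, or None if the signature does
    not belong to that sender."""
    signed = apply_key(recipient_private, blob)
    m = apply_key(sender_public, signed)
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return raw[len(MARK):] if raw.startswith(MARK) else None

# Constructed keys built from Mersenne primes instead of random ones. The
# sender's modulus must be smaller than the recipient's, because the signed
# value has to fit under the recipient's n before it is encrypted.
ALICE_PUB, ALICE_PRIV = make_keypair(2**107 - 1, 2**61 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**89 - 1, 2**61 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**127 - 1, 2**89 - 1)

def demo():
    """Bob reads Alice's message; a message signed by Mallory but passed off
    as Alice's fails the check with Alice's public key."""
    msg = b"meet at noon"
    genuine = receive(send(msg, ALICE_PRIV, BOB_PUB), BOB_PRIV, ALICE_PUB)
    forged = receive(send(msg, MALLORY_PRIV, BOB_PUB), BOB_PRIV, ALICE_PUB)
    return genuine, forged  # (b"meet at noon", None)
```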

Public key cryptography is the type of encryption that GPG uses. The key pair mentioned above is actually a set of two files containing very large mathematically related random numbers.

The rest of this guide will walk you through installing GPG on your computer, generating a set of keys, sharing public keys and using them to send encrypted messages.

Make sure you understand the concept of public key cryptography before reading on.

Using encryption

Installing GnuPG and FireGPG

To start off with, you need to have GPG installed on your system.

If you are running Linux, then chances are it is installed by default. If you are running Windows or OSX, you need to download the Windows installer (gnupg-w32cli-1.4.9.exe) or the OSX installer (MacGPG2-2.0.10-2.zip). Once GPG is installed, open up Firefox and head over to getfiregpg.org. Click on the install link to the right, and then click Download FireGPG on the next page.

At this point you should see a warning at the top of the page saying "Firefox prevented this site (getfiregpg.org) from asking you to install software on your computer." Click Allow, and then Install Now on the window that pops up.

In a few seconds Firefox will tell you that it needs to restart the browser for the installation to take effect, so go ahead and do that.

Generating a key pair

The first thing you need to do once you have GPG and FireGPG installed is generate your personal key pair.

You can access all of FireGPG's features via the right-click menu. To open up the key manager, right-click somewhere in the page and go to FireGPG/Key manager.

It is important to note that when you make a new key, you need a really good password. Hopefully your private key never falls into the wrong hands, but if it does, this password is all that protects it.

In fact, the password is used as the key to a form of symmetric encryption that protects the private key you generate. If you have a good enough password, then the only practical way for an adversary to gain access to your key is to force you to reveal your password (interrogation, torture, blackmail, etc.). At the bottom of the key manager window, click New Key.

Fill out the information on the form, making sure to check the boxes The key never expires and Advanced options. Under Key length, set the value to 4096.

Click Generate key and take notice of the text above the button, which reads "Warning! Key generation can take a lot of time, and will freeze Firefox. Do something else while key is generated to create more entropy." Firefox froze on my system for about 10 minutes while the key was being generated.

This is normal, though your key generation time will vary based upon the speed of your processor. What the second bit of the warning text means is that you should move your mouse around a lot while the key is being generated.

This will help make the process go a little faster.

Backing up your keys

The first thing you need to do once your key pair is generated is to back it up.

There is nothing worse than distributing your public key to all your friends and coworkers, only to have your laptop lost or stolen, or have a hard drive break.

These backups should generally be offline, so as not to make it easier for an adversary to gain access to your keys remotely. If you have a CD burner, CDs make for great backups.

Burn the files to CD and then stick it in a fireproof safe. If you do not have such a safe, give a copy to a trusted friend for safekeeping.

If a CD is not an option, then a cheap USB stick will work as well. On OSX and Linux your keys are in the folder .gnupg inside your home folder, so copy the entire folder (you may need to reveal hidden files first). On Windows, your gnupg folder is located at C:\Documents and Settings\admin\Application Data\gnupg, where admin is your user name.

Sharing a key

Once you have created your keys and have backed them up, you need to start giving people your public key, so they can send you private messages.