Published on

Practical Introduction to GNU Privacy Guard for Windows

Authors
GPG for Windows - GPG4Win

Introduction

This guide will show you how to use the free public key cryptography system, GNU Privacy Guard (GnuPG or GPG). GPG provides functions to encrypt and decrypt data and to create and verify signatures using public key cryptography.

While GPG is available for many different platforms, including Windows, the instructions given here are Windows-oriented. This guide will focus on using Gpg4win, the Windows version of GnuPG, featuring several tools that integrate seamlessly with Windows, including Kleopatra, GPA, GpgOL, and GpgEX.

Installing Gpg4win

GNU Privacy Guard is available for free from www.gnupg.org for various operating systems, including Windows, Linux, many other flavors of Unix, and Mac OS X.

Installing in Windows

To install Gpg4win on Windows, follow these steps:

  1. Download Gpg4win: Visit the Gpg4win website and download the latest version (currently 4.3.1).
  2. Run the Installer: Launch the downloaded installer and follow the prompts. Ensure all components (GnuPG, Kleopatra, GPA, GpgOL, and GpgEX) are selected.
  3. Edit Your PATH: After installation, edit your PATH environment variable so that Windows knows where to find the program. In Windows 10/11, go to Control Panel > System and Security > System > Advanced system settings > Environment Variables, then edit the Path variable to include the directory where GPG is installed, typically C:\Program Files (x86)\GnuPG\bin.

Now you need to make that PATH change effective. Start a fresh command prompt and type:

gpg --version

You should see output similar to:

gpg (GnuPG) 2.2.27
libgcrypt 1.8.7
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Users/YourName/AppData/Roaming/gnupg

Verifying Your GPG Download

To verify the authenticity of your GPG download, you can use a program called sha256sum. Here's how:

  1. Download sha256sum: Download sha256sum.exe from a reliable source and place it in a convenient directory.
  2. Verify the GPG Installer: Open a command prompt and navigate to the directory where the GPG installer is located.
  3. Type:
sha256sum gnupg-w32-2.2.27_20210325.exe
  1. Compare the Hash: Compare the output hash with the hash provided on the GPG website. If they match, your download is authentic.

Creating Your Personal Key Pair

GPG uses public key cryptography for encrypting and signing messages. Public key cryptography involves a public key, which is distributed to the public and is used to encrypt messages to be delivered to you and to decrypt signatures you have created, and a private key, which complements your public key by allowing you to decrypt messages you receive and to encrypt signatures.

About Key Security

When you create a key pair, both your public and private keys must be stored on your computer. This creates a security risk because anyone who gains access to your private key can decrypt your messages and impersonate you. GPG encrypts your private key using a passphrase. Each time you perform an operation involving your private key, GPG reads the encrypted key from the disk, prompts you for your passphrase, decrypts the key in memory, and finally uses it.

Using the GPG Gen-key Command

To generate your personal key pair, at the command prompt, type:

gpg --full-generate-key

Follow the prompts to select the key type (RSA and RSA), key size (3072 bits recommended), and key expiration (choose a reasonable time period or set to never expire). Enter your real name, email address, and an optional comment. Finally, enter a strong passphrase.

Generating a Revocation Certificate

A revocation certificate allows you to revoke your public key if your private key is lost or compromised. To generate a revocation certificate, at the command prompt, type:

gpg --output revocation.crt --gen-revoke "Your Name"

Store the revocation certificate in a secure location, separate from your private key.

Publishing Your Public Key

To transmit your public key over the Internet, export it to ASCII format. Open a command prompt window and go to a folder where you want to place the exported key. Type:

gpg --armor --output "key.txt" --export "Your Name"

You can share the contents of key.txt via email or upload it to a public key server.

Here is an example of what your public key might look like:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.2.27 (GNU/Linux)

mQENBGAZ2ZoBCAC7bsfDprfEYglZKf91zwm3opm0UbjsHTCjLBM/F7/BP4xNMe0I
dD+omDbo/e6+omrfOM7gOEv6PnR7PeVsHj4ZT9iz49IabXLEON8x7Y4XpEFMLi8W
OSdyXfZFYOn7n8kk3Fdv/tOvwR1nH9UAK4QlsLv/CmNClf1r2dXWJ7NHlm5Yw7L6
gfYBNzYWvLtZ8jZsbXoHHYrhEJSmJ50i3+4MdV2ImOwTxrJ+ECb4KUZVuKvvAlTG
Av5ZajJ+S9+ffCwUCAQL1nKBdFpeX5dFBrRBpVf/WGbc7tCv6Bb+9XOPVbU4QlCz
SK8p0L8Rnkhldgy0nPcdErPSRDSF/b8GLUnPABEBAAG0I1lvdXIgTmFtZSA8eW91
ck5hbWVAYmFybGV5c21pdGguY29tPokBVAQTAQgAPhYhBC+QXfrtAsb4p4T9IN5+
9NTnP8u5BQJgmfdqAhsDBQkDw7dXAhoEFQgKAgMWAgECGQECGwMCHgEAAAxGCBYJ
AAYDAwMCAQgCAQgDAgIVgRZIwEAAAQgJQMBEBN0cXGZ7uRI5K9BJpLM9H7AxE1JN
gjjHb0oDr0v9IRRBhDo0iYgsgYX7XqFJKwHAOdI4Hj73O6Zfy3Pr+X0bbU8VbH/Z
gL2WNLwsD96aWxOtPhkjFayZ6DgdPVSDOrRtmsPB6HtTOjht5CEkESsGVqov6eDw
IgKkIIdGg7Ej8X5gUIgO+K8hyOAHNfF5ch9NuNP9D8LrPrQSEHedG6JWehdhR7y5
UnOUpRSPIgOmD6kDxm5a5umv7LKHX/BOJWXcYo3CympZ9uAnDxB46PCbSt1qCxhD
ABAFmyAik4Gc51OozjqxGePfwspM1x8a7tOsW7v5JQ67hsIfdXqMhSxA8F2ZWQ2R
Y9K5J2fnfTUnM1ox
=sdr1
-----END PGP PUBLIC KEY BLOCK-----

Backing Up Your Keys

Keep your GPG key files safe. Locate the files pubring.kbx, secring.gpg, and trustdb.gpg (usually in C:\Users\Name\AppData\Roaming\gnupg) and copy them to a safe location, such as an external drive or cloud storage.

Listing Your Keys

To list the keys on your keyring, at the command prompt, type:

gpg --list-keys

You will see a list of all the public keys stored in your keyring. Here’s an example of what the output might look like:

C:\Users\YourName>gpg --list-keys
C:/Users/YourName/AppData/Roaming/gnupg/pubring.kbx
--------------------------------------------------
pub   rsa3072 2024-04-10 [SC] [expires: 2026-04-09]
      1234567890ABCDEF1234567890ABCDEF12345678
uid           [ultimate] Your Name <your.email@example.com>
sub   rsa3072 2024-04-10 [E] [expires: 2026-04-09]

pub   rsa3072 2023-01-01 [SC] [expires: 2025-01-01]
      ABCDEF1234567890ABCDEF1234567890ABCDEF12
uid           [ultimate] John Doe <john.doe@example.com>
sub   rsa3072 2023-01-01 [E] [expires: 2025-01-01]

Encrypting and Decrypting Files

GPG can encrypt and decrypt files using public key cryptography. When you encrypt a file, GPG uses the public key of the recipient to encrypt the file. The recipient can then decrypt the file using their private key. When you decrypt a file, GPG uses your private key to decrypt the file.

Using the GPG Encrypt Command

To encrypt a file, at the command prompt, type:

gpg --recipient "Recipient Name" --output "encryptedfile.gpg" --encrypt "plaintextfile.txt"

This will create an encrypted file named encryptedfile.gpg.

Using the GPG Decrypt Command

To decrypt a file, at the command prompt, type:

gpg --output "decryptedfile.txt" --decrypt "encryptedfile.gpg"

Enter your passphrase when prompted.

Signing Files

GPG can sign files to ensure their integrity and authenticity. When you sign a file, GPG uses your private key to create a digital signature. The recipient can then verify the signature using your public key.

Using the GPG Sign Command

To sign a file, at the command prompt, type:

gpg --local-user "Your Name" --output "signedfile.sig" --sign "file.txt"

Verifying a Signature

To verify a signed file, at the command prompt, type:

gpg --verify "signedfile.sig"

GPG will check the signature and report whether it is valid.

Integrating GPG into Your Workflow

GPG can be integrated into various workflows, including email encryption and decryption, and securing files for transmission over the internet.

Encrypting and Signing an Email

To encrypt and sign an email, first compose the email and save it as a text file. Then, at the command prompt, type:

gpg --local-user "Your Name" --recipient "Recipient Name" --armor --sign --output "email.asc" --encrypt "email.txt"

Decrypting and Verifying an Email

To decrypt and verify an email, save the received email content to a file and at the command prompt, type:

gpg --decrypt "email.asc"

Conclusion

GnuPG and Gpg4win provide robust tools for securing your digital communications. By following this guide, you can encrypt and sign your emails and files, ensuring your privacy and the integrity of your communications. For more detailed information, refer to the Gpg4win Compendium.

Visit the Email Self-Defense site to learn more about why and how to use GnuPG for your electronic communication. Reconquer your privacy today by incorporating these powerful encryption tools into your daily digital interactions.

Discuss on TwitterView on GitHub