Lab: Securing Email with PGP

Objectives
Understand the concept of public keys, signing, and encrypting email with PGP.

Background
GnuPG (GNU Privacy Guard) is a free implementation of the OpenPGP standard (RFC 4880), used as a
tool for secure communication. It provides a method for digitally signing messages.

Note: The instructions that follow are specific to the software applications specified. This is only one of
many ways to accomplish this exercise.

What You Need

• Enigmail: http://enigmail.mozdev.org/home/index.php.html
• GnuPG: http://www.gnupg.org/
  o Current version: GnuPG v2.0.22
  o Binary packages are available for Windows (GPG4Win) and Mac OS X (MacGPG)
• Operating System: Windows, Linux, or Mac OS X
• Email Client: Thunderbird (installed)

Steps:

I. Installation

A. Installing PGP

If using Mac OS X, download GPGTools. It is a collection of several software packages,
including GPGMail, GPG Keychain Access, and MacGPG2, bundled into a single binary installer for
Mac OS X. The current version is 2013.10.22 (also the date of the release) and is compatible with
Mac OS X v10.5 or higher.

• GPGTools - https://www.gpgtools.org/

Note: make sure to verify the hash after download (this is good practice)

If using Windows, install GPG4Win. The current version is gpg4win-2.2.1, a complete package
that includes Kleopatra and the Gpg4win Compendium.

• GPG4Win - http://www.gpg4win.org/

As both of these are GUI-based, installation is straightforward. Simply follow the install
process.

On Linux, GnuPG can be installed from the command line (the commands below are for Ubuntu and
other Debian-based systems; CentOS uses yum instead):

$ sudo apt-get install gnupg

APNIC Training Security Lab Page 1 of 5



$ sudo apt-get install rng-tools

(optional) Add some randomness required to generate a key:

$ sudo sed -i -e 's|#HRNGDEVICE=/dev/hwrng|HRNGDEVICE=/dev/urandom|' /etc/default/rng-tools
$ sudo service rng-tools start

B. Generating the key

GPG keys are managed with a key-management application: GPG Keychain Access (Mac OS X) or Kleopatra
(Windows). It shows all the keys that you have generated and the other public keys in use.

To generate a key, click the New icon on the upper left menu. Input the following:

Full Name: <Test Account>
Email address: <your-email-address>
Tick "Upload public key after generation"
Advanced Options
  Comment:
  Key type: RSA and RSA (default)
  Length: 2048
  Tick "Key expires"
  Expiration date:

Select Generate key. Then type in a passphrase (don’t forget this).

If using the command line, execute the following command and answer the prompts as described:

gpg --gen-key

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?

Select 1.

RSA keys may be between 1024 and 8192 bits long.
What keysize do you want? (2048)

Type a desired keysize, or press Enter to use the default of 2048 bits.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key expires in …
Is this correct? (y/N) y

Type 1y so the key will expire in one year. Avoid choosing a key that remains active forever
(does not expire) if possible. Press y to confirm your choice.

Real name:
Email address:
Comment:

Enter your information (name, email and comment). The comment is optional, so you may leave it blank.

You selected this USER-ID:
    "Test 123 <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Type O (okay).

You need a Passphrase to protect your secret key.

Enter a strong passphrase.

The generated key will be shown as follows:

pub   2048R/8BFDAA1A 2014-05-08
      Key fingerprint = 75CC D992 BB53 7BF0 D76B 8F62 50FB 81CE 8BFD AA1A
uid                  Test 123 <[email protected]>
sub   2048R/1510813B 2014-05-08

List all the gpg keys in your keyring:

gpg --list-keys

II. Usage

A. Encrypting and decrypting files

a. Using your favourite text editor, create a text file. This file supposedly contains “sensitive
information” so you want to encrypt it.

vi my-secret-file.txt

b. Encrypt using the following command.

gpg -e my-secret-file.txt

If it asks for a recipient email, you may write your own email address.

c. Verify that you now have another file with the extension .gpg in the same folder. This file is
binary: if you try to open it, it will only show garbage.

d. If you want something readable, encrypt with ASCII-armoured output. To do this, the command is
as follows:

gpg -a -e my-secret-file.txt

To stop it from asking for the email, you can also name the recipient on the command line:

gpg -a -e -r [email protected] my-secret-file.txt

e. Check the contents of the folder and a .asc file should have been added. At this point, you
may delete your original .txt file.

f. To decrypt this file, the command is simply

gpg my-secret-file.txt.asc

(or gpg my-secret-file.txt.gpg for the binary file from step b). You will be prompted to input your
passphrase. After this, a .txt file will be created in the same folder. Verify that this is the same
as your original file.
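The encrypt/decrypt steps above can be run end to end as a script that also performs the final check automatically. This is an added example, not part of the APNIC lab: it assumes GnuPG 2.1 or later on PATH, uses a throwaway keyring so the lab's own keys are untouched, and (unlike the lab) generates the key without a passphrase because the keyring is deleted afterwards.

```shell
#!/bin/sh
# Added example, not part of the APNIC lab: run the lab's encrypt/decrypt
# steps unattended in a throwaway keyring and check that the decrypted file
# is identical to the original. Assumes GnuPG 2.1 or later on PATH.
set -e

# Unattended key generation with the lab's parameters (RSA 2048, expires in
# one year). %no-protection skips the passphrase the lab asks for; that is
# acceptable only because this key lives in a temporary keyring deleted below.
gen_lab_key() {
    gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Test Account
Name-Email: test@example.org
Expire-Date: 1y
%commit
EOF
}

# Encrypt with ASCII armour to the recipient (gpg -a -e -r), decrypt again,
# and return 0 only when the plaintext survives the round trip byte for byte.
run_lab_roundtrip() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    work=$(mktemp -d)
    status=1
    if gen_lab_key; then
        printf 'sensitive information\n' > "$work/my-secret-file.txt"
        gpg --batch --yes --quiet -a -e -r test@example.org \
            -o "$work/my-secret-file.txt.asc" "$work/my-secret-file.txt" &&
        gpg --batch --yes --quiet -d \
            -o "$work/decrypted.txt" "$work/my-secret-file.txt.asc" &&
        cmp -s "$work/my-secret-file.txt" "$work/decrypted.txt" &&
        status=0
    fi
    # Stop the agent started for the temporary home, then remove both dirs.
    command -v gpgconf >/dev/null 2>&1 && gpgconf --kill gpg-agent || true
    rm -rf "$GNUPGHOME" "$work"
    unset GNUPGHOME
    return "$status"
}

if command -v gpg >/dev/null 2>&1; then
    run_lab_roundtrip && echo "round trip OK: decrypted file matches original"
fi
```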

B. Sending encrypted and signed emails

a. Installing Enigmail (on Thunderbird)

If you do not have Thunderbird installed yet, please download and install it from
https://www.mozilla.org/en-US/thunderbird/


On Thunderbird, select Tools, then Add-ons. When the Add-ons menu appears, search for Enigmail
(this will download a new copy of Enigmail).

Alternatively, you can download the add-on from the link below, then click on the gear icon and
click "Install Add-on from file":
https://www.enigmail.net/download/

You must restart Thunderbird before changes can take effect.

Notice the OpenPGP menu has been added to the top menu.

b. Sending a signed or encrypted email.

Compose an email. In the compose window, notice the OpenPGP button. Click on this, and
tick "Sign Message," "Encrypt Message" or both.

A. Verify in your recipient email.

Send an email to [email protected] or [email protected]

C. Distribution and Signing

To be able to encrypt and decrypt files and email, you must have a copy of your recipient's public key.
You must import their key, compose your email, encrypt it using their public key, and send it to your
recipient. Below are more detailed steps:

A. Exporting your public key.

gpg --list-keys
gpg --export -a --output myname-key.asc [email protected]

This will create the .asc file in the same folder. The contents will look something like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQENBFH3yPkBCAC2DHRIk6FXiovejBXlNgZdnapHqq7OwascfluD+qX7wDk93etX
4Y+GfSLC2vlC4tNlB9VEYgMAY61sQC31ZoY9vr5MfJnZPcN+3Byzx2G0d8lwnH0g
[...]
t1CdT+UawL0dWu4bkNHjC8qwBgOPedS/VBJqlJl4TWg832CXRYI=
-----END PGP PUBLIC KEY BLOCK-----

B. Exchanging keys

Once exported, forward or email your public key to each other. This is not a secure way
to exchange keys, but will do for this lab.

Once you receive other people's public keys, import them using the command:

gpg --import my-colleague-key.asc

If successful, the output will indicate that the key was imported.

You may also verify using the "gpg --list-keys" command.


Verify that you only imported public keys. This means you should still have only your own private
key. Use the command below to do this.

gpg --list-secret-keys

C. Encrypting files and sending

To encrypt a file using your colleague's key instead of yours, the command is as follows:

gpg -a -e -r [email protected] my-secret-file.txt

Make sure to replace the email with the email address of your colleague used in the public key
you imported.

D. Key Signing Party


A. Upload your key to a keyserver. There are many public keyservers around. We will use
pgp.mit.edu.

gpg --send-keys --keyserver hkp://pgp.mit.edu KEYID

Replace the KEYID with your own keyID. You can find this when you list your available keys in
the keyring.

You may also find the key ID using the fingerprint command.

gpg --fingerprint [email protected]

B. Email your key id to the instructor (or to the other participants).

C. Download another person's key.

gpg --recv-keys --keyserver hkp://pgp.mit.edu KEYID

D. Now verify that the key you obtained is the same one your colleague has by asking them to
read out their fingerprint. This is the "Key fingerprint" value shown by the fingerprint command above.
See the example below:

pub   2048R/2B058225 2011-06-18 [expires: 2016-06-16]
      Key fingerprint = 27AF B7E0 123B 0896 BA06 2F1E F57A FB8F 2B05 8225
uid                  Sheryl Hermoso <[email protected]>
sub   2048R/7D20FAAC 2011-06-18 [expires: 2016-06-16]

E. Also verify the person's identity. You may ask them to present a government ID or passport to
verify their name. If convinced, you may sign their key.

gpg --sign-key KEYID

F. Once signed, upload it back to the keyserver.

gpg --send-keys --keyserver hkp://pgp.mit.edu KEYID
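The fingerprint comparison in step D is easy to get wrong by ear, so here is an added example (not part of the APNIC lab) that normalises a fingerprint read aloud, checks it against the value printed by gpg --fingerprint, and derives the short key ID from it. The gpg output is a constructed sample in the format shown above, reusing the lab's example key ID and fingerprint values with a placeholder user ID.

```shell
#!/bin/sh
# Added example, not part of the APNIC lab: compare the fingerprint a
# colleague reads out with the one printed locally by `gpg --fingerprint`,
# and derive the short key ID (last 8 hex digits) from the full fingerprint.
# Signing decisions should rest on the full 40-digit fingerprint: the short
# key ID alone is far too small to identify a key uniquely.

# Constructed sample of `gpg --fingerprint` output in the format shown in the
# lab; the key ID and fingerprint values are the lab's own example values and
# the user ID is a placeholder.
SAMPLE_FPR_OUTPUT='pub   2048R/2B058225 2011-06-18 [expires: 2016-06-16]
      Key fingerprint = 27AF B7E0 123B 0896 BA06 2F1E F57A FB8F 2B05 8225
uid                  Test Account <test@example.org>
sub   2048R/7D20FAAC 2011-06-18 [expires: 2016-06-16]'

# Drop the spacing used when reading a fingerprint aloud and upper-case it,
# so "27af b7e0 ..." and "27AFB7E0..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Pull the first "Key fingerprint = ..." value out of gpg's output.
extract_fpr() {
    printf '%s\n' "$1" | sed -n 's/.*Key fingerprint = //p' | head -n 1
}

# The short key ID gpg shows after "2048R/" is the last 8 hex digits of the
# fingerprint (in the lab's example, ... 2B05 8225 -> 2B058225).
keyid_from_fpr() {
    normalize_fpr "$1" | tail -c 8
}

# Return 0 only when the spoken fingerprint is a full 40-digit hex string
# that matches the local one exactly; anything shorter or different fails.
verify_fpr() {
    spoken=$(normalize_fpr "$1")
    local_fpr=$(normalize_fpr "$(extract_fpr "$2")")
    case "$spoken" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#spoken}" -eq 40 ] && [ "$spoken" = "$local_fpr" ]
}

if verify_fpr "27af b7e0 123b 0896 ba06 2f1e f57a fb8f 2b05 8225" "$SAMPLE_FPR_OUTPUT"; then
    echo "fingerprint matches local key $(keyid_from_fpr "$(extract_fpr "$SAMPLE_FPR_OUTPUT")"); OK to sign"
else
    echo "fingerprint MISMATCH; do not sign this key" >&2
fi
```

To check a real key, replace SAMPLE_FPR_OUTPUT with the output of gpg --fingerprint KEYID.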
