OpenPGP is a protocol which allows two parties to communicate 'in pubilc' via a secure channel. Potential malicious agents can read all messages send between the parties but only the receiver of the message is actually able to decrypt the message and read its plaintext content. What follows are all necessary steps to setup a secure, viable and funtional infrastructure to use OpenPGP.
Following this guide should take about ~ 10 - 15 Minutes.
In order to use OpenPGP to communicate some pre-requisites are required to be installed / available on the system the user operates on.
First we need to install the GPG utility which contain the libraries for creating PGP Key-Sets, encrypt and decrypt messages as well as accessing the OpenPGP key-servers.
If you do not trust the utility provided 'as is' you can always take a look at the source code on the official git repo.
The package also contains a nice GUI called Kleopatra which we will use a bit further down
After downloading and installing pgp4win we now need to create public and a private key pair which will be used to encrypt our messages, there are several ways to do this:
This is the fastest option to get started, every step is automated. `This option is less secure then option two but still considered 'extremely save' and is very much recommended.
Due to low available 'random entropy' on a 'normal desktop home computer', the keys generated by this method will have a significantly lower fluctuation within ther random variance and could potentially be bruteforced by pooling of ressources (computational clusters). If you want to take a deeper look (without getting too technical) at the underlying mechanism(s) andreasons you can do so here.
- Open the 'Kleopatra' app now installed on your machine.
- Select File => Create New Key Pair
- Choose the "Create a personal OpenPGP key pair" option
- Enter your name
or any alias. If you are using a Forum or any other platform which requires you to register as a user you should use the username of the platform here. - Enter your email, this step is also
optional
After doing this, click on the "advanced options" button and set the fields as shown in the picture below.
PIC1
Verify that you have chosen 4096 bit as the key length. 2048bit is still considered secure, even 1024 bit has not been cracked up to this day (but a 776 bit key has). Also verify that the key expires at some point, here I have set the expiration date 6 months in adance at which point a new keypair should be generated (if you are using it only for encrypting messages). 4096 bit keys are considered to be secure untill at least 2031.
PIC2
Now you can click on "Next" => "Create" where you will be promted for a password (*).
Once you have entered the password, generate the key and create a backup afterwards by choosing "Make a Backup Of Your Key Pair". This backup contains your secret (private) key and must be stored in a secure location. If you cannot guarantee the safety of the backup you should consider not backing up the keys or backing them up once you have found a solution to safely persist them.
This option assumes you have knowledge of what is happening when exeucting the command(s) below as well as how to debug potential issues. Make sure you have a valid installation of ssh-keygen | gpg. If you do not, you can get the library by installing git and then re-executing the commands in a new process (since new environment variables are being set). Or just restart the machine.
Open a PowerShell console and enter
gpg --full-generate-key
This method should be used with pre-storing ranomness and entropy generating software (!)
You can also copy-paste the script below (copy everything into a powershell console and press enter). Afterwards you will have to convert the keys which can be a tedious step depending on the environment. The advantage of using this method is that it allows us to use the ecdsa algorithm with a key size of 521 bit which is comparable to a 16384 bit RSA key (~approximation when norming security strenght).
$algorithm = Read-Host -Prompt 'Which algorithm should be used (RSA recommended): '
$keystrength = Read-Host -Prompt 'Encryption key strength to use (minumum 4096 recommended): '
$keybasename = Read-Host -Prompt "Enter basename for keypair (name 'thekey' will create the files 'thekey.pub' and 'thekey', public and private key respectively: "
$path = Read-Host -Promt "Enter the path you want to write the keys to (F.E: 'C:\Users\UserName\Desktop\temporaryFolderForKeys'): "
ssh-keygen -t $algorithm -b $keystrength -f $path
Once all steps are done you can import the keys into the keystore of your choice or create one from the commandline yourself.
Note that Kleopatra does not support ecdsa at the moment and another Keystore will have to be used (not recommended)
There are several ways in which you can encrypt -/ decrypt a message but the following algorithm can be used to create, encrypt, send and decrypt received messages.
Kleopatra has additional security layers build in which prevent caching or storing unencrypted data in memory. You can safely use the notepad for its intended purpose.
In order to send a message, you will need the public key of the receiving party. You can find a public key created by me at the end of this document. If you would want to send a message to the owner of this specific key (myself), you will need to copy the public key from the browser into the Kleopatra notepad.
- Open Kleopatra and once open, open the "Notepad" and paste the public key into the notepad.
- Click on "Import notepad" (This step has to be repeated for every new receiver, but only once)
- Once imported we can encrypt all future messages to this key-holder
- Clear the notepad and enter a test message
- Now go to the recipients panel and choose
- Weather to sign the message (this will show who created the message and can be used to verify if the message has been send from the person you were expecting)
- Encrypt for me: choose your key here, this will allow you to decrypt the message at a later time if you wish to do so. Failing to select encrypt for me will lead to you never being able to decrypt your own message
- Encrypt for others: Choose the person you want to send the message to here.
- Now you can encrypt the message clicking the button "Encrypt/Sign" in the left upper corner.
This is it :) !
If you want to verify if everything works, you can create a message in the notepad, sign and encrypt it yourself and define yourself as "encrypt for others".
Then Encrypt the message (botton top left) and decrypt the message again. If you successfully en- and de- crypt the message, your setup is working as intended.
If you recieive an encrypted message, simply paste it into the notepad and click on "Decrypt / Verify". After entering your password, the plaintext content will be visible in the notepad.
After creating PGP key-pairs for personal use (a public and a private key) and securing the private key with a password, you can start sending encrypted messages to other entities by copying their public key into the notepad, followed by "importing" the public key and selecting the corresponding receiver via Notepad => Receivers. Then you can encrypt the message and send it via email / forumpost / messaging service etc.
The password chosen for the private key should be unique and long, optimally consisting of at least 20 characters containing an upper and lower case character, a number and a special character. Consider using a passwordmanager like KeePass. The password manager can be used to autogenerate passwords like these (every line is a password with a length of 48 characters)
8m43YHxEY'ZWfzuA5G7d]RVsPe`MA78]r[n}=qT(`]q0:dZ|
HzIxR}X"Z]jL"[.!Ufp]fZ(g/K>D(/ya/"%TQU!Wb#6LYEg.
I_/#ie~=oSDJ=2EQ]WQGS_sPCme]hvxy1=I]2q,z~YgwOprw
BJkPO,F[6EzyX/%Q{oO{c\g(n_(Vj7':XJ":NfYNIV+,QCkv
~Xzr`*Z5MHDr*]p,g9^p0sn4vmLN@/Z%9JGQn=%y,PN]8y@b
A_}V1P"h+s.X3ePUx"/EbM2LENWTI1'iU$l'DLYsMBrf>]fR
}/4NBH}~Eh#]\t)cTE8uhU'MG3dQkKJV,dq=1\6{Zj)7&@wm
+xgN'}3?7zx!CEh%Jj9<}AFg6\;}#ge<e}9&3{{Y\Fn7|\(2
17`cw+NA7dJpODA''jr{de.[Ays(37J~S:fUr.pm0SAwWh|{
84z$DX%2c'q)]c$EyRb@|>+dPd">gGzq#v(=ZUA=F!}d.=%#
urkt1?yKc:!w=oS'e"U8MG~?|WPe{V8jNZr%<`xU7Qv!<$78
n<MH#sRAKVBF,Y*8:"!IcxKoK]rnF\Mr!ZpV@?&sK]a.&!i=
If you do not use a password manager, choose a long but easy to remember password, for eample: "TheHorseJumpsOverRainbowRopes_20_Times!!" which is a 160 bits password and 'practically' impossible to bruteforce.
This is the test-key mentioned above. Try to import it and send an encrypted message to the holder of this key and yourself.
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF3/MW4BEADPAUFCuunXQxlPTwenzSZXDZ1ip4Ab9gONqW5pKk0yE7Y3LMIr VRdvtq2cStxzKPf7jHqLHKPFU4B1BCuwv+Ile26/JzFYWirHoarZUxCgMemLDHZ2 hrB+kPtoCSMM3CB9hzRF2Fx6GcdDK2uDbRiZqcmJPsedot8vnBJ9iD7zGkZa2WOm svND/o9mEbVG7caT6iNtqzX8agRAX/4aTs4/eWaJhzunonngL1IFD0Q0zpKYNCDB vAGACf4GnX3tcqQ2pse+psyOHpRQIQGHRm7QekaUDeOULUbCAyC1kYtZct5atwfn uD24OLGgyvv5qySWXwCGGawzra0Fv4y/9rj0G7upBbx9st69lnO3OY2P5G8/0w6X yv+ct7PmjeLsTqkBPIrYLkUXEEpeaf85hSmYm0SPqPctJvpZZYloOdOlJ8M/ERyZ yoptDaFcr1GfOfWvLiqUYarCxZt912/siBk1A/fPnstuIXO3ZL0Vdzgl3LAnjvwM B/uGH+E7QgeBGhy5VhRg7D+9TVlr4C3Q32rYs7JjEtwuUI9z3W5yaG1HSLVqkELF W/D/brrEGaqNPD2AYAaPcOJhHel1dJc9m/PBMWQJTstrc20MQxzB/UXpy0F/I15H pf6A58Z8TklZ0pV7Wp6A4GADTHNro9h95BXflQ+t1cSKNCJhpoWuYHJ4fwARAQAB tCpKb2huIFNtaXRoIDxqb2huLnNtaXRoQGVuY3J5cHRpb250ZXN0LmNvbT6JAlQE EwEIAD4WIQSJc5fa4y3WBlUMyxT6OnUOZKbTaQUCXf8xbgIbIwUJA8PTwgULCQgH AgYVCgkICwIEFgIDAQIeAQIXgAAKCRD6OnUOZKbTaVyhD/91FVGDQiwztUY5JFih YTtelro32QO2VELMhrntUNnGi109ncZLGRKKF4JCAYhX5mpf/ULleEGzRoBZlBFj cQAlU8Oj8Je9K4X/gB3SQHpTfI1IeCtVuPoAJcitoj3R6HU2FGN03jR7dVn++sYS dg3BBsiHFLUdP7WteFvE6RbMn0s1Nv8yyI/ZKoFbbhJeEvMqfZThXb5bkupb0aG5 FH9ehvreGtDVIeBJYp+j25wlXZLHqScFY7V1IWnTvv79d8Q1hsroPnVtBVAkmvXT X5fptf0pfmeNeOb8x6jiANP7MBveV5AkNEJTS6xOrXLtX+8+kmXeEiZRB1TceywN l9yzZs+bLAbbfWu5KEQwLUQurXlpvu2H81jPlcZOu4FymBkESAjlDLjfhaicfnGg j5gSfQCZfPHNL7RdOrvWwzUxTqEUywuFgZ8tyD+iXAQcCISp4fLHTg2E72QllYg3 N/4GAOwHxwGTrzhqfBkmNug9h50Sde/20N1gXAYE2oeS8/KWOSEb5f6+yEq2uSI8 DOWvAIhHicUNifY4v6/boQN5WNEvaqQEojTzVyZp7QmBfBxKQVdoU9taWpWrAdWM xxLw+7ytFpM/HsMCIlWYpjKDcxw0gXnyLuZ1jKT2VU9IFKUUPbX91mpJZywopID/ FQbNjqYiWQ53LcdNOxJi5yVX87kCDQRd/zFuARAAzH0gZouWOAKCSec/WcmqI4NT mfP8sR2pDR44foFdTRE27f6qr0y+JpFsLqT1DtbnzVzYdAlj+zOKJGEFcvHcrQlf A3G3G43lloe26IfzBaG/xCGse8uNIhYbGaWVSmzqMtpbd7HMkdjlh7bosptQDkCP bIp4rJcIHFFHvwAALGBPGQ3MjGso8Cn+bBXIrmm3YwX1cEP1MFlRcm4I+RCvaB10 W2csIPh8WZxhyV2zF4Ei7T7uQWdf//hQs8gUSa+FA0jOmgys4ah9TXe5tSL+xecb k495I3h4eyFixGTaVu3wKd32zQyivlwD37TDKNU846t7bpeXwS3mFYAwQWcjghrU NAh3Y2HIDEz34totVGREfLXu5W7qjxWANDRLLnONUyKbme4iPPSYvWmO1y7Ctq4a 4y5wwTjvZw9ssIuXVPp0nxez5J8Zupl5GkF3Yk6a8ORCdS53Vp1jDKAu1GTZTgDG vUhqlQqMlSSWwk1YWoACPoiEH6aJcrF1yzu5aYKsTfmmk3HbgWZmQIYjunvpOK+X QiLDHjlb1Eq3TAH6jlk3AKD1BsxAGilTtepxaMWK41awV2+j1JZgs7QwL1SZ8b67 8OHRovlSBQFDXHUtlxzU9StfQXEaV2+1ap2RuAuM4v2HykSyDuhRmWOv9wbe0IzH JSN1p6kiGzGAdsEBmJkAEQEAAYkCPAQYAQgAJhYhBIlzl9rjLdYGVQzLFPo6dQ5k ptNpBQJd/zFuAhsMBQkDw9PCAAoJEPo6dQ5kptNp4mIP+wZoK+1sHsNeDYINnPmI WsQpDt0TJ2wfLpddPM7n47GNfcMTxMBgsDdvrTWG/ZX9oyh99SrbE17Sr+WXpnrZ BmFTyWEQEBjmTnveQ96ikqIb1fDPt/ofoQzNRWSXICttZI4xIJ8FIqZML09d0KzI ty/g3vsJqnbQG0113iFYTK7Bhba20J9mrFeCNBhndV9bNPGPwEQ7LxmsnGc/xAym 6XcKHSjf2X07VVYJXUm6FOwhjhCa0NNOqjU01bY5SfFoSx0xO6SqCNUI4iabdfm7 rNcVdZqIkEkMM8v1aAwQZG+tiO2NLsVm/H9Qs82O7UmLAApu1HJt6epM7VhGMhts Qem0/Mo6pIqfn1RifpmVxZr/rhYHIfmWbGBpVEJB1A1KIHO72CT1fge8viX/X5Pp uj8LLaNGjsloASov/LQBbihHgDTD+Pu/FHAEAoSJss2AeIbFH+SYPO/vv9RwKhjf D1hq7/YY8lBMKPwJGFeOJp1ogdPen/all02iTbY5A5LndmZCfzdMV12DHh4pqzH8 PppAkDWfQswHgQMO58GYQZF3wI2zzQMj8z+HoIQjCex9e4RZEuSdep/qDtI8VEPJ zEZInvO8dHnFKo3SpFbG12z/5VMOE7J+L59RK4TMaIlWL2cltWWmPi+bhoekYp8o TbEkNrN6/90ua3NaEnYGVgpE =lChO -----END PGP PUBLIC KEY BLOCK-----