ePlaice / For the Best Software on the Net

Mainly Free and Open Source Software

Latest news

13 Apr 2007: Version 0.95.0 of Enigmail has been released, which now works correctly with Thunderbird 2.0.

05 Mar 2007: Version 1.4.7 of GnuPG has been released with some fairly minor changes.

20 Apr 2006: Version 1.31 of GPGee has been released, which is mainly a bug fix release.

GnuPG, Enigmail and GPGee

GnuPG

How can you verify that the mail you received was actually sent by the person claiming to be the author, and conversely, how do your clients and friends know that a mail is really from you? For some time there has been a good open source solution, namely GNU Privacy Guard (GnuPG), and now there is Enigmail, which provides an easy-to-use interface via Thunderbird and Mozilla Netscape, leaving no excuse for not installing this.

I have to admit that there does not seem to be a great enthusiasm for using digital signatures, after having had this facility for some time. Perhaps it's because it is seen as a bit of unnecessary red tape which gets in the way of sending a message. Perhaps an improvement would be if this was fully integrated into the email client and a digital signature was made mandatory. It probably has more relevance in a commercial environment when often you are sending mail to people with whom you have had no previous dealings.

Installing GnuPG

The installation is relatively straightforward, but the actual implementation is a bit daunting at first glance. There is a nice little beginners guide in PDF format on the Enigmail website. The first task is to generate a key pair comprising a public key that is available to anyone who needs it and a private key that needs to be protected like a key to a safe deposit in a bank. Because GnuPG is based on Linux, there are now some messy bits on XP using the command line processor. So in XP press Start/Run and open command. Navigate to the directory where GnuPG is installed using the CD (Change Directory) command. Once there, type in
gpg --gen-key
Then follow the instructions in the Beginners Guide. Just watch out that you first enter your name, then your e-mail address and finally comments, each on separate lines.
You will then be asked to enter a passphrase, which should be a phrase that you can remember and also one that is not obvious. There are hints in some of the GnuPG documentation as to how to construct a passphrase. You will then have to repeat this entry as verification. GnuPG will then generate a key id, and you will have to save your public key to an ASCII-armored key file using:
gpg --export -a > my-key.asc
Once you have got your file you can either post it on your web site or, probably more practically, post it to a public key server. I visited the pgp.mit.edu key server and copied and pasted the details from my-key.asc. This worked without a hitch, and you can retrieve your details from the site by preceding your key id with 0x to denote hex input. So apart from the non-intuitive Unix commands, it is not so difficult to set yourself up with PGP signatures and encryption.
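A check worth running on my-key.asc before pasting it into a key server form, shown here as an added example that is not part of the original page: it confirms the armor survived copy and paste (CRC-24) and that the file holds a public key rather than the private one. The function names and sample packets are constructed for illustration, and the code assumes the armor layout written by gpg --export -a, including the checksum line.

```python
import base64

def crc24(data: bytes) -> int:
    """CRC-24 checksum of OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(payload: bytes, label: str) -> str:  # builds the constructed sample input
    body = base64.b64encode(payload).decode()
    rows = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {label}-----", "", *rows,
                      "=" + check, f"-----END PGP {label}-----", ""])

def check_before_publishing(text: str) -> str:
    """Return 'ok', or the reason the file should not be uploaded."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or "" not in lines or not lines[0].startswith("-----BEGIN PGP "):
        return "not an armored OpenPGP block"
    label = lines[0][len("-----BEGIN PGP "):].rstrip("-")
    if lines[-1] != f"-----END PGP {label}-----":
        return "truncated: END line missing"
    data = lines[lines.index("") + 1:-1]   # base64 rows, then "=XXXX"
    if not data or len(data[-1]) != 5 or data[-1][0] != "=":
        return "checksum line missing"
    try:
        payload = base64.b64decode("".join(data[:-1]), validate=True)
        stated = base64.b64decode(data[-1][1:], validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return "corrupted: invalid base64"
    if crc24(payload) != int.from_bytes(stated, "big"):
        return "corrupted: CRC-24 mismatch"
    first = payload[0] if payload else 0
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F  # 6 = public, 5 = secret
    if label != "PUBLIC KEY BLOCK" or tag != 6:
        return "do not publish: not a public key block"
    return "ok"

# Constructed sample packets (not real keys): header byte 0x99 = tag 6, 0x95 = tag 5.
SAMPLE_PUBLIC, SAMPLE_SECRET = b"\x99\x00\x04demo", b"\x95\x00\x04demo"

if __name__ == "__main__":
    print(check_before_publishing(armor(SAMPLE_PUBLIC, "PUBLIC KEY BLOCK")))
    print(check_before_publishing(armor(SAMPLE_SECRET, "PRIVATE KEY BLOCK")))
```

To check a real export, pass the contents of my-key.asc to check_before_publishing().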

Enigmail Installation and Setup

Please note this only works with Mozilla products, so if you are using Outlook Express or Outlook you will have to obtain the appropriate Microsoft solution. Make sure you are downloading the appropriate version for GnuPG and Thunderbird using Mozdev. This is then installed as an extension into Thunderbird. Once this is installed, it's a good idea to go to Thunderbird Tools/Account Settings and fill in the OpenPGP Security options. For each e-mail account you can decide whether or not to use OpenPGP, and whether or not you wish to digitally sign and/or encrypt messages. Then there are some settings in Enigmail, the most important being to specify the path of your GnuPG folder. Most of the other settings you can leave as default.

Using Enigmail

You should now be all set for receiving and sending messages. When you receive a signed message you should see a pen symbol in the top right-hand corner. Enigmail should be able to go directly to the key server and check whether this is a good signature. If so, it will give you the details in the mail header. You can then view all your signatures using Enigmail/OpenPGP Key Management. If the signature cannot be verified, a broken pen symbol will be displayed at the top right-hand corner. When sending messages that you wish to sign, you will be prompted for your passphrase. If you don't have the passphrase then you will not be allowed to send the signed message. This is the whole basis of the security: you as the sender must have access to both the public key and the private passphrase.

Signing and Verifying Documents

If you are sending a document attached to a mail, then Enigmail gives you the option of digitally signing both the mail message and the attached file. But what happens if you have downloaded or uploaded a document to the internet and you want to use digital signatures? Here's where GPGee fits in. This is an extension to Windows File Explorer that allows you to sign and encrypt your files. There is also an automated verify and decrypt function. With version 1.2.1 of GPGee I hit a few problems with program hangs using certain functions. Recently, I have upgraded to version 1.3.0, but as yet have not had a chance to check whether these problems are fixed. Watch this space for an update.

Summary

For several months I toyed with the idea of using digital signatures, but never quite got round to it because I believed it would be difficult to install and did not see much general usage. I was prompted to use this when I received a signed message from a person with whom I had had no previous dealings. I was able to quite readily check the digital signature using the Enigmail and GnuPG that I installed. So, I next decided to digitally sign my own documents. Although it was not straightforward, all the setup, including passphrase and export to key server, was completed in under 2 hours. With the ever increasing number of email scams, the option of not using digital signatures will be as unthinkable as not using anti-spyware today.