Secure your email with Gpg4win. Part 1: introduction and installation

The best way to keep your private email private is to use PGP encryption. However, the concepts involved are complex and often confusing, a problem compounded by the fact that setting up PGP-encrypted email is unintuitive and poorly explained in existing documentation. This ‘how-to’ guide is aimed at making the process clearer, providing step-by-step instructions for setting up PGP on Windows.

What is GnuPG?

GNU Privacy Guard (also known as GnuPG or just GPG) is an open-source clone of the highly popular email encryption program Pretty Good Privacy (which is now commercially available from Symantec). Developed by the Free Software Foundation, GnuPG is free, open-source and completely compatible with PGP, using a full implementation of the OpenPGP standard (RFC 4880).

GnuPG works by encrypting messages using asymmetric key pairs generated by individual GnuPG users. The public halves of these keys can then be exchanged with other users, and users may add a digital signature to verify the identity of the sender and the message’s integrity.

If all this sounds complicated, that’s because it is! However, once you get your head around the key concepts, it all becomes much clearer.

With public-key cryptography, each user has a private key, which they keep secret and use to decrypt emails that others have encrypted for them using their public key. They also have a public key, which they freely distribute so that other people can use it to send them encrypted mail.

  • Private key – kept secret and used to decrypt mail sent to you
  • Public key – distributed so that others can use it to encrypt mail for sending to you

The GnuPG website provides lots of support, but much of it is highly technical and not newbie-friendly.

Gpg4win - the Windows Version

Gpg4win is the Windows version of GnuPG, and is really a suite of utilities held together by a common installer script. The utilities are:

  • Kleopatra – a certificate manager
  • GPA – another certificate manager
  • GpgOL – a plugin for Outlook
  • GpgEX – an extension for Windows Explorer
  • Claws Mail – a lightweight email program with GnuPG support built in
  • Gpg4win Compendium – a manual

Use GPA to create a key pair

  1. Download Gpg4win from the website, and install it (requires a reboot). We’re going to be using GPA and Claws Mail for this tutorial, so make sure you select them when given the option.
  2. When you first install Gpg4win you are offered very little in the way of clues about how to proceed, so the first thing you should do is generate a key pair. To do this, fire up GPA and it will helpfully offer to generate a private key for you.
  3. Simply follow the wizard, inputting your name and email address (which are used to build the key), the password you want to use, and where you want to save the key. It is important to use the same email address that you will be sending your encrypted email from, and the password is important as the recipient will need it to decrypt your files. We are going to save the key in a folder called ‘Encryption keys’.
  4. Congratulations! You now have your first key.
  5. You now need to generate a public key, so that others can decrypt files that you encrypt with your private key. In GPA select the key you have just generated, click on ‘Export’, choose a name for the public key, a folder to save it to, and click ‘Save’.
    We saved it to our ‘Encryption keys’ folder. If you look in the folder you will now see a key pair – your encrypted key (to be kept secret) and your public key (to share).
  6. Share your public key – this can be done by simply emailing it to whoever you want to send encrypted mail to. The recipient should ‘Import’ this key in their instance of GPA (or ‘Import Certificates’ if using Kleopatra). You will also need to provide the intended recipients with the password you specified in step 2.

Encrypt your files or folders

You can now encrypt any file or folder, so that it can be sent to a recipient of your choice.

  1. To encrypt a file or folder, right-click on it, and select ‘Sign and Encrypt’.
  2. Check that the file save paths are where you want them, and that the ‘Sign and Encrypt (OpenPGP only)’ radio button is selected.
  3. Select the recipients you want to encrypt the file for, and ‘Add’ them to the list. When you are ready, click ‘Encrypt’. For the purpose of this tutorial, we will send the file to ourselves.
  4. If you have more than one identity, you can choose which one you wish to use for signing. For now, just click ‘Sign and Encrypt’. If you chose not to sign in step 2, you won’t see this screen.
  5. An encrypted version of the file or folder is created (with the .gpg file extension), which can then simply be emailed to the person you want to have it, or you can decrypt it yourself.

Decrypting a file or folder

  1. If an encrypted file is emailed to you, download it to a convenient location, right-click on the file and select ‘Decrypt and verify’.
  2. You will be asked to enter the passphrase set up by the sender (see step 2 of ‘Use GPA to create a key pair’ above). Remember that you will also need to have imported the sender’s public encryption key into your certificate manager (GPA or Kleopatra).
  3. A new folder with the suffix .tar_1 (or similar) will be created, with the decrypted files inside.
    Clicking ‘Show Details’ will give you more information about the certificate’s validity.
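The three procedures above (creating a key pair, signing and encrypting, then decrypting and verifying) carried out with the gpg command-line program that Gpg4win installs next to GPA and Kleopatra. This is an added example, not code from the article or from the Gpg4win project: the users, addresses, passphrases and file contents are constructed, and the script assumes gpg 2.1 or later on the PATH (on Windows, the same flags work from the Gpg4win command prompt or PowerShell). It also adds one check the GUI steps do not show: a key ring holding only public keys cannot open the file, even when given the sender’s passphrase, because a passphrase only unlocks the private key stored on the machine where it was created and is never needed by the other party.

```shell
#!/usr/bin/env bash
# Added example (not from the article): the key-pair, encrypt and decrypt steps
# performed with the gpg command-line tool. Two constructed users, "alice" and
# "bob", each get their own key ring in a temporary directory; every name,
# address, passphrase and file below is made up for the demo.
set -eu

WORK="$(mktemp -d)"

cleanup() {
  # Each key ring started its own gpg-agent; stop them before deleting the directory.
  for home in "$WORK"/alice "$WORK"/bob "$WORK"/mallory; do
    if [ -d "$home" ]; then GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true; fi
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

# gpg_as HOME ARGS...: run gpg non-interactively against one key ring. Passing the
# passphrase on the command line is acceptable only because this is a throwaway demo.
gpg_as() {
  local home="$1"; shift
  GNUPGHOME="$home" gpg --batch --quiet --yes --pinentry-mode loopback "$@"
}

# make_user NAME EMAIL PASSPHRASE: the "create a key pair" step (the GPA wizard asks
# for the same name, address and passphrase). The key ring lives in $WORK/NAME.
make_user() {
  local home="$WORK/$1"
  mkdir -m 700 "$home"
  gpg_as "$home" --passphrase "$3" --quick-generate-key "$1 <$2>" default default 0
}

# export_pub HOME EMAIL FILE: the "Export" step. Only this armoured public key is shared.
export_pub() { gpg_as "$1" --armor --output "$3" --export "$2"; }

# import_and_certify HOME PASSPHRASE FILE EMAIL: the recipient's "Import" step plus a
# local certification. In real use, compare the printed fingerprint with the key's
# owner over another channel before certifying it.
import_and_certify() {
  local home="$1" pass="$2" file="$3" email="$4" fpr
  gpg_as "$home" --import "$file"
  fpr="$(gpg_as "$home" --with-colons --list-keys "$email" | awk -F: '/^fpr:/ { print $10; exit }')"
  echo "imported $email, fingerprint $fpr" >&2
  gpg_as "$home" --passphrase "$pass" --quick-lsign-key "$fpr"
}

# sign_encrypt HOME PASSPHRASE SENDER RECIPIENT IN OUT: "Sign and Encrypt". The
# sender's passphrase unlocks the sender's private key for the signature; the data
# itself is encrypted to the recipient's public key.
sign_encrypt() {
  gpg_as "$1" --passphrase "$2" --local-user "$3" --recipient "$4" \
    --sign --encrypt --output "$6" "$5"
}

# decrypt_verify HOME PASSPHRASE IN OUT: "Decrypt and verify". Succeeds only when this
# key ring holds the private key the file was encrypted to and the signature is good.
decrypt_verify() {
  local status
  status="$(gpg_as "$1" --passphrase "$2" --status-fd 1 --output "$4" --decrypt "$3")" || return 1
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '
}

run_demo() {
  if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not found on PATH (Gpg4win installs it on Windows); nothing to do" >&2
    return 0
  fi
  local alice="$WORK/alice" bob="$WORK/bob" mallory="$WORK/mallory"

  make_user alice alice@example.com 'alice-demo-passphrase'
  make_user bob   bob@example.com   'bob-demo-passphrase'

  # Exchange public keys (emailing them is fine); the private keys never leave their ring.
  export_pub "$alice" alice@example.com "$WORK/alice.pub.asc"
  export_pub "$bob"   bob@example.com   "$WORK/bob.pub.asc"
  import_and_certify "$bob"   'bob-demo-passphrase'   "$WORK/alice.pub.asc" alice@example.com
  import_and_certify "$alice" 'alice-demo-passphrase' "$WORK/bob.pub.asc"   bob@example.com

  # Constructed plaintext; Alice signs it and encrypts it for Bob.
  printf 'quarterly figures (constructed sample)\n' > "$WORK/report.txt"
  sign_encrypt "$alice" 'alice-demo-passphrase' alice@example.com bob@example.com \
    "$WORK/report.txt" "$WORK/report.txt.gpg"

  # Bob decrypts with his own passphrase and checks Alice's signature.
  decrypt_verify "$bob" 'bob-demo-passphrase' "$WORK/report.txt.gpg" "$WORK/bob.txt"
  cmp -s "$WORK/report.txt" "$WORK/bob.txt"

  # A ring with both public keys but no private key cannot open the file, even with
  # the sender's passphrase: a passphrase only unlocks a private key held locally.
  mkdir -m 700 "$mallory"
  gpg_as "$mallory" --import "$WORK/alice.pub.asc" "$WORK/bob.pub.asc"
  if decrypt_verify "$mallory" 'alice-demo-passphrase' "$WORK/report.txt.gpg" "$WORK/mallory.txt" 2>/dev/null; then
    echo "unexpected: decryption without the recipient's private key succeeded" >&2
    return 1
  fi
  echo "Bob recovered the file and verified Alice's signature; the public-key-only ring could not decrypt it." >&2
}

run_demo
DEMO_RESULT=ok
```

Run it from a POSIX shell with gpg on the PATH. Every run builds fresh key rings under a temporary directory and removes them (and their gpg-agents) on exit, so it never touches your real Gpg4win key ring.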

Conclusion

We’ve shown you how to install Gpg4win, how to create key pairs, and how to use it to encrypt and decrypt files. In its raw form Gpg4win is a little basic, but going through these steps is a good way to start understanding PGP encryption. In the next tutorial in this two-part series we will look at integrating Gpg4win with the popular Thunderbird email client, so that you can easily send and receive encrypted emails.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

16 Comments

  1. Sindo N. R

    on August 27, 2019

    how do i setup my email with the software ?

  2. Bojan

    on December 23, 2017

    Great article. Can you tell me please if it is possible to use search functionality in Outlook to search for a PGP encrypted email? My company plans to use this tool, but it seems to be inconvenient in some situations, as the one I described. Users want to be able to search emails as usual. Thanks in advance, Bojan

    1. Douglas Crawford replied to Bojan

      on December 28, 2017

      Hi Bojan, Good question, but I'm afraid I don't use Outlook enough to be sure of the answer. A little research suggests that the best solution might be to create a search folder that only holds encrypted mail. More info here.

  3. dc

    on March 20, 2016

    In your experience, do businesses decrypt emails using Gpg? I want to mostly use this for business, not for personal. I could spend the time to educate for personal mails but would businesses even try to follow the instructions? Would Protonmail make more sense for these situations?

    1. Douglas Crawford replied to dc

      on March 21, 2016

      Hi dc, The biggest problem with PGP encryption is that, because it is complicated, take-up has never been great (this includes the business world). ProtonMail might make more sense for you, but please be aware that it is nowhere near as secure as using Gpg as outlined above.

  4. Yago

    on October 4, 2015

    Hi, great tutorial! Thank you! I do have a question. How do you keep your private key safe? Is the ‘Encryption keys’ folder encrypted? Do I need to make a backup on a pendrive just in case my computer crashes? Be well Y

    1. Douglas Crawford replied to Yago

      on October 5, 2015

      Hi Yago, Good question! No, the private key is not encrypted, so if you are worried about the physical security of your PC you should use another method to encrypt it. The simplest solution is to store it in a VeraCrypt container, so that it is automatically decrypted for use when the container is mounted. Yup, making a backup is a very good idea (and keeping it on an encrypted pen drive is an excellent solution).

      1. Yago replied to Douglas Crawford

        on October 7, 2015

        I use Cloudfogger a lot, but I don't trust anybody right now. I want to go encrypted just to get used to it and learn for the future, which I think will be worse than now. Also it is hard to cover all aspects: Android, PC, tablet, drive, Gmail, ProtonMail, Ghostmail, ... Thanks for your kind answer.

        1. Douglas Crawford replied to Yago

          on October 8, 2015

          Hi Yago, With Cloudfogger you should be aware that it is not open source, which means that you are trusting a commercial company to do right by you. I prefer open source solutions such as VeraCrypt.
