Arthur's Bit Bucket

Saturday, January 21, 2006

Five minute guide to Windows GnuPG email encryption with Thunderbird's Enigmail

I decided to go beyond GPGShell for using GnuPG for email. While GPGShell is excellent for There's a wonderful extension called Enigmail for Mozilla Thunderbird that makes it very easy to use GnuPG to encrypt and decrypt your email; however, I spent a little while scratching my head configuring it to be the way I wanted. Here's what I ended up doing:

1) Install and configure GnuPG (latest version 1.4.2)

The install went smoothly, but I wanted my keyrings to be somewhere other than the default of C:\GnuPG. There are supposed to be three ways to relocate them:
  • Pass the --homedir switch to gpg on each execution (a pain if you are using multiple GnuPG clients);
  • Use regedit to set the HKLM\Software\GNU\GNUPG key's HomeDir string value with the path, but this did not work for me (I tried specifying it both with forward slashes and backslashes but it never changed the setting from the default);
  • Set the GNUPGHOME environment variable. This worked great for me and sets the location for any execution of GnuPG (either from Enigmail, GPGShell, or any other client).

2) Install and configure Enigmail

Be sure to remove any old versions first. The only option I really had to change was related to the multiple identities I have set up. You have to enable Enigmail for each identity, and after doing so, you get prompted with the Per-Recipient Rules Editor asking how to sign/encrypt for each recipient of your email. I just wanted it to respect what I specified in the OpenPGP button when composing mail instead. The trick is to add a rule in this dialog for recipients containing '@', with no PGP key specified, that sets signing, encryption, and PGP/MIME to "permitted".

After doing this, Enigmail will respect the sign/encrypt settings you put for an individual email message in the compose window. Make sure this rule is the last rule.

3) Upgrade your signing key

If you use PGP/MIME to encrypt email and have generated your private key using the GnuPG default DSA signing key and ElGamal encryption key, you will quickly run into an error from gpg stating that you can't use SHA512 (or any hash algorithm better than SHA1) with PGP/MIME. This is because the DSA signing key only supports SHA1. Since SHA1 has been broken, you may wish, as I did, to use a better signing algorithm anyway. I found this excellent article walking you through the steps on how to do this. To paraphrase it and get to the meat of it, using the GnuPG command line, you have to add a new signing key:
To generate a new subkey, begin by editing your key (--edit-key 'name'), then choose addkey, and finally choose RSA (sign only). That's it; now you can use the newer SHAs.
That's it--you should have a pretty smooth encryption experience.
