Gpg and windows
Welcome to Simone Giustetti's wiki pages.
Languages: English - Italiano
GPG for Windows
Gnu Privacy Guard is a cryptographic software suite for personal use developed to implement the OpenPGP standard defined by the Internet Engineering Task Force. Initially developed for the Linux / Unix platform, over time GNU Privacy Guard, also known as GPG, was ported to many other platforms including the Windows family of operating systems. The GPG Windows version is called GPG4Win and supports all of the functionality available for Linux, MacOsX or Unix. The GPG4Win graphical interface was designed and optimized for Windows and as such is slightly different from other operating systems. This paper provides an overview of the software basic operation.
Software install procedures are specific for any operating system. As a consequence it is important to detail the GPG4Win installation as it widely differs from performing the very same operation in Linux or Macintosh. The very first step is finding the software as GPG4Win is a separate project. The install executable is available in the download page of the project web site; a recent snapshot for the page is available below:
Download the exe file with any web browser into a directory of choice. The Desktop or the standard download directory or a temporary one. Once finished downloading the file, you may want to check it for consistency scanning it for viruses or calculating its checksum then comparing the outcome against the code available in the download page. If the antivirus alerts you of an infection or the outcome of the checksum operation differs from the correct value something is wrong with the file and you are encouraged to delete it then download it again. Assuming that both checks went well you can install the software:
- Double click the install file. The operating system will ask you to confirm or abort the procedure:
- You can confirm pressing the Run button. The language selection window will show up:
- Select your language of choice then press the OK button. The snapshots below use English, but the sequence does not change for other languages. After pressing the button a summary window will pop up:
- Press the Next button and a window containing the GPG4Win license will appear. Press the Next button again and a window listing all available components will pop up:
- Check for the GPA entry to be flagged otherwise set the appropriate check box. Press the Next button. Select an installation path for the GPG4Win program executable, its documentation and libraries:
Were you not in need of a custom path, leave the default destination and press the Next button. The default values for all of the options following usually work well for standard use. Please pay attention to the last windows where the install procedure asks whether to reboot the personal computer immediately or to postpone the reboot.
Following a restart all the default GPG services will be available then you can execute the first program configuration, create a new key pair and begin to encrypt information.
Key Pair and Configuration
Key creation is a sensitive matter and you are encouraged to download and read carefully the GPG4Win manual or at least the beginner section where you can find a summary of the basic concepts:
- GPG and GPG4Win use asymmetric cryptography also known as public key cryptography.
- Asymmetric cryptography requires a key pair: a public key, used to encrypt information, and a private key needed to decrypt data.
- A copy of the public key should be delivered to whoever wishes to send you encrypted e-mails or files.
- The private key is secret and should never be shared with anyone.
- Information encrypted with the public key can be decrypted with the private one only.
- The private key can be protected using a passphrase. If stolen, a protected key cannot be used by unauthorized people who do not know the passphrase.
The key pair is the building block for GPG to work and as such should be created soon after the installation. Please follow the procedure below to create the key pair:
- Start Kleopatra the GPG4Win graphical interface.
- Select the menu item "File → New Certificate":
- A new window will open. Select key pair format "OpenPGP" with a click of your mouse:
- In the next window appearing insert your personal data: your name or other identifier, a valid e-mail address and a comment useful to recognize keys when more than one pair is configured for the same user:
- Finally, you can set some low-level parameters such as key type and length. The default values are usually the best choice, if you wish to customize them press the "Advanced Settings" button to open a dedicated window:
The maximum key length GPG can manage is 4096 bit, but the default is 2048. A 2048 bit length offers a high security level balancing it with the performance need and the ability to export keys to standard smart cards and similar external devices. If you do not have a reason to configure a longer key length, you are highly encouraged to set a 2048 bit length for your keys. For more information about key type and length please read the GPG FAQ available in the web site pages.
Default values for configuration parameters are suitable for private or professional use, you should not change them unless needed. It is however advisable not to make changes by trial, but be sure to consult the documentation and proceed only when you are sure of the desired result.
During key creation you'll be asked for a passphrase for the private key. The passphrase is optional, but a sensible choice that protects you in case of theft of the device where the keys reside. The request window offers a tool that checks the password strength:
A passphrase too short or too easy cold be discovered by a brute force attack. Please use a passphrase longer than 8 characters containing letters, numbers and special characters to defend against such attacks. Following the pair creation a confirmation window will appear:
- Press the "Finish" button to conclude the procedure.
Back-up the Key Pair
By the end of the private / public key pair creation procedure, GPG4Win permits to export the keys to file. The back-up safeguards users from accidental loss of the private key and, consequently, of all the encrypted files. Opening an encrypted file is considered impossible with current technology and it is therefore very important to keep a safety copy of the keys, copying then to an external device to be kept in a safe place. To this end please press the button in the center of the window: "Make a Backup of Your Key Pair". GPG4Win will let you set the name and path of the saved file:
Press the "OK" button to save the file then move it to a safe location.
A special mention goes to a set of parameters that govern the error messages verbosity level and set their destination. The default configuration ignore errors and warnings so as not to disturb users. A sound settings when everything works fine, but useless when problems arise requiring for debugging. When a problem presents itself it is better to set the verbosity level to a value greater than zero and to forward all output to a file in order to perform a better analysis of the issue.
- Start Kleopatra
- Select menu item "Settings → Configure Kleopatra"
- Select the GnuPG System icon in the left window column. It should be the one at the bottom of the list.
- The "Options useful for debugging" string will appear in the right column of the window more or less in the middle. Set the level entering a value in the list box immediately below the string. The destination file path and name can be set in the text-box below. The resulting file can be opened with any text editor.
How-to Encrypt and Decrypt Files
Encrypting and Decrypting files with GPG4Win is quite an easy task. When the program is installed specific options are added to the menus of the file manager and to the drop down menu shown by clicking the right mouse button. To encrypt a file you point it with the mouse pointer, then press the right mouse button and choose option "Encrypt":
- A wizard will show up to guide you. First the wizard will ask you to confirm your request:
- Press the "Next" button to proceed to a second window and select the file recipients. Add the recipients related keys using the "Add" button:
- The encrypted file can be read by owners of the keys in the list only. Add all of the recipients, your own key, then select a destination directory for the encrypted file and press the "Encrypt" button. GPG4Win will write a new encrypted file in the selected directory. The original "clear text" file should be manually deleted. You can configure GPG4Win to automatically remove each clear text file once it is encrypted by setting the proper flag in the encryption window.
Decrypting a file is just as easy. Point the file with your mouse pointer, right click and select the "Decrypt" option from the drop down menu. GPG4Win will pop up a confirmation window; confirm and a clear text copy will be written in the same directory where the encrypted file resides:
Even easier: double click the encrypted file and GPG4Win will write a decrypted copy of it in the same directory.
Either way, if a passphrase were set for the private key, the program would ask for it before deciphering the stored information.
Gpg-agent is a service that can simplify users life. When running, the service saves in an internal cache all of the user provided passphrases the first time they are inserted. Later, when GPG requires a password again, it is read from the cache provided by gpg-agent. You basically have to insert a password only once and not each time a document is opened. The time saving is considerable for the staff of an office that needs to read and handle large amounts of documents every day.
The service starts automatically the first time a passphrase is requested no previous configuration is needed. Usually passphrase information is kept in the cache for about ten minutes. If you feel the time period is too short you can increase it through the gpg-agent graphical interface:
- Open the graphical interface:
- Select the "Edit → Backend Preferences" menu option that will load the options window for the service:
- Set option "Use custom value" in the drop down control right of default-cache-ttl, then insert a custom duration for the cached entries:
The duration is expressed in seconds. The default value, 600 seconds, sets a 10 minutes period after which the password is removed from the cache and, if need be, asked to the user again. Set a higher value to increase the duration of a stored item.
This paper provides a brief description of the Microsoft Windows optimized version of GNU Privacy Guard. The installation and the basic operation of the program were described. For more information you are encouraged to read the manual and the many articles available on the net and in this very same website. Were You interested in our offerings or simply looking for more information, please refer to our contacts page. Thank You.
To contact me or leave me your feedback, Please e-mail at studiosg [at] giustetti [dot] net.
Languages: English - Italiano