PGP is a computer program that enables you to scramble email messages so that they can only be read by the people you want to read them.
Sending normal emails is like using postcards instead of letters - anyone can read them en-route. When you send an email to someone else, the contents may pass through a dozen other computers. Anyone in control of these could easily see what you have written. Also, if your computer falls into the hands of the authorities, they would be able to look back over all your past emails. Even if you think you've deleted them they can still be lurking on your disc, and computer forensics experts will be able to retrieve them.
This guide will take you through the basic steps necessary to install and use PGP on a computer running Windows 95, 98, ME, NT, 2000, or XP. This won't work on a computer running an older version of Windows, like Windows 3.1. There is a version of PGP for Apple Macs, but the installation procedure will be slightly different and this document doesn't describe it.
First, you need a copy of the program. If you have a PGP setup CD already you can use this.
If you don't have a PGP setup CD, you can always download PGP from the website at http://www.pgpi.org/. The CD has a copy of PGP version 6.5.8. Even though this is quite an old version, it is the most trusted as it has been carefully scrutinised by experts for several years. The later versions may have hidden weaknesses that are yet to be revealed.
There are two basic security issues concerning PGP and emails:
PGP is almost certainly unbreakable as regards the first case, so you should start using it to scramble your everyday emails straight away. Remember the more emails sent using PGP, the better, because then the people using them don't stand out so much. So even if you're just forwarding someone a joke you've received, use PGP to scramble the message. If the authorities raid your house and get your computer, there is some small opportunity for them to see some of the scrambled messages you have sent if you don't take appropriate precautions. So don't start using PGP for really important emails until you're happy you understand the risks.
But the most important thing is to start using PGP and encouraging other people to use it.
First insert the CD into the CD drive on your computer.
Now we need to run the setup program. From the menu, click
Now we need to find the setup program on the CD.
From the Run window, click on the button to find it.
Normally the CD drive will be called D: but depending on how your computer is set up, it could be E: or F: or some other letter.
From the drop-down box at the top of the Browse window, choose the CD drive. It should have an icon of a CD and be called "Untitled CD". You should see two folders. Double-click the one called "PGP for PC windows".
The window below may look slightly different depending on which version of Windows you have, but it should work in the same way.
In the PGP for PC windows folder you should see a file called setup.exe
Highlight this by clicking on it once (so it turns blue), and then click on the button.
Now you should be back at the Run window, which should look something like this.
Click on the button to start installing the PGP program.
The screen should clear and you'll see a small window like the one below while the installation program files are copied from the CD to your hard disk.
Once this is done you will see a Welcome window. Click on the button.
The next screen is just some legal blurb. Just click the button.
Now we get some Important Product Information, telling us why the program is so great. Just click the button here.
Now it asks you for your Name and Company. You can just make something up here if you want. Then click the button again.
Now we choose whereabouts on our hard disk we want the program to be installed. You can just accept the default here and click the button again.
The PGP program has several components. We can select which ones we want installed. Most people will be using Outlook Express for email and can just accept the default values. Click the button again.
The next screen just reviews the choices we have made already and gives us the chance to go back and amend anything we've done wrong. Just click the button here.
Now the actual PGP program files are copied over from the CD to your hard disk.
If we are installing PGP for the first time, we won't have any existing keys, so we can click for a change on the next screen.
That's the installation complete now. Basically it was just a case of running through some standard screens clicking each time.
Just click on the button now and we can go on to the second stage, which is setting yourself up with a pair of keys so you can scramble and unscramble messages.
Depending on which version of Windows you are using, it might ask you if you want to restart Windows at this point. You can say yes and then carry on from where you were. If the process doesn't automatically continue when the computer restarts, you can move on to the next stage by clicking on the small grey padlock icon in the bottom right corner of the screen and selecting the PGPkeys menu option.
The setup program now moves on to a series of screens that will generate a pair of keys for you.
One key is the secret key. This is only held by you and is protected by a secret passphrase that only you know. You use the secret key to unscramble messages that have been sent to you.
The other key is the public key. You can make as many copies of this as you want and hand them out freely. Other people will use these to send you scrambled messages.
Click the button.
Here is the first screen where we have to enter some actual information.
Your email address should be your real email address. For your Full Name, you can put your proper name, or you can use just your first name or a nickname if you prefer. But bear in mind this could make it difficult for people to remember that this is your key.
Now you get a technical question about the method PGP uses to scramble the key. Just accept the default and click the button.
The "size" of a PGP key is an indication of how secure it is. The default of 2048 should be fine, but let's be paranoid and select the maximum possible Custom value of 4096. Click the button to continue.
If you want you can set your key to automatically expire on a certain date. As you get more familiar with PGP, you might wish to use this feature, but for now we can just say that the key never expires and click the button.
This next screen is probably the most important one to get right. Although the technique used to scramble the messages is almost certainly unbreakable for the foreseeable future, the weak link in the chain is at the endpoints. If the authorities were to get hold of your computer, all that protects your secret key is a passphrase. So if you use "cat" or "qwertyuiop" or your name, or your pet's name, or your mother's maiden name as a passphrase, the authorities would probably be able to guess it simply by trying thousands or millions of common words or passphrases every second. So the best idea is to use a sentence with several words in it. It would also be good to include some numbers as well. Passphrases with capital letters are different to lower-case passphrases, so if you include capital letters you must type them exactly the same each time.
If you forget your passphrase, there is no way to recover it - you'll just have to generate a new pair of keys, which isn't that much of a problem, but you won't be able to read any of your old scrambled emails. The trick is to choose a passphrase that is both easy for you to remember and difficult for anyone else to guess.
On the screen below you have to type your passphrase in twice, just in case you make a typo the first time. If someone might be looking over your shoulder, make sure the "Hide Typing" checkbox has a tick in it, and you won't see the passphrase come up as you type. If this isn't a problem, remove the tick and you can make sure you have typed it in correctly.
The Passphrase Quality indicator gives a rough guide to how good your passphrase is. You want the blue dashes to fill as much of the bar as possible.
Once you have entered your passphrase, click the button.
Now the program will create a key pair for you. On the latest PCs this will only take a few seconds, but on older machines it could be a minute or so. Once this is done, click .
If you want to you can send your public key to a keyserver. This is like a Directory Enquiries for PGP keys. To do this you need to be connected to the internet, but you probably don't need to do this, and you can always do it later anyway, so make sure the checkbox is unticked and click .
Now you are congratulated on having created a key pair. Click and the PGPKeys window should appear.
Now we have installed the program and have set ourselves up with a pair of keys, we are able to receive and send scrambled messages.
The PGP program installs a small grey padlock icon in the bottom right corner of the screen, next to the clock. You click on this to scramble and unscramble your messages, and to manage the keys on your keyring.
Let's have a look at our keyring. If you've just finished the first part of the setup the PGPkeys window will already be open. If not, click on the padlock icon and select the option to access it.
The PGPkeys window shows you all keys on your keyring. You should have only one private key (John Smith, in our case) which has an icon of a head and a yellow key. All the public keys will have icons that are just yellow keys.
The setup program gives you some sample keys to look at. You can delete these if you want.
You want people to be able to send you scrambled messages. For them to do this, they need a copy of your public key. You can export your public key to a file and email it to everyone you know, either in the body of the email or as an attachment.
To export a key to a file, firstly highlight your own key, then click on the black floppy disk icon on the toolbar of the PGPkeys window. This will bring up a dialog box where you can select where you want the key saved.
From the Export Key to File window that comes up, choose a filename to save the key to. In our case, we've saved our public key to a file called "John Smith.asc" on the desktop. This is a plain text file that you can open in a text editor such as Notepad if you want. If you did, it would look something like this:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 6.5.8 for non-commercial use
mQCNAzROcN4AAAEEAONpUgn9KJni9eagqCKyDEBRaHcmhn+aQwPAuH2DONnREvkA
J0YjnsN7tKOyINU+RsUmn2IIxZQag8bVKJ52MXHQGNtQoSgwSK8G+hV70+48WqJ8
5HaiDeaW9GxDjVgwX7hmrw6cv7sPurDNW3CAgANhojIxlM6xA6YYzwRO4XVtAAUR
tCZLZW5uZXRoIEEuIFNjaHVtYWNoZXIgPGtzY2h1QGZuYWwuZ292PokAlQMFEDSN
...
This is how the saved file looks on the desktop. Now we can email this file to anyone we know.
Other people we know will also be sending us copies of their public key. To be able to use them, we need to add them to our keyring. Firstly we need to save the email they have sent to a file. In Outlook Express we do this using "Save As..." from the File menu. I'll suppose we have saved the email to the Desktop and called it "My PGP key.eml".
To add someone else's public key to our keyring, click on the yellow folder icon in the toolbar of the PGPkeys window.
Now we need to locate where we saved the email and click on the button to add the public key to our keyring. By default the program will look for files that end with ".asc". If we saved our email as something ending with ".eml", we need to change the "Files of Type" drop-down box at the bottom of the window to say: "All Files (*.*)"
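As an added example, not part of the original document and not PGP's own code: a small Go program that checks an exported key block like the one shown above before it is added to a keyring. The "=XXXX" line just before the END marker is a CRC-24 checksum over the decoded key (the OpenPGP ASCII-armor scheme that PGP 6.5.8 uses), so a block that a mail program has word-wrapped, truncated or otherwise mangled in transit is rejected instead of being imported. The function names crc24 and Dearmor are my own.

```go
package main

import (
	"encoding/base64"
	"errors"
	"strings"
)

// crc24 is the OpenPGP ASCII-armor checksum (RFC 4880, section 6.1). PGP 6.5.8 writes
// it base64-encoded after "=" on the line just before the END marker of every .asc block.
func crc24(data []byte) uint32 {
	crc := uint32(0xB704CE)
	for _, b := range data {
		crc ^= uint32(b) << 16
		for i := 0; i < 8; i++ {
			crc <<= 1
			if crc&0x1000000 != 0 {
				crc ^= 0x1864CFB
			}
		}
	}
	return crc & 0xFFFFFF
}

// Dearmor takes the text of an exported key block (or a PGP MESSAGE), skips the BEGIN
// line and the "Version:" headers, decodes the base64 body and checks the CRC, so a
// key that a mail client wrapped or truncated in transit is rejected rather than imported.
func Dearmor(text string) ([]byte, error) {
	text = strings.ReplaceAll(text, "\r\n", "\n")
	_, rest, ok1 := strings.Cut(text, "-----BEGIN PGP ")
	_, rest, ok2 := strings.Cut(rest, "\n\n") // a blank line ends the armor headers
	rest, _, ok3 := strings.Cut(rest, "-----END PGP ")
	b64, sum, ok4 := strings.Cut(rest, "\n=") // the "=XXXX" checksum line precedes END
	if !(ok1 && ok2 && ok3 && ok4) {
		return nil, errors.New("not a complete BEGIN/END PGP armor block")
	}
	data, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
	if err != nil {
		return nil, err
	}
	want, err := base64.StdEncoding.DecodeString(strings.TrimSpace(sum))
	if err != nil || len(want) != 3 {
		return nil, errors.New("missing or malformed =checksum line")
	}
	if crc24(data) != uint32(want[0])<<16|uint32(want[1])<<8|uint32(want[2]) {
		return nil, errors.New("checksum mismatch: the block was altered in transit")
	}
	return data, nil
}
```

Feed Dearmor the contents of a saved ".asc" file or of an email saved as ".eml": it returns the raw key packets on success and an error for anything that does not verify.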
Now we are all set up with a PGP program and a bunch of keys on our keyring, we can start sending scrambled ("encrypted") messages. Suppose we are called John Smith and we want to send a scrambled email to Ann Onymous. We assume that Ann has already emailed us a copy of her public key, and we have added it to our keyring as described above.
First we write our email as normal. Just before we send it, we have to scramble the message in such a way that only Ann can unscramble it. To do this we click on the grey padlock icon in the bottom right corner and from the submenu we choose .
Now the PGPtray: Key Selection Dialog window comes up and we have to choose who to encrypt the message to. We want it to be encrypted to Ann Onymous, so we double-click on her key in the top panel. This should move it to the panel underneath titled "Recipients".
If we leave it at this, only Ann will be able to read the message; we won't even be able to unscramble it ourselves. So we also need to double-click on our own key (John Smith) in the top panel to move it to the Recipients list. Now both Ann and ourselves will be able to unscramble ("decrypt") the message. Click the button once you've done this.
The screen should flicker for a few seconds and then the original email should be replaced by some nonsense-looking text like that shown below. This is the scrambled email. The BEGIN PGP MESSAGE line just lets the PGP program know that a PGP scrambled message is coming up.
Now you can send the email as usual by clicking the button.
Suppose Ann receives our message, successfully unscrambles it, and then uses our public key to scramble a message back to us. We will receive an email looking similar to the one we sent out - except the nonsense-looking text will be different.
To unscramble ("decrypt") the message, click on the grey padlock icon in the bottom right of the screen, and from the submenu, select .
A window should come up telling us that the message is encrypted to both Ann Onymous and ourselves. To unscramble the message the program will automatically use our private key. To stop our enemies from breaking into our home and stealing our private key, we protected it with the passphrase we set earlier.
Every time we unscramble a message that was sent to us, we have to type in this passphrase. The tick in the "Hide typing" checkbox means we can't see what we are typing, which is useful if someone might be looking over your shoulder. If you're alone you can remove the tick so you can see what you're typing. Once you've typed in your passphrase, click the button.
If you've typed in the passphrase correctly, the unscrambled message will appear in the Text Viewer window. Clicking the OK button here discards the unscrambled version from your computer. If you want to save the unscrambled message, click on the button. Then you can paste the text into somewhere else, such as another email or a Word document.
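As an added example, not code from the original document or from PGP: a simplified Go model of what happens when a message is encrypted to the Recipients list and later unscrambled with a private key. The message is encrypted once under a random session key, that session key is wrapped separately for every public key on the list, and a private key can only unscramble the message if it was on that list, which is why leaving your own key off the list makes your sent copy unreadable. Bundle, EncryptTo, Decrypt and NewKeyPair are my own names, and RSA-OAEP with AES-GCM stands in for PGP's own packet format and algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Bundle models a PGP message (simplified, not the OpenPGP packet format).
type Bundle struct {
	WrappedKeys [][]byte // the session key wrapped with RSA-OAEP, once per recipient
	Ciphertext  []byte   // the message body under AES-256-GCM with that session key
}
var nonce = make([]byte, 12) // a fixed nonce is safe only because each session key is used once
// NewKeyPair stands in for the key-generation screens of PGPkeys.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// newGCM requires a 32-byte key; for that input neither constructor can fail.
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// EncryptTo scrambles msg for exactly the keys in recipients (the PGPkeys Recipients list).
func EncryptTo(msg []byte, recipients []*rsa.PublicKey) (*Bundle, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	b := &Bundle{Ciphertext: newGCM(key).Seal(nil, nonce, msg, nil)}
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, err
		}
		b.WrappedKeys = append(b.WrappedKeys, w)
	}
	return b, nil
}

// Decrypt tries every wrapped key with priv; only a listed recipient's key unwraps.
func Decrypt(b *Bundle, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range b.WrappedKeys {
		if key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil); err == nil && len(key) == 32 {
			return newGCM(key).Open(nil, nonce, b.Ciphertext, nil)
		}
	}
	return nil, rsa.ErrDecryption // PGP's "message is not encrypted to you"
}
```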
Now we've gone through the basics of installing, setting up and using PGP. This should be enough to get you started. Remember that the more people that use PGP the better, because then the people who do use it don't look so suspicious. Use PGP even for your mundane everyday emails. PGP is almost certainly unbreakable by someone intercepting your emails. However, if the authorities confiscate the computer at either end it makes their job a lot easier - your passphrase is a lot easier to break than the PGP code itself.
One story regarding PGP comes from a Mafia gangster who was using PGP to hide his secret files. The FBI knew it would be impossible to crack the code, so they secretly broke into his house and installed a small gadget in his keyboard that transmitted every keypress he made to a nearby receiver. The next time he used PGP and typed in his passphrase they were able to see exactly what it was, so they could now raid his house and read all his secret files.
So the moral is, don't trust PGP for really important things - not because it isn't good in itself, but because tactics like the one mentioned above can be used. You have to judge whether your messages are important enough to warrant the authorities using extreme measures to get your passphrase.
Another idea is to change your PGP keys every now and then. Although this means you won't be able to read your old emails, it also means that the authorities can't either, should they manage to break your passphrase.
To read about the other more advanced features of PGP, do a search on Google or start by looking at http://www.pgpi.org/.
If you have questions or comments on PGP or this document, you can email: