What is PGP
Pretty Good Privacy (PGP) is a popular public-key encryption standard created by Phil Zimmermann in 1991. With PGP you can encrypt email messages and files or, probably more useful from a practical viewpoint, digitally sign them, which ensures their authenticity: a signed message verifies that the information within it has not been tampered with in any way. PGP is also an encryption company that sells PGP software.
PGP (the protocol) is based on a widely accepted encryption technology known as public key cryptography in which two complementary keys - a key pair - are used to maintain secure communications. To use PGP you generate a pair of keys - one private, one public. By definition you give away your public key (it is public!) and your private key remains private.
To sign an email you use your private key and your recipient validates the signature using your public key. Conversely, when someone sends you a digitally signed email they have signed it with their private key and you verify it using their public key. To encrypt an email you use your recipient's public key and they decrypt it with their private key. When you receive an encrypted email the sender has encrypted it using your public key, and you decrypt it using your private key.
What is GPG
GnuPG (GPG) stands for GNU Privacy Guard and is GNU's tool for secure communication and data storage. Like PGP, it is compliant with the proposed OpenPGP standard. GPG is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GPG has better functionality than PGP and some security enhancements over PGP. For these reasons GPG is recommended for use with Mulberry for signing and encryption.
Getting Started
Note - getting this plugin working is considered an advanced topic. You should be familiar with the Mulberry email client itself, using the command line, general email concepts and have an overall understanding of the principles of PGP. You do this all at your own risk. Generation and management of your keys, specifically your private key, is your responsibility. If your private key is lost you will be unable to sign or decrypt emails. If your private key is compromised or stolen other people may be able to masquerade as you.
You will need:
- Mulberry 3.1.x installed and working
- A copy of the Mulberry Crypto plugin (see above)
- GPG - from their website
- MS Windows version available here
Installation
Install GPG - Unzip the GPG zip package to the folder c:\gnupg. The package must be unpacked to this folder for the Mulberry plugin to work.
Note - you will have to have administration rights to do the following:
Install the Mulberry Crypto plugin - from the software drive g:\mulberry\windows\tools\MulberryCrypto_v3_1_6.exe.
- Run the installer
- Run Mulberry
- If you are prompted for a registration code for the GPG plugin you can find it in g:\mulberry\windows\tools\readme.txt
- Go to the Help -> About Plugins... dialog box and make sure GPG appears in the Secure Messaging section. If not, double-check that the plugin is in the Mulberry Plug-ins directory and that gpg.exe is installed correctly in C:\gnupg.
Configuring GPG
You now need to generate (or import) key pairs. Refer to the crib notes for more information. Brief instructions are:
To generate a public-private key pair open a command prompt and 'cd' to c:\gnupg. Type:
gpg --gen-key
Follow the prompts. Key generation may take a minute or two. Once complete you will have a pair of keys ready to use. Your private key must remain private and it is highly advisable to back it up. Your public key should be distributed to whomever you wish to communicate with.
Refer to the GPG Howto for full details of key administration. Basic commands are:
- gpg --list-keys - list all public and private keys on your 'keyring'
- gpg --list-secret-keys - list all your private keys on your 'keyring' (usually just one)
- gpg --export uid - export a public key. By default the output is written to stdout; use the -o option to send it to a file
  - The uid is the name of the key supplied as part of the generation process; you only need to supply enough of it to obtain a unique match
  - Supply the -a option to write the key as a 7-bit ASCII file instead of a binary file, e.g. gpg -a --export uid
- gpg --import filename - import a key, usually somebody else's
Using GPG with Mulberry
Open Mulberry. Now open an email draft window to compose a message. Two new icons will appear on the toolbar - a sign icon and an encrypt icon.
To digitally sign an email click the sign button. When the send button is clicked a dialog box will be presented to enable you to enter your passphrase. You have the option to cache this passphrase for the duration of your session.
To encrypt a message click the encrypt button. When the send button is clicked the message will be encrypted using the public key of the recipient. You must have the recipient's public key on your keyring to be able to encrypt a message.
Security settings
Installing the Mulberry Crypto plugin presents another tab in the preferences section (File -> Preferences).
Select the method to use here: set it to "PGP - using GPG Plugin" and leave it there.
The following options are worth explanation:
Use MIME Multipart Security with PGP - specifies whether to send the signed or encrypted message as MIME multipart or inline. Most modern email clients are MIME compatible, so this option is probably the best choice.
Always Encrypt to Self - Enable this option when you still want to be able to read your encrypted messages yourself in your sent-mail folder. If you disable this option you will not be able to read messages you encrypt.
Cache Passphrases while Running - Disabling this option means you will have to type your passphrase every time you want to sign an outgoing or decrypt an incoming email.
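A worked round trip of the commands described under Configuring GPG (key generation, ASCII-armoured export, import) together with the sign/verify and encrypt/decrypt behaviour the page describes, including the Always Encrypt to Self setting above, as an added example that is not part of the original page or of Mulberry's own code. It assumes gpg 2.x is on the PATH; the names, addresses and message text are constructed and the keyrings are throwaway ones in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the Mulberry page): two throwaway keyrings, Alice and
# Bob, in a temp directory, exercising the commands listed under Configuring GPG
# (gpg --gen-key, -a --export, --import), sign/verify, and encrypt-to-self.
# Assumes gpg 2.x on PATH; names, addresses and message text are constructed.
set -eu

# Unattended equivalent of answering the interactive 'gpg --gen-key' prompts
gen_key() { # $1 = keyring dir, $2 = real name (5+ chars), $3 = e-mail
    printf '%%no-protection\nKey-Type: RSA\nKey-Length: 2048\nSubkey-Type: RSA\nSubkey-Length: 2048\nName-Real: %s\nName-Email: %s\nExpire-Date: 0\n%%commit\n' "$2" "$3" \
      | gpg --homedir "$1" --batch --quiet --gen-key 2>/dev/null
}

gpg_roundtrip_demo() {
    work=$(mktemp -d) || return 1
    alice="$work/alice"; bob="$work/bob"
    mkdir -m 700 "$alice" "$bob" || return 1
    gen_key "$alice" "Alice Demo" alice@example.invalid || return 1
    gen_key "$bob"   "Bob Demo"   bob@example.invalid   || return 1
    # Each side exports its PUBLIC key as 7-bit ASCII (-a) and imports the other's
    gpg --homedir "$alice" --batch -a -o "$work/alice.asc" --export alice || return 1
    gpg --homedir "$bob"   --batch -a -o "$work/bob.asc"   --export bob   || return 1
    gpg --homedir "$alice" --batch --quiet --import "$work/bob.asc"   2>/dev/null || return 1
    gpg --homedir "$bob"   --batch --quiet --import "$work/alice.asc" 2>/dev/null || return 1
    # Alice signs with her private key; Bob verifies with her public key
    printf 'meeting moved to 3pm\n' > "$work/msg.txt"
    gpg --homedir "$alice" --batch --quiet -o "$work/msg.asc" --clearsign "$work/msg.txt" || return 1
    gpg --homedir "$bob" --batch --quiet --verify "$work/msg.asc" 2>/dev/null || return 1
    # A copy altered in transit must NOT verify: that is the authenticity guarantee
    sed 's/3pm/4pm/' "$work/msg.asc" > "$work/tampered.asc"
    if gpg --homedir "$bob" --batch --quiet --verify "$work/tampered.asc" 2>/dev/null; then
        echo "tampered message verified" >&2; return 1
    fi
    # Alice encrypts to Bob AND to herself, as Mulberry's 'Always Encrypt to Self'
    # does, so her sent-mail copy stays readable. --trust-model always skips the
    # key validity check; acceptable for this throwaway demo only, not real mail.
    gpg --homedir "$alice" --batch --quiet --trust-model always \
        -r bob -r alice -o "$work/msg.gpg" --encrypt "$work/msg.txt" || return 1
    for who in alice bob; do   # both private keys recover the original text
        gpg --homedir "$work/$who" --batch --quiet --decrypt "$work/msg.gpg" 2>/dev/null \
          | cmp -s - "$work/msg.txt" || { echo "$who cannot decrypt" >&2; return 1; }
        GNUPGHOME="$work/$who" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
}

gpg_roundtrip_demo && echo "sign/verify and encrypt/decrypt round trip OK"
```

If Alice were encrypted only to Bob (drop `-r alice`), her own decrypt step would fail, which is exactly what disabling Always Encrypt to Self does to your sent-mail folder.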