Oversimplified WinPT mini-guide
This guide will help you to use WinPT (gpg) to encrypt your mail.
The following common operations are explained:
(The corresponding gpg command-line is indicated for each operation.)
Create your keypair
gpg --gen-key
The first time you will start WinPT, it will propose to create a keypair ("Something seems to be wrong [...] Continue ?" > "Yes" ; then choose "Have WinPT to generate a key pair" > "OK").
Otherwise, right-click on WinPT tray icon > "Key Manager" > menu "Key" > "Generate..." > "Expert".
- Key type: choose "DSA and ELG (default)"
- Subkey size in bits: enter 1024 or 2048.
- Real name: enter your real name and surname
- Comment: enter a comment, or you pseudo
- Email address: enter your email address
- Key expiration: leave empty.
- Passphrase: enter a word (or phrase) which will protect your secret key.
- Repeat passphrase: enter the word/phrase again.
- Click "OK".
Symbols (++...++..+.) will print on screen. Wait.
(Don't forget your passphrase. If you lose your passphrase, you lose your key.)
After a moment, "Key Generation complete" shows up. Click "OK".
WinPT will prompt you to backup your keys. I recommend to accept ("Yes") and to backup your pubring.gpg
and secring.gpg
on a floppy disk or USB key (which you will store in a safe place).
Your secret key (secring.gpg
) must never fall in the wrong hands. Protect-it well.
If WinPT asks "Do you really want to reload the keycache ?", always answer "Yes".
There you are ! You are now ready.
You must distribute your public key to everyone.
You must keep your secret key safe and never give it to anyone !
Publish your public key
gpg --armor --export KeyID
gpg --armor --export name
Now you have to give your public key to everyone.
Just put your public key on a public key server (so that everyone can access it).
- Open the "Key Manager", right-clic on your key, "Copy key to clipboard". This will copy your public key in the clipboard.
- Go to http://pgp.mit.edu (or any other key server (search for "pgp key server" on Google)) and paste your key in the "Submit a key" form.
- Click the "Submit this key to the keyserver !" button.
There you are. Your key is published.
For your [correspondants] to know which key to use, I recommend to put your KeyID in your email signature (automatically added to all your outgoing mails). For example:
I will send you the document tomorrow.
--
John Schmoe
john.shmoe@foo.bar
KeyID: 0x7C638FCD
You can also put your KeyID on your website or in your profile in a forum (or even your public key itself).
Import a public key
gpg --import filename
Before sending an encrypted mail to someone, your need his/her public key.
You can retreive the key from wherever your want: website, somewhere else, or a public key server.
For example, from a public key server:
- Go to http://pgp.mit.edu and enter the name, email or KeyID of the person in the "Extract a key" form.
- Click "Do the search !". The corresponding key list should appear.
- Choose the key your are interested in. It will show up on screen
("-----BEGIN PGP PUBLIC KEY BLOCK-----
" followed by a gibberish).
- Right-click on the WinPT tray icon > "Current Window" > "Decrypt/Verify".
- A "Key Import" windows appears, showing the key about to be imported. Click the key to select it and click "Import".
- A summary of imported key appears ("Key Import Statistics"), click "OK".
You can see the newly imported key in your "Key Manager".
Check the key
gpg --fingerprint KeyID
gpg --fingerprint name
How can you be sure you got the right key ?
- Open the "Key Manager", right-click the key you just imported > "Properties".
- You will see the "Fingerprint", a long string like "F379 08E9 CBA0 41F1 B205 5C1D 58C2 36EE B1F5 D937".
- Contact the key owner to ensure your fingerprint matches his (ideally by metting the person face to face, otherwise by phone or other indirect means.).
Once you are sure of the authenticity of the key, sign it.
Sign the key
gpg --sign-key KeyID
gpg --sign-key name
- Open the "Key Manager", right-click the key you just imported > "Sign".
- Passphrase: Enter the passphrase used to protect your secret key. Click "OK".
- A window appears ("Choose Signature Class"):
- Choose (1) if you could not check the key.
- Choose (2) if you checked the key by phone, internet or other indirect means.
- Choose (3) if you checked the key by meeting the person face to face (and checked his/her ID if possible).
- Click "OK".
- The message "Key successfully signed" will show up. Click "OK".
The key is signed, you can now use it.
Sign and encrypt a message
gpg -sea -r KeyID
gpg -sea -r name
By encrypting the message, only the recipient will be able to read it.
By signing the message, the recipient will be able to ensure you are the real originator of the message.
Imagine you are in a windows where you entered your message (browser, email program, text editor...):
- Right-click on WinPT tray icon > "Current Window" > "Sign & Encrypt"
- A window appear: Choose one or more recipients (Only those recipients will be able to decrypt the message).
- Click "OK".
- Enter the passphrase which protects your secret key.
- Click "OK".
This is it !
The encrypted message in pasted in the current windows ("-----BEGIN PGP MESSAGE-----
"...).
This looks like gibberish, that's ok.
You just have to send the message.
Sign a message
gpg --clearsign -a -r KeyID
gpg --clearsign -a -r name
If you sign a message without encrypting it, everyone will be able to read it and make sure you are the real originator of the message.
Imagine you are in a windows where you entered your message (browser, email program, text editor...):
- Right-click on WinPT tray icon > "Current Window" > "Sign"
- Enter the passphrase which protects your secret key.
- Click "OK".
Et voilà !
The message is signed:
-----BEGIN PGP SIGNED MESSAGE-----
your message
-----BEGIN PGP SIGNATURE-----
a small block of gibberish
-----END PGP SIGNATURE-----
Don't change a single character in this message ! This would invalidate the signature.
If you want to change the message, remove everything that is not your message (the special lines), change your message and sign it again.
Then you just have to send the message.
Decrypt a message and/or check its signature
gpg
If you are the addressee of a message, you will be able to decrypt it.
If the message is signed and you have the corresponding public key of the person, you will be able to check that the message really comes from this person.
Imagine you are in a windows where the message you received is displayed (browser, email program, text editor...):
- Right-click on WinPT tray icon > "Current Window" > "Decrypt/Verify"
- If the encrypted message is addressed to you, you will have to enter the passphrase which protects your secret key. Click "OK".
- A window opens showing who signed this message and if the signature is good.
If you see "The signature is good", it means the message really comes from that person.
-
Otherwise, nothing proves the message is authentic. The message may have been be forged or tampered.
- If the message was encrypted, it should appear decrypted on screen.
(If the message was encrypted and did no decrypt, it should be in the clipboard: Just paste the message in Notepad.)
Conclusion
Now you know the basic operations of WinPT/gpg.
You have all you need to securely communicate with anyone, and ensure of the identity of the authors of messages.
This document is located at http://sebsauvage.net/winpt_en.html
This document is public domain.
Last update: 30 mai 2004.
Author: Sébastien SAUVAGE (sebsauvage at sebsauvage dot net)
|
--fin de document--