
Using GnuPG encryption tools with Gpg4win

Last month, I wrote about using GnuPG on Unix and Linux systems. You can get OpenPGP functionality on your Microsoft Windows system with GnuPG as well, and I aim to explain how.

There are several ways to get GnuPG for MS Windows. Among them are GnuPG, a graphical installer for a command-line GnuPG binary compiled for MS Windows, and Gpg4win, a modular multi-function GnuPG software suite. This article addresses getting the functionality of GnuPG on an MS Windows system by way of Gpg4win.

What's In Gpg4win

Gpg4win is not just a basic GnuPG package. It is a suite of tools that can make your life somewhat easier while using GnuPG in a Microsoft Windows environment. Among the tools included in Gpg4win are:

  • GnuPG: This is the GnuPG encryption tool itself, an implementation of the OpenPGP standard that provides the same functionality as the commercial PGP application. It also supports S/MIME encryption, if you choose to install version 2 of GnuPG.
  • WinPT: This is a key management application for use with GnuPG and other encryption systems.
  • GPA: This is another key manager, specifically for GnuPG.
  • GPGol: This is a Microsoft Outlook 2003 email encryption plugin for GnuPG.
  • GPGee: This is a Microsoft Explorer file encryption plugin for GnuPG.
  • Claws Mail: This is an email client application designed specifically for integration with GnuPG for encryption.
  • Documentation: This is documentation for the Gpg4win suite, in both English and German.

Installing Gpg4win

To install Gpg4win on Microsoft Windows, you should have administrative rights for the system. You can download the installer by going to the download page and clicking on the gpg4win-n.n.n.exe file (where each n stands for a number) that matches the latest stable version of Gpg4win, indicated at the top of the Gpg4win main webpage.

When you run the installer and accept the license agreement (the GNU General Public License, one of the most-used open source software licenses), you will be given the opportunity to customize your installation by selecting or deselecting components. The defaults should be sufficient, though you may want to deselect the Outlook plugin and -- if you cannot read German -- the German language manuals. Select or deselect other components as required, if you have specific preferences or needs. The install should require only about 25 MB or less of hard disk space.

Using the Gpg4win Suite

After installation, you will need to make use of the tools Gpg4win provides. Basic setup is explained in exhaustive detail in the Gpg4win for Novices manual, a lengthy PDF file. In addition to the documentation, Gpg4win also helps you prepare your GnuPG encryption tools with special practice software that allows you to simulate use of the tools to be sure you have the hang of things before using them for "real-world" purposes. Once you have GnuPG working on your MS Windows system, don't forget to check out my list of 10 tips for effective use of OpenPGP with GnuPG.

The tools included in the Gpg4win suite can be used to encrypt files on your system's hard drive or on other storage media, to encrypt emails sent to others and decrypt emails sent to you, and to sign your emails so that recipients will know they have not been forged by someone else.
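The file encryption and signing described above can also be driven from the command-line gpg.exe that Gpg4win installs. The following is an added example, not code from the original article; it assumes a current Gpg4win (GnuPG 2.2 or later) with gpg.exe and gpgconf.exe on PATH, and the user ID, passphrase and file names are constructed for the demo.

```powershell
# Added example: encrypt, decrypt, sign and verify a file with gpg.exe.
# Assumes GnuPG 2.2+ on PATH. All names and values below are constructed.
$addr = 'demo@example.invalid'
$uid  = "Demo User <$addr>"

# Use a throwaway keyring so the demo never touches your real keys.
$work = Join-Path $env:TEMP ('gpgdemo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$env:GNUPGHOME = $work
$plain = Join-Path $work 'report.txt'
Set-Content -Path $plain -Value 'constructed sample data'

# Run gpg non-interactively; return $true when it exits with status 0.
# A passphrase on the command line is acceptable only for this throwaway key.
function Invoke-Gpg {
    & gpg.exe --batch --yes --pinentry-mode loopback --passphrase 'demo-only' @args | Out-Host
    return ($LASTEXITCODE -eq 0)
}
function Assert-Step([string]$what, [bool]$ok) { if (-not $ok) { throw "$what failed" } }

try {
    Assert-Step 'key generation' (Invoke-Gpg --quick-generate-key $uid)

    # Encrypt to the recipient's public key, then decrypt with the private key.
    Assert-Step 'encrypt' (Invoke-Gpg --output "$plain.gpg" --encrypt --recipient $addr $plain)
    Assert-Step 'decrypt' (Invoke-Gpg --output "$plain.out" --decrypt "$plain.gpg")
    Assert-Step 'round trip' ((Get-FileHash $plain).Hash -eq (Get-FileHash "$plain.out").Hash)

    # Detached signature: the file stays readable, the .asc shows who signed it.
    Assert-Step 'sign' (Invoke-Gpg --armor --output "$plain.asc" --detach-sign $plain)
    Assert-Step 'verify' (Invoke-Gpg --verify "$plain.asc" $plain)

    # Any change to the signed file must make verification fail.
    Add-Content -Path $plain -Value 'tampered'
    Assert-Step 'tamper detection' (-not (Invoke-Gpg --verify "$plain.asc" $plain))

    'Encrypt/decrypt round trip and signature checks behaved as expected.'
}
finally {
    & gpgconf.exe --kill gpg-agent   # stop the agent started for the throwaway keyring
    Remove-Item -Recurse -Force $work
    Remove-Item Env:GNUPGHOME
}
```

With a real keyring you would drop the throwaway GNUPGHOME and the command-line passphrase and let the pinentry dialog prompt for it instead.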

Securing your data and your communications with others, as well as maintaining the integrity of your identity -- the purposes for which the OpenPGP standard was developed -- is extremely important. In a perfect world, doing so would be second nature. Because this is not a perfect world, it is not generally second nature, but Gpg4win exists to make it easier than it might otherwise be.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

18 comments
apotheon

The article Using GnuPG encryption tools with Gpg4win discusses the Gpg4win suite of tools for Microsoft's flagship operating system. Do you use other GnuPG installation tools for MS Windows? If so -- did you choose them over Gpg4win because you prefer them, or because you didn't know about Gpg4win? What do you use for file and email encryption and email signing, and why?

techrepublic@

My email client secure setup of choice is Thunderbird + EnigMail + GnuPG + GPG-agent. With the exception of typing a password once per session everything else is automated. Unfortunately, trying to get people to use secure email is a struggle. Most people think, wrongly, that email is a private communication medium.

Michael Kassner

I have tried and worked with every variation of encryption with a friend of mine. To qualify that I am fortunate as he is working toward his doctorate in cryptology (yes there is a degree). Having this ability at this time and point is unrealistic unless both parties to the email transfer are willing to set up the encryption process. In most cases that is like pulling teeth. I was curious to learn if there are any enterprise situations where email encryption is required? Then do they force the receiver to set up encryption on their email client?

$$$$$$$$$$

"In most cases that is like pulling teeth." Technically, the requirements are trivial. My second programming class included an encryption scheme over about 1.5 pages of code, printed. Many prominent apps don't have an icon for encryption, but that's a far cry from "not feasible."

doug

One of the big insurance companies was sued because it sent claim numbers and other PI over unsecured email. The problem is, of course, a large corporation isn't going to be able to use a product like GnuPG. If they're being sued they're not going to be wanting to tell the judge that they use an open source product. For a while this insurance company was using a third party vendor which secured the email and had software that could be installed on the mail server.

apotheon

Are you sure it's a degree in cryptology, and not in cryptography? I'm aware there are degrees in both fields, but cryptography is by far the most common, as far as I'm aware. A cryptology degree would essentially be the combination of studies about cryptography (which addresses technologies, techniques, and theories of "hidden" communication) with studies about cryptanalysis (cracking encryption, basically). If he's into cryptology, I tend to guess he might be aiming for either a government job or an academic career (which in many cases is sort of a government job in some respects), in the long run.

apotheon

If you want secure email communication, you need encryption. If you are sharing sensitive information, you need secure email communication. Your options are:

1. use encryption
2. don't say anything private in email
3. do the electronic equivalent of taking out a full-page ad in the local paper explaining where the key to your front door is hidden in a flower pot outside, where the most valuable items are in the house, and how long you'll be away from home on vacation

It's up to you to decide which option you like best. If someone wants to discuss what school your kids go to, passwords, bank account information, social security numbers, home addresses, and other sensitive data over email, my advice is to give two options:

1. discuss it only in person
2. use encryption

The fact someone is too lazy to apply a little security awareness is no excuse for exposing yourself to the potentially disastrous consequences of poor security practice.

"I was curious to learn if there are any enterprise situations where email encryption is required? Then do they force the receiver to set up encryption on their email client?"

There are many such situations -- and the corporations in question tend to have very strict policies about either using encryption or not discussing sensitive matters via email at all. Many others, sadly, do not address the matter that well -- and as a result, a lot of problems can arise. If you're sending trade secrets through unencrypted email, you might as well just post them on every vertical surface within a mile of your offices like fliers offering a reward for finding a lost dog.

edit: forgot a word

Neon Samurai

It seems he would prefer to be called into court and be able to point a finger at a scapegoat rather than be responsible for his own technology. "Your Honor, we were going to pick this OSS program proven to be secure but we never wanted to be called before you having to admit to running FOSS.. wow.. talk about a funny turn huh judge.." :) Some days it's so hard to find people that think it's better to not have the security issue in the first place rather than have someone to point fingers at after you choose a poor solution and have issues. The irony being that those preferred brand names include "it's not our fault if it sucks for you" clauses in every legal document they can throw at you. Ah well.. I amuse me greatly today anyhow ;) but maybe he meant something other than feeling legally shamed if he were ever caught running open source software.

apotheon

"The problem is, of course, a large corporation isn't going to be able to use a product like GnuPG. If they're being sued they're not going to be wanting to tell the judge that they use an open source product." I'm afraid that doesn't make sense. You must have left something out. What are you trying to say?

Michael Kassner

Whew it has been a tough day for me. Making all sorts of mistakes. My friend definitely let me know that I was in error as well.

shardeth-15902278

Lotus has had very easy to use encryption in Notes ages ago. Well, easy for anyone using Notes within the same corporate umbrella anyway. It seems to me that for it to succeed, every email client (or at least the very popular ones) needs to support an open standards-based encryption Framework(?). One which can "hide" much of the detail as to encryption method selection etc... from the average user?

apotheon

I might actually flesh out what I said in my "I agree, sadly," comment to include some analysis and advice, thus creating an article for the near future. Damn. My "Mail Client + GnuPG on MS Windows" article keeps getting pushed back further. I'll get to it eventually.

Michael Kassner

I look forward to your posts on this as well as any security subject.

apotheon

"until it is automatic, ubiquitous, and simple to implement, email encryption will not happen on a wide scale."

Claws Mail (the mail client that comes with Gpg4win) is a step in the right direction in terms of making mail encryption a little easier and a little more automatic, but there's still some distance to go. Much of the problem, of course, is in the fact that Microsoft still tends to lead the way on determining what the majority of end users do, because most end users just take whatever is on the computer when it ends up in their hands without questioning it -- and Microsoft is not nearly as concerned with security as its executives and marketing personnel would have us all think. The key toward that end, though, is (at this time) mostly to just:

1. Increase the number of technically astute people who consider it important to use email encryption, thus increasing the ubiquity.
2. Work on lowering the bar for necessary technical knowledge to make use of encryption.

Number 1 actually helps Number 2 in a couple of ways:

A. The more people there are that make use of encryption facilities, the more developers will respond to their desire for greater convenience, and the more opportunities there will be to innovate in the realm of encryption system convenience.
B. The more technically astute people there are using encryption, the more technically astute people there are who will get annoyed enough with some of the shortcomings in the convenience of encryption tools and join the efforts to innovate, themselves.

As for point B . . . I think I've just hit on a couple of very vague notions for how to improve the convenience of email encryption for end users. I'll try considering them enough to come up with some kind of cohesive, explainable ideas for what needs to be done, and either do it or try to get others to do so (possibly by talking about the ideas publicly as "what's needed", such as in this IT Security Weblog).

Michael Kassner

We are of the same mind to be sure. I am just aware of and frustrated by the fact that there are very few corporate entities that are demanding their email be encrypted. So it is not an argument about being more secure or not, but an observation that until it is automatic, ubiquitous, and simple to implement, email encryption will not happen on a wide scale.

apotheon

An encrypted attachment isn't bad. It should be just as secure, all else being equal. I just tend to like having the option of using my mail user agent's encryption facilities because it's easier than encrypting files separately and sending them as attachments.

Michael Kassner

I agree completely and try to change clients' minds, but just like most other security, email encryption is a real pain in the A** for them. For the most part what happens is that if it is that important it gets faxed or sent as an encrypted attachment.
