Howto: Encrypt and digitally sign mails with Thunderbird and GPG
Encrypt and digitally sign your mails with GPG, Thunderbird and Enigmail on Ubuntu 8.04.
If you don’t know what GPG is, read the introduction of the GPG mini Howto; it won’t take long.
Install Thunderbird and Enigmail, start Thunderbird and create or add an email address.
For the following operations, navigate to: OpenPGP -> Key Management
Generate a keypair with: Generate -> New Key Pair
Choose your email address, type in a strong password, set other options if wished and click on ‘Generate Key’ when you’re finished.
Create the revocation certificate and store it on a safe medium away from the digital world. You can use this certificate to revoke your GPG key if it gets compromised.
These are the minimal preparations for GPG.
Now you need the public key of the person you would like to email.
This, for example, is my public GPG key in ASCII; save the file or copy the whole block to your clipboard.
File -> Import Keys from File
Edit -> Import Keys from Clipboard
Now you’re ready to send encrypted or signed mails to the person whose public key you added before.
When you write a mail, you can sign and/or encrypt the message via the ‘OpenPGP’ button.
Furthermore, you can send your public GPG key by mail, so others can write you encrypted or signed mails.
File -> Send Public Key by Email
Or publish it on your blog/website and make it accessible.
File -> Export Keys to File
And now you’re ready to receive encrypted or signed mails sent to you by other persons.
The main functions should work now.
But wait, there’s more.
You can share your public key on a keyserver, like http://subkeys.pgp.net or http://keyserver.ubuntu.com
Select a key and then go to: Keyserver -> Upload Public Keys
You can search the keyservers over HTTP by accessing them on port 11371, e.g. http://keyserver.ubuntu.com:11371
Well then, but there’s a little problem with this key system.
You don’t know whether the public key really belongs to the person it claims to belong to.
Someone could just spread a public key with a fake identity and abuse the system.
The solution is called ‘signing’.
You can sign someone’s public key to prove to others that he’s really the person behind the key.
There are some guidelines for signing a public key (from the official Ubuntu Documentation):
- Search for a person with GPG in your region (Biglumber can help).
- Keysigning is always done after meeting in person.
- During this meeting you hand each other your OpenPGP key fingerprint and at least one government-issued ID with a photograph.
- Install the ‘signing-party’ package to get the fingerprint easily printed on paper. Start your printer and type in a terminal:
$ gpg-key2ps youremail@address.com | lpr
- You check whether the name on the key corresponds to the name on the ID and whether the person in front of you is indeed who he says he is.
- There are two ways for signing the public key of the other person.
For both ways it is recommended to upload both keys to a keyserver (caff uses subkeys.pgp.net by default; read the manpage and change that in .caffrc if wished).
1. The Ubuntu Documentation Way (more work, but very secure): Having done these two checks, you only need to check whether this person is in control of the private key. You do this by sending him/her back his/her signed public key, encrypted with his/her public key, so only the holder of the matching private key can read the signature. The caff program makes this part very easy. It is included in ‘signing-party’, but requires a Mail Transfer Agent (MTA), like sendmail, exim, postfix, fetchmail etc.; if none is on the system yet, install one of them and set it up so you can send mail through it.
You need to create a file named .caffrc in your home directory (only once) with the following content:
$CONFIG{owner} = q{Your full name here};
$CONFIG{email} = q{The email address used in your key here};
$CONFIG{keyid} = [ qw{last 16 characters of your key fingerprint here} ];
Then run (type ‘quit’ if you get to the ‘Command>’ prompt):
$ caff key_id_of_other_persons_key
When you receive signed keys from others, they arrive as attachments; save these attachments and import them with Enigmail. You can then send this signature to the keyservers so other people can know about it.
To finish up, you must upload the signed public key to the keyserver, so your signing partner can get his signed key from the keyserver.
2. The Enigmail Way (easy and fast): This way requires that you get the public key of your signing partner: let him mail it to you, or get it from a keyserver with Keyserver -> Search for Keys, type in his Key ID (including the 0x at the beginning) and import it. Select the public key, then: Edit -> Sign Key, choose your selections and click on OK.
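The two checks above (the fingerprint on the paper slip against the key, and the key id that goes into .caffrc) are done by hand in the howto. As an added example, not code from the original post nor from Enigmail or caff, the script below automates the checking side: it parses the machine-readable index (the ‘options=mr’ format) that an HKP keyserver such as keyserver.ubuntu.com:11371 returns for a key id search, compares the fingerprint it reports with the one handed over in person, refuses revoked, disabled or expired keys, confirms that a user id carries the claimed address, and derives the 16-character key id caff needs. The index responses in the block are constructed samples with a made-up fingerprint; the field layout is assumed from the HKP draft specification.

```python
"""Check a keyserver index record against the fingerprint exchanged in person.

Added example for this howto, not part of the original post, Enigmail or caff.
It parses the machine-readable ('options=mr') index that an HKP server such as
keyserver.ubuntu.com:11371 returns for
/pks/lookup?op=index&options=mr&search=0x<keyid> and checks the key's
fingerprint, status flags and user id against what the signing partner handed
over on paper. The responses below are constructed samples, not real keys.
"""
import hmac
import re
import urllib.parse
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample responses. Assumed field layout (HKP draft):
#   pub:<fingerprint or key id>:<algo>:<keylen>:<created>:<expires>:<flags>
#   uid:<percent-encoded user id>:<created>:<expires>:<flags>
# flags: r = revoked, d = disabled, e = expired; dates are seconds since the epoch.
SAMPLE_INDEX = (
    "info:1:1\n"
    "pub:0123456789ABCDEF0123456789ABCDEF01234567:1:4096:1217000000::\n"
    "uid:Alice Example %3Calice%40example.org%3E:1217000000::\n"
)
# Same key, but flagged as revoked by the server.
SAMPLE_INDEX_REVOKED = SAMPLE_INDEX.replace("::\n", "::r\n")


@dataclass
class KeyRecord:
    fingerprint: str          # 40 hex digits, or a shorter key id on old servers
    algo: int
    keylen: int
    created: int
    expires: Optional[int]
    flags: str
    uids: List[str] = field(default_factory=list)


def normalize_fingerprint(text: str) -> str:
    """Strip the spaces gpg and gpg-key2ps print between groups, drop a 0x
    prefix and require 40 hex digits (a v4 fingerprint)."""
    fpr = re.sub(r"\s+", "", text).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError(f"not a 40-hex-digit fingerprint: {text!r}")
    return fpr


def long_key_id(fingerprint: str) -> str:
    """The 16-character (64-bit) key id is the tail of the fingerprint; this is
    the value caff expects in $CONFIG{keyid}."""
    return normalize_fingerprint(fingerprint)[-16:]


def parse_hkp_index(body: str) -> List[KeyRecord]:
    """Turn the colon-separated index lines into KeyRecord objects."""
    records: List[KeyRecord] = []
    for line in body.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) >= 7:
            _, keyid, algo, keylen, created, expires, flags = fields[:7]
            records.append(KeyRecord(
                fingerprint=keyid.upper(),
                algo=int(algo or 0),
                keylen=int(keylen or 0),
                created=int(created or 0),
                expires=int(expires) if expires else None,
                flags=flags,
            ))
        elif fields[0] == "uid" and records and len(fields) >= 2:
            # user ids are percent-encoded so that ':' cannot break the record
            records[-1].uids.append(urllib.parse.unquote(fields[1]))
    return records


def verify_against_slip(body: str, slip_fingerprint: str, expected_email: str,
                        now: int) -> Tuple[bool, str]:
    """True only if a key in the index carries exactly the fingerprint from the
    paper slip, is not revoked, disabled or expired, and has a user id with the
    address the partner claims. Anything else is a reason not to sign."""
    want = normalize_fingerprint(slip_fingerprint)
    for rec in parse_hkp_index(body):
        if len(rec.fingerprint) != 40:
            # Older servers return only a key id, which is not enough to
            # identify a key: fetch it and run 'gpg --fingerprint' instead.
            if want.endswith(rec.fingerprint):
                return False, "server returned a key id, not a fingerprint"
            continue
        if not hmac.compare_digest(rec.fingerprint, want):
            continue
        if "r" in rec.flags:
            return False, "key is revoked"
        if "d" in rec.flags:
            return False, "key is disabled"
        if "e" in rec.flags or (rec.expires is not None and rec.expires <= now):
            return False, "key is expired"
        tag = f"<{expected_email.lower()}>"
        if not any(tag in uid.lower() for uid in rec.uids):
            return False, f"no user id with address {expected_email}"
        return True, "fingerprint, status and user id match the slip"
    return False, "no key on the server matches the fingerprint on the slip"


if __name__ == "__main__":
    slip = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"  # constructed
    print(long_key_id(slip))
    print(verify_against_slip(SAMPLE_INDEX, slip, "alice@example.org", now=1300000000))
    print(verify_against_slip(SAMPLE_INDEX_REVOKED, slip, "alice@example.org", now=1300000000))
```

The comparison is done on the full 40-digit fingerprint, never on the key id alone, because two different keys can share a short key id; the key id is only derived afterwards for the .caffrc entry. A key that the server flags as revoked or expired is rejected even when the fingerprint matches, which is the same decision you would make when reading the keyserver page by hand.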
This is called building a ‘Web of Trust’.
Look out for ‘Keysigning Parties’ in your region to increase your Web of Trust.
If you would like to graphically display your Web of Trust, try sig2dot.
Enjoy GPG!
#1 — Pingback by Bookmarks about Gpg — 20 August 2008 - 17:00
[...] – bookmarked by 1 members originally found by shulin5747 on 2008-08-02 Howto: Encrypt and digitally sign mails with Thunderbird and GPG http://wag-net.ch/?p=4 – bookmarked by 1 members originally found by SirMcLois on 2008-07-24 How [...]
#2 — Pingback by s.l.u.g. » Blog Archive » Keysigning party under the bridge - Wednesday May 6th — 27 April 2009 - 11:27
[...] is not as complicated as it sounds, check out this howto for making your own gpg key in case you don’t have one yet, this video tutorial for using [...]
#3 — Comment by schmutzfangmatte — 22 October 2009 - 14:13
Have my own blog and always check on others to see if I can improve mine, I saw some things on your blog that do help me.