Windows updates to enable PGP signature email/file encryption

I don't want to forget this, so here goes.

To enable use of PGP encryption on windows for Free, the following route will work.

1. Install the OpenPGP for windows. The One I used is

gpg4win-2.0.4.exe

Right click that, "run as administrator".

After the install starts, choose only the options for "Kleopatra" and the GPG-Ex linkage for the file manager. Don't choose the other graphical interfaces to PGP/GPG, and do not use the Outlook linkages if you are on a 64 bit system. They don't work in 64 bit systems.

Make sure to choose "create desktop item", kleopatra will show in desktop.

2. For new enigmail, it will be needed to update Thunderbird.

That's easy install, just download

Thunderbird Setup 3.1.6.exe

and right click, "run as administrator".

I've tested that on several systems, it will "upgrade" an old Thunderbird or install new. All Good.

3. Get the Enigmail PGP encryption extension for Thunderbird.

Currently, that is

enigmail-1.1.2-tb-win.xpi

Here's the magic recipe to install this for ALL USERS on the system. Don't let the install start just for your one user, that's a waste of effort.

Copy the enigmail.xpi file into the extensions folder of the Thunderbird installation. You have to be administrator to write in there, for me it is

C:\Program Files (x86)\Mozilla Thunderbird\extensions

After you paste that xpi file there, then run Thunderbird AS ADMINISTRATOR. We are trying to install the extension so it applies to all logins, and only the administrator has that power. If you don't do it as administrator, then you are killing the whole process.

Thunderbird will start and say "can we install stuff", you say OK

Then it notices the new xpi enigmail file, and it asks if we install it. Click "install".

Problem solved!

Close thunderbird so you won't be running as administator anymore.

Now, how do individual users interact with this hassle.

First, each user has to have a "private/public" key pair. The GPG system tries to remind you to do that the first time you log in. After you have a key pair, you can install the exact same key pair on all your systems, so that you never regenerate a key pair, unless you really need one.

There are many ways to start that, here's one that works.

Start Thunderbird

There should be a new menu, "Open PGP". In there, I see an option "Manage keys". On a "clean" system, I choose that, and a menu pops up and asks if I want to get started with PGP encryption. I say OK!

I choose not to encrypt all email, allowing myself to decide later. You can do what you want.

I allowed Enigmail to set PGP settings to work best with Thunderbird. I honestly have no idea what that does, We'll see.

Then we come to "Create Key". There is a passphrase where you have to type in some long thing YOU CAN REMEMBER AND TYPE AGAIN, exactly. do that.

It asks if I want a "revocation key" created. I say OK, it suggests a file name, I added "revocationkey" on the front. That is a text file. Then it asks for my passphrase again. That gives the revocation generator access to my private key, so it can put my thumbprint in there. (Every time you use your key, you'll have to give the magic words).

I think that is all.

There is one confusing thing I have not solved. After you create the key pair in thunderbird, then a PGP key manager pops up, it appears to come from Enigmail or Thunderbird.

I do not know how that competes or conflicts or works in cooperation with kleopatra, the recommended key manager that comes with Gnu GPG. For what it is worth, to inspect keys and encrypt/decrypt files, I've been running kleopatra, it seems to work OK. But the key manager from Enigma might be good too.

I'm guessing that a half-assed key manager program must be pretty easy to write, that is why there are so many competing things floating around. Getting one that actually works right, all/most of the time, appears to be more difficult. I don't seem much difference between Kleopatra (from Gnu OpenGPG) and the "Key Manager" think in Enigmail, both seem to interact with same key database.

Let me know what happens!

Now, here's part I'm still trying to figure out. Where does Win7 (by default) store the key pairs and how can I copy the private part from one system to another. If somebody steals my private key, disaster awaits, so I certainly should not email it. So I'll transfer on USB stick.

But where is it? In my Linux system, the keys can get dumped in either of two places. I usually use PGP encryption with ssh logins, so it appears most of my keys are in my HOME dir, under ~/.ssh. However, it appears I also have a folder where gnu keys might go, ~/.gnupg/private-keys-v1.d.

Anyway, the public part is easy to spot, in my .ssh dir, for example, the one I use to sign software is called "Paul Johnson- Binary Package Signing Key". If I go into the key manager and find that one, then "export key", it outputs a file that has the public part of the key. This is the part I put on websites or give to other people so they can grant me permission to open a file. If somebody encrypts an email with my public key, then only I can open the email. That is a text file, nothing too mysterious:

PaulJohnson-BinaryPackageSigningKey.asc

That looks like this:
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1.4.9 (GNU/Linux)

lQHhBEhNkwERBACE2SLAKLs/8IpysCSIlXuibEeOhg0nXXJbyPD/mgTSwvQan1rA
NBcaWc4j0QfTY7q4iWoCVouzUTcZuNFGrNUk18+0YFqpKa5L2XeFVBiQFPp57cKY
DTAynfbmNU2IMdJEzcZ/pu3q2ufaKyFz7zsDX7Rj/G0SFpZJziGkbcHpTwCgwYno
U/tvN8gJ1IqLb95GXi6Ti9kD/0wJHo0n6XexwzXXXqNDEv2BuR2qnZV/pjqmJc/5
6Ub4/A3bjbSaxC0zeJlzqc9gkXHKwi1nkivf9l9jG5m5nWZ11LXlJBiHyf4wCfYu
7Qavoui7yH3EhFOvOK87XmXxcebzgJMeAVxyLkkc183gwHdsstaTDvZxiGkHIoWc
GRG+A/435tw/wMpCga6aEPuulD/wEKXkgWCQoJTaR/mNe8+RvwtoRtbiZ8ipQ+KB
D1HFikzPRURZhaA6Yn25Eavcn5yI2tCET3/anlXoryiZEfDHojTMCZJlNrM7VtDs
+LoyG2WD4X19ZqYh9Y4SlF0B3ZYmFv/quBYNblZ5E/5pPQ3Tov4DAwJnfPg8L38L
6GATkZBtPFDVplC1om08tiIDrOoND33ZEOshoM+1FeG0pnTOtZWFzjcYpQ+LZhIQ
oSZ5DLRGUGF1bCBKb2huc29uIChCaW5hcnkgUGFja2FnZSBTaWduaW5nIEtleSkg
PHBhdWxqb2huMzJAZnJlZWZhY3VsdHkub3JnPohgBBMRAgAgBQJITZMBAhsDBgsJ
CAcDAgQVAggDBBYCAwECHgECF4AACgkQsvPbE97pDMuHngCfZX5PT0eEmNT7CyBs
NZxb5tX7qQMAniTitNkREAHGp+nzfiuzMwjADTPqnQJjBEhNkwUQCACp7pE6pFWS
X7nLInGVGPZ5acMT1BKGPnG/HHUueDr8Q4FfvqSwH0ST4FqEo+vkvK0AHgD4d/rs
Wqr2vII+K9f7jxyMzqw9Nr6ivYBFlmH8c9krmFlRLDMq+pWzrnSgBswKUz7o3tl3
Q0rX3x1FKlUZnhOdiNy7hX20kc5A398fLGAYng5Do54ARc7UeWqZV1gva0heEpsH
eKh5S0JPCNMZ/nXbVbZI+3p9wt8dRrHvpamiWh1JZOkoJESLs02hUYDFKLl5L2eF
T/GOseo1jeUEaDkhVVH22wXLUi0mlkauretpFk5l+KFB+ebnkGpIWDxH9ZBQUEVA
Q0BPXJpkWzenAAMFB/9neImJThJjer7wq+bdck7RZfkhxQccJzG1n9ZxsbVSApgg
2bNOj6fTfNK4witU4YdVubzW3pVa2JgnMRmz6whqrMhfp++MW/Q7OktREkDUw/pK
vTgK6B9gTpbsWjF5HmcViAqSiV4FdwzAZzBd/SUiu68oIRJ2rY+na8XlC5ao5/qE
yUweZA/bqWUFQaAoungNpTzLKSAf1viD5yq3W9KKZnEumK2gwxY0iszcgLCGB56U
9ok5OWKDjte5exVCC3Vaz/wDtahclZDOzhmhMn6eAQNzhXAOB9y+fj3e9fFf+TZh
/BjFOGq1HylB2fdFBwf8jBccOsV0nKJsxnVJDGNH/gMDAmd8+DwvfwvoYMLjStvh
9TooSmEcV4/dWMFd0zDgLC+F2qhMd/h8cbcAGFjfLv0rmnCmyREUPZ5TCWUjtUwr
Y+XhkxCTiBZ2MF+vNRH1f6glTKCISQQYEQIACQUCSE2TBQIbDAAKCRCy89sT3ukM
yxCeAKCDN8IWHkdJPgbZ59nj05mkmGMNHACgrYvi4Oj7sghlw6wIYMe9kKVJ2Do=
=QDOg
-----END PGP PRIVATE KEY BLOCK-----

To export the private key, I had a bit more trouble. No two systems use the same terminology. In Seahorse on Linux, the option to hunt for is "export complete key". One can also type a command,

$ gpg --export-secret-keys > secret.keys

That exports secret keys to a file. This can be backed up and re-imported later.

The private keys will look like this.

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1.4.10 (GNU/Linux)

lQHhBEhNkwERBACE2SLAKLs/8IpysCSIlXuibEeOhg0nXXJbyPD/mgTSwvQan1rA

[Snip! You thought I'd give you my private key? Ha.]
yxCeAKCDN8IWHkdJPgbZ59nj05mkmGMNHACgrYvi4Oj7sghlw6wIYMe9kKVJ2Do=
=QDOg
-----END PGP PRIVATE KEY BLOCK-----

It appears to me some extra research will be necessary. The Enigmail Key manager has options to email the public part, that seems to be a good way to send it to people. It also has a way to copy the public key to Clipboard and export keys to a file, and it asks if you mean to include the private part. I think if you transfer that file via usb and import with key manager, all will be well.

But, then again, there's only so much I can do to guess what problems Windows users will find.

pj
Kleopatra has "Export Secret Certificate"

About pauljohn

Paul E. Johnson is a Professor of Political Science at the University of Kansas. He is an avid Linux User, an adequate system administrator and C programmer, and humility is one of his greatest strengths.
This entry was posted in Windoze. Bookmark the permalink.