Another day has come, and so you get another way to encrypt your files. Many think that you must be a true geek in order to love encryption. I don’t believe that to be true at all. While you must be a hardcore geek to want to learn how the actual encryption algorithm works, encryption itself can be used by just about anyone who wants to keep their communication confidential. In past articles, I’ve gone over how you can securely trade emails using the OpenPGP encryption system with the Thunderbird email client and with Microsoft Outlook. Don’t care about emails? I’ve also gone over how you can use TrueCrypt to protect your data files and, in some cases, your entire computer. In this article, I’m going to go over yet another way to protect your data and how you can use it to trade secure files with other users as well. For this to work, we are going to once again use the awesome GnuPG encryption system to do the bulk of the work for us.
I admit that I had only really thought of using OpenPGP for email encryption. However, it can do much more, and that includes protecting the actual data on your computer. To share confidential files within a group, the only requirement is that every member has their own key pair. Anyone can create a public/private key pair and begin using the system. The other beauty of GnuPG (the software that implements the OpenPGP standard) is that it can be as open or as closed as you want. For example, you can publish your public key to a public key server for anyone to see, or be more protective about the whole process and only email your public key to your selected audience. With OpenPGP, you can trade secure files with a single friend living overseas or with dozens of other people. It doesn’t matter. Once you understand how public/private key pairs work (the public key is what you hand out; the private key never leaves your computer), you have pretty much all the knowledge needed to use the system.
Using GnuPG directly is fine for many advanced users. However, it is command line only and, well, you know how that goes for most users. What we need is a graphical front end that drives the GnuPG backbone for us. Luckily for us, there are dozens of these graphical utilities! One of the more popular ones for Windows is called Gpg4win. When you install Gpg4win, you install not only GnuPG itself but also a graphical utility called Kleopatra, which exposes the many commands GnuPG has to offer through buttons and mouse clicks instead of a command prompt. Let’s get started! You can download Gpg4win from here. Please download the full version and not the lite version. The lite version does not include Kleopatra, which is the graphical interface we use to interact with GnuPG. The installation is pretty much a Next, Next, Finish affair, so no real customization is necessary.
With Gpg4win installed, we are now ready to begin using the system. Here, I will assume that you do not have a key pair generated for yourself, so we will do that right now. First, open the Kleopatra utility from your start menu. Because you most likely don’t have any public or private keys on your system yet, the certificate area will be blank, as seen below:
To generate our own key pair, click on File –> New Certificate. You can also press Ctrl+N. Either will invoke the Certificate Creation Wizard. Select the first option, generating a personal OpenPGP key pair.
You will then be asked to fill in some personal information. This information becomes the user ID embedded in your certificate, and it is what your correspondents see when they look at your public key. Technically, you can fill in bogus information, but that’s not advisable unless you are running tests like I am here. Also remember that this whole process takes place on your computer only. No third-party service such as Google or Microsoft is involved at all!
To set a validity period for your certificate along with the key length, click on the Advanced Settings button. Generally, you don’t have to touch the default key settings. The one option worth thinking about is the validity period. Kleopatra’s default is no expiration date. An expiration date costs you little, because the key’s owner can extend it later, and it acts as a safety net: if you ever lose the private key or forget its pass-phrase without having a revocation certificate, an expired key at least stops people from encrypting to it forever. If you keep the default of no expiration, make a point of learning how certificate revocation works so that you can retire the key when you need to.
In the confirmation screen, make sure that everything is the way you want it. Once you are satisfied, go ahead and create the key pair. You will then be asked to create a pass-phrase that protects your private key on disk. You must never forget this pass-phrase: without it you cannot unlock the private key, so you cannot decrypt anything that was encrypted with your public key, and you cannot sign documents so that recipients can be sure the files came from you and no one else. To be more blunt, DO NOT FORGET YOUR PASS-PHRASE!
Once you’ve entered your pass-phrase twice, your key pair will be generated. Congratulations, you now have your own public/private key pair, which is unique to you and no one else in the world. Feel special yet? Having your own key pair is good, but now we need to put it to use. Before we do that, Kleopatra offers to create a backup of your key pair as a safety measure. I highly suggest you back it up, because once you lose your private key you’ve lost access to all your encrypted files and will have to generate a new pair. This might not be a problem if you were only trading secure files with one or two individuals, but if you have invested a lot in the system with dozens and dozens of other people, it becomes a real hassle. Therefore, make a backup and keep it in a secure location!
To make a backup, click on the “Make a Backup of Your Key Pair” option. This performs an “export” of your key pair, private key included, to a file that you can keep in a safe location offline. Emailing it to yourself is not recommended: the private key in that file is protected by nothing more than your pass-phrase. Select the ASCII Armor checkbox and then choose an output destination. Here, I just chose to make a copy on my desktop, and the file is called Backup.asc.
You might be wondering: can’t I just spoof a user by creating a key pair with bogus information? For example, can’t I just create a key pair with the name Bill Gates and an email address along the lines of BillGates@microsoft.com? Technically, you can. However, as I mentioned above, every key pair is unique. Each certificate has a unique fingerprint, computed from the key material itself, and a Key-ID that is simply the last eight (or sixteen) hex digits of that fingerprint. Don’t believe me? Try creating a bogus certificate with some information and take note of the fingerprint and Key-ID in Kleopatra. Now delete the key pair and recreate a new pair with the same information. You’ll notice that the identifiers are completely different. Therefore, if the real Bill Gates’s key has a fingerprint ending in 1234abcd, someone spoofing Bill Gates will hand you a public key with a different identifier. Do compare the full fingerprint and not just the eight-digit Key-ID, though: the short Key-ID is small enough that an attacker can deliberately generate a key whose Key-ID matches a target’s, whereas producing a different key with the same full fingerprint is not feasible. Once you have personally validated a friend’s public key in your key chain (done later in this tutorial), you can be sure that when Gpg4win later says a signature from that person can’t be completely validated, or spits out a warning, something is wrong.
Importing and Exporting Certificates
If you want others to be able to send you encrypted data, you must give them your public key. To do so, we first export our public key, and only our public key! We can then send this key to our recipients via email or through another method. The public key is just a single small file, so it is very easy to transfer. In Kleopatra, select your key pair and click on the Export Certificates button. You will then be prompted for a location on your computer to store the certificate. The file is named after the key’s fingerprint by default; you can give it a different name, but do keep the .asc file extension.
Once you give your public key to a friend, they can begin encrypting data for your eyes only. Similarly, they will give you their public key so that you can do the same for them. In this example, I will be importing a public key from a friend called Michael (yes, I love make-believe friends). Michael is also using the OpenPGP standard, and so he has generated his own key pair, just as we did. Michael exported his public key and sent it to me, and I’ve downloaded the key to my computer. I now need to import the key into my key chain. In Kleopatra, click on the Import Certificates button at the top, then browse to the public key file downloaded from the email. That’s it! The imported certificate will now show up in the Other Certificates tab. At the moment, though, Michael’s certificate is not yet trusted on my system. More on this later.
Once both parties have each other’s public key, the fun can then begin!
Want someone to test GnuPG with but can’t convince one of your friends to get on board? No problem. I can help you with this part. Here is my public key that you can save and import into your key chain (right-click and do a Save As). Simply create a text file with some text, encrypt it with my public key, attach the encrypted file along with your public key and send it to me via email at firstname.lastname@example.org. I will then decrypt it and relay back what was written in your text file. I will also encrypt a text file using your public key so that you can see everything in action.
Encrypting Data with Gpg4win
Since Michael has my public key, he can now send me encrypted documents for my eyes only. He’s created a folder called Secrets, and within it he has a couple of simple text documents.
To encrypt the folder, we simply right-click on the Secrets folder. Within the context menu, we select the “Sign and Encrypt” option.
The Kleopatra utility will appear once again, but this time it is not the key management interface you saw above. Here, we get to pick a couple of options. In the Archive Files drop-down box, I only have the single option of TAR PGP Compatible. By default, the encrypted file will be placed in the same location as the original file or folder; change that here if you want to. Below that, you can choose to both Sign and Encrypt the data, Encrypt only, or Sign only. Here Michael will do both: encryption keeps the contents from everyone but the chosen recipients, and the signature lets me check that the archive really came from him. At the bottom, you have the option of deleting the original unencrypted data after the encryption process. Be careful with it: if you select this option and do not add a key that you own as a recipient in the next step, the only copy of your data will be readable by the other recipients and not by you.
On the next screen, you get to choose who you want to be able to decrypt the files. Michael needs to send me the file, so he chooses my certificate from his key chain, clicks the Add button, and that’s it. Once again, if Michael does not also add his own certificate, he receives a warning stating that he will not be able to decrypt the result himself. This is not a problem as long as he chose not to delete the original data after encryption in the previous screen.
The next screen asks which certificate to use to sign the encrypted data. Since Michael is the sender, he uses his own certificate to sign.
Once selected, the encryption process will begin. When finished, you’ll be presented with the success screen.
I had a little error here in that the generated encrypted file did not show up in my C: directory, which is where the original Secrets folder was located. I had to move the folder out of the root C: drive before I saw the encrypted file.
We now have our encrypted file. Michael will now send me the Secrets.tar.gpg encrypted file.
GnuPG provides only the encryption mechanism. We still need to transport the file to the other party member(s). This can be via email, third-party file hosting sites or cloud storage such as Dropbox or Skydrive. Because the contents are encrypted to the recipients’ keys, whoever runs or snoops on that channel cannot read them. They can still see that a file was exchanged, its name and size, and who sent it to whom, so keep anything sensitive out of the file name.
Decryption with Gpg4win
Alright, so now I have the encrypted file sent by my buddy Michael on my desktop. To decrypt it, I just need to right-click on the file and select “Decrypt and Verify”. In the initial screen, you’ll be asked where you would want to unpack the files to. I chose the default location but unchecked the “Input file is an archive” box:
The decryption process will then proceed. It automatically uses my private key to decrypt the contents, but of course I first have to enter the correct pass-phrase to unlock that private key. Because the sender also signed the data, Kleopatra uses the sender’s public key to verify the signature. However, you’ll notice that we receive a warning that there is not enough information to check the signature. The signature itself is good; the warning appears because, although we imported Michael’s public key into our key chain, we never certified that this key really belongs to Michael, so GnuPG has no reason to trust it.
Although the decryption was successful, we should now certify Michael’s certificate so that we don’t see this warning again. Usually you would do this step when you first receive the public key, but for demonstration purposes I left it out so that you can see what happens. In Kleopatra, right-click Michael’s certificate and select Certify Certificate. In the resulting box, select the certificate and tick the checkbox to confirm that you can vouch that it indeed came from Michael. In the next screen, choose to certify only for yourself; this creates a local certification that stays in your own key chain rather than one you would publish. Once done, Michael’s certificate appears in my Trusted Certificates list.
To truly confirm that the certificate indeed came from Michael, I could simply have asked him to read me his key’s full fingerprint over the phone and compared it with the fingerprint Kleopatra shows for the imported certificate. He could also have quoted it in the initial email that carried his public key, but that is a weaker check, since anyone able to swap the attached key could edit the email too. Compare the whole 40-digit fingerprint rather than the short Key-ID: the Key-ID is only the tail end of the fingerprint, and an attacker can deliberately generate a key with a matching Key-ID, whereas nobody can produce a different key with the same full fingerprint. The fingerprint is not a secret, so it doesn’t matter if anyone else gets hold of it.
I should then not get any more warnings when I verify his signatures from now on.
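The spoofing experiment from earlier and the fingerprint check just described, as an added example that is not part of the original article or of Gpg4win: it uses the gpg command line that Gpg4win installs (the same commands work with gpg.exe from a Windows command prompt, minus chmod), generates the same “Bill Gates” user ID in two separate key rings, and shows that the fingerprints are unrelated while the Key-ID is nothing more than the last sixteen hex digits of the fingerprint. It then checks a received .asc file against a fingerprint read over the phone before importing it. The name, address, pass-phrase and file names are made up; gpg --show-keys needs GnuPG 2.2 or later.

```shell
#!/usr/bin/env bash
# Added example, not from the original article or from Gpg4win: two key rings each
# generate "Bill Gates <billgates@example.com>" (made-up identity, test-only pass-phrase).
set -eu

# keyids_for HOMEDIR: print "<fingerprint> <long key id>" for each primary key in the ring
keyids_for() {
  gpg --homedir "$1" --batch --with-colons --list-keys \
    | awk -F: '$1 == "pub" { kid = $5 }
               $1 == "fpr" && kid != "" { print $10, kid; kid = "" }'
}

# fingerprint_in_file HOMEDIR KEYFILE: fingerprint of a received .asc, read without importing it
fingerprint_in_file() {
  gpg --homedir "$1" --batch --with-colons --show-keys "$2" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_received_key HOMEDIR KEYFILE EXPECTED: succeed only if the full fingerprint inside
# KEYFILE equals the one the owner read to us over the phone (spaces and case ignored).
verify_received_key() {
  local expected
  expected=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
  [ "$(fingerprint_in_file "$1" "$2")" = "$expected" ]
}

# demo_spoof WORKDIR: the real owner and an impostor each create the same user ID and export it
demo_spoof() {
  local work="$1" who
  for who in real impostor; do
    mkdir -p "$work/$who" && chmod 700 "$work/$who"
    gpg --homedir "$work/$who" --batch --yes --pinentry-mode loopback --passphrase 'test-only' \
        --quick-generate-key 'Bill Gates <billgates@example.com>' default default never 2>/dev/null
    gpg --homedir "$work/$who" --batch --yes --armor --output "$work/$who.asc" \
        --export billgates@example.com
    gpgconf --homedir "$work/$who" --kill gpg-agent 2>/dev/null || true
  done
}

if command -v gpg >/dev/null 2>&1; then
  WORK=$(mktemp -d)
  demo_spoof "$WORK"
  echo "real:     $(keyids_for "$WORK/real")"       # fingerprint, then the Key-ID it ends with
  echo "impostor: $(keyids_for "$WORK/impostor")"   # same name and address, unrelated numbers
  echo "artefacts left in $WORK"
else
  echo "gpg not found; install GnuPG/Gpg4win first" >&2
fi
```

Kleopatra’s eight-digit Key-ID is the last eight characters of the fingerprint printed here, so two keys sharing it is a matter of brute force, while the full fingerprint is what verify_received_key compares.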
With the tar file decrypted, I can use a file extraction utility such as 7-zip to extract the Secrets folder and access the contents.
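The whole exchange Michael and I just walked through in Kleopatra, as an added example that is not part of the original article or of Gpg4win: key generation with a pass-phrase, the key pair backup, exporting and importing public keys, certifying a key “only for myself”, Sign and Encrypt on a folder, and Decrypt and Verify both before and after the sender’s key is certified. It is driven through the gpg command line that Gpg4win installs, written for a Unix shell (the gpg invocations themselves are identical with gpg.exe). The two parties, their addresses, pass-phrases and the contents of the Secrets folder are all made up here.

```shell
#!/usr/bin/env bash
# Added example, not from the original article or from Gpg4win. Alice plays "me"; the
# identities, pass-phrases and sample files below are constructed for the demo.
set -eu

ALICE_PASS='correct horse battery staple'   # made-up pass-phrases
MICHAEL_PASS='tr0ub4dor&3'

# gpg_as HOMEDIR PASSPHRASE ARGS...: run gpg unattended as one party. Each party gets its own
# key ring (--homedir) so one machine can play both roles.
gpg_as() {
  local home="$1" pass="$2"
  shift 2
  gpg --homedir "$home" --batch --yes --pinentry-mode loopback --passphrase "$pass" "$@"
}

# fingerprint_of HOMEDIR USERID: the 40-hex-digit fingerprint of the matching primary key
fingerprint_of() {
  gpg --homedir "$1" --batch --with-colons --fingerprint "$2" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# trust_level STATUSFILE: the TRUST_* token GnuPG emitted while verifying the signature
trust_level() {
  awk '$1 == "[GNUPG:]" && $2 ~ /^TRUST_/ { print $2; exit }' "$1"
}

# run_demo WORKDIR: walk through the tutorial and leave every artefact in WORKDIR
run_demo() {
  local work="$1" alice="$1/alice.gnupghome" michael="$1/michael.gnupghome"
  local alice_fpr michael_fpr
  mkdir -p "$alice" "$michael" "$work/michael_files/Secrets" "$work/alice_inbox" "$work/alice_extracted"
  chmod 700 "$alice" "$michael"
  printf 'meeting at noon\n' > "$work/michael_files/Secrets/plan.txt"   # constructed sample files
  printf 'the usual place\n' > "$work/michael_files/Secrets/where.txt"

  # File -> New Certificate: each party generates a pass-phrase protected key pair
  gpg_as "$alice"   "$ALICE_PASS"   --quick-generate-key 'Alice <alice@example.org>'     default default never
  gpg_as "$michael" "$MICHAEL_PASS" --quick-generate-key 'Michael <michael@example.org>' default default never
  alice_fpr=$(fingerprint_of "$alice" alice@example.org)
  michael_fpr=$(fingerprint_of "$michael" michael@example.org)

  # "Make a Backup of Your Key Pair": ASCII-armored export of the secret key. It stays
  # pass-phrase protected, but keep it offline rather than mailing it around.
  gpg_as "$alice" "$ALICE_PASS" --armor --output "$work/alice-backup.asc" --export-secret-keys "$alice_fpr"

  # Export Certificates: public keys only, then each side imports the other's
  gpg_as "$alice"   "$ALICE_PASS"   --armor --output "$work/alice-public.asc"   --export "$alice_fpr"
  gpg_as "$michael" "$MICHAEL_PASS" --armor --output "$work/michael-public.asc" --export "$michael_fpr"
  gpg_as "$alice"   "$ALICE_PASS"   --import "$work/michael-public.asc"
  gpg_as "$michael" "$MICHAEL_PASS" --import "$work/alice-public.asc"

  # Michael compares Alice's full fingerprint with her over the phone and certifies it for
  # himself only (Certify Certificate -> only for myself). Unattended gpg refuses to encrypt
  # to a key it has no reason to trust, so this step is not optional here.
  gpg_as "$michael" "$MICHAEL_PASS" --quick-lsign-key "$alice_fpr"
  gpg_as "$michael" "$MICHAEL_PASS" --check-trustdb

  # Sign and Encrypt on the Secrets folder: tar it, sign with Michael's key, encrypt to Alice only
  tar -C "$work/michael_files" -cf - Secrets \
    | gpg_as "$michael" "$MICHAEL_PASS" --local-user "$michael_fpr" --recipient "$alice_fpr" \
             --sign --encrypt --output "$work/alice_inbox/Secrets.tar.gpg"

  # Decrypt and Verify before Alice has certified Michael's key: GOODSIG, but the trust line
  # is TRUST_UNDEFINED, which is what Kleopatra reports as "not enough information"
  gpg_as "$alice" "$ALICE_PASS" --status-fd 1 --output "$work/alice_inbox/first-try.tar" \
    --decrypt "$work/alice_inbox/Secrets.tar.gpg" > "$work/status-before.txt"

  # Alice checks Michael's fingerprint out of band, certifies it locally, and verifies again
  gpg_as "$alice" "$ALICE_PASS" --quick-lsign-key "$michael_fpr"
  gpg_as "$alice" "$ALICE_PASS" --check-trustdb
  gpg_as "$alice" "$ALICE_PASS" --status-fd 1 --output "$work/alice_inbox/Secrets.tar" \
    --decrypt "$work/alice_inbox/Secrets.tar.gpg" > "$work/status-after.txt"
  tar -C "$work/alice_extracted" -xf "$work/alice_inbox/Secrets.tar"

  gpgconf --homedir "$alice"   --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$michael" --kill gpg-agent 2>/dev/null || true
}

if command -v gpg >/dev/null 2>&1; then
  WORK=$(mktemp -d)
  run_demo "$WORK"
  echo "before certifying Michael's key: $(trust_level "$WORK/status-before.txt")"
  echo "after certifying Michael's key:  $(trust_level "$WORK/status-after.txt")"
  diff -r "$WORK/michael_files/Secrets" "$WORK/alice_extracted/Secrets" && echo "Secrets folder recovered intact"
  echo "artefacts left in $WORK"
else
  echo "gpg not found; install GnuPG/Gpg4win first" >&2
fi
```

Because Michael encrypted to Alice’s key only, his own copy of Secrets.tar.gpg is unreadable to him, which is exactly the situation the “delete original” warning in the encryption dialog is about.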
In the End…
Here, you saw how easy it is to trade encrypted content with other people. There are many ways to protect your data, but the beauty of the OpenPGP standard is that, well, it’s open! It is not a proprietary format owned by a single company. In a business, you may not get to pick which encryption standard to use, as the company decides that for you, but outside of work it’s really hard to beat OpenPGP. Once every party member is set up with a key pair, it’s relatively easy to begin trading secure data.
The thing with encryption is that many people ask why someone is so concerned about protecting their data when they have nothing to hide. If you aren’t a terrorist trading secret plans with other members around the world about who the next target is, what do you have to fear? Well, it’s not as simple as that. Sometimes people just want the comfort of knowing that no one besides the intended recipient(s) can get access to the data. Other times people just don’t trust the Internet as a transport mechanism. With data encryption, we add a very strong layer to help protect our data so that snoops can’t see what it is we are sending. It doesn’t matter whether or not a user has something to hide from the authorities. Data equals value. How you value your data is up to you.