It seems that getting a free OpenPGP solution to work with the Microsoft Outlook email client is harder than I thought it would be. The only thing I could dig up was the Outlook Privacy Plugin, which I wrote about extensively in this article. At the time I wrote that article, the plugin version I used worked to a certain extent, but it was missing a crucial element: it would not let me both sign and encrypt an email at the same time. It was one or the other. Similarly, I could not both verify and decrypt an email sent to me. That in itself is a major flaw in an OpenPGP implementation. That article is very popular here on my blog, but I'm surprised that not many people complained about it, as the newer version of the plugin is even worse than the older one. This led me here, to this article. Sometimes not everything can be had for free. If you are serious about using OpenPGP with Outlook 2010, and maybe Outlook 2013 in the future, then it seems to me that a paid solution is required unless you love troubleshooting. Here I take a look at a paid Outlook plugin that incorporates OpenPGP, called gpg4o.
gpg4o is developed by a German firm called Giegerich & Partner. Luckily for me and many others, their website has an English translation. They have a ton of information on their site, but most importantly, what I am looking for is their support and system requirements for gpg4o. The gpg4o plugin supports the latest Windows 8 operating system and, more importantly, both the 32-bit and 64-bit installations of Outlook 2010. They have stated that the plugin will work with Outlook 2013 in the near future, so that is definitely good news.
The pricing for gpg4o is based on yearly support and updates to the plugin. At the moment, a single year of updates and support for gpg4o costs about 94 euros, which converts to around $127. They offer discounts if you purchase more than one year of support, up to 5 years, which will cost you around $255. If you are planning on purchasing licenses in bulk, they have discounts for that as well.
More information about pricing for gpg4o can be found here. Check here for more general information about gpg4o.
From what I have noticed, their support is excellent. I've had a chance to talk with Mr. Giegerich himself. Upon installing the trial version, I stumbled across a big issue that prevented me from continuing. An email to their support staff quickly helped remedy the problem and prompted a direct response from Mr. Giegerich as well. This tells me that they seem serious about their support for gpg4o.
So without further ado, let’s take a look at how gpg4o works!
To demonstrate OpenPGP, I have two email accounts configured. In one corner I will be using my main email account for this blog, firstname.lastname@example.org. This account is configured in my Thunderbird email client along with the Enigmail plugin. In the other corner I will be using a dummy account, email@example.com, which has been configured in my Outlook 2010 email client. If you are new to OpenPGP, feel free to download my public key here (right-click, save as) so that we can trade secure emails with each other for testing purposes. OpenPGP is not hard to learn at all once you get the basic concepts, and I promise I will do my best to help you if you are stuck at any part of the process! If you are still confused, then simply send me a regular email at firstname.lastname@example.org so we can discuss it some more.
gpg4o lets you try the full product free for 45 days. They state that the trial version is not limited in functionality, but it will place a watermark on your email signatures.
UPDATE 4/4: Good news! gpg4o version 3.1 has recently been released! Some of the new features include:
- Support for Outlook 2013
- Embedded installation of GnuPG (gpg4o checks whether you have a GnuPG installation and, if not, can download and install it automatically), so there is no need to download and install GnuPG manually anymore
- Redesigned settings dialog
- New first-installation wizard (more support for first-time PGP users)
- Backup and restore of all settings (including your keys)
- Display of the signature/encryption state inside the mail's body, so if you forward or print a mail, you can see how it was secured
The first thing we need to do is install GnuPG. gpg4o requires a version below 2.0, and they include a download link to GnuPG version 1.4.13 on their download page. The installation is pretty much a next, next experience; the defaults will suffice. GnuPG is what provides most of the capabilities of the OpenPGP implementation. Think of it as the backend. gpg4o and all the other third-party plugins can be considered the front end, which usually provides a graphical interface and much better client integration. You can download GnuPG version 1.4.13 from here. Whichever link you use, take the installer from the GnuPG project or the vendor's own download page rather than a random mirror, since this is the component that will be handling your private key.
Once GnuPG has been successfully installed, don't be alarmed if nothing happens or changes! This just sets the stage for the installation of gpg4o itself, which we will do next. As of the writing of this article, the latest version of gpg4o is 3.0.
The first step is to install Visual Studio Tools.
Next up is the EULA agreement for gpg4o:
Next is the installation directory, which you can keep at the default:
And just like that, the installation starts and, in about 3 seconds, completes. gpg4o also provides a comprehensive manual to get you started with using the plugin.
gpg4o Key Generation and Configuration
Once gpg4o has been installed, relaunch Outlook 2010 and you will be presented with a configuration wizard to help you get started. First, gpg4o looks for the GnuPG executable. If you installed GnuPG in the default directory, gpg4o should pick this up automatically and you won't have to do a thing. If not, simply browse to the location of gpg.exe.
Next up are your email account settings. Because this is a new email account, I need to create a new key pair for it, which gpg4o happily lets me do. Here you also have the option to sign and encrypt all outgoing emails from this address by default. Not all of my email recipients use OpenPGP, so I will leave these options unchecked. On a side note, you will later have the ability to create send rules, which tell gpg4o what to do whenever you send email to a particular recipient. And finally, you can tell gpg4o what to do when you try to send an HTML email rather than a plaintext one.
Now that we have our OpenPGP key pair created and the gpg4o settings configured, it’s time to prepare the email clients with public keys!
First things first. How easy is it to import other recipients' public keys? It turns out to be easy as pie. Simply right-click the public key attachment within the email and select "Import public key". If you head into Key Management, you will see that the public key has been successfully imported. That's it! Keep in mind that importing a key only puts it on your keyring; it says nothing about whether the key really belongs to the person who emailed it. Compare the key's fingerprint with its owner over another channel before you sign it or rely on it for anything sensitive.
To send the recipient my own public key, I simply create an email, and within gpg4o there is an option that lets me attach my public key to the email with a click of a button.
Now that the initial setup has completed with both of my email accounts having each other’s public key, the fun can now begin.
Encrypting and Signing with gpg4o
First I will send an encrypted and signed email using gpg4o. Encrypting the email ensures that no one besides the intended recipient can read it, and signing it with my private key lets the recipient verify that the email came from me and not someone else. gpg4o makes both tasks extremely easy. When composing an email, you simply hit the Encrypt button to encrypt it and the Sign button to sign it. If you tick the "Activate Automatic Options" checkbox, gpg4o checks whether any of the recipients match a configured send rule and, if so, applies the options from that rule.
When you hit either the encrypt or sign button, you might see a warning message about sending HTML emails. At this point, you can either keep the email as HTML or convert it to plaintext.
Of course, any time you need access to your private key you will be asked for your passphrase, and that is no different with gpg4o. You can also specify how long to cache the passphrase so you don't have to re-enter it. A longer cache is more convenient, but while it lasts anyone with access to your unlocked session can sign and decrypt in your name, so keep it short on a shared machine.
In my Thunderbird email client, the picture below should look very familiar to anyone who has used OpenPGP. That block of seemingly random characters is the ASCII-armored ciphertext, which means the email has been successfully encrypted and sent to the recipient!
Once decrypted and verified, everything turns green within Thunderbird, which lets me know that the email has been successfully decrypted and verified! gpg4o automatically encrypts each email you send to your own public key as well. This is intentional: otherwise the copy in your Sent folder would be encrypted only to the recipient's public key, and since you don't hold the corresponding private key, you would never be able to read that sent message again. The semi-bad news is that I couldn't find a way to change this. However, there really isn't a good reason to do so unless you have strict requirements. If that is the case, you'll most likely need to contact them for support.
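To see what that block of "gibberish" actually contains, and why encrypt-to-self matters, here is an added example (my own illustration, not gpg4o's or GnuPG's code). It builds a constructed, undecryptable PGP MESSAGE in the shape an encrypt-to-self client produces, then parses it back: the armor checksum, the packet framing, and one Public-Key Encrypted Session Key packet per recipient key. The key IDs RECIPIENT_KEY_ID and OWN_KEY_ID, the payload bytes and the function names are invented for the demo. Run against a real message from your Sent folder (the real tool's equivalent is `gpg --list-packets`), the same parser shows the security point: the message can be opened with either key, and anyone who intercepts it can read both key IDs from the outside unless hidden recipients are used, which GnuPG records as an all-zero key ID.

```python
"""Inspect an ASCII-armored OpenPGP message without calling GnuPG.
Added illustration, not gpg4o's or GnuPG's code: builds a constructed encrypt-to-self
PGP MESSAGE (one PKESK packet per recipient key, then the encrypted payload), parses it
back and lists the key IDs it was encrypted to. Key IDs and payload bytes are invented."""
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB          # RFC 4880 section 6.1
PACKET_TAGS = {1: "Public-Key Encrypted Session Key", 2: "Signature", 8: "Compressed Data",
               11: "Literal Data", 18: "Sym. Encrypted Integrity Protected Data"}
RECIPIENT_KEY_ID = "0123456789ABCDEF"   # constructed, not a real key
OWN_KEY_ID = "FEDCBA9876543210"         # constructed: the sender's own key


def crc24(data: bytes) -> int:
    """CRC-24 that closes every armored block."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, kind: str = "PGP MESSAGE") -> str:
    """Wrap binary packets in radix-64 armor, 64 chars per line, plus the '=' checksum line."""
    b64 = base64.b64encode(data).decode()
    check = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    lines = [f"-----BEGIN {kind}-----", ""] + [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(lines + [check, f"-----END {kind}-----"]) + "\n"


def dearmor(text: str) -> bytes:
    """Strip armor and verify the CRC-24; raises ValueError if the block was altered."""
    lines = [line.strip() for line in text.splitlines()]
    try:
        start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
        end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))
        body = lines[lines.index("", start) + 1:end]      # armor headers end at a blank line
    except (StopIteration, ValueError):
        raise ValueError("not an armored OpenPGP block") from None
    if not body or not body[-1].startswith("="):
        raise ValueError("missing armor checksum line")
    data = base64.b64decode("".join(body[:-1]))
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("armor CRC-24 mismatch")
    return data


def parse_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers, no partial lengths."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if ctb & 0xC0 == 0xC0:                             # new-format header
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        elif ctb & 0x80:                                   # old-format header (what gpg 1.4 emits)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                                 # 1, 2 or 4 length octets
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        else:
            raise ValueError(f"bad packet tag byte 0x{ctb:02x}")
        body, pos = data[pos:pos + length], pos + length
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body


def new_packet(tag: int, body: bytes) -> bytes:
    """Encode one packet with a new-format header (bodies under 8384 bytes)."""
    n = len(body)
    hdr = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + hdr + body


def pkesk(key_id_hex: str, encrypted_session_key: bytes) -> bytes:
    """Version-3 PKESK body for an RSA key: version, 8-byte key ID, algorithm 1, one MPI."""
    n = int.from_bytes(encrypted_session_key, "big")
    mpi = n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + mpi


def build_demo_message(hide_self: bool = False) -> str:
    """Constructed encrypt-to-self message: PKESK to recipient, PKESK to self, SEIPD payload."""
    fake_esk = bytes(range(1, 65))                                  # stands in for RSA(session key)
    fake_seipd = b"\x01" + bytes(i * 37 % 256 for i in range(40))   # version byte + junk
    own = "0" * 16 if hide_self else OWN_KEY_ID                     # all-zero ID = hidden recipient
    return armor(new_packet(1, pkesk(RECIPIENT_KEY_ID, fake_esk))
                 + new_packet(1, pkesk(own, fake_esk)) + new_packet(18, fake_seipd))


def summarize(armored: str) -> dict:
    """Packet types in order, plus every key ID that can open the message."""
    packets, recipients = [], []
    for tag, body in parse_packets(dearmor(armored)):
        packets.append(PACKET_TAGS.get(tag, f"tag {tag}"))
        if tag == 1:                                       # PKESK: version, key ID, algo, MPIs
            recipients.append("hidden recipient" if body[1:9] == bytes(8) else body[1:9].hex().upper())
    return {"packets": packets, "encrypted_to": recipients}


def armor_is_intact(armored: str) -> bool:
    """True when the armor checksum still matches the payload it wraps."""
    try:
        dearmor(armored)
        return True
    except ValueError:
        return False
```

`summarize(build_demo_message())` reports two PKESK packets, one per key ID, followed by the encrypted payload; with `hide_self=True` the second entry reads "hidden recipient". Note that the CRC-24 only catches accidental corruption of the armor; it is not a security check, which is what the signature inside the encrypted payload is for.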
Decrypting and Verifying with gpg4o
You’ve seen the sending part with gpg4o. Now let’s see how we decrypt and verify an email with the plugin. This time I will send an email from my Thunderbird client, encrypted and signed, to my Outlook 2010 client. As expected, you can see below that the email came in its encrypted form and without the private key, it’s basically useless.
Once I use my private key to decrypt the email, you can see that everything once again works smoothly and as expected! The highlighted portion tells me that the signature has been verified with the sender's public key (the one I imported from my Thunderbird account earlier), and being able to read the original message in plaintext proves that I hold the private key and passphrase. What's also neat is the ability to zoom in and out of your email using the slider!
One thing I did notice is that if you do not have the reading pane enabled in Outlook 2010, you will not see the signature validation information shown above. If you like to read your emails in a separate window, this might present a problem. As seen below, I don't get any signature verification status (the colored box) once I double-click an email, which means that from that window alone you cannot tell a verified message from an unsigned one, so check the status in the reading pane before acting on anything sensitive:
At this point, I've shown that gpg4o works as expected for the most basic uses of OpenPGP: encrypting and decrypting an email, and signing and verifying a digital signature. If this is all you need, then I'm sure you'll enjoy gpg4o a lot! The plugin has a couple of other options, though, and how much you use them depends on how deeply rooted you are in the OpenPGP system.
If you have a lot of email recipients you communicate with using OpenPGP and a whole bunch of others who don't, creating send rules can automate some of the work. For example, you can create a rule called "Subject Private" that says: any email I send from now on with the word "private" in the subject line is automatically encrypted with the recipient's public key, not signed, and not allowed to go out as HTML. Send rules also help if you manage several email addresses within Outlook 2010. By combining conditions in a rule, you can build some pretty complex send rules to do your bidding. Continuing with the example, I can additionally require that the mail comes from a specific sender address as well as having "private" in the subject. Because I manage 5 different email accounts, I can have this rule apply only to the one I use with OpenPGP.
If you heavily rely on OpenPGP for your communications, then I’m sure you’ve heard about key signing, trust levels and key uploads. All of this can be done within the Key Management section within gpg4o.
Signing a public key means that you put your stamp of validation on the key's owner: you are asserting that you checked that the key belongs to the person named in it. This is how the web of trust works. As a public key gains more signatures, it can appear more "trusted", although there are definitely exceptions, and that topic alone could fill a whole article. A very simple scenario is what you get with John, Sally and Bob. John and Bob know each other very well, but Bob doesn't know Sally, whom he needs to communicate securely with. Luckily for Bob, John knows Sally and has signed her public key. Because Bob knows John and trusts him to check keys carefully, he can accept John's "vouching" for Sally and therefore trust that Sally's public key really does belong to Sally.
Set Owner Trust
You can also set a level of trust for each public key's owner. This "trust" is not what most users initially think it means. The trust level here specifically states how much you trust the owner to sign other people's keys carefully; it has nothing to do with whether the owner's own key is genuine. For example, you can be sure that Bob's public key really belongs to Bob, but you also know that Bob has a habit of signing other people's public keys without putting much effort into validation. Therefore I wouldn't put much "trust" in Bob, not because he isn't who he says he is, but because of his reputation as a key signer.
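To make the two ideas concrete (key signatures from the web-of-trust paragraph and owner trust from this one), here is an added example, my own illustration rather than anything from gpg4o or GnuPG, that models the classic trust computation GnuPG performs by default: a key is valid when your own key signed it, when one valid key you marked FULL signed it, or when three valid keys you marked MARGINAL signed it. The names bob, john and sally and the function bob_scenario are constructed for the John/Sally/Bob story above.

```python
"""Key validity under GnuPG's classic trust model, for the John/Sally/Bob story.
Added illustration, not gpg4o's or GnuPG's code. Uses GnuPG's defaults
(--completes-needed 1, --marginals-needed 3, --max-cert-depth 5): a key becomes
valid when certified by your own key, by one valid FULLY trusted key, or by
three valid MARGINALLY trusted keys. Owner trust on a key that is not itself
valid counts for nothing. Names and certifications below are constructed."""
from enum import IntEnum


class OwnerTrust(IntEnum):
    UNKNOWN = 0
    NEVER = 1
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4       # our own keys


COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5


class Keyring:
    def __init__(self) -> None:
        self.certs = {}         # key -> set of keys whose owners signed (certified) it
        self.owner_trust = {}   # key -> how far we trust its owner as a key signer

    def certify(self, signer: str, key: str) -> None:
        self.certs.setdefault(key, set()).add(signer)

    def set_owner_trust(self, key: str, level: OwnerTrust) -> None:
        self.owner_trust[key] = level

    def validity(self) -> dict:
        """Map keys to 'full' or 'marginal' validity; keys absent from the result are unknown."""
        valid = {k: "full" for k, t in self.owner_trust.items() if t == OwnerTrust.ULTIMATE}
        for _ in range(MAX_CERT_DEPTH):          # each pass extends the chain by one hop
            changed = False
            for key, signers in self.certs.items():
                if valid.get(key) == "full":
                    continue
                # Only signers that are themselves fully valid can vouch, and their
                # weight is the owner trust we assigned them, not how many signatures they have.
                weights = [self.owner_trust.get(s, OwnerTrust.UNKNOWN)
                           for s in signers if valid.get(s) == "full"]
                full = sum(w >= OwnerTrust.FULL for w in weights)
                marginal = sum(w == OwnerTrust.MARGINAL for w in weights)
                if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                    valid[key], changed = "full", True
                elif marginal and valid.get(key) != "marginal":
                    valid[key], changed = "marginal", True
            if not changed:
                break
        return valid

    def validity_of(self, key: str) -> str:
        return self.validity().get(key, "unknown")


def bob_scenario(john_trust: OwnerTrust, bob_signed_john: bool = True) -> Keyring:
    """Bob is us. Bob optionally certifies John; John certifies Sally."""
    kr = Keyring()
    kr.set_owner_trust("bob", OwnerTrust.ULTIMATE)
    if bob_signed_john:
        kr.certify("bob", "john")
    kr.set_owner_trust("john", john_trust)
    kr.certify("john", "sally")
    return kr


if __name__ == "__main__":
    for trust in (OwnerTrust.FULL, OwnerTrust.MARGINAL, OwnerTrust.NEVER):
        print(f"John {trust.name}: Sally is {bob_scenario(trust).validity_of('sally')}")
    print("John FULL but never signed by Bob:", bob_scenario(OwnerTrust.FULL, False).validity_of("sally"))
```

With John at FULL owner trust, Sally's key is fully valid for Bob; at MARGINAL it is only marginally valid (GnuPG would warn before encrypting to it); at NEVER it is unknown. The last case is the one this section is about: giving John FULL owner trust without ever verifying and signing John's own key changes nothing, because an unvalidated key cannot introduce anyone.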
Upload to Keyserver
If you want your public key to be easily obtained by the public, consider uploading it to one of the several public key servers around the world. This allows people who have never communicated with you before to download your public key and send you encrypted emails. You can also search those key servers for public keys right within gpg4o. Once you have signed a recipient's public key, you can similarly re-upload it to the key server you obtained it from. Be aware that some users do not want their public keys uploaded, so please don't do it unless you are sure. Also remember that key servers do not check who uploads a key or whether the name on it is genuine, so a key found on a server is only as trustworthy as the fingerprint check and signatures behind it.
In the End…
If you are serious about using OpenPGP for your communications and are dead set against switching to Thunderbird, then currently you don't have many options where Outlook 2010 and 2013 are concerned. The two products I know of are Symantec PGP Desktop and gpg4o by Giegerich & Partner. Whereas the former works as a proxy on your desktop, the latter is a direct plugin for Outlook 2010. gpg4o works pretty well, and for this type of software, it either works or it doesn't. It's as simple as that. I'm glad to say that yes, gpg4o works very well within Outlook 2010.
The plugin is very user friendly, and I'm sure anyone familiar with the OpenPGP universe will have no trouble at all. The problem might come for more advanced users. Compared with Enigmail on Thunderbird, there definitely are some options missing. For example, you aren't able to attach a photo to your public key within gpg4o. The requirement to enable the reading pane in order to view signature verification status might not be what the user wants. Enigmail also lets users pass command line parameters to the gpg.exe executable, which does most of the encryption/decryption legwork; for example, advanced users might want to compress their emails at a different compression level. That is easily done within Enigmail but not in gpg4o. Again, these are only things advanced users might need, but I still wish to see a paid alternative match or even surpass the free solutions.
All in all, gpg4o seems to be a sturdy little plugin that, by my estimation, will only get better over time. Their support seems excellent, as mentioned earlier in my article. Keep in mind, however, that they are a German-based company, and my guess is that their support staff might rely on translation services when communicating with non-German-speaking customers. This didn't seem to be a big problem for me in the couple of emails I've traded with Mr. Giegerich himself and his support staff. What I am most excited about is their future offering of a Home and Student edition of gpg4o. This means either that private home users and students will be able to purchase gpg4o for a much lower price or that the company will offer it as a free download. It's hard to hide my excitement, because I have always been a strong believer in email encryption, and many users I've come across have asked for an "Enigmail" alternative for Outlook clients. I will definitely keep my eye out from now on. Once again, big thanks to Mr. Giegerich himself and his support staff for quickly helping me solve an issue I had with gpg4o!