1. Generating a Key Pair. To generate a new key pair select OpenPGP
Once in the Key Management window, select Generate and New Key Pair.
Select the account from the drop-down menu for which to generate a key pair.
Although you can create a key pair without a passphrase, anyone who has
access to your system could effectively use your private key to
encrypt/decrypt mail. Enter a passphrase that is sufficiently strong,
but is also something that you can remember. Optionally, you may enter a
description for the key in the Comment field, which is visible on your
public key. Finally, select Key Expiry and choose an expiration period.
Next select the Advanced tab and choose a key size and type. By default,
GPG will create a 2048-bit key using DSA & ElGamal. Click Generate Key
and verify the creation of the key. As noted, the key generation process
may take a minute or two.
After the key pair is generated, you will be asked if you wish to create
a revocation certificate, which is required in order to revoke the key
if your private key becomes compromised. Click OK to generate the
certificate. You will be prompted for the passphrase you gave the key in
order to complete the process. Your new key will now appear in the Key
1b. Using WinPT to add an image to your key.
First you must download WinPT from http://winpt.wald.intevation.org.
Running WinPT will add a launch menu to your taskbar. From here, go to "Key
Right click your key-pair and select "Add > Photo ID".
A new window will open requiring your private key
passphrase. Select the image you wish to use and click "Add".
If you wish to upload your newly modified public key to the key server, right click your key and select
"Send to Keyserver". You can now exit WinPT to continue with the lab.
2. Adding an ID to a Key Pair. If you have multiple email
accounts set up in Thunderbird, you have the ability to associate and
use those email addresses with the same key pair. To use the same key
with multiple email addresses first you have to add an ID to the key
pair. Bring up the Key Management window by selecting OpenPGP > Key
Management. Then select the key pair to which you wish to add an ID.
Once you have selected the key, choose Edit then Manage User
IDs. You can also right-click the key and select Manage User IDs.
Click Add to open the Add User ID window.
Type the email address you wish to add, your name, and an optional
comment, and click OK. To set a particular address as the primary ID,
select the address and hit Set Primary ID.
3. Uploading your Key to a Server. Although there are a
number of options of making your public key available to those who wish
to send secure email to you – emailing it to users, placing it on your
website – one of the most convenient methods is to upload your key to a
public PGP key server. Not only does this allow anyone access to your
public key from an OpenPGP-enabled email client (try Keyserver and Search
for Public Keys), but it also allows others to sign your key, thereby
verifying that this key does in fact belong to you. In the absence of a
central certificate authority that verifies your identity and the
authenticity of your public key, PGP relies on users building up webs of
trust by signing each other's keys.
Right-click on the key you wish to upload and select Upload Public Keys
to Keyserver. Select the keyserver where you will send your key (pgp.mit.edu),
and click OK.
To verify, select Keyserver then select Search for Keys, and search for part of
your name or email address.
4. To email your public key. Compose a new
message to whomever you are sending your key. Then select OpenPGP and
Attach my Public Key. Your public key will be attached to your message
as a *.asc file.
Once your public key is attached it will be visible to the left of the
messages header information as seen below.
OpenPGP will ask you how you want to send the message; you should
choose to send it unencrypted.
5. Export Public Key to File.
5. Importing Public Keys from the Server. Having your own public-private
key pair is only part of the equation in sending encrypted mail using PKI – you also need access to the public keys of those to whom you plan
to send the secure email. Ideally, you would physically exchange public
keys with others in person via CD, USB memory key, etc. to ensure that
the public key really does belong to the person you think it belongs to.
Obviously, exchanging public keys in person is not always feasible, so
GPG and Enigmail include features allowing you to easily exchange public
keys electronically, as well as verifying the authenticity of a public
key by signing the key with your digital signature.
Just as you uploaded your public key to a key server, you can also
download public keys from the server and attach them to your “public
keyring.” Open the Key Management window by selecting OpenPGP then Key
Management. Then select Keyserver and Search for Keys. You can search for
part of the person's name or email address, as you did in the
previous step to check that your key was uploaded. Check the box next to
the key you wish to import, and click OK.
6. Importing Keys from an Email. If someone sends a message to you with
their public key attached, Enigmail automatically recognizes the key and
alerts you to the presence of the key. To import the key, you can select
Decrypt in the Thunderbird toolbar, then click Yes to import.
7. Importing Keys from a File. If you obtained someone’s public key by
other means, you can also import the text file containing the key into OpenPGP. Select OpenPGP
then Key Management. From the menu select File and Import Keys from File.
If the file contains a valid PGP key block, Enigmail will add the public
key to your list of keys. (Note: if you have ever used PGP, you can also
import your public and private keyring files into GPG.)
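Before importing a key file (section 7) or trusting an attached *.asc file (section 4), it helps to know what such a file actually contains. The Python script below is an added example, not part of this lab and not Enigmail's or GnuPG's code: it verifies the armor's CRC-24 line, lists the user IDs inside the block, and flags secret-key packets in a file whose banner claims it is a public key. The sample blocks are constructed here with placeholder bodies in place of real key material, and the parser covers only the packet-length forms found in ordinary exported keys.

```python
"""Inspect an ASCII-armored OpenPGP key block (*.asc) before importing it."""
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
# Packet tags (RFC 4880 section 4.3) that matter when inspecting a key block.
TAG_SECRET_KEY, TAG_PUBLIC_KEY, TAG_SECRET_SUBKEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY = 5, 6, 7, 13, 14


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1; it produces the '=XXXX' armor line."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, block_type: str = "PUBLIC KEY BLOCK") -> str:
    """Wrap raw packet bytes in ASCII armor, as 'gpg --armor --export' does."""
    body = base64.b64encode(payload).decode()
    checksum = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {block_type}-----", ""]
                     + [body[i:i + 64] for i in range(0, len(body), 64)]
                     + [f"={checksum}", f"-----END PGP {block_type}-----", ""])


def dearmor(text: str) -> tuple[str, bytes]:
    """Return (block_type, payload); raise ValueError if the armor or CRC is bad."""
    lines = [line.strip() for line in text.strip().splitlines()]
    begin = re.fullmatch(r"-----BEGIN PGP (.+)-----", lines[0])
    if not begin or lines[-1] != f"-----END PGP {begin.group(1)}-----":
        raise ValueError("not a PGP armored block")
    # Armor headers such as 'Version: GnuPG v1' end at the first blank line.
    start = lines.index("") if "" in lines else len(lines)
    data, checksum = [], None
    for line in lines[start + 1:-1]:
        if line.startswith("="):  # the checksum line follows the base64 data
            checksum = line[1:]
        else:
            data.append(line)
    payload = base64.b64decode("".join(data), validate=True)
    if checksum is None or int.from_bytes(base64.b64decode(checksum), "big") != crc24(payload):
        raise ValueError("CRC-24 missing or mismatched: the block is damaged or was edited")
    return begin.group(1), payload


def parse_packets(payload: bytes) -> list[tuple[int, bytes]]:
    """Split raw OpenPGP data into (tag, body) pairs (RFC 4880 section 4.2)."""
    packets, pos = [], 0
    while pos < len(payload):
        first = payload[pos]
        if not first & 0x80:
            raise ValueError(f"invalid packet header {first:#x} at offset {pos}")
        if first & 0x40:  # new-format header: tag in the low six bits
            tag, l1 = first & 0x3F, payload[pos + 1]
            if l1 < 192:
                length, pos = l1, pos + 2
            elif l1 < 224:
                length, pos = ((l1 - 192) << 8) + payload[pos + 2] + 192, pos + 3
            else:
                raise ValueError("four-octet and partial body lengths not supported here")
        else:  # old-format header: tag in bits 2-5, length-size code in bits 0-1
            tag, size = (first >> 2) & 0x0F, (1, 2, 4, None)[first & 0x03]
            if size is None:
                raise ValueError("indeterminate packet length not supported here")
            length, pos = int.from_bytes(payload[pos + 1:pos + 1 + size], "big"), pos + 1 + size
        body = payload[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        packets.append((tag, body))
        pos += length
    return packets


def new_packet(tag: int, body: bytes) -> bytes:
    """Encode a new-format packet with a one-octet body length (body < 192 bytes)."""
    return bytes([0xC0 | tag, len(body)]) + body


def inspect_key_block(text: str) -> dict:
    """Summarise a key block: armor type, user IDs, and whether it holds secret keys."""
    try:
        block_type, payload = dearmor(text)
        packets = parse_packets(payload)
    except ValueError as exc:
        return {"error": str(exc)}
    return {"block_type": block_type,
            "packet_tags": [tag for tag, _ in packets],
            "user_ids": [body.decode("utf-8", "replace") for tag, body in packets if tag == TAG_USER_ID],
            "has_secret_material": any(tag in (TAG_SECRET_KEY, TAG_SECRET_SUBKEY) for tag, _ in packets)}


# Constructed sample: primary public key, one user ID and a public subkey, with
# placeholder bodies where a real key carries its algorithm parameters.
SAMPLE_PUBLIC_KEY_BLOCK = armor(
    new_packet(TAG_PUBLIC_KEY, b"\x04" + bytes(8))
    + new_packet(TAG_USER_ID, b"Lab User (lab key) <lab@example.com>")
    + new_packet(TAG_PUBLIC_SUBKEY, b"\x04" + bytes(8)))
# Constructed sample: the banner says "public", but the first packet is a secret
# key. The banner is only text, so judge a file by its packets, not its label.
SAMPLE_MISLABELLED_BLOCK = armor(
    new_packet(TAG_SECRET_KEY, b"\x04" + bytes(8))
    + new_packet(TAG_USER_ID, b"Lab User <lab@example.com>"))
```

Run `inspect_key_block()` on the text of a received *.asc file: a result carrying `"error"` means the file is not a clean armored block (a mismatched CRC-24 is the usual sign of a file mangled in transit or edited by hand), and `has_secret_material` being true means someone sent you a private key, which should never be imported as if it were a correspondent's public key. The user IDs it lists are what you are actually vouching for when you later sign the key.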
8. Sign a public key. Before you can send someone a secure email
encrypted with the recipient’s public key, Enigmail requires that you
verify that the public key is authentic. GPG does not rely on a central
certificate authority (such as VeriSign) to verify the identities of
those who generate key pairs; instead, it relies on key holders to vouch
for each other’s identity by digitally signing others’ public keys.
Signing a public key has to be done before you can email that person
using their public key. Open the Key Management window by selecting
OpenPGP then Key Management. Select the key you wish to sign and select
Edit > Sign Key, or right-click the key and select Sign Key.
A dialog pops up asking you which key you wish to use to sign, as well
as how well you have verified the identity of the key holder. Select the
key and the level of verification, then hit OK. Even if you select “I
will not answer” or “I have not checked at all”, the key will still be
Alternatively, you can sign a key by viewing a message containing the
public key to be signed, right-clicking on the pen icon Enigmail places
next to the email and selecting Sign Sender’s Key. When you have signed
the recipient’s public key, you will then be able to send encrypted
email to them through Enigmail.
If you created your public-private key pair through Enigmail, you were
asked at the end of the creation process if you wanted to create a
revocation certificate for the key pair. If you believe your key pair
has been compromised, you have the ability to revoke the keys by
importing the key pair’s revocation certificate into Enigmail, thereby
permanently nullifying the private key. If you have uploaded the public
key to a key server, you can use the revocation certificate to revoke
the public key by uploading the revocation certificate to the key
9. Create a revocation certificate. Open the Key
Management window by selecting OpenPGP and Key Management, and then select
the key pair you wish to create a revocation certificate for. Select
Generate then Revocation Certificate or right-click on the key and select
Generate & Save Revocation Certificate. You are prompted to choose a
location to save the certificate. It is best to save the revocation
certificate to some type of removable media that is kept in a safe
place. Select the destination folder, and click Save.
10. Revoke a key pair. Open the Key Management window
by selecting OpenPGP then select Key Management, and then select the key you wish
to revoke. Select Edit and Revoke Key (alternatively, right-click on the
key and select Revoke Key.)
You will be prompted to allow OpenPGP to create and import a revocation
certificate, which must be done to complete the revocation process.
Select Yes to continue with the revocation process.
After the key has been revoked the key listing becomes italicized, gray,
and marked as “(revoked).” At this point, the private key has been
permanently revoked. After you have revoked the key on your system you
must also revoke the corresponding key on the server to prevent anybody
from using this old key.
11. Revoke a Key on Server. To revoke a public key, open the Key
Management window, right-click the key you just made a
revocation certificate for, and select Upload Public Keys to Server. This
will upload the revocation certificate to notify others that you are no
longer using that certificate.
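The rule behind sections 3, 8 and 10 (a key becomes valid once enough keys you trust have signed it, and a revoked or expired key stops counting, both as a recipient and as a signer of other keys) can be modelled directly. The Python below is an added example, not the lab's own material and not GnuPG's code. It uses GnuPG's default thresholds for the classic trust model (one fully trusted signer or three marginally trusted signers make a key valid; certification chains are capped at five links) and a constructed keyring whose names, signatures and owner-trust settings are invented for illustration.

```python
"""Key validity under the PGP web of trust, including revoked and expired keys."""
from dataclasses import dataclass

# GnuPG's default thresholds for its classic 'pgp' trust model.
COMPLETES_NEEDED = 1   # signatures from fully trusted holders that make a key valid
MARGINALS_NEEDED = 3   # signatures from marginally trusted holders that make a key valid
MAX_CERT_DEPTH = 5     # how far a certification chain may run from your own key


@dataclass
class Key:
    """One public key on the keyring: who certified it, and whether it still stands."""
    uid: str
    revoked: bool = False
    expired: bool = False
    signed_by: frozenset = frozenset()   # uids whose keys carry a signature on this key


def compute_validity(keys: dict, owner_trust: dict, my_uid: str) -> dict:
    """Return {uid: validity}, one of 'ultimate', 'full', 'marginal', 'unknown',
    'revoked' or 'expired'.

    owner_trust maps a uid to how much you trust that holder to certify others
    ('full' or 'marginal'); your own key is ultimately trusted. A signature only
    counts if the signer's key is itself valid, and a revoked or expired key is
    never valid, whoever signed it.
    """
    validity = {uid: "revoked" if k.revoked else "expired" if k.expired else "unknown"
                for uid, k in keys.items()}
    if validity.get(my_uid) == "unknown":
        validity[my_uid] = "ultimate"
    # Each pass extends certification chains by at least one link, so the pass
    # limit is a simplified stand-in for GnuPG's max-cert-depth cap.
    for _ in range(MAX_CERT_DEPTH):
        changed = False
        for uid, key in keys.items():
            if validity[uid] not in ("unknown", "marginal"):
                continue
            full = marginal = 0
            for signer in key.signed_by:
                if validity.get(signer) not in ("ultimate", "full"):
                    continue   # unknown, revoked or expired signers do not count
                trust = "ultimate" if signer == my_uid else owner_trust.get(signer)
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                new = "full"
            elif marginal > 0:
                new = "marginal"
            else:
                new = "unknown"
            if new != validity[uid]:
                validity[uid], changed = new, True
        if not changed:
            break
    return validity


def usable_for_encryption(validity: dict, uid: str) -> bool:
    """True when a client may encrypt to the key without asking you to confirm it."""
    return validity.get(uid) in ("ultimate", "full")


def revoke(keys: dict, uid: str) -> dict:
    """Copy of the keyring with one key marked revoked, the effect of importing
    that key's revocation certificate (sections 10 and 11)."""
    k = keys[uid]
    return {**keys, uid: Key(k.uid, revoked=True, expired=k.expired, signed_by=k.signed_by)}


# Constructed keyring: 'me' is your own key, everyone else is a sample correspondent.
SAMPLE_KEYS = {k.uid: k for k in [
    Key("me"),
    Key("alice", signed_by=frozenset({"me"})),          # you signed Alice's key yourself
    Key("bob", signed_by=frozenset({"alice"})),         # Alice, whom you fully trust, signed Bob
    Key("frank", signed_by=frozenset({"me"})),
    Key("grace", signed_by=frozenset({"me"})),
    Key("carol", signed_by=frozenset({"bob", "frank", "grace"})),  # three marginal signers
    Key("dave", signed_by=frozenset({"bob"})),          # only one marginal signer
    Key("erin", revoked=True, signed_by=frozenset({"me"})),  # your signature cannot rescue a revoked key
    Key("heidi", signed_by=frozenset({"erin"})),        # signed only by a revoked key
    Key("ivan", expired=True, signed_by=frozenset({"alice"})),
]}
# How much you trust each holder to certify others (set per key, as with 'gpg --edit-key' trust).
SAMPLE_OWNER_TRUST = {"alice": "full", "bob": "marginal", "frank": "marginal", "grace": "marginal"}
```

Running `compute_validity(SAMPLE_KEYS, SAMPLE_OWNER_TRUST, "me")` shows why the lab insists on signing before sending: Carol's key is valid only because three marginally trusted holders signed it, Dave's single marginal signature leaves his key short of the threshold, and Heidi's key is worthless because its only signer is revoked. Calling `revoke(SAMPLE_KEYS, "bob")` demonstrates the knock-on effect of a revocation: Dave drops to unknown and Carol falls back to marginal.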
While key servers provide a convenient, centralized repository for
public keys, the management of the repository itself is the
responsibility of individual users. While this decentralized approach
works fine for such tasks as making valid keys available or signing each
other's keys, a broadly defined search of any one of the key servers
reveals the problem of cleaning up old keys. The assumption was that
individual users would take responsibility for managing the removal of
old keys, either by revoking the keys manually or setting an expiration
date whereby the keys would be dropped by the server. Instead, many keys
were set to never expire; furthermore, their owners often have either
lost the private keys and/or revocation certificates or cannot remember
the required passphrases.
The reality is that many of the keys on the key server may no longer be
valid, and there is no way to delete the invalid keys without the
revocation certificate. Managers of the key servers refuse to take
requests to remove keys because they have no way to identify you as the
true owner of the key, and key servers generally synchronize their
keystores among each other; if a key is removed from one server, the
synchronization algorithm will dutifully copy the “missing” key from