Timberline Employee Blog

From our living-room to yours




GNU Email and File Encryption

19 June, 2007 (13:34) | Computer Security | By: Ben

I have found a few programs to relatively securely encrypt email and files. One of those is GPG, the GNU Privacy Guard.

So now that you’ve decided to converse by email, you’ve learned that every email you send can be stored forever on some obscure server your email made its way through. So what do you do now? Simply, encrypt.

One tool, GnuPG, is a GPL-licensed encryption engine. It doesn’t do anything by itself. However, when combined with a few other tools, Outlook integration is only a few steps away. I used Gpg4WIN from gpg4win.org. It includes the whole suite of tools needed to interface Outlook and the GnuPG encryption engine. The site is a German site and the included documents are in German, so I chose to download the light package without documents. If you look around you can find an English manual.

After installing, you will need to generate a key using your name, email, and a good pass phrase using the GNU Privacy Assistant, GPA for short. Don’t lose your password. You will need it.

For secured communications with an outside party, that party must also have GPG software installed and you must exchange your public keys. Once you install their key on your computer you can encrypt emails automatically using a combination of your key and their key.

The second thing Gpg4WIN does for you is allow you to sign your email against your public key. It is recommended that you email your public key to just those you communicate with and avoid posting your key to the public key servers, as it is possible for spammers to harvest emails from them. The easiest way to email your key is to open up the WinPT Key Manager, right-click on your key, and select send key to mail recipient.

Outlook Express needs a plug-in running in your system tray when you wish to sign or encrypt emails. You can download gpgoe from wald.intevation.org/projects/gpgoe. Only message bodies are encrypted with this plug-in; attachments and subject lines are not encrypted. To automatically encrypt attachments, use Sylpheed-Claws instead of Outlook Express. This program is included in the Gpg4WIN download but is not installed by default. The party on the other end will also need to run something other than Outlook Express to automatically decrypt your emails with attachments.
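The point above, that only the body is encrypted while subject lines and attachments are not, can be checked on a saved message before it goes out. The following is an added example, not part of the original post or of Gpg4WIN: the function name `cleartext_exposure` and the sample message are constructed for illustration, and the check only recognizes ASCII-armored OpenPGP data, not binary `.gpg` output.

```python
from email import message_from_string

ARMOR = "-----BEGIN PGP MESSAGE-----"  # ASCII-armor header of an OpenPGP message

# Constructed sample: encrypted body, cleartext subject and attachment.
SAMPLE = """\
From: alice@example.org
To: bob@example.org
Subject: Q3 payroll figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1
Content-Type: text/csv; name="payroll.csv"
Content-Disposition: attachment; filename="payroll.csv"

name,salary
Carol,1000
--b1--
"""

def cleartext_exposure(raw):
    """Return a list of message parts that travel unencrypted."""
    msg = message_from_string(raw)
    exposed = []
    if msg.get("Subject"):
        exposed.append("subject: " + msg["Subject"])  # headers are never covered
    for part in msg.walk():
        if part.is_multipart():
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        armored = text.lstrip().startswith(ARMOR)
        name = part.get_filename()
        if name and not armored:
            exposed.append("attachment: " + name)
        elif not name and text.strip() and not armored:
            exposed.append("body")
    return exposed

if __name__ == "__main__":
    for item in cleartext_exposure(SAMPLE):
        print("CLEARTEXT", item)
```
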

Encryption can be thought of like a lock on a door. It keeps the honest people out. As computers become faster, and given enough time and processor power, any encryption key can be broken. If security is of the utmost concern then don’t use a public method of communication. The key here is to consider the cost of breaking in versus the payoff.

Thawte email encryption

19 June, 2007 (13:33) | Computer Security | By: Ben

The last post talked about GPG4WIN. I have found another source of certificates. Thawte will allow you to create a personal account for free. Once logged in you can request a security certificate. After a minute or two your certificate will be ready. I’m running Windows XP and Outlook Express, not to mention the virus scanners and other security measures in place. All I had to do was to click on the certificate on the Thawte web page and it automatically installed while I followed the prompts. Nice and easy.

Thawte and GPG4WIN can be used together when you exchange files by email for added security. After you have your e-pal’s GPG4WIN public key and Thawte public key, you can encrypt the file easily with GPG4WIN and then add the encrypted file attachment to your email. When you have Outlook encrypt too, there will be two keys to break to get into the attachment.

It is worth pointing out that you should not use the same password on both keys.