Secure Electronic Messaging & File Encryption: PGP

Is secure email possible?

PGP ("Pretty Good Privacy") and GPG ("GNU Privacy Guard") are both implementations of OpenPGP (as defined by RFC4880), which you can use to encrypt your email as well as digitally "sign" it so you don't have to worry about forgery.

Encryption: when you encrypt an email message using PGP, you use the public portion of each recipient's PGP key. Only the intended recipient(s) can decrypt the message, since only they have the corresponding private portion of their respective PGP key(s). PGP-encrypted email provides end-to-end assurance that the email will be readable only by its intended recipient, and cannot be altered in transit or while in the recipient's mailbox.

Signing: whereas the sender information of an email message can be forged trivially, using PGP to "sign" an email message provides assurance that the message really was sent by the person whose key was used to sign the message.

Some issues

Email encryption using PGP and GPG are not supported at Penn. There is presently no infrastructure for supporting the sharing of PGP keys, though ISC Information Security is available to hold key-signing parties for local units. Key-signing parties also are held after SUG and Security-SIG meetings. You should plan on an investment of time up front for installing and learning it. The following instructions are intended for use by LSPs only.

PGP is not integrated with webmail. If an Outlook Web Access or Zimbra user receives an encrypted message, it would have to be saved locally and decrypted using a local installation of PGP.

PGP is not compatible with all handhelds. While PGP Corporation does offer a PGP Support Package for BlackBerry, they do not support PGP for the Apple iPhone. Windows Mobile devices can use PGP Mobile, but it has limited functionality - email integration is not available.

Use of PGP encryption requires that both sender and recipient have PGP. Depending on the use case, other solutions may be implemented more easily, such as Secure Share or a shared file server.

PGP is subject to export restrictions. PGP may not be exported to Cuba, Iran, Iraq, North Korea, Sudan, and Syria or to disclosed to foreign nationals from those countries. For more details, see the PGP Corporation FAQ or the Export Administration Regulations.

If you want to use PGP to encrypt files on your computer, make sure you don't lose the key. Once encrypted, data can probably never be recovered without the key. It may be years before the file is needed, and if the key is forgotten, the file is worthless. Don't rely on your memory. Make sure that keys are stored some place safe before encrypting important information.

Installing PGP or GPG

• PGP Desktop is available for Windows and Mac OS platforms from PGP Corporation through these options:

  • Desktop Email: http://na.store.pgp.com/desktop_email.html
  • Bundled with Full Disk Encryption: http://na.store.pgp.com/desktop_pro.html
  • 30-day trial: http://www.pgp.com/downloads/desktoptrial/desktoptrial2.html
  It is also available from other online retailers. Please note that PGP software purchased through Penn's Office of Software Licensing does NOT include PGP Desktop Email.

• GPG ("GNU Privacy Guard") is freely available for Windows (http://www.gpg4win.org/), Mac OS (http://macgpg.sourceforge.net/), & and most UNIX variants (http://www.gnupg.org/download/index.en.html) from GnuPG.org: (http://www.gnupg.org/).

Email Client Integration

DRAFT documentation for integrating PGP and GPG with Penn-supported email clients is below:

PGP Basics

Click here to view a web version of a PowerPoint presentation on basics of PGP

PGP Terminology

There are a few terms in PGP you will need to become familiar with:

Public Key

The public half of the keypair which is shared openly. To encrypt mail to someone, you encrypt the message with their public key. The message can only be decrypted with that person's private key. Public keys are generally shared widely by publishing them on home pages, in mail signature files and on specialized PGP key servers.

Private Key

The private half of the keypair. This must be known by the user alone. You use your private key to decrypt mail that was encrypted with your public key.

Pass Phrase

Private keys are long strings of seemingly random characters, and are not easily memorized. For ease of use, PGP saves you from having to type in your private key. Instead, it stores your private key wherever you specify (on your hard drive, or better yet on a removable diskette) protected with your pass phrase. PGP will ask you for your pass phrase whenever it needs your private key.

Key Rings

PGP stores your keys on key rings. Public keys are stored on public key rings, and secret keys are stored on secret key rings. You may have many keys on your public key ring (one for each person you correspond with using PGP), but typically you will only have one key on your secret key ring - your own.

Other References

PGP Key Signing Party Procedures

Last updated: Thursday, April 9, 2009