Secure Electronic Messaging & File Encryption: PGP
Is secure email possible?
PGP ("Pretty Good Privacy") and GPG ("GNU Privacy Guard") are both implementations of OpenPGP (as defined by RFC4880), which you can use to
encrypt your email as well as digitally "sign" it so you don't
have to worry about forgery.
Encryption: when you encrypt an email message using PGP, you use the public portion of each recipient's PGP key. Only the intended recipient(s) can decrypt the
message, since only they have the corresponding private portion of their respective PGP
key(s). PGP-encrypted email provides end-to-end assurance that the email will
be readable only by its intended recipient, and cannot be altered in transit or while in the recipient's mailbox.
Signing: whereas the sender information of an email message can be
forged trivially, using PGP to "sign" an email message provides
assurance that the message really was sent by the person whose key was used
to sign the message.
We recommend that Local Support Providers (LSPs) review the issues below and use their judgment regarding whether a deployment makes sense for their unit.
Email encryption using PGP and GPG are not supported at Penn.
There is presently no infrastructure for supporting the sharing
of PGP keys, though ISC Information Security is available to
hold key-signing parties for local units. Key-signing parties also are held after SUG and Security-SIG meetings. You should plan on an investment of time up front for installing and learning it. The following instructions are intended for use by LSPs only.
PGP is not integrated with webmail. If an Outlook Web Access or Zimbra user receives an
encrypted message, it would have to be saved locally and decrypted using a
local installation of PGP.
PGP is not compatible with all handhelds. While PGP Corporation does offer a PGP Support Package for BlackBerry, they do not support PGP for the Apple iPhone. Windows Mobile devices can use PGP Mobile, but it has limited functionality - email integration is not available.
Use of PGP encryption requires that both sender and recipient have PGP. Depending on the use case, other solutions may be implemented more easily, such as
Secure Share or a shared file
PGP is subject to export restrictions.
PGP may not be exported to Cuba, Iran, Iraq, North Korea, Sudan, and Syria or to disclosed to foreign nationals from those countries. For more details, see the PGP Corporation FAQ or the Export Administration Regulations.
If you want to use PGP to encrypt files on your
computer, make sure you don't lose the key. Once encrypted,
data can probably never be recovered without the key. It may be
years before the file is needed, and if the key is forgotten, the
file is worthless. Don't rely on your memory. Make sure that keys
are stored some place safe before encrypting important information.
Installing PGP or GPG
Email Client Integration
DRAFT documentation for integrating PGP and GPG with Penn-supported email clients is below:
||Outlook 2003 & 2007 (PGP)
|Entourage 2004 & 2008
(not supported by PGP except in POP/IMAP mode)
Click here to view
a web version of a PowerPoint presentation on basics of PGP
There are a few terms in PGP you will need to become
- Public Key
The public half of the keypair which is shared
openly. To encrypt mail to someone, you encrypt the message with
their public key. The message can only be decrypted with that
person's private key. Public keys are generally shared widely
by publishing them on home pages, in mail signature files and
on specialized PGP key servers.
- Private Key
The private half of the keypair. This must be
known by the user alone. You use your private key to decrypt mail
that was encrypted with your public key.
- Pass Phrase
Private keys are long strings of seemingly random
characters, and are not easily memorized. For ease of use, PGP
saves you from having to type in your private key. Instead, it
stores your private key wherever you specify (on your hard drive,
or better yet on a removable diskette) protected with your pass
phrase. PGP will ask you for your pass phrase whenever it needs
your private key.
- Key Rings
PGP stores your keys on key rings. Public keys
are stored on public key rings, and secret keys are stored on
secret key rings. You may have many keys on your public key ring
(one for each person you correspond with using PGP), but typically
you will only have one key on your secret key ring - your own.
PGP Key Signing Party Procedures
Last updated: Thursday, April 9, 2009