
Sending Sensitive Information to ZOIS

ZOIS Technical Note TN-2008-12-09

Author and Audience

This TN is intended for persons sending information to, and retrieving information from, ZOIS specifically by e-mail. A general knowledge of Microsoft or UNIX style operating systems is assumed. Written by Martin Sullivan[1], ZOIS Limited, Cockermouth.

Abstract

A specific synopsis on how to send e-mails with attachments secured using the popular GPG[2] system is presented for users of Microsoft Windows e-mail systems.

Introduction

If you are to send confidential material to ZOIS by e-mail, it is worth considering that e-mail is a very insecure communication channel. E-mails are stored and forwarded by various intermediary computers and never encrypted or protected. They are therefore open to copying and alteration at any stage.

E-mail is too useful and widely implemented to ignore as a communications channel, even with these concerns. Two major varieties of secure e-mail do exist, but they are less than widespread. It is therefore suggested that you secure your sensitive communication with us by encrypting it and adding it as an attachment to a conventional e-mail.

Materials and Platform

The program you'll need to do this is Gnu Privacy Guard, gpg[2], which is free and open-source. The narrative assumes the use of Microsoft Windows XP and that administrator privileges are available.

Gnu Privacy Guard (GPG) is an encryption program that uses asymmetric cryptography. GPG uses a mathematical trick to allow text to be encrypted with one key (the Public key) and then decrypted with another key (the Private key). Only the Private key can decipher what has been encrypted with the Public key (and vice-versa) and thus the Public key can be widely disseminated (published in e-mails, put on web-sites, public directories and so forth). The Private key cannot be derived from the Public key but the Private key must be kept safe and is frequently encrypted with a password.

Method

The program you'll need to do this is the Windows XP version of Gnu Privacy Guard, gpg.

Download the installation executable[3] using your favourite browser and run it (it'll appear as an icon on your desktop; double-click on it). Accept all the defaults and that should be more or less it. GPG is a regular program and needs to be started in a command-shell window. It is strongly recommended that you add gpg to your %PATH% so that you can execute it with a simple 'gpg' wherever you are in your file system. To do this you will need administrator privileges. On Windows XP, click "start" then right-click on "My Computer" and select "Properties". This gets you a configuration panel. Click the "Advanced" tab and then the "Environment variables" button (at the bottom). Select "Path" from the list and then click on the "Edit" button. Add the following to the end of the displayed field (assuming that you've accepted the defaults when you installed GPG):

 ;c:\Program Files\GPG\GnuPG

Then click the various "Ok" buttons to save this.

You'll need to run the command-line interpreter when running gpg, which you'll find under "Accessories" in the "All Programs" menu, again from "start". Initially run GPG to create your Public/Private key pair. You will need to create your Public/Private key-pair at some stage and it has the added useful side-effect of setting everything else up:

 gpg --gen-key

You will be prompted for things like your familiar name, an e-mail address and some comments. Fill these in; they give an easy way of identifying your Public-key at some later stage. You will also be asked to move the mouse about. Bizarrely, this helps with the secure key-generation process, for it generates randomness. You'll also be asked for a "pass phrase". This is used to encrypt your Private-key as a precaution against accidental disclosure.

Now that GPG is set up, save the intended recipient's Public-key to a file (say martin.asc) and then use:

 gpg --import martin.asc

This saves the intended recipient's Public-key into a little database quaintly called a "key ring". Once that has been done (and it can be verified by gpg --list-keys) you can then encrypt the desired file using this Public-key. Only the intended recipient can decrypt it. As an example:

 gpg -r Martin -e sensitive.file

The encrypted file will be called 'sensitive.file.gpg'. You can attach this to an e-mail and send it to us. To emphasise, only the intended recipient will be able to decrypt this; the fact that anybody, including you, can have their Public-key is immaterial.
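A pre-send check for the attachment step above, added here as an example and not part of the original note or of GnuPG: it reads the first OpenPGP packet of a file and confirms that it is a public-key encrypted session key addressed to the expected key ID, so that the plaintext 'sensitive.file' is not attached by mistake. The function names, the key ID and the sample bytes are constructed for illustration.

```python
def first_packet(data: bytes):
    """Return (tag, body) of the first binary OpenPGP packet (RFC 4880, 4.2)."""
    try:
        if not data[0] & 0x80:
            raise ValueError("not a binary OpenPGP packet (plaintext or armored?)")
        if data[0] & 0x40:  # new-format header: tag in the low six bits
            tag, first = data[0] & 0x3F, data[1]
            if first < 192:
                start, length = 2, first
            elif first < 224:
                start, length = 3, ((first - 192) << 8) + data[2] + 192
            elif first == 255:
                start, length = 6, int.from_bytes(data[2:6], "big")
            else:
                raise ValueError("partial body length not handled here")
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (data[0] >> 2) & 0x0F, data[0] & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            size = (1, 2, 4)[ltype]
            start, length = 1 + size, int.from_bytes(data[1:1 + size], "big")
    except IndexError:
        raise ValueError("truncated packet header") from None
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet body")
    return tag, body

def recipient_key_id(data: bytes) -> str:
    """Hex key ID (of the key or subkey used) from a leading PKESK packet."""
    tag, body = first_packet(data)
    # Tag 1 = Public-Key Encrypted Session Key: version, 8-byte key ID, algorithm.
    if tag != 1 or len(body) < 10 or body[0] != 3:
        raise ValueError("file does not start with a version 3 PKESK packet")
    return body[1:9].hex().upper()

def encrypted_for(data: bytes, expected_key_id: str) -> bool:
    """True only if data is public-key encrypted to expected_key_id (hex)."""
    try:
        return int(recipient_key_id(data), 16) == int(expected_key_id, 16)
    except ValueError:
        return False

# Constructed sample (not real gpg output): one-byte-length old-format header,
# version 3, made-up key ID, algorithm 1 (RSA), and a tiny placeholder MPI.
SAMPLE = bytes([0x84, 13, 3]) + bytes.fromhex("0123456789ABCDEF") + b"\x01\x00\x08\xff"

if __name__ == "__main__":
    print(recipient_key_id(SAMPLE), encrypted_for(b"plain text\n", "0123456789ABCDEF"))
```

Only the first packet is examined, which matches the single-recipient command shown above; gpg --list-packets reports the same packet information from within GPG itself.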

Discussion

The author recommends that you send, and will readily accept, sensitive data sent as e-mail attachments encrypted with his GPG Public Key[4]. This paper has only addressed the sending of sensitive data. To receive a similarly encoded attachment from ZOIS, it is necessary to send (or otherwise publish) your Public key. This key was generated (together with your Private key) when GPG was initially set up. It can be retrieved for publication using:

 gpg --armor --output file.asc --export <yourname>

The --armor flag is necessary to allow the key to be exported in an easily transmittable form. Once you have produced an exportable Public key you can send this to ZOIS and we can encrypt sensitive data that is intended only for you. The recipient (you) can then decrypt any file that ZOIS sends to you as an attachment by:

 gpg -d file.gpg >file

References

References found in this section, and in particular the HTML links, were correct at time of writing (2008-12-01).

1. Martin Sullivan:
http://www.zois.co.uk/people/martin_sullivan
2. The GNU Privacy Guard:
http://gnupg.org
3. GPG's Windows installation executable:
ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.7.exe
4. Martin Sullivan's public key:
http://www.zois.co.uk/people/martin_sullivan/public_key.asc

$Date: 2008/12/18 15:12:23 $

