Creating your PGP keys


How to use Enigmail to create a pair of keys needed before you can sign and encrypt your email [15 mins]

You are now ready to start encrypting your mail with PGP. You can do this by using Enigmail within Thunderbird. Enigmail comes with a wizard that guides you through the initial setup, including the important step of creating a public/private key pair (see the chapter introducing PGP for an explanation). You can start the wizard at any time within Thunderbird by selecting OpenPGP > Setup Wizard from the menu at the top. A non-wizard way of creating keys is explained in the final task.

Step 1. This is what the wizard looks like. Please read the text on every window carefully: it provides useful information and helps you set up PGP according to your personal preferences. On the first screen, click 'Next' to start the configuration.

Step 2. The wizard asks whether you want to sign all your outgoing mail messages. If you choose not to sign all your messages, you will have to specify per recipient whether you want to sign your e-mail. Signing all your messages is a good choice. Click the 'Next' button after you have made your decision.

Step 3. On the following screen, the wizard asks whether you want to encrypt all your outgoing mail messages. Unlike signing, encryption requires the recipient to have PGP software installed. Therefore you should answer 'No' to this question, so that you can still send normal mail. Only answer 'Yes' here if you want to prevent Thunderbird from ever sending unencrypted mail. After you have made your decision, click the 'Next' button.

Step 4: On the following screen the wizard asks whether it may change some of your mail formatting settings to work better with PGP. It is a good choice to answer 'Yes' here. The only serious consequence is that it will prevent you from sending HTML mail messages. Click the 'Next' button after you have made your decision.

Step 5: Now it is time to create the keys. On the following screen you can select one of your mail accounts; if you have only one mail account, the default one is selected for you. In the 'Passphrase' text box you have to enter a password. This is a new password, used to protect your private key. It is very important both to remember this password, because if you lose it you can no longer read your own encrypted e-mails, and to make it a strong one. It should be at least 8 characters long, contain no dictionary words, and preferably be unique to this purpose. Using the same password for multiple purposes severely increases the chance of it being exposed at some point. After you have selected your account and created a passphrase, click the 'Next' button.

Step 6: On the following screen the wizard summarises the actions it will take to enable PGP encryption for your account. If you are satisfied with the options you chose in the previous windows, click the 'Next' button.

Step 7: The wizard is now creating your keys. Have some patience; the progress bar should slowly fill up to the right. The wizard will tell you when the keys have been successfully created; then you can click the 'Next' button again.

Step 8: You now have your own PGP key pair. The wizard asks whether you also want to create a special file called a 'revocation certificate'. This file allows you to inform others that your key pair should no longer be considered valid. Think of it as a 'kill switch' for your PGP identity. You can use this certificate when you have generated a new set of keys, or when your old key pair has been compromised. It is a good idea to create the file and keep it somewhere safe. Click the 'Generate Certificate' button if you want to create the file, otherwise 'Skip'.

Step 9: Assuming you have decided to generate a revocation certificate, the wizard asks where the file should be saved. The dialog may look slightly different on your particular operating system. It is a good idea to rename the file to something sensible like my_revocation_certificate. Click 'Save' when you have decided on a location.

Step 10: Assuming you have decided to generate a revocation certificate, the wizard informs you that it has been stored successfully.

Step 11: The wizard informs you that it has completed its setup.


Task

Follow the instructions above to:

  • Create a PGP key pair
  • Create a revocation certificate

Task Discussion


  • Mohit Kumar said:

    Successfully created a PGP key and a revocation certificate for the same. It was as easy as a breeze.

    on March 18, 2013, 7:41 a.m.
  • ciderpunx said:

    This worked fine for me. I'm just running an ubuntu in virtualbox, given that it looks like that's where the screenshots are from.

    on June 20, 2012, 2:19 p.m.
  • boneidol said:

    Nothing on publishing keys to keyservers or getting them integrated into the web of trust.


    Maybe a section on that ( or perhaps a new course on keysigning party ? )

    on June 19, 2012, 8:14 a.m.

    Mick Fuzz said:

    I was saving that for the next lesson. Maybe you are right to at least mention it.

    I'll try to get an addition together.

    on June 19, 2012, 10:17 a.m. in reply to boneidol
  • boneidol said:

    Does enigmail allow you to set a expiration date on the gpg keys it generates ?

    I've found it useful to set an expiration date ( say 1 or 2 years on keys ). Then if you lose control of the key ( example delete it or forget passphrase ) it doesn't hang around for ever.

    on June 19, 2012, 8:12 a.m.

    Mick Fuzz said:

    I think that's a good one for the next lesson too!

    I guess with this introduction it's all about what you can leave out rather than an encyclopedic approach. However let's not dumb down the process. Maybe it's good to have a taking it further section at the end of the tasks to link out to.

    So setting expiry date should definitely be there.

    on June 19, 2012, 10:28 a.m. in reply to marker
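
As an added worked example (not part of the course page, and not Enigmail's own code), the following shell script does on the GnuPG command line what the wizard does in Steps 5 to 10 above: it checks a passphrase against the page's rules, generates a key pair with a passphrase, saves the revocation certificate under a sensible name, and gives the key the expiry date that the discussion asks about. The name, e-mail address, passphrase and output path are constructed placeholders, the dictionary word list is a small constructed stand-in for a real one, and the GnuPG steps only run when `RUN_KEYGEN_DEMO=1` is set so that the file can also be sourced for its functions.

```shell
#!/bin/sh
# Added example, not from the course page or Enigmail: the command-line
# equivalent of the wizard using GnuPG directly. Identity, passphrase and
# paths in main() are constructed placeholders.

# Step 5 equivalent: apply the page's passphrase rules (at least 8 characters,
# no dictionary words). The word list is a constructed stand-in for a dictionary.
passphrase_ok() {
    pass=$1
    words="password letmein welcome dragon monkey secret"
    [ "${#pass}" -ge 8 ] || return 1
    lower=$(printf '%s' "$pass" | tr 'A-Z' 'a-z')
    for w in $words; do
        case "$lower" in
            *"$w"*) return 1 ;;
        esac
    done
    return 0
}

# Parameter file for unattended key generation ("gpg --batch --gen-key").
# Expire-Date gives the key a lifetime, e.g. 2y, as suggested in the discussion.
keygen_params() {
    name=$1; email=$2; pass=$3; expiry=$4
    cat <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $name
Name-Email: $email
Expire-Date: $expiry
Passphrase: $pass
%commit
EOF
}

# Steps 7-10 equivalent: generate the key pair in a fresh keyring and store the
# revocation certificate under a sensible name. GnuPG 2.1 and later writes one
# automatically to openpgp-revocs.d/<fingerprint>.rev when the key is created;
# that file carries a colon before the armour header so that it cannot be
# imported by accident (remove the colon when you actually need to revoke).
generate_keypair() {
    name=$1; email=$2; pass=$3; expiry=$4; revoke_out=$5
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    keygen_params "$name" "$email" "$pass" "$expiry" > "$GNUPGHOME/params"
    gpg --batch --gen-key "$GNUPGHOME/params"
    rm -f "$GNUPGHOME/params"   # the parameter file holds the passphrase in clear
    fpr=$(gpg --batch --with-colons --list-keys "$email" | awk -F: '/^fpr:/ {print $10; exit}')
    cp "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" "$revoke_out"
    chmod 600 "$revoke_out"
    printf '%s\n' "$fpr"
}

main() {
    pass='vT7#kq9!Lm2p'   # constructed example passphrase
    passphrase_ok "$pass" || { echo "passphrase does not meet the rules" >&2; exit 1; }
    fpr=$(generate_keypair "Example User" "user@example.org" "$pass" 2y \
          "$HOME/my_revocation_certificate.asc")
    echo "created key $fpr"
    gpg --batch --list-keys "$fpr"   # the listing shows the expiry date
}

# Run the GnuPG steps only on request, so the file can be sourced for its functions.
if [ "${RUN_KEYGEN_DEMO:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_KEYGEN_DEMO=1 sh keygen.sh` on a machine with GnuPG installed; the key lands in a temporary `GNUPGHOME`, so import the exported secret key into your real keyring if you want to keep it. Keeping the revocation certificate readable only by you matters: anyone holding it can declare your key invalid.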