Creating a basic PGP key

This article explains how to create and configure a PGP certificate using Enigmail, and how to use it to sign and receive emails. It assumes that you are using the Enigmail extension with version 1.5 of the Mozilla Thunderbird email client. If you do not have Enigmail installed, head over to the Enigmail development page for more detailed installation instructions, because Enigmail requires that you also install the OpenPGP toolkit (GnuPG).

Part 1: Creating the key

1. Start by navigating to the OpenPGP drop-down menu at the top of the screen. Then, in this menu, select Key Management.

2. This will open the Key Management window (see Screenshot 1.2). Then, click on the Generate drop-down menu at the top. Click on New Key Pair.

Screenshot 1.1: Key generation window

3. This will open a window similar to that pictured in Screenshot 1.1. Where it says Account / User ID, select the account that you would like to create a key for. Select the checkbox that says “Use generated key for the selected identity”.

4. Deselect the checkbox that says “No passphrase”. You should create a passphrase, because it protects your private key and increases the security of your key. The trade-off is that you will be prompted for the passphrase each time you use the key. If you decide to create one, enter your phrase in the box.

5. Below, you have several options to customize your key. I set mine to expire in 3 years (the default is 5) and my key size is 2048. Leave the key type as “DSA & El Gamal”.

6. Once you have configured the settings for your key, you are ready to let the program create the key. Click on “Generate key”. As it says, this may take up to several minutes to complete, depending on your computer, so be patient and leave your computer alone while it works.
Screenshot 1.2: Key management window

7. Once the program is done creating your key, it will notify you and return you to the Key Management window (Screenshot 1.2). Here, you should set your own key’s trust level to ultimate, by right-clicking on the level of trust in the Owner Trust column. Now, you are ready to sign an email using your certificate.

Part 2: Sending a signed email

1. Sending a PGP-signed email message is relatively simple. First, open a new email message.

2. Click on the small arrow next to the OpenPGP button at the top.

Screenshot 2.1: OpenPGP email options button

3. On the menu that appears, click “Sign Message”.

4. Now, when the email is sent, the recipient will see your PGP signature. Before it is sent, you will be prompted for the passphrase that you set up earlier.

Part 3: Receiving a signed email

There is nothing overly complicated about receiving a signed email. The program will do all of the work for you. You will be alerted by a message above the email’s header information that the email is signed, and whether the signature is valid. (Note: until you have uploaded your public key to a keyserver, other users cannot fetch it, so your signatures will appear as unverified to them.)

The message below (Screenshot 3.1) will appear when you receive an email that has been signed and whose signer’s identity has been verified. There will also be a pen icon that you can click on to find out more information about the signature.

Screenshot 3.1: Verified signature. This message will appear when you receive a signed and verified message

Other users who are not using Enigmail will see the following:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Message body

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEWSQFFuHddFt7TXERAo+uAJ9A8orrbj098Pbn6MHrGdzz/GOe7gCghX0A
ewi4Yp3rtmnYssWtWFCqD/U=
=kgYR
-----END PGP SIGNATURE-----
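To show what that block actually contains, here is an added Python example (not from this article and not Enigmail's or GnuPG's code) that parses a cleartext-signed message in the layout above, undoes the dash-escaping of body lines, and checks the armor's CRC-24 checksum line (the line beginning with "=" under the base64 data). It only checks the armor's integrity; verifying the signature itself needs the sender's public key, which is what the keyserver steps in Part 4 are about. The sample message and its signature bytes are constructed placeholders.

```python
import base64
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB          # RFC 4880, section 6.1
BEGIN_SIG, END_SIG = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"

def crc24(data: bytes) -> int:
    """CRC-24 as used by OpenPGP ASCII armor."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor_checksum(data: bytes) -> str:
    """The four base64 characters that follow '=' on the armor checksum line."""
    return base64.b64encode(crc24(data).to_bytes(3, "big")).decode()

def parse_cleartext_signed(text: str) -> dict:
    """Split a cleartext-signed message into its parts and check the armor CRC."""
    lines = text.splitlines()
    if lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a cleartext signed message")
    blank = lines.index("", 1)                         # armor headers end at a blank line
    hashes = [l[6:] for l in lines[1:blank] if l.startswith("Hash: ")]
    sig_at = lines.index(BEGIN_SIG)
    # Dash-escaping: a body line that starts with '-' is sent as '- -...' (RFC 4880, 7.1)
    body = [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:sig_at]]
    sig_blank = lines.index("", sig_at)
    headers = dict(l.split(": ", 1) for l in lines[sig_at + 1:sig_blank])
    data_lines = lines[sig_blank + 1:lines.index(END_SIG)]
    checksum = next((l[1:] for l in data_lines if l.startswith("=")), None)
    sig = base64.b64decode("".join(l for l in data_lines if not l.startswith("=")))
    return {"hash": hashes, "body": "\n".join(body), "headers": headers,
            "signature": sig, "crc_ok": checksum == armor_checksum(sig)}

def build_sample(sig: bytes) -> str:
    """Constructed message in the layout Enigmail produces, around the given bytes."""
    return "\n".join([
        "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", "",
        "Message body",
        "- -- this line began with dashes, so it is sent dash-escaped",
        BEGIN_SIG, "Version: GnuPG v1.4.2 (MingW32)",
        "Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org", "",
        base64.b64encode(sig).decode(), "=" + armor_checksum(sig), END_SIG])

# Constructed dummy signature bytes (not a real signature packet)
SAMPLE = build_sample(bytes(range(48)))
```

Corrupting a single base64 character of the signature data makes crc_ok turn False, which is the kind of transport damage the checksum line exists to catch.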

Part 4: Using keyservers

1. In order to allow others to verify that your key is authentic, you should upload your key to a public keyserver. Start by opening the Key Management window. Then, right click on your key. On the option menu that appears, click “Upload Public Keys to Keyserver”.

2. You will be prompted to choose a keyserver. You can use one of the options provided, or provide your own. I use pgp.mit.edu. Be sure to remember which keyserver(s) you use.

3. Click OK, and your key will be uploaded.

4. When you receive a signed email from someone, you can set their trust level by clicking on the pen icon next to the headers of the email. When you set their trust level, their key will be added to your Key Management console.

5. If you would like to sign their key, and let other people know that you trust that person’s key, you can do so by right-clicking on their name in the Key Management console (OpenPGP >> Key Management). You will be prompted to set their trust level again.

6. Once you sign their key, you will need to upload their key to the keyserver(s). This lets anyone else who is trying to verify their key see your signature on it; your signature acts as an endorsement of the authenticity of the key.

There are many more options and things you can do with Enigmail, but I just tried to cover a few basic functions that you would use after Enigmail is successfully installed. I plan on writing a how-to article on the installation of Enigmail, because it can be pretty tricky. I hope that this guide has been helpful, and if you have any comments or corrections, please feel free to leave a comment.
