Setting up GnuPG Encryption For Email

There's a good chance this content may be outdated!

This post is 2 years old—a long time on the internet. Any content within is provided as-is and is not guaranteed to work on modern systems - your mileage may vary.

gpg2Let’s be perfectly real here: email in it’s vanilla form sucks. It’s insecure, it’s unreliable, and yet it’s our preferred communication method. What can we do? A good bit, actually. While we can’t fix the problems like including encryption from the get-go, we can add it to our emails now. We can also sign our emails so people will actually know it’s us. This is one of the reasons why spam is so wild – because it’s just so darn easy to send email. Unfortunately, this does require a bit of “classic” computing using a good old email client and a plugin. This tutorial is designed for Windows users and will work on any OS Windows XP or newer. However, the software being used is cross-platform so it will work on Mac OS X and Linux.


For this to work, we’re going to need the following

  • Thick email client such as Thunderbird (preferred) or Outlook
  • Gpg4win
    • If you’re using Outlook, Gpg4win has an Outlook plugin

1. Install Gpg4win

First, you should install Gpg4win. Download Gpg4win using the link above and then run the installer. Just accept all the defaults. Especially make sure that Kleopatra gets installed as this is how we will generate our GPG keys. Gpg4win is a next, next, next type of install. GnuPG is based on OpenPGP standard and is therefore compatible with PGP.

2. Create your key pair

At this point, you will want to launch Kleopatra. Once it’s open, go to File and New Certificate.

2016-02-21 19-16-30

Select the Certificate Format. For this, we will want to create a personal OpenPGP key pair.

2016-02-21 19-19-02

Fill out the form with your name and email address. The comment isn’t required. Click on the Advanced Settings… button.

2016-02-21 19-19-35

In the Advanced Settings, I’d recommend creating a 4096-bit key. This key is a lot larger which means it’s more difficult to crack. Though the bare minimum should be 2048. It’s important to note that 1024 bit keys are considered incredibly weak and therefore are no longer issued and many services reject them all together. That’s why the 1536 bit key exists, however this should never be used. 2048 or higher. Now a 2048 bit key is still secure and I don’t want you to think otherwise.

2016-02-21 19-20-11

Now we get to create the key.

2016-02-21 19-21-28

Once you press the button, you’ll be asked to create a keyphrase. This step is very important. Let me repeat: THIS STEP IS VERY IMPORTANT! This keyphrase CANNOT be recovered if you lose or forget it! It unlocks your private key to allow you to decrypt anything sent to you using your public key. It’s also required to send any encrypted email or sign any email. It should be long, complicated, and only something you’ll know.

Now, your key pair will be created. Type in the empty text box and move the window around. This just helps the cryptography out by generating random entropy. Once this is done, you’ll have your new key ready to go.

When the key pair has been created successfully, you’ll see the following window:


Make a backup of your key pair (note that this includes both your public and private key – if an attacker gets this file, they can essentially steal your online identity). This will be how you can import the key pair to another computer and send and receive encrypted messages from there as well.

The last function we also want to do is make our Public Key discover-able so we use a directory service. Just follow the prompts on how to do this. I’d recommend using key server. This one does sync up with other key servers.

3. Install Thunderbird

Install Thunderbird if it’s not already installed.

4. Install Enigmail

Install Enigmail in Thunderbird. When you configure it, use the Standard Configuration.

2016-02-21 20-23-39

Since you’ve already created your key pair, it’ll ask if this is the key pair you want to import. Import it. That’s it!

2016-02-21 20-25-45

5. Send a signed and/or encrypted email

Now, you can finally send a signed or encrypted email. Compose a new message and be sure to click the encrypt button. You can also sign the message too. It’s important to note that the subject line will be sent unencrypted. So don’t put anything you don’t want overlooking eyes to see in the subject. Save it for the body.

2016-02-21 20-36-29

When you send your message, provide your passphrase to unlock your private key. Then your message will be encrypted and sent. Here’s what the above message looks like encrypted:

2016-02-21 20-43-05

Now, when the person uses your public key to decrypt the message. Enigmail will then show a green bar and the full message:

2016-02-21 20-43-57

There you have it! Your first encrypted email!

6. Managing Your Key Pair

In Kleopatra, you’ll be able to easily manage your key pair as well as manage any keys that you import from other users. Here are a few important things to do now that you’ve got GPG setup.

Set an expiration date

It’s always good practice to set an expiration date. By default, Gpg4win will set it as 2 years. I usually go for less. The great thing about this is that you can change the expiration date of your key pair easily. Just alternate click on your key and select the change expiry date option.

2016-02-21 20-29-08

And then select a new date

2016-02-21 20-29-35


Sign/Encrypt Files

You can also sign and encrypt files on your hard drive too… perfect for sending taxes to your accountant!

2016-02-21 20-32-47

We will go over all the other very useful things you can do in another post.


About Author

Hi! I'm Travis and I love technology.

Leave A Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.