PGP 8.0
-------

Platforms: Windows, Macintosh
Components: PGPdisk
Plug-ins: ICQ, Outlook, Outlook Express, Eudora, GroupWise
Supported encryption ciphers: AES, CAST, TripleDES, IDEA, Twofish
Default algorithm: AES

Note: The Windows freeware version 8.02, a limited version of the PGP.com software, was used to provide the information in this section. Commercial users will use other versions that incorporate additional capabilities.

Getting Started
---------------

Note: this installation assumes no previous PGP keys have been created and that this software is being installed by a new PGP user.

1. Unzip the PGP.com software distribution into a temporary folder.
2. Run the PGP8.exe file to start the installation.
3. Click the 'Next' button at the Welcome screen to install PGP.
4. If you accept the license agreement, click the 'Yes' button.
5. Click the 'Next' button after reviewing the Read Me documentation.
6. Select the 'No, I'm a New User' radio button and click the 'Next' button to continue.
7. Change the destination directory if desired, then click the 'Next' button to continue.
8. Select or de-select the PGP components you want installed, then click the 'Next' button to continue.
9. Review the installation settings, then click the 'Next' button to continue.
10. Set the 'Yes, I want to restart my computer now' checkbox as appropriate and click the 'Finish' button. If you choose not to restart your computer now, you will have to do so eventually before you can use the PGP software.

After rebooting, a PGP License Authorization window will appear. If you are using this software for non-commercial use, you can click the 'Later' button to bypass this process.

1. At the PGP key generation wizard screen, click the 'Expert' button to create a new key using custom parameters.

Note: you may want to review the instructions below before proceeding through the installation.
While you can correct mistakes, if you begin using PGP and widely publish your public key before realizing you would have liked to change some parameters, it may be very inconvenient to do so (just as it would be to get everyone's telephone book updated after it was printed with incorrect information).

2a. In the Full name field, enter your full name.
2b. In the Email address field, enter your email address.
2c. The default key type of Diffie-Hellman/DSS is probably your best bet; leave the key type at the default.
2d. The default key size of 2048 is OK, but if you feel more comfortable using a 1024 or 4096 key size, that is also fine. If you will be using PGP to do a lot of encryption, or you are using a very slow machine, larger keys take longer to use. Note that a larger key is not necessarily more secure. It may be more secure against a certain class of attacks (e.g. brute force), but it is generally not seen as necessary for most users.
2e. If this is your first time using PGP or you are only testing the software, it may be useful to set an expiration date. Usually people set expiration dates at yearly intervals, but if you know you will probably re-install or recreate your PGP key, you may want to set the expiration date to a few days or weeks.
2f. Click the 'Next' button to continue.
3. In the Passphrase: text box and in the Confirmation: text box, enter a secret password that only you will know. It is very important that this password be very strong, kept secret and not forgotten. Your PGP password should be among the most difficult to guess or brute-force passwords you ever use. Use a large number of characters of mixed types, including numbers and special characters. A good way to come up with a strong password is to use a unique phrase that only you would know, for example a long sentence or a paragraph where the password characters are made up of the first, last or all characters of each word in the phrase.
You can substitute special characters for certain types of characters in the phrase, or add them at the beginning or at the end, to help make the password more difficult to crack. Click the 'Next' button to continue.
4. Once the key generation process is complete, click the 'Next' button to continue.
5. Click the 'Finish' button to exit the key generation program.

GnuPG 1.2.x
-----------

1.2.0: config file = ~/.gnupg/gpg.conf
1.2.0: --pgp7 option to ensure a message will be usable by PGP 7.x users
IDEA plug-in available
Available from

Supports: FreeBSD, GNU/Linux, MacOS X, NetBSD, OpenBSD, Windows, and has been reported to run on many other systems such as AIX, HPUX, IRIX, SCO and Solaris.
Supported encryption ciphers: 3DES, BLOWFISH, CAST5, IDEA (via plug-in), RIJNDAEL, RIJNDAEL192, RIJNDAEL256, TWOFISH
Supported hash algorithms: MD5, RIPEMD160, SHA-1
Supported public key types: DSA, ELG, ELG-E, RSA, RSA-E, RSA-S

Recommended configuration and usage:

These are quick-start instructions. You are encouraged to read the complete documentation and other tutorials before getting started. It is EXTREMELY IMPORTANT that this process be done on a secure machine. It is highly recommended that you perform this install and create your keys on a stand-alone machine to which only you have root access.

New installation instructions for GnuPG 1.2.2 (source)
------------------------------------------------------

1. Download the GnuPG 1.2.2 source and signature files from a reliable source. Visit for download information.
2. Make note of the MD5 hash (checksum) for the source tarball you are downloading. Once you have downloaded the tarball, compute the MD5 hash and verify that it matches the one on the web page:
   md5sum gnupg-1.2.2.tar.[bz2|gz]

   To ensure you have the correct hash, as of this writing it is:

   bz2: 4e1b357b22e1d45d14d340ce03d39b63
   gz:  01cf9c6b949603d0511f6fc07bc758d2

   Note: if you had a previous version of GnuPG installed and the package signer's key on your public key ring, you could also verify the package against the .sig file. This documentation, however, assumes GnuPG is not already installed.
3. Unpack the archive in a local user directory.
4. cd into the unarchived package directory and run the following:

   ./configure
   make
   make check

   Note: if any errors occur during the above process, proceed to normal troubleshooting procedures. RTFM for starters.
5. Switch to a privileged account (e.g. root) and install the package:

   su -
   cd <package directory>
   make install
   exit

6. Create a new private and public key pair:

   gpg --gen-key

   It will ask you for the type of key you want. The defaults are usually good. However, if you are feeling a little unsure of yourself, it might be a very good idea to make this key expire after a few days or weeks. You can always create another key pair later once you are comfortable with the process. It is of UTMOST IMPORTANCE that the passphrase you select for your private key be very strong. The longer the better, and the more diverse the characters you use, the better. A good approach to choosing a relatively strong password is to come up with a long phrase or sentence that you will remember. Using punctuation, mixed case and special characters in place of letters (e.g. 2 for Z), you can build a password that is relatively complex.
7. Congratulations, you now have a PGP public/private key pair. The most important thing from now on is to keep your private key safe. Never copy it to any location where others may have access to it. This usually means only using PGP on a system over which you have sole administrator control.
8. To publish your key, you can upload it to a public key server.
Perhaps the easiest way to publish your key is as follows:

   gpg --keyserver <keyserver> --send-keys <email>

In the above example, replace <email> with the email address you used for your key and replace <keyserver> with a well-known keyserver that you trust. A relatively trustworthy keyserver to use is pgp.mit.edu. Eventually your key will propagate to other key servers, so you do not have to upload it to all of them unless for some reason the keyserver is not networked with the others.

Verifying and Signing Public Keys
---------------------------------

In order to verify another person's public key, you should obtain a copy of the public key fingerprint in advance. Then, at a face-to-face meeting, have the claimed owner of the key and associated fingerprint verify that the fingerprint is indeed theirs. Then you must verify that the person claiming ownership of the fingerprint and key is who they say they are by validating a proper photo ID. If you accept that the ID matches the person and their fingerprint, you can go back to your machine and sign their public key (which you should have obtained in the initial public key exchange or via a valid key server; be sure the public key you have matches the one you verified with the owner). Sign the key as follows:

   gpg --sign-key <email>

Replace <email> with the email id of the person whose key you are signing. While some may consider it inappropriate for the signer to submit signatures to key servers, it has become common practice to do so. Alternatively, you can send the signed key to the key owner so they can import it and upload it to the key servers. If, however, you want to send the signature to the key server yourself, you can do so as follows:

   gpg --keyserver <keyserver> --send-keys <email>
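The step the text stresses, that the key on your machine matches the fingerprint confirmed in person before you run `gpg --sign-key`, is easy to get wrong by eye. The following is an added example (not from the page or GnuPG) of doing that comparison mechanically: it normalizes both fingerprints (spacing, colons and case are ignored) and only reports a match for a full 40-hex-digit v4 fingerprint. The sample `gpg --fingerprint` output is constructed, with a made-up key ID, user ID and fingerprint, in the "Key fingerprint = ..." layout that GnuPG 1.x prints (an assumption about the format; check it against your own gpg output).

```shell
#!/bin/sh
# Added example (not from the page): compare the fingerprint written down at the
# face-to-face meeting with the one GnuPG reports for the key you actually hold.

# normalize_fpr FPR -> hex digits only, upper case, so spacing and colons do not matter
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\r\n' | tr 'a-f' 'A-F'
}

# extract_fpr reads `gpg --fingerprint` output on stdin and prints the first fingerprint found
extract_fpr() {
    sed -n 's/^.*Key fingerprint = *//p' | head -n 1
}

# fingerprint_matches TRUSTED_FPR GPG_OUTPUT
# Returns 0 only when GPG_OUTPUT contains a fingerprint and it equals TRUSTED_FPR,
# and TRUSTED_FPR is a full 40-hex-digit (v4 key) fingerprint.
fingerprint_matches() {
    trusted=$(normalize_fpr "$1")
    seen=$(printf '%s\n' "$2" | extract_fpr)
    seen=$(normalize_fpr "$seen")
    [ -n "$trusted" ] && [ ${#trusted} -eq 40 ] && [ "$trusted" = "$seen" ]
}

# verify_before_signing TRUSTED_FPR GPG_OUTPUT -> prints the verdict, 0 = safe to sign
verify_before_signing() {
    if fingerprint_matches "$1" "$2"; then
        echo "fingerprint verified; safe to proceed with gpg --sign-key"
        return 0
    fi
    echo "fingerprint does NOT match what was verified in person; do not sign" >&2
    return 1
}

# Constructed sample output (made-up key ID, user ID and fingerprint). In real use:
#   verify_before_signing "<fingerprint from the meeting>" "$(gpg --fingerprint <email>)"
SAMPLE_OUTPUT='pub  1024D/0B1D2C3A 2003-06-01 Alice Example <alice@example.com>
     Key fingerprint = 1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678
sub  2048g/4E5F6A7B 2003-06-01'
```

If the key server returned several keys for the same email address, `extract_fpr` only looks at the first; run `gpg --fingerprint` with the specific key ID in that case, so that the fingerprint you compare belongs to the key you are about to sign.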