How to use OpenPGP to encrypt your email messages and files in the cloud
By Eric Geier
Putting sensitive data in email messages or cloud storage should give you the heebie-jeebies, but a good dose of cryptography can give you peace of mind. Pretty Good Privacy (PGP) or its open-source implementation, OpenPGP, is the gold standard of encryption online, and when used properly, has the potential to thwart even the likes of the NSA.
Encryption solutions like BitLocker and DiskCryptor don’t secure email messages or files in the cloud. OpenPGP’s industrial-strength encryption can ensure secure delivery of files and messages, as well as provide verification of who created or sent the message using a process called digital signing.
Using OpenPGP for communication requires participation by both the sender and recipient. You can also use OpenPGP to secure sensitive files when they’re stored in vulnerable places like mobile devices or in the cloud.
The trade-off for all this protection is that it’s a little more complicated to use. Follow these steps to get started.
The OpenPGP-compatible Windows program we’ll use is gpg4win (GNU Privacy Guard for Windows).
First, download and run the setup program. When prompted for which components you’d like to install, include the GPA (GNU Privacy Assistant) component in addition to others that are chosen by default. GPA is the program I recommend for managing your encryption keys, which I also cover in this article.
You’ll need to install gpg4win on all the computers you think you’ll have to encrypt or decrypt your files on.
If you plan to use the encryption on your mobile devices, consider downloading the APG app for Android or the oPenGP app for iOS.
Creating the OpenPGP keys
To use OpenPGP, you have to generate at least two keys: a public key and a private key. Keys are just very small files containing encrypted text. Your public key can be handed out to anyone to send you an encrypted message or file. Your private key is passphrase-protected, and is required to decrypt the message or file.
To create your keys, open GPA and click Keys > New Key…, enter your name, and click Forward.
Next, enter your email address and click Forward.
If you’d like to back up your key pair (highly recommended), select Create backup copy.
If you lose your private key or forget the passphrase, you’ll be toast! You won’t be able to decrypt any messages or files that require your private key. Additionally, if your private key and passphrase are compromised, the attacker will have access to everything you’ve encrypted.
Consider backing up the key pair onto a flash drive, and storing it somewhere safe. Treat your private key file like a digital Social Security card: Never store it in the cloud or on the storage of an internet-connected computer or device.
Once the certificate is created, you can choose a location to back up the key pair.
Finally, you’ll be prompted to enter a passphrase for your private key. Use a strong, long and mixed-character passphrase, and never use words that are in a dictionary.
Exporting or distributing your public keys
Once you’ve generated your key pair, you can export and distribute the public key to receive encrypted messages and files from others. Just right-click the key in GPA, select Export Keys, and save.
You can include your public key in your email signature or publicize it on your blog or website. You can distribute the file or just the plain text that you see when you open the file in a text editor.
If you’d like the public to find and download you public key on a public server, right-click your key and select Send Keys.
Importing PGP keys
You may want to import the public or private keys to another PC or device.
Remember, the private key is very sensitive. Import it only to computers and devices that will need it to decrypt files. Conversely, feel free to load your public key onto any device that you’ll need to encrypt files on.
To send encrypted messages or files to friends that use PGP, you’ll have to import their public keys onto your desired PCs or devices.
To import a public key in text format, you can copy the entire raw key block–including the beginning and ending labels and dashes–and paste it into the GPA application.
Importing keys to GNU Privacy Assistant (GPA) on Windows
To import a key, open GPA and click Import. Next, browse to and select the desired key, and click Open.
Importing keys to Android Privacy Guard (APG)
To import keys to APG in Android, copy the key file or raw key text onto the device.
When importing your private key, use a secure method, like connecting your device to your computer via USB or using an OTG cable to attach a USB stick with your key pair. Don’t email yourself your private key. Just don’t do it.
Open the APG app, tap the key icon in the upper left to open the menu, and tap Import Keys. If you’re looking for a public key, you can search public servers. Otherwise, select the drop-down menu on top to import a key from a file, QR Code, clipboard, or NFC.
Once the key is loaded, tap Import selected keys.
Now that your keys are ready where you need them, here’s how to encrypt and decrypt your messages and files.
Encrypting and decrypting files in Windows
When you install gpg4win, it installs an extension in the Windows Explorer shell that lets you encrypt one or more files or folders on your system with a right-click. Files will be added to a TAR archive file and compressed before they are encrypted.
Encrypting with gpg4win
To begin, right-click your selection and select Sign and Encrypt. The ‘sign’ part confirms for the recipient that you’re the one who encrypted the file. Check Remove unencrypted original file when done if you want the original files to be removed. Click Next to continue.
Select the recipients’ public keys, click the Add button to put them on the list, and click Next. You may want to add yourself as well, so you can decrypt the file if needed.
If you selected to sign (or sign and encrypt) the file, next you need to select which private key you’d like to sign the file with, if there’s more than one installed on the PC. Click Next and you’ll have to enter that private key’s passphrase as well.
Once you’re done, you’ll have an encrypted file with extension .gpg that you can email or send to others.
Decrypting with gpg4win
To decrypt files using gpg4win, right-click the encrypted file and select Decrypt and Verify.
The first two options (related to the signature and archive) should automatically default to the correct configuration. You can also choose to save the decrypted file to another location.
Click the Decrypt/Verify button and enter the passphrase for your private key.
Encrypting and decrypting files on Android
Once you get a hang of encrypting and decrypting on a PC, you’ll have no problem doing it on your Android device.
Encrypting with APG
First, open the APG app, tap the key icon in the upper left to open the menu, and tap Encrypt.
For enhanced security, select the Sign option, if you have your private key imported on the device.
Tap the Select button so you can specify the certificates of those whom you’ve chosen to decrypt the file. From there, you can type a text-based message or tap the arrow to select file encryption. Tap the Show advanced settings to set compression and other settings.
When you’re ready, tap Encrypt File (if encrypting a file) or Share with (if encrypting a message) to access the Android’s native sharing options. You can tap Clipboard to paste it into another app.
Decrypting with APG
To decrypt a file with APG, tap the key icon in the upper left to open the menu, and tap Decrypt.
If APG detects you’ve previously copied an encrypted message from any app, it will automatically try to decrypt it. To decrypt a text-based message using a raw block, paste it into the message box.
To decrypt a file, tap the arrow to select File decryption, tap the folder icon to browse for the file. You can choose to delete the encrypted copy when you’re done by selecting Delete After Decryption.
Tap the Decrypt button and enter the passphrase for the private key that the file was encrypted for.
Encrypting and decrypting email messages in Windows
There are a few email clients that offer OpenPGP-compatible add-ons. If your email program doesn’t have such a feature, you can still encrypt and decrypt messages manually—inside of files, or using the Clipboard feature of GPA or a similar feature on mobile apps like APG.
When using the Clipboard feature of GPA, you can generate encrypted text messages that you can then paste inside emails, instant messages, or other forms of communication.
Open GPA and click the Clipboard button. Type or paste in the text you’d like to encrypt and then click Encrypt. Next, choose the certificates of those whom you’d like to decrypt the file. Then you can distribute the entire raw message block, including the beginning and ending labels and dashes.
To decrypt, paste in the entire raw message block including the beginning and ending labels and dashes. You’ll be prompted for the passphrase of the private key associated with the message.
While OpenPGP isn’t quite “set it and forget it” technology, it is very effective—so effective, in fact, that instead of trying to crack the encryption, some government agencies have resorted to issuing subpoenas for private keys and passwords.
While this tutorial doesn’t provide you with an NSA-defeating level of protection (you still have much to learn, grasshopper), you now have the basics for keeping your information private from most casual attacks.