Gnu's Not UNIX (GNU) Privacy Guard (GnuPG) is a powerful, free security tool that complies with the OpenPGP standard and emulates Pretty Good Privacy (PGP) functionality. You can use GnuPG to create and manage key pairs, encrypt and decrypt data, digitally sign documents, and validate signed data. (For more information about GnuPG's history and functions, see the sidebar "All About GnuPG.") However, GnuPG was developed as a command-line program for use on UNIX machines, and the product's Windows port (which operates on Windows 98 and later) maintains the command-line approach. Most Windows users are unlikely to use command-line tools for an intangible (albeit important) benefit such as increased security.
To counteract this problem, you can install Windows Privacy Tools (WinPT), a free GnuPG Windows GUI front end. You must install WinPT locally on each user's system. I tested the software on Windows 2000, but you can also run WinPT on Windows NT or Win98 (the software should also work on Windows Server 2003 and Windows XP). WinPT is a docked applet that works with Windows Explorer to control GnuPG behind the scenes, letting users create and manage key pairs and encrypt and decrypt files. WinPT also provides clipboard functionality and keyboard shortcuts for signature, verification, encryption, and decryption tasks. The program offers automatically and manually installable plugins for most popular email programs. Another plugin is GnuPG-Relay, software that can automatically sign or encrypt all outgoing email messages. Table 1 lists the supported email programs and plugin download locations.
With WinPT and GnuPG, users can easily improve the security of their files and email messages; managers especially prize the ability to digitally sign messages. As an administrator, I often digitally sign software that I send to users. You can use these free tools to create, publish, import, and validate keys as well as to encrypt, decrypt, sign, and verify files. Each user creates a public key and a private key, collectively known as a key pair. Each user can freely share his or her public key through Web pages, email messages, or special public databases known as keyservers. The private key must remain solely in the possession of the user who created it. When you use a public key to encrypt a file, that file can be decrypted only by using the corresponding private key. You can also use a private key to sign files or messages; anyone with possession of the corresponding public key can verify that you signed the data. GnuPG supports well-studied encryption algorithms, including Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES), which is one reason many experts consider GnuPG to be secure. GnuPG can verify and decode signatures and encrypted files made with PGP, and vice versa. After you understand the basics of how the tools work, you can put them to use and teach your users to do the same.
Installing WinPT and GnuPG
If you download WinPT from http://winpt.sourceforge.net, the software installs GnuPG for you. For simplicity's sake, I'll refer throughout this article to WinPT, even though WinPT carries out functions through GnuPG running in the background. WinPT supports numerous languages, including English, French, German, Italian, and Spanish (the WinPT system tray application supports a half-dozen others, including Chinese and Russian). Download the WinPT - Windows Privacy Tools complete package (as of this writing, the most recent version is WinPT 1.0rc2, a release candidate, or RC). After the download is finished, verify the download's success, as the sidebar "Verifying the Download" explains.
Next, double-click the WinPT installer executable to start the installation process. Be sure to read the GNU General Public License (GPL) agreement carefully before accepting it. After agreeing to the license, the program prompts you to choose an installation path and the WinPT components that you want to install. In addition to the WinPT system tray application, you can install a copy of the WinPT handbook, email plugins for Microsoft Outlook Express and Qualcomm Eudora, language files, and WinPT Explorer extensions, which enable Windows Explorer context-menu options for GnuPG functions. The installation program then prompts you to choose the startup options and program language that you want WinPT to use.
Next, the program presents advanced installation options, as Figure 1 shows. You can choose between two GnuPG versions: the Official GnuPG build, which is the recommended option and which the information in this article deals with, or the Nullify build. Either build is interoperable with other OpenPGP software, but the Nullify build includes three additional algorithms (International Data Encryption Algorithm, or IDEA; Tiger; and Secure Hash Algorithm-2, or SHA-2) and is compiled with a native Visual C++ (VC++) compiler, increasing efficiency and speed. However, IDEA is patented in the United States and Europe, so you can't use the Nullify build for commercial purposes. After you choose the GnuPG version, select a secure, backed-up folder in which to keep your key pairs. Then, click Install and let the installation wizard do its magic.
After the installation is finished, you need to start WinPT. When you do so, the WinPT icon, which looks like a key combined with the at (@) symbol, will appear in the system tray. The WinPT system tray application controls all GnuPG functions.
Creating and Publishing Keys
To begin using WinPT, double-click the system tray icon. This action opens the Key Manager window, which will be empty because you haven't yet created any keys. To create a key pair, select Key, Generate from the menu bar. In the Key Generation dialog box, which Figure 2 shows, choose a key type; the default type (i.e., the Digital Signature Algorithm, DSA, for signing combined with the ElGamal algorithm, ELG, for encryption) is cryptographically secure and more efficient than RSA. The default subkey size in bits (i.e., 1792) is also sufficient to defend against most potential adversaries.
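Because WinPT only drives GnuPG behind the scenes, the whole key-pair workflow this article describes (generate a DSA/ElGamal pair, publish the public key, encrypt to it, decrypt with the private key, sign, verify) can be watched step by step through the gpg command line. The script below is an added example, not code from the article or from the WinPT project. "Alice" and "Bob" are constructed identities, the keyring directories are temporary, the key is deliberately generated without a passphrase so the run needs no pinentry, and `--trust-model always` is an assumption made only so Bob can encrypt to a key he has not yet certified; in real use you would compare the fingerprint out of band and sign the key instead. It is written for a POSIX shell; the same gpg options work from a Windows command prompt with the gpg.exe that WinPT installs.

```shell
#!/bin/sh
# Added example (not from the article or the WinPT project): the key-pair
# workflow the article describes, run through the gpg command line that
# WinPT drives behind the scenes. "Alice" and "Bob" are constructed
# identities; everything lives in temporary keyring directories.
set -eu

have_gpg() { command -v gpg >/dev/null 2>&1; }

# Generate a DSA signing key with an ElGamal encryption subkey (the default
# key type WinPT offers) in an unattended batch run. %no-protection gives
# the key no passphrase so the demo needs no pinentry; a real key gets one.
make_keypair() {   # $1 keyring dir, $2 real name, $3 e-mail
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: DSA
Key-Length: 2048
Subkey-Type: ELG-E
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# "Publishing" a public key: export it as ASCII armor (what you would paste
# on a Web page or send to a keyserver) and import it into another keyring.
# Only the public half leaves Alice's keyring; the private key stays put.
share_public_key() {   # $1 owner's keyring dir, $2 e-mail, $3 recipient's keyring dir
    mkdir -p "$3" && chmod 700 "$3"
    gpg --homedir "$1" --batch --quiet --armor --export "$2" \
      | gpg --homedir "$3" --batch --quiet --import
}

# Encrypt with the recipient's public key. --trust-model always (assumption
# for this demo) skips the web-of-trust check because Bob has not certified
# Alice's key here; in practice verify the fingerprint and sign the key.
encrypt_for() {   # $1 sender's keyring dir, $2 recipient e-mail, $3 plaintext, $4 output
    gpg --homedir "$1" --batch --quiet --yes --trust-model always \
        --recipient "$2" --output "$4" --encrypt "$3"
}

# Decrypt with the matching private key; plaintext goes to stdout.
decrypt_with() {   # $1 owner's keyring dir, $2 ciphertext
    gpg --homedir "$1" --batch --quiet --decrypt "$2"
}

# Detached signature made with the private key ...
sign_file() {   # $1 signer's keyring dir, $2 file, $3 signature output
    gpg --homedir "$1" --batch --quiet --yes --armor --detach-sign --output "$3" "$2"
}

# ... and checked with the public key. Exit status is 0 only for a good signature.
verify_file() {   # $1 verifier's keyring dir, $2 file, $3 signature
    gpg --homedir "$1" --batch --quiet --verify "$3" "$2"
}

# Full round trip. Prints "plaintext-ok signature-ok tamper-detected" on success.
run_demo() {
    work=$(mktemp -d)
    alice="$work/alice" bob="$work/bob"
    make_keypair "$alice" "Alice Example" "alice@example.com"
    share_public_key "$alice" "alice@example.com" "$bob"
    printf 'meeting notes, constructed sample\n' > "$work/notes.txt"
    result=""

    # Bob encrypts to Alice's public key; only Alice's private key opens it.
    encrypt_for "$bob" "alice@example.com" "$work/notes.txt" "$work/notes.gpg"
    if [ "$(decrypt_with "$alice" "$work/notes.gpg")" = "meeting notes, constructed sample" ]; then
        result="plaintext-ok"
    fi

    # Alice signs; Bob verifies with her public key, then sees an altered copy fail.
    sign_file "$alice" "$work/notes.txt" "$work/notes.txt.asc"
    if verify_file "$bob" "$work/notes.txt" "$work/notes.txt.asc" 2>/dev/null; then
        result="$result signature-ok"
    fi
    printf 'meeting notes, ALTERED sample\n' > "$work/tampered.txt"
    if ! verify_file "$bob" "$work/tampered.txt" "$work/notes.txt.asc" 2>/dev/null; then
        result="$result tamper-detected"
    fi

    # Stop the agents gpg 2.x started for these keyrings, then discard everything.
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null || true
        gpgconf --homedir "$bob" --kill gpg-agent 2>/dev/null || true
    fi
    rm -rf "$work"
    printf '%s\n' "$result"
}

demo_passed() { [ "$DEMO_RESULT" = "plaintext-ok signature-ok tamper-detected" ]; }

if have_gpg; then
    DEMO_RESULT=$(run_demo)
else
    DEMO_RESULT="skipped: gpg not installed"
fi
echo "$DEMO_RESULT"
```

The two keyring directories stand in for two users' machines: Bob's keyring never holds Alice's private key, yet it is enough both to encrypt mail that only she can read and to prove that a file she signed has not been changed since. The 2048-bit sizes are an assumption for current GnuPG builds; the 1792-bit subkey the article mentions is the WinPT default of its day.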