Commit | Line | Data |
---|---|---|
3a0ce704 TG |
1 | <!-- include virtual="head.html" --> |
2 | ||
3 | <!-- ~~~~~~~~~ GnuPG Header and introduction text ~~~~~~~~~ --> | |
4 | <header class="row" id="header"><div> | |
5 | ||
6 | <h1>Email Self-Defense</h1> | |
7 | ||
8 | <!-- include virtual="translist.html" --> | |
9 | ||
10 | <ul id="menu" class="os"> | |
11 | <!-- START DELETION 01, KEEP IN index --> | |
12 | <li class="spacer"><a href="index.html" class="current">GNU/Linux</a></li> | |
13 | <li><a href="mac.html">Mac OS</a></li> | |
14 | <li><a href="windows.html">Windows</a></li> | |
ecceeff6 | 15 | <li class="spacer"><a href="workshops.html">Teach your friends</a></li> |
3a0ce704 TG |
16 | <!-- END DELETION 01 --> |
17 | <!-- START DELETION 02, KEEP IN mac --> | |
18 | <li class="spacer"><a href="index.html">GNU/Linux</a></li> | |
19 | <li><a href="mac.html" class="current">Mac OS</a></li> | |
20 | <li><a href="windows.html">Windows</a></li> | |
ecceeff6 | 21 | <li class="spacer"><a href="workshops.html">Teach your friends</a></li> |
3a0ce704 TG |
22 | <!-- END DELETION 02 --> |
23 | <!-- START DELETION 03, KEEP IN windows --> | |
24 | <li class="spacer"><a href="index.html">GNU/Linux</a></li> | |
25 | <li><a href="mac.html">Mac OS</a></li> | |
26 | <li><a href="windows.html" class="current">Windows</a></li> | |
ecceeff6 | 27 | <li class="spacer"><a href="workshops.html">Teach your friends</a></li> |
3a0ce704 TG |
28 | <!-- END DELETION 03 --> |
29 | <li class="spacer"><a | |
30 | href="https://fsf.org/share?u=https://u.fsf.org/zb&t=Email encryption for everyone via %40fsf"> | |
31 | Share | |
32 | <img src="//static.fsf.org/nosvn/enc-dev0/img/gnu-social.png" class="share-logo" | |
33 | alt="[GNU Social]" /> | |
34 | <img src="//static.fsf.org/nosvn/enc-dev0/img/pump.io.png" class="share-logo" | |
35 | alt="[Pump.io]" /> | |
36 | <img src="//static.fsf.org/nosvn/enc-dev0/img/reddit-alien.png" class="share-logo" | |
37 | alt="[Reddit]" /> | |
38 | <img src="//static.fsf.org/nosvn/enc-dev0/img/hacker-news.png" class="share-logo" | |
39 | alt="[Hacker News]" /></a></li> | |
40 | </ul> | |
41 | ||
42 | <!-- ~~~~~~~~~ FSF Introduction ~~~~~~~~~ --> | |
43 | <div id="fsf-intro"> | |
44 | ||
45 | <h3><a href="http://u.fsf.org/ys"><img | |
46 | alt="Free Software Foundation" | |
ecceeff6 TG |
47 | src="//static.fsf.org/nosvn/enc-dev0/img/fsf-logo.png" /> |
48 | </a></h3> | |
3a0ce704 TG |
49 | |
50 | <div class="fsf-emphasis"> | |
51 | ||
ecceeff6 TG |
52 | <p>We fight for computer users' rights, and promote the development of free (as |
53 | in freedom) software. Resisting bulk surveillance is very important to us.</p> | |
3a0ce704 | 54 | |
ecceeff6 TG |
55 | <p><strong>Please donate to support Email Self-Defense. We need to keep |
56 | improving it, and making more materials, for the benefit of people around | |
57 | the world taking the first step towards protecting their privacy.</strong></p> | |
3a0ce704 TG |
58 | |
59 | </div> | |
60 | ||
ecceeff6 TG |
61 | <p><a |
62 | href="https://crm.fsf.org/civicrm/contribute/transact?reset=1&id=14&pk_campaign=email_self_defense&pk_kwd=guide_donate"><img | |
3a0ce704 TG |
63 | alt="Donate" |
64 | src="//static.fsf.org/nosvn/enc-dev0/img/en/donate.png" /></a></p> | |
65 | ||
66 | </div><!-- End #fsf-intro --> | |
67 | ||
68 | <!-- ~~~~~~~~~ Guide Introduction ~~~~~~~~~ --> | |
69 | <div class="intro"> | |
70 | ||
71 | <p><a id="infographic" href="infographic.html"><img | |
72 | src="//static.fsf.org/nosvn/enc-dev0/img/en/infographic-button.png" | |
ecceeff6 TG |
73 | alt="View & share our infographic →" /></a> |
74 | Bulk surveillance violates our fundamental rights and makes free speech | |
dc99427b TG |
75 | risky. This guide will teach you a basic surveillance self-defense skill: email |
76 | encryption. Once you've finished, you'll be able to send and receive emails | |
77 | that are scrambled to make sure a surveillance agent or thief intercepting | |
78 | your email can't read them. All you need is a computer with an Internet | |
79 | connection, an email account, and about forty minutes.</p> | |
ecceeff6 TG |
80 | |
81 | <p>Even if you have nothing to hide, using encryption helps protect the privacy | |
82 | of people you communicate with, and makes life difficult for bulk surveillance | |
83 | systems. If you do have something important to hide, you're in good company; | |
84 | these are the same tools that whistleblowers use to protect their identities | |
85 | while shining light on human rights abuses, corruption and other crimes.</p> | |
86 | ||
87 | <p>In addition to using encryption, standing up | |
88 | to surveillance requires fighting politically for a <a | |
89 | href="http://gnu.org/philosophy/surveillance-vs-democracy.html">reduction | |
90 | in the amount of data collected on us</a>, but the essential first step is | |
91 | to protect yourself and make surveillance of your communication as difficult | |
92 | as possible. This guide helps you do that. It is designed for beginners, but | |
93 | if you already know the basics of GnuPG or are an experienced free software | |
94 | user, you'll enjoy the advanced tips and the <a href="workshops.html">guide | |
95 | to teaching your friends</a>.</p> | |
3a0ce704 TG |
96 | |
97 | </div><!-- End .intro --> | |
98 | </div></header><!-- End #header --> | |
99 | ||
100 | <!-- ~~~~~~~~~ Section 1: Get the pieces ~~~~~~~~~ --> | |
101 | <section class="row" id="section1"><div> | |
102 | ||
103 | <!-- ~~~~~~~~~ section introduction: interspersed text ~~~~~~~~~ --> | |
104 | <div class="section-intro"> | |
105 | ||
106 | <h2><em>#1</em> Get the pieces</h2> | |
107 | ||
108 | <!-- START DELETION 04, KEEP IN index --> | |
ecceeff6 TG |
109 | <p class="notes">This guide relies on software which is <a |
110 | href="https://www.gnu.org/philosophy/free-sw.html">freely licensed</a>; | |
111 | it's completely transparent and anyone can copy it or make their | |
112 | own version. This makes it safer from surveillance than proprietary | |
113 | software (like Windows). Learn more about free software at <a | |
114 | href="https://u.fsf.org/ys">fsf.org</a>.</p> | |
115 | ||
116 | <p>Most GNU/Linux operating systems come with GnuPG installed on them, | |
117 | so you don't have to download it. Before configuring GnuPG though, you'll | |
118 | need the IceDove desktop email program installed on your computer. Most | |
119 | GNU/Linux distributions have IceDove installed already, though it may be | |
120 | under the alternate name "Thunderbird." Email programs are another way to | |
121 | access the same email accounts you can access in a browser (like Gmail), | |
122 | but provide extra features.</p> | |
3a0ce704 TG |
123 | <!-- END DELETION 04 --> |
124 | <!-- START DELETION 05, KEEP IN mac windows --> | |
ecceeff6 TG |
125 | <p class="notes">This guide relies on software which is <a |
126 | href="https://www.gnu.org/philosophy/free-sw.html">freely licensed</a>; it's | |
127 | completely transparent and anyone can copy it or make their own version. This | |
128 | makes it safer from surveillance than proprietary software (like Windows or Mac | |
129 | OS). To defend your freedom as well as protect yourself from surveillance, we | |
130 | recommend you switch to a free software operating system like GNU/Linux. Learn | |
131 | more about free software at <a href="https://u.fsf.org/ys">fsf.org</a>.</p> | |
132 | ||
133 | <p>To get started, you'll need the IceDove desktop email program installed | |
134 | on your computer. For your system, IceDove may be known by the alternate name | |
135 | "Thunderbird." Email programs are another way to access the same email accounts | |
136 | you can access in a browser (like Gmail), but provide extra features.</p> | |
3a0ce704 TG |
137 | <!-- END DELETION 05 --> |
138 | ||
ecceeff6 TG |
139 | <p>If you already have an email program, you can skip to <a |
140 | href="#step-1b">Step 1.b</a>.</p> | |
3a0ce704 TG |
141 | |
142 | </div><!-- End .section-intro --> | |
143 | ||
144 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
145 | <div id="step-1a" class="step"> | |
146 | <div class="sidebar"> | |
147 | ||
ecceeff6 TG |
148 | <p><img |
149 | src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/step1a-install-wizard.png" | |
3a0ce704 TG |
150 | alt="Step 1.A: Install Wizard" /></p> |
151 | ||
152 | </div><!-- /.sidebar --> | |
153 | <div class="main"> | |
154 | ||
ecceeff6 TG |
155 | <h3><em>Step 1.a</em> Set up your email program with your email account</h3> |
156 | ||
157 | <p>Open your email program and follow the wizard (step-by-step walkthrough) | |
158 | that sets it up with your email account.</p> | |
3a0ce704 | 159 | |
ecceeff6 TG |
160 | <p>Look for the letters SSL, TLS, or STARTTLS to the right of the servers |
161 | when you're setting up your account. If you don't see them, you will still | |
162 | be able to use encryption, but this means that the people running your email | |
163 | system are running behind the industry standard in protecting your security | |
164 | and privacy. We recommend that you send them a friendly email asking them | |
165 | to enable SSL, TLS, or STARTTLS for your email server. They will know what | |
166 | you're talking about, so it's worth making the request even if you aren't | |
167 | an expert on these security systems.</p> | |
3a0ce704 TG |
168 | |
169 | <!-- ~~~~~~~~~ Troubleshooting ~~~~~~~~~ --> | |
170 | <div class="troubleshooting"> | |
171 | ||
172 | <h4>Troubleshooting</h4> | |
173 | ||
174 | <dl> | |
175 | <dt>The wizard doesn't launch</dt> | |
ecceeff6 TG |
176 | <dd>You can launch the wizard yourself, but the menu option for doing so is |
177 | named differently in each email program. The button to launch it will be in | |
178 | the program's main menu, under "New" or something similar, titled something | |
179 | like "Add account" or "New/Existing email account."</dd> | |
3a0ce704 TG |
180 | |
181 | <dt>The wizard can't find my account or isn't downloading my mail</dt> | |
ecceeff6 TG |
182 | <dd>Before searching the Web, we recommend you start by asking other people |
183 | who use your email system, to figure out the correct settings.</dd> | |
3a0ce704 TG |
184 | |
185 | <dt class="feedback">Don't see a solution to your problem?</dt> | |
ecceeff6 TG |
186 | <dd class="feedback">Please let us know on the <a |
187 | href="https://libreplanet.org/wiki/GPG_guide/Public_Review">feedback | |
188 | page</a>.</dd> | |
3a0ce704 TG |
189 | </dl> |
190 | ||
191 | </div><!-- /.troubleshooting --> | |
192 | </div><!-- End .main --> | |
193 | </div><!-- End #step1-a .step --> | |
194 | ||
195 | <!-- START DELETION 06, KEEP IN mac --> | |
196 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
197 | <div id="step-1b" class="step"> | |
198 | <div class="main"> | |
199 | ||
200 | <h3><em>Step 1.b</em> Get GnuPG by downloading GPGTools</h3> | |
201 | ||
ecceeff6 TG |
202 | <p>GPGTools is a software package that includes GnuPG. <a |
203 | href="https://gpgtools.org/#gpgsuite">Download</a> and install it, choosing | |
204 | default options whenever asked. After it's installed, you can close any | |
205 | windows that it creates.</p> | |
3a0ce704 | 206 | |
1c445281 TG |
207 | <p>There are major security flaws in versions of GnuPG provided by GPGTools |
208 | prior to 2018.3. Make sure you have GPGTools 2018.3 or later.</p> | |
209 | ||
3a0ce704 TG |
210 | </div><!-- End .main --> |
211 | </div><!-- End #step1-b .step --> | |
212 | <!-- END DELETION 06 --> | |
213 | <!-- START DELETION 07, KEEP IN windows --> | |
214 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
215 | <div id="step-1b" class="step"> | |
216 | <div class="main"> | |
217 | ||
218 | <h3><em>Step 1.b</em> Get GnuPG by downloading GPG4Win</h3> | |
219 | ||
ecceeff6 TG |
220 | <p>GPG4Win is a software package that includes GnuPG. <a |
221 | href="https://www.gpg4win.org/">Download</a> and install it, choosing default | |
222 | options whenever asked. After it's installed, you can close any windows that | |
223 | it creates.</p> | |
3a0ce704 | 224 | |
1c445281 TG |
225 | <p>There are major security flaws in versions of GnuPG provided by GPG4Win |
226 | prior to 3.1.2. Make sure you have GPG4Win 3.1.2 or later.</p> | |
227 | ||
3a0ce704 TG |
228 | </div><!-- End .main --> |
229 | </div><!-- End #step1-b .step --> | |
230 | <!-- END DELETION 07 --> | |
231 | <!-- START DELETION 08, KEEP IN index --> | |
232 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
233 | <div id="step-1b" class="step"> | |
234 | <div class="sidebar"> | |
235 | <ul class="images"> | |
236 | <li><img src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/step1b-01-tools-addons.png" | |
237 | alt="Step 1.B: Tools -> Add-ons" /></li> | |
238 | <li><img src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/step1b-02-search.png" | |
239 | alt="Step 1.B: Search Add-ons" /></li> | |
240 | <li><img src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/step1b-03-install.png" | |
241 | alt="Step 1.B: Install Add-ons" /></li> | |
242 | </ul> | |
243 | ||
244 | </div><!-- /.sidebar --> | |
245 | <div class="main"> | |
246 | ||
247 | <h3><em>Step 1.b</em> Install the Enigmail plugin for your email program</h3> | |
1c445281 TG |
248 | |
249 | <p>In your email program's menu, select Add-ons (it may be in the Tools | |
250 | section). Make sure Extensions is selected on the left. Do you see Enigmail? | |
251 | Make sure it's the latest version. If so, skip this step.</p> | |
252 | ||
253 | <p>If not, search "Enigmail" with the search bar in the upper right. You | |
254 | can take it from here. Restart your email program when you're done.</p> | |
255 | ||
256 | <p>There are major security flaws in versions of GnuPG prior to 2.2.8, and | |
257 | Enigmail prior to 2.0.7. Make sure you have GnuPG 2.2.8 and Enigmail 2.0.7, | |
258 | or later versions.</p> | |
259 | ||
3a0ce704 TG |
260 | <!-- END DELETION 08 --> |
261 | <!-- START DELETION 09, KEEP IN mac windows --> | |
262 | ||
263 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
264 | <div id="step-1c" class="step"> | |
265 | <div class="sidebar"> | |
266 | <ul class="images"> | |
267 | <li><img src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/step1b-01-tools-addons.png" | |
268 | alt="Step 1.C: Tools -> Add-ons" /></li> | |
269 | <li><img src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/step1b-02-search.png" | |
270 | alt="Step 1.C: Search Add-ons" /></li> | |
271 | <li><img src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/step1b-03-install.png" | |
272 | alt="Step 1.C: Install Add-ons" /></li> | |
273 | </ul> | |
274 | ||
275 | </div><!-- /.sidebar --> | |
276 | <div class="main"> | |
277 | ||
278 | <h3><em>Step 1.c</em> Install the Enigmail plugin for your email program</h3> | |
3a0ce704 | 279 | |
ecceeff6 | 280 | <p>In your email program's menu, select Add-ons (it may be in the Tools |
1c445281 TG |
281 | section). Make sure Extensions is selected on the left. Do you see Enigmail? |
282 | Make sure it's the latest version. If so, skip this step.</p> | |
3a0ce704 | 283 | |
ecceeff6 TG |
284 | <p>If not, search "Enigmail" with the search bar in the upper right. You |
285 | can take it from here. Restart your email program when you're done.</p> | |
3a0ce704 | 286 | |
1c445281 TG |
287 | <p>There are major security flaws in Enigmail prior to version 2.0.7. Make |
288 | sure you have Enigmail 2.0.7 or later.</p> | |
6edab4fd | 289 | |
1c445281 | 290 | <!-- END DELETION 09 --> |
3a0ce704 TG |
291 | <!-- ~~~~~~~~~ Troubleshooting ~~~~~~~~~ --> |
292 | <div class="troubleshooting"> | |
293 | ||
294 | <h4>Troubleshooting</h4> | |
295 | ||
296 | <dl> | |
297 | <dt>I can't find the menu.</dt> | |
ecceeff6 TG |
298 | <dd>In many new email programs, the main menu is represented by an image of |
299 | three stacked horizontal bars.</dd> | |
3a0ce704 | 300 | |
ecceeff6 TG |
301 | <dt>My email looks weird</dt> |
302 | <dd>Enigmail doesn't tend to play nice with HTML, which is used to format | |
303 | emails, so it may disable your HTML formatting automatically. To send an | |
304 | HTML-formatted email without encryption or a signature, hold down the Shift | |
305 | key when you select compose. You can then write an email as if Enigmail | |
306 | wasn't there.</dd> | |
3a0ce704 TG |
307 | |
308 | <dt class="feedback">Don't see a solution to your problem?</dt> | |
ecceeff6 TG |
309 | <dd class="feedback">Please let us know on the <a |
310 | href="https://libreplanet.org/wiki/GPG_guide/Public_Review">feedback | |
311 | page</a>.</dd> | |
3a0ce704 TG |
312 | </dl> |
313 | ||
314 | </div><!-- /.troubleshooting --> | |
315 | </div><!-- End .main --> | |
316 | </div><!-- End #step-1b .step --> | |
317 | </div></section><!-- End #section1 --> | |
318 | ||
319 | <!-- ~~~~~~~~~ Section 2: Make your keys ~~~~~~~~~ --> | |
320 | <section class="row" id="section2"><div> | |
321 | ||
322 | <!-- ~~~~~~~~~ section introduction: interspersed text ~~~~~~~~~ --> | |
323 | <div class="section-intro"> | |
324 | ||
325 | <h2><em>#2</em> Make your keys</h2> | |
326 | ||
ecceeff6 TG |
327 | <p>To use the GnuPG system, you'll need a public key and a private key (known |
328 | together as a keypair). Each is a long string of randomly generated numbers | |
329 | and letters that are unique to you. Your public and private keys are linked | |
330 | together by a special mathematical function.</p> | |
3a0ce704 | 331 | |
ecceeff6 TG |
332 | <p>Your public key isn't like a physical key, because it's stored in the open |
333 | in an online directory called a keyserver. People download it and use it, | |
334 | along with GnuPG, to encrypt emails they send to you. You can think of the | |
335 | keyserver as a phonebook; people who want to send you encrypted email can | |
336 | look up your public key.</p> | |
3a0ce704 | 337 | |
ecceeff6 TG |
338 | <p>Your private key is more like a physical key, because you keep it to |
339 | yourself (on your computer). You use GnuPG and your private key together to | |
340 | descramble encrypted emails other people send to you. <span style="font-weight: | |
341 | bold;">You should never share you private key with anyone, under any | |
342 | circumstances.</span></p> | |
343 | ||
344 | <p>In addition to encryption and decryption, you can also use these keys to | |
345 | sign messages and check the authenticity of other people's signatures. We'll | |
346 | discuss this more in the next section.</p> | |
3a0ce704 TG |
347 | |
348 | </div><!-- End .section-intro --> | |
349 | ||
350 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
351 | <div id="step-2a" class="step"> | |
352 | <div class="sidebar"> | |
353 | ||
ecceeff6 TG |
354 | <p><img |
355 | src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/step2a-01-make-keypair.png" | |
3a0ce704 TG |
356 | alt="Step 2.A: Make a Keypair" /></p> |
357 | ||
358 | </div><!-- /.sidebar --> | |
359 | <div class="main"> | |
360 | ||
361 | <h3><em>Step 2.a</em> Make a keypair</h3> | |
362 | ||
ecceeff6 TG |
363 | <p>The Enigmail Setup wizard may start automatically. If it doesn't, select |
364 | Enigmail → Setup Wizard from your email program's menu. You don't need | |
365 | to read the text in the window that pops up unless you'd like to, but it's | |
366 | good to read the text on the later screens of the wizard. Click Next with | |
367 | the default options selected, except in these instances, which are listed | |
368 | in the order they appear:</p> | |
3a0ce704 TG |
369 | |
370 | <ul> | |
ecceeff6 TG |
371 | <li>On the screen titled "Encryption," select "Encrypt all of my messages |
372 | by default, because privacy is critical to me."</li> | |
373 | ||
374 | <li>On the screen titled "Signing," select "Don't sign my messages by | |
375 | default."</li> | |
376 | ||
377 | <li>On the screen titled "Key Selection," select "I want to create a new | |
378 | key pair for signing and encrypting my email."</li> | |
379 | ||
380 | <li>On the screen titled "Create Key," pick a strong password! You can | |
381 | do it manually, or you can use the Diceware method. Doing it manually | |
382 | is faster but not as secure. Using Diceware takes longer and requires | |
1ed1c6a3 | 383 | dice, but creates a password that is much harder for attackers to figure |
ecceeff6 TG |
384 | out. To use it, read the section "Make a secure passphrase with Diceware" in <a |
385 | href="https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/"> | |
386 | this article</a> by Micah Lee.</li> | |
3a0ce704 TG |
387 | </ul> |
388 | ||
ecceeff6 TG |
389 | <p>If you'd like to pick a password manually, come up with something |
390 | you can remember which is at least twelve characters long, and includes | |
391 | at least one lower case and upper case letter and at least one number or | |
392 | punctuation symbol. Never pick a password you've used elsewhere. Don't use | |
393 | any recognizable patterns, such as birthdays, telephone numbers, pets' names, | |
394 | song lyrics, quotes from books, and so on.</p> | |
395 | ||
396 | <p class="notes">The program will take a little while to finish the next | |
397 | step, the "Key Creation" screen. While you wait, do something else with your | |
398 | computer, like watching a movie or browsing the Web. The more you use the | |
399 | computer at this point, the faster the key creation will go.</p> | |
400 | ||
401 | <p><span style="font-weight: bold;">When the "Key Generation Completed" screen | |
402 | pops up, select Generate Certificate and choose to save it in a safe place on | |
403 | your computer (we recommend making a folder called "Revocation Certificate" | |
404 | in your home folder and keeping it there). This step is essential for your | |
405 | email self-defense, as you'll learn more about in <a href="#section5">Section | |
406 | 5</a>.</span></p> | |
3a0ce704 TG |
407 | |
408 | <!-- ~~~~~~~~~ Troubleshooting ~~~~~~~~~ --> | |
409 | <div class="troubleshooting"> | |
410 | ||
411 | <h4>Troubleshooting</h4> | |
412 | ||
413 | <dl> | |
414 | <dt>I can't find the Enigmail menu.</dt> | |
ecceeff6 TG |
415 | <dd>In many new email programs, the main menu is represented by an image |
416 | of three stacked horizontal bars. Enigmail may be inside a section called | |
417 | Tools.</dd> | |
3a0ce704 | 418 | |
5288ce68 | 419 | <!-- START DELETION 12, KEEP IN index --> |
3a0ce704 | 420 | <dt>The wizard says that it cannot find GnuPG.</dt> |
ecceeff6 TG |
421 | <dd>Open whatever program you usually use for installing software, and search |
422 | for GnuPG, then install it. Then restart the Enigmail setup wizard by going | |
423 | to Enigmail → Setup Wizard.</dd> | |
424 | ||
5288ce68 | 425 | <!-- END DELETION 12, KEEP IN index --> |
ecceeff6 TG |
426 | <dt>More resources</dt> |
427 | <dd>If you're having trouble with our | |
428 | instructions or just want to learn more, check out <a | |
d03b24db | 429 | href="https://www.enigmail.net/documentation/Key_Management#Generating_your_own_key_pair"> |
ecceeff6 | 430 | Enigmail's wiki instructions for key generation</a>.</dd> |
3a0ce704 | 431 | |
3a0ce704 | 432 | <dt class="feedback">Don't see a solution to your problem?</dt> |
ecceeff6 TG |
433 | <dd class="feedback">Please let us know on the <a |
434 | href="https://libreplanet.org/wiki/GPG_guide/Public_Review">feedback | |
435 | page</a>.</dd> | |
436 | </dl> | |
437 | ||
438 | </div><!-- /.troubleshooting --> | |
3a0ce704 | 439 | |
ecceeff6 TG |
440 | <!-- ~~~~~~~~~ Troubleshooting ~~~~~~~~~ --> |
441 | <div class="troubleshooting"> | |
442 | ||
443 | <h4>Advanced</h4> | |
444 | ||
445 | <dl> | |
446 | <dt>Command line key generation</dt> | |
447 | <dd>If you prefer using the command line for a higher | |
448 | degree of control, you can follow the documentation from <a | |
449 | href="https://www.gnupg.org/gph/en/manual/c14.html#AEN25">The GNU Privacy | |
450 | Handbook</a>. Make sure you stick with "RSA and RSA" (the default), | |
451 | because it's newer and more secure than the algorithms the documentation | |
452 | recommends. Also make sure your key is at least 2048 bits, or 4096 if you | |
453 | want to be extra secure.</dd> | |
454 | ||
455 | <dt>Advanced key pairs</dt> | |
456 | <dd>When GnuPG creates a new keypair, it compartmentalizes | |
457 | the encryption function from the signing function through <a | |
458 | href="https://wiki.debian.org/Subkeys">subkeys</a>. If you use | |
459 | subkeys carefully, you can keep your GnuPG identity much more | |
460 | secure and recover from a compromised key much more quickly. <a | |
461 | href="https://alexcabal.com/creating-the-perfect-gpg-keypair/">Alex Cabal</a> | |
462 | and <a href="http://keyring.debian.org/creating-key.html">the Debian wiki</a> | |
463 | provide good guides for setting up a secure subkey configuration.</dd> | |
3a0ce704 TG |
464 | </dl> |
465 | ||
466 | </div><!-- /.troubleshooting --> | |
467 | </div><!-- End .main --> | |
468 | </div><!-- End #step-2a .step --> | |
469 | ||
470 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
471 | <div id="step-2b" class="step"> | |
472 | <div class="main"> | |
473 | ||
474 | <h3><em>Step 2.b</em> Upload your public key to a keyserver</h3> | |
475 | ||
476 | <p>In your email program's menu, select Enigmail → Key Management.</p> | |
477 | ||
ecceeff6 TG |
478 | <p>Right click on your key and select Upload Public Keys to Keyserver. Use |
479 | the default keyserver in the popup.</p> | |
3a0ce704 | 480 | |
ecceeff6 TG |
481 | <p class="notes">Now someone who wants to send you an encrypted message can |
482 | download your public key from the Internet. There are multiple keyservers | |
483 | that you can select from the menu when you upload, but they are all copies | |
484 | of each other, so it doesn't matter which one you use. However, it sometimes | |
485 | takes a few hours for them to match each other when a new key is uploaded.</p> | |
3a0ce704 TG |
486 | |
487 | <!-- ~~~~~~~~~ Troubleshooting ~~~~~~~~~ --> | |
488 | <div class="troubleshooting"> | |
489 | ||
490 | <h4>Troubleshooting</h4> | |
491 | ||
492 | <dl> | |
ecceeff6 TG |
493 | <dt>The progress bar never finishes</dt> |
494 | <dd>Close the upload popup, make sure you are connected to the Internet, | |
495 | and try again. If that doesn't work, try again, selecting a different | |
496 | keyserver.</dd> | |
3a0ce704 | 497 | |
ecceeff6 | 498 | <dt>My key doesn't appear in the list</dt> |
3a0ce704 TG |
499 | <dd>Try checking "Display All Keys by Default."</dd> |
500 | ||
ecceeff6 TG |
501 | <dt>More documentation</dt> |
502 | <dd>If you're having trouble with our | |
503 | instructions or just want to learn more, check out <a | |
73a33f45 | 504 | href="https://www.enigmail.net/documentation/Key_Management#Distributing_your_public_key"> |
ecceeff6 TG |
505 | Enigmail's documentation</a>.</dd> |
506 | ||
3a0ce704 | 507 | <dt class="feedback">Don't see a solution to your problem?</dt> |
ecceeff6 TG |
508 | <dd class="feedback">Please let us know on the <a |
509 | href="https://libreplanet.org/wiki/GPG_guide/Public_Review">feedback | |
510 | page</a>.</dd> | |
511 | </dl> | |
512 | ||
513 | </div><!-- /.troubleshooting --> | |
3a0ce704 | 514 | |
ecceeff6 TG |
515 | <!-- ~~~~~~~~~ Troubleshooting ~~~~~~~~~ --> |
516 | <div class="troubleshooting"> | |
517 | ||
518 | <h4>Advanced</h4> | |
519 | ||
520 | <dl> | |
521 | <dt>Uploading a key from the command line</dt> | |
522 | <dd>You can also upload your keys to a keyserver through the <a | |
523 | href="https://www.gnupg.org/gph/en/manual/x457.html">command line</a>. <a | |
524 | href="https://sks-keyservers.net/overview-of-pools.php">The sks Web site</a> | |
525 | maintains a list of highly interconnected keyservers. You can also <a | |
526 | href="https://www.gnupg.org/gph/en/manual/x56.html#AEN64">directly export | |
527 | your key</a> as a file on your computer.</dd> | |
3a0ce704 TG |
528 | </dl> |
529 | ||
530 | </div><!-- /.troubleshooting --> | |
531 | </div><!-- End .main --> | |
532 | </div><!-- End #step-2b .step --> | |
533 | ||
534 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
535 | <div id="terminology" class="step"> | |
536 | <div class="main"> | |
537 | ||
538 | <h3>GnuPG, OpenPGP, what?</h3> | |
539 | ||
ecceeff6 TG |
540 | <p>In general, the terms GnuPG, GPG, GNU Privacy Guard, OpenPGP and PGP |
541 | are used interchangeably. Technically, OpenPGP (Pretty Good Privacy) is the | |
542 | encryption standard, and GNU Privacy Guard (often shortened to GPG or GnuPG) | |
543 | is the program that implements the standard. Enigmail is a plug-in program | |
544 | for your email program that provides an interface for GnuPG.</p> | |
3a0ce704 TG |
545 | |
546 | </div><!-- End .main --> | |
547 | </div><!-- End #terminology.step--> | |
548 | </div></section><!-- End #section2 --> | |
549 | ||
550 | <!-- ~~~~~~~~~ Section 3: Try it out ~~~~~~~~~ --> | |
551 | <section class="row" id="section3"><div> | |
552 | ||
553 | <!-- ~~~~~~~~~ section introduction: interspersed text ~~~~~~~~~ --> | |
554 | <div class="section-intro"> | |
555 | ||
556 | <h2><em>#3</em> Try it out!</h2> | |
557 | ||
ecceeff6 TG |
558 | <p>Now you'll try a test correspondence with a computer program named Edward, |
559 | who knows how to use encryption. Except where noted, these are the same | |
560 | steps you'd follow when corresponding with a real, live person.</p> | |
3a0ce704 | 561 | |
ecceeff6 TG |
562 | <!-- <p>NOTE: Edward is currently having some technical difficulties, so he |
563 | may take a long time to respond, or not respond at all. We're sorry about | |
564 | this and we're working hard to fix it. Your key will still work even without | |
565 | testing with Edward.</p> --> | |
3a0ce704 TG |
566 | </div><!-- End .section-intro --> |
567 | ||
568 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
569 | <div id="step-3a" class="step"> | |
570 | <div class="sidebar"> | |
571 | ||
ecceeff6 TG |
572 | <p><img |
573 | src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/section3-try-it-out.png" | |
3a0ce704 TG |
574 | alt="Try it out." /></p> |
575 | ||
576 | </div><!-- /.sidebar --> | |
577 | <div class="main"> | |
578 | ||
579 | <h3><em>Step 3.a</em> Send Edward your public key</h3> | |
580 | ||
ecceeff6 TG |
581 | <p>This is a special step that you won't have to do when corresponding |
582 | with real people. In your email program's menu, go to Enigmail → Key | |
583 | Management. You should see your key in the list that pops up. Right click | |
584 | on your key and select Send Public Keys by Email. This will create a new | |
585 | draft message, as if you had just hit the Write button.</p> | |
3a0ce704 | 586 | |
ecceeff6 TG |
587 | <p>Address the message to <a |
588 | href="mailto:edward-en@fsf.org">edward-en@fsf.org</a>. Put at least one word | |
589 | (whatever you want) in the subject and body of the email. Don't send yet.</p> | |
3a0ce704 | 590 | |
ecceeff6 TG |
591 | <p>The lock icon in the top left should be yellow, meaning encryption is |
592 | turned on. We want this first special message to be unencrypted, so | |
593 | click the icon once to turn it off. The lock should become grey, with a | |
594 | blue dot on it (to alert you that the setting has been changed from the | |
595 | default). Once encryption is off, hit Send.</p> | |
3a0ce704 | 596 | |
ecceeff6 TG |
597 | <p class="notes">It may take two or three minutes for Edward to |
598 | respond. In the meantime, you might want to skip ahead and check out the <a | |
599 | href="#section5">Use it Well</a> section of this guide. Once he's responded, | |
600 | head to the next step. From here on, you'll be doing just the same thing as | |
601 | when corresponding with a real person.</p> | |
3a0ce704 | 602 | |
ecceeff6 TG |
603 | <p>When you open Edward's reply, GnuPG may prompt you for your password |
604 | before using your private key to decrypt it.</p> | |
3a0ce704 TG |
605 | |
606 | </div><!-- End .main --> | |
607 | </div><!-- End #step-3a .step --> | |
608 | ||
609 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
610 | <div id="step-3b" class="step"> | |
611 | <div class="main"> | |
612 | ||
613 | <h3><em>Step 3.b</em> Send a test encrypted email</h3> | |
614 | ||
ecceeff6 TG |
615 | <p>Write a new email in your email program, addressed to <a |
616 | href="mailto:edward-en@fsf.org">edward-en@fsf.org</a>. Make the subject | |
617 | "Encryption test" or something similar and write something in the body.</p> | |
3a0ce704 | 618 | |
ecceeff6 TG |
619 | <p>The lock icon in the top left of the window should be yellow, meaning |
620 | encryption is on. This will be your default from now on.</p> | |
3a0ce704 | 621 | |
ecceeff6 TG |
622 | <p class="notes">Next to the lock, you'll notice an icon of a pencil. We'll |
623 | get to this in a moment.</p> | |
3a0ce704 | 624 | |
ecceeff6 TG |
625 | <p>Click Send. Enigmail will pop up a window that says "Recipients not valid, |
626 | not trusted or not found."</p> | |
3a0ce704 | 627 | |
ecceeff6 TG |
628 | <p>To encrypt an email to Edward, you need his public key, so now you'll have |
629 | Enigmail download it from a keyserver. Click Download Missing Keys and use | |
630 | the default in the pop-up that asks you to choose a keyserver. Once it finds | |
631 | keys, check the first one (Key ID starting with C), then select ok. Select | |
632 | ok in the next pop-up.</p> | |
3a0ce704 | 633 | |
ecceeff6 TG |
634 | <p>Now you are back at the "Recipients not valid, not trusted or not found" |
635 | screen. Check the box in front of Edward's key and click Send.</p> | |
3a0ce704 | 636 | |
ecceeff6 TG |
637 | <p class="notes">Since you encrypted this email with Edward's public key, |
638 | Edward's private key is required to decrypt it. Edward is the only one with | |
639 | his private key, so no one except him can decrypt it.</p> | |
3a0ce704 TG |
640 | |
641 | <!-- ~~~~~~~~~ Troubleshooting ~~~~~~~~~ --> | |
642 | <div class="troubleshooting"> | |
643 | ||
644 | <h4>Troubleshooting</h4> | |
645 | ||
646 | <dl> | |
647 | <dt>Enigmail can't find Edward's key</dt> | |
ecceeff6 TG |
648 | <dd>Close the pop-ups that have appeared since you clicked Send. Make sure |
649 | you are connected to the Internet and try again. If that doesn't work, repeat | |
650 | the process, choosing a different keyserver when it asks you to pick one.</dd> | |
651 | ||
652 | <dt>Unscrambled messages in the Sent folder</dt> | |
653 | <dd>Even though you can't decrypt messages encrypted to someone else's key, | |
654 | your email program will automatically save a copy encrypted to your public key, | |
655 | which you'll be able to view from the Sent folder like a normal email. This | |
656 | is normal, and it doesn't mean that your email was not sent encrypted.</dd> | |
657 | ||
658 | <dt>More resources</dt> | |
659 | <dd>If you're still having trouble with our | |
660 | instructions or just want to learn more, check out <a | |
73a33f45 | 661 | href="https://www.enigmail.net/documentation/Signature_and_Encryption#Encrypting_a_message"> |
ecceeff6 | 662 | Enigmail's wiki</a>.</dd> |
3a0ce704 TG |
663 | |
664 | <dt class="feedback">Don't see a solution to your problem?</dt> | |
ecceeff6 TG |
665 | <dd class="feedback">Please let us know on the <a |
666 | href="https://libreplanet.org/wiki/GPG_guide/Public_Review">feedback | |
667 | page</a>.</dd> | |
668 | </dl> | |
669 | ||
670 | </div><!-- /.troubleshooting --> | |
671 | ||
672 | <!-- ~~~~~~~~~ Troubleshooting ~~~~~~~~~ --> | |
673 | <div class="troubleshooting"> | |
674 | ||
675 | <h4>Advanced</h4> | |
3a0ce704 | 676 | |
ecceeff6 TG |
677 | <dl> |
678 | <dt>Encrypt messages from the command line</dt> | |
679 | <dd>You can also encrypt and decrypt messages and files from the <a | |
680 | href="https://www.gnupg.org/gph/en/manual/x110.html">command line</a>, | |
681 | if that's your preference. The option --armor makes the encrypted output | |
682 | appear in the regular character set.</dd> | |
3a0ce704 TG |
683 | </dl> |
684 | ||
685 | </div><!-- /.troubleshooting --> | |
686 | </div><!-- End .main --> | |
687 | </div><!-- End #step-3b .step --> | |
688 | ||
689 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
690 | <div id="step-headers_unencrypted" class="step"> | |
691 | <div class="main"> | |
692 | ||
693 | <h3><em>Important:</em> Security tips</h3> | |
694 | ||
ecceeff6 TG |
695 | <p>Even if you encrypt your email, the subject line is not encrypted, so |
696 | don't put private information there. The sending and receiving addresses | |
697 | aren't encrypted either, so a surveillance system can still figure out who | |
698 | you're communicating with. Also, surveillance agents will know that you're | |
699 | using GnuPG, even if they can't figure out what you're saying. When you | |
700 | send attachments, Enigmail will give you the choice to encrypt them or not, | |
701 | independent of the actual email.</p> | |
3a0ce704 | 702 | |
6edab4fd TG |
703 | <!-- START DELETION 10, KEEP IN index --> |
704 | <p>For greater security against potential attacks, you can turn off | |
705 | HTML. Instead, you can render the message body as plain text. In order | |
706 | to do this in Thunderbird, go to View > Message Body As > Plain | |
707 | Text.</p> | |
708 | <!-- END DELETION 10 --> | |
709 | <!-- START DELETION 11, KEEP IN mac windows --> | |
710 | <p>For greater security against potential attacks, you can turn off | |
711 | HTML. Instead, you can render the message body as plain text.</p> | |
712 | <!-- END DELETION 11 --> | |
713 | ||
3a0ce704 TG |
714 | </div><!-- End .main --> |
715 | </div><!-- End #step-headers_unencrypted .step--> | |
716 | ||
717 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
718 | <div id="step-3c" class="step"> | |
719 | <div class="main"> | |
720 | ||
721 | <h3><em>Step 3.c</em> Receive a response</h3> | |
722 | ||
ecceeff6 TG |
723 | <p>When Edward receives your email, he will use his private key to decrypt |
724 | it, then use your public key (which you sent him in <a href="#step-3a">Step | |
725 | 3.A</a>) to encrypt his reply to you.</p> | |
3a0ce704 | 726 | |
ecceeff6 TG |
727 | <p class="notes">It may take two or three minutes for Edward to |
728 | respond. In the meantime, you might want to skip ahead and check out the <a | |
729 | href="#section5">Use it Well</a> section of this guide.</p> | |
3a0ce704 | 730 | |
ecceeff6 TG |
731 | <p>When you receive Edward's email and open it, Enigmail will automatically |
732 | detect that it is encrypted with your public key, and then it will use your | |
733 | private key to decrypt it.</p> | |
3a0ce704 | 734 | |
ecceeff6 TG |
735 | <p>Notice the bar that Enigmail shows you above the message, with information |
736 | about the status of Edward's key.</p> | |
3a0ce704 TG |
737 | |
738 | </div><!-- End .main --> | |
739 | </div><!-- End #step-3c .step --> | |
740 | ||
ecceeff6 TG |
741 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> |
742 | <div id="step-3d" class="step"> | |
3a0ce704 TG |
743 | <div class="main"> |
744 | ||
ecceeff6 | 745 | <h3><em>Step 3.d</em> Send a test signed email</h3> |
3a0ce704 | 746 | |
ecceeff6 TG |
747 | <p>GnuPG includes a way for you to sign messages and files, verifying that |
748 | they came from you and that they weren't tampered with along the way. These | |
749 | signatures are stronger than their pen-and-paper cousins -- they're impossible | |
750 | to forge, because they're impossible to create without your private key | |
751 | (another reason to keep your private key safe).</p> | |
3a0ce704 | 752 | |
ecceeff6 TG |
753 | <p>You can sign messages to anyone, so it's a great way to make people |
754 | aware that you use GnuPG and that they can communicate with you securely. If | |
755 | they don't have GnuPG, they will be able to read your message and see your | |
756 | signature. If they do have GnuPG, they'll also be able to verify that your | |
757 | signature is authentic.</p> | |
3a0ce704 | 758 | |
ecceeff6 TG |
759 | <p>To sign an email to Edward, compose any message to him and click the |
760 | pencil icon next to the lock icon so that it turns gold. If you sign a | |
761 | message, GnuPG may ask you for your password before it sends the message, | |
762 | because it needs to unlock your private key for signing.</p> | |
3a0ce704 | 763 | |
ecceeff6 TG |
764 | <p>With the lock and pencil icons, you can choose whether each message will |
765 | be encrypted, signed, both, or neither.</p> | |
766 | ||
767 | </div> | |
3a0ce704 | 768 | </div> |
ecceeff6 TG |
769 | |
770 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
771 | <div id="step-3e" class="step"> | |
772 | <div class="main"> | |
773 | ||
774 | <h3><em>Step 3.e</em> Receive a response</h3> | |
775 | ||
776 | <p>When Edward receives your email, he will use your public key (which you | |
777 | sent him in <a href="#step-3a">Step 3.A</a>) to verify that your signature | |
778 | is authentic and the message you sent has not been tampered with.</p> | |
779 | ||
780 | <p class="notes">It may take two or three minutes for Edward to | |
781 | respond. In the meantime, you might want to skip ahead and check out the <a | |
782 | href="#section5">Use it Well</a> section of this guide.</p> | |
783 | ||
784 | <p>Edward's reply will arrive encrypted, because he prefers to use encryption | |
785 | whenever possible. If everything goes according to plan, it should say | |
786 | "Your signature was verified." If your test signed email was also encrypted, | |
787 | he will mention that first.</p> | |
788 | ||
789 | </div><!-- End .main --> | |
790 | </div><!-- End #step-3e .step --> | |
791 | </div></section> | |
3a0ce704 TG |
792 | |
793 | <!-- ~~~~~~~~~ Section 4: Learn the Web of Trust ~~~~~~~~~ --> | |
794 | <section class="row" id="section4"><div> | |
795 | ||
796 | <!-- ~~~~~~~~~ section introduction: interspersed text ~~~~~~~~~ --> | |
797 | <div class="section-intro"> | |
798 | ||
799 | <h2><em>#4</em> Learn the Web of Trust</h2> | |
800 | ||
ecceeff6 TG |
801 | <p>Email encryption is a powerful technology, but it has a weakness; |
802 | it requires a way to verify that a person's public key is actually | |
803 | theirs. Otherwise, there would be no way to stop an attacker from making | |
804 | an email address with your friend's name, creating keys to go with it and | |
805 | impersonating your friend. That's why the free software programmers that | |
806 | developed email encryption created keysigning and the Web of Trust.</p> | |
3a0ce704 | 807 | |
ecceeff6 TG |
808 | <p>When you sign someone's key, you are publicly saying that you've verified |
809 | that it belongs to them and not someone else.</p> | |
3a0ce704 | 810 | |
ecceeff6 TG |
811 | <p>Signing keys and signing messages use the same type of mathematical |
812 | operation, but they carry very different implications. It's a good practice | |
813 | to generally sign your email, but if you casually sign people's keys, you | |
814 | may accidently end up vouching for the identity of an imposter.</p> | |
3a0ce704 | 815 | |
ecceeff6 TG |
816 | <p>People who use your public key can see who has signed it. Once you've |
817 | used GnuPG for a long time, your key may have hundreds of signatures. You | |
818 | can consider a key to be more trustworthy if it has many signatures from | |
819 | people that you trust. The Web of Trust is a constellation of GnuPG users, | |
820 | connected to each other by chains of trust expressed through signatures.</p> | |
3a0ce704 TG |
821 | |
822 | </div><!-- End .section-intro --> | |
823 | ||
824 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
825 | <div id="step-4a" class="step"> | |
826 | <div class="sidebar"> | |
827 | ||
ecceeff6 TG |
828 | <p><img |
829 | src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/section4-web-of-trust.png" | |
3a0ce704 TG |
830 | alt="Section 4: Web of Trust" /></p> |
831 | ||
832 | </div><!-- /.sidebar --> | |
833 | <div class="main"> | |
834 | ||
835 | <h3><em>Step 4.a</em> Sign a key</h3> | |
836 | ||
837 | <p>In your email program's menu, go to Enigmail → Key Management.</p> | |
838 | ||
ecceeff6 TG |
839 | <p>Right click on Edward's public key and select Sign Key from the context |
840 | menu.</p> | |
3a0ce704 TG |
841 | |
842 | <p>In the window that pops up, select "I will not answer" and click ok.</p> | |
843 | ||
ecceeff6 TG |
844 | <p>Now you should be back at the Key Management menu. Select Keyserver → |
845 | Upload Public Keys and hit ok.</p> | |
3a0ce704 | 846 | |
ecceeff6 TG |
847 | <p class="notes">You've just effectively said "I trust that Edward's public |
848 | key actually belongs to Edward." This doesn't mean much because Edward isn't | |
849 | a real person, but it's good practice.</p> | |
3a0ce704 TG |
850 | |
851 | <!--<div id="pgp-pathfinder"> | |
852 | ||
ecceeff6 TG |
853 | <form enctype="application/x-www-form-urlencoded" action="/mk_path.cgi" |
854 | method="get"> | |
3a0ce704 | 855 | |
360881f1 | 856 | <p><strong>From:</strong><input type="text" value="xD41A008" |
ecceeff6 | 857 | name="FROM"></p> |
3a0ce704 | 858 | |
360881f1 | 859 | <p><strong>To:</strong><input type="text" value="50BD01x4" name="TO"></p> |
3a0ce704 | 860 | |
ecceeff6 TG |
861 | <p class="buttons"><input type="submit" value="trust paths" name="PATHS"><input |
862 | type="reset" value="reset" name=".reset"></p> | |
3a0ce704 TG |
863 | |
864 | </form> | |
865 | ||
ecceeff6 | 866 | </div>End #pgp-pathfinder --> |
3a0ce704 TG |
867 | </div><!-- End .main --> |
868 | </div><!-- End #step-4a .step --> | |
869 | ||
870 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
ecceeff6 | 871 | <div id="step-identify_keys" class="step"> |
3a0ce704 TG |
872 | <div class="main"> |
873 | ||
ecceeff6 TG |
874 | <h3>Identifying keys: Fingerprints and IDs</h3> |
875 | ||
876 | <p>People's public keys are usually identified by their key fingerprint, | |
877 | which is a string of digits like F357AA1A5B1FA42CFD9FE52A9FF2194CC09A61E8 | |
878 | (for Edward's key). You can see the fingerprint for your public key, and | |
879 | other public keys saved on your computer, by going to Enigmail → Key | |
880 | Management in your email program's menu, then right clicking on the key | |
881 | and choosing Key Properties. It's good practice to share your fingerprint | |
882 | wherever you share your email address, so that people can double-check that | |
883 | they have the correct public key when they download yours from a keyserver.</p> | |
884 | ||
1c445281 TG |
885 | <p class="notes">You may also see public keys referred to by a shorter |
886 | key ID. This key ID is visible directly from the Key Management | |
887 | window. These eight character key IDs were previously used for | |
888 | identification, which used to be safe, but is no longer reliable. You | |
889 | need to check the full fingerprint as part of verifying you have the | |
890 | correct key for the person you are trying to contact. Spoofing, in | |
891 | which someone intentionally generates a key with a fingerprint whose | |
892 | final eight characters are the same as another, is unfortunately | |
893 | common.</p> | |
ecceeff6 TG |
894 | |
895 | </div><!-- End .main --> | |
896 | </div><!-- End #step-identify_keys .step--> | |
897 | ||
898 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
899 | <div id="check-ids-before-signing" class="step"> | |
900 | <div class="main"> | |
901 | ||
902 | <h3><em>Important:</em> What to consider when signing keys</h3> | |
903 | ||
904 | <p>Before signing a person's key, you need to be confident that it actually | |
905 | belongs to them, and that they are who they say they are. Ideally, this | |
906 | confidence comes from having interactions and conversations with them over | |
907 | time, and witnessing interactions between them and others. Whenever signing | |
908 | a key, ask to see the full public key fingerprint, and not just the shorter | |
909 | key ID. If you feel it's important to sign the key of someone you've just | |
910 | met, also ask them to show you their government identification, and make | |
911 | sure the name on the ID matches the name on the public key. In Enigmail, | |
912 | answer honestly in the window that pops up and asks "How carefully have you | |
913 | verified that the key you are about to sign actually belongs to the person(s) | |
914 | named above?"</p> | |
915 | ||
916 | <!-- ~~~~~~~~~ Troubleshooting ~~~~~~~~~ --> | |
917 | <div class="troubleshooting"> | |
3a0ce704 | 918 | |
ecceeff6 | 919 | <h4>Advanced</h4> |
3a0ce704 | 920 | |
ecceeff6 TG |
921 | <dl> |
922 | <dt>Master the Web of Trust</dt> | |
923 | <dd>Unfortunately, trust does not spread between users the way <a | |
924 | href="http://fennetic.net/irc/finney.org/~hal/web_of_trust.html">many people | |
925 | think</a>. One of best ways to strengthen the GnuPG community is to deeply <a | |
926 | href="https://www.gnupg.org/gph/en/manual/x334.html">understand</a> the Web of | |
927 | Trust and to carefully sign as many people's keys as circumstances permit.</dd> | |
928 | ||
929 | <dt>Set ownertrust</dt> | |
930 | <dd>If you trust someone enough to validate other people's keys, you can assign | |
931 | them an ownertrust level through Enigmails's key management window. Right | |
932 | click on the other person's key, go to the "Select Owner Trust" menu option, | |
933 | select the trustlevel and click OK. Only do this once you feel you have a | |
934 | deep understanding of the Web of Trust.</dd> | |
935 | </dl> | |
936 | ||
937 | </div><!-- /.troubleshooting --> | |
3a0ce704 | 938 | </div><!-- End .main --> |
ecceeff6 | 939 | </div><!-- End #check-ids-before-signing .step--> |
3a0ce704 TG |
940 | </div></section><!-- End #section4 --> |
941 | ||
942 | <!-- ~~~~~~~~~ Section 5: Use it well ~~~~~~~~~ --> | |
943 | <section id="section5" class="row"><div> | |
944 | ||
945 | <!-- ~~~~~~~~~ section introduction: interspersed text ~~~~~~~~~ --> | |
946 | <div class="section-intro"> | |
947 | ||
948 | <h2><em>#5</em> Use it well</h2> | |
949 | ||
ecceeff6 TG |
950 | <p>Everyone uses GnuPG a little differently, but it's important to follow |
951 | some basic practices to keep your email secure. Not following them, you | |
952 | risk the privacy of the people you communicate with, as well as your own, | |
953 | and damage the Web of Trust.</p> | |
3a0ce704 TG |
954 | |
955 | </div><!-- End .section-intro --> | |
956 | ||
957 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
958 | <div id="step-5a" class="step"> | |
959 | <div class="sidebar"> | |
960 | ||
ecceeff6 TG |
961 | <p><img |
962 | src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/section5-01-use-it-well.png" | |
3a0ce704 TG |
963 | alt="Section 5: Use it Well (1)" /></p> |
964 | ||
965 | </div><!-- /.sidebar --> | |
966 | <div class="main"> | |
967 | ||
ecceeff6 | 968 | <h3>When should I encrypt? When should I sign?</h3> |
3a0ce704 | 969 | |
ecceeff6 TG |
970 | <p>The more you can encrypt your messages, the better. If you only encrypt |
971 | emails occasionally, each encrypted message could raise a red flag for | |
972 | surveillance systems. If all or most of your email is encrypted, people | |
973 | doing surveillance won't know where to start. That's not to say that only | |
974 | encrypting some of your email isn't helpful -- it's a great start and it | |
975 | makes bulk surveillance more difficult.</p> | |
3a0ce704 | 976 | |
ecceeff6 TG |
977 | <p>Unless you don't want to reveal your own identity (which requires other |
978 | protective measures), there's no reason not to sign every message, whether or | |
979 | not you are encrypting. In addition to allowing those with GnuPG to verify | |
980 | that the message came from you, signing is a non-intrusive way to remind | |
981 | everyone that you use GnuPG and show support for secure communication. If you | |
982 | often send signed messages to people that aren't familiar with GnuPG, it's | |
983 | nice to also include a link to this guide in your standard email signature | |
984 | (the text kind, not the cryptographic kind).</p> | |
3a0ce704 TG |
985 | |
986 | </div><!-- End .main --> | |
987 | </div><!-- End #step-5a .step --> | |
988 | ||
989 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
990 | <div id="step-5b" class="step"> | |
991 | <div class="sidebar"> | |
992 | ||
ecceeff6 TG |
993 | <p><img |
994 | src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/section5-02-use-it-well.png" | |
3a0ce704 TG |
995 | alt="Section 5: Use it Well (2)" /></p> |
996 | ||
997 | </div><!-- /.sidebar --> | |
998 | <div class="main"> | |
999 | ||
ecceeff6 | 1000 | <h3>Be wary of invalid keys</h3> |
3a0ce704 | 1001 | |
ecceeff6 TG |
1002 | <p>GnuPG makes email safer, but it's still important to watch out for invalid |
1003 | keys, which might have fallen into the wrong hands. Email encrypted with | |
1004 | invalid keys might be readable by surveillance programs.</p> | |
3a0ce704 | 1005 | |
ecceeff6 TG |
1006 | <p>In your email program, go back to the first encrypted email that Edward |
1007 | sent you. Because Edward encrypted it with your public key, it will have a | |
1008 | message from Enigmail at the top, which most likely says "Enigmail: Part of | |
1009 | this message encrypted."</p> | |
3a0ce704 | 1010 | |
ecceeff6 | 1011 | <p><b>When using GnuPG, make a habit of glancing at that bar. The program |
0f3c2a99 | 1012 | will warn you there if you get an email signed with a key that can't |
ecceeff6 | 1013 | be trusted.</b></p> |
3a0ce704 TG |
1014 | |
1015 | </div><!-- End .main --> | |
1016 | </div><!-- End #step-5b .step --> | |
1017 | ||
1018 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
1019 | <div id="step-5c" class="step"> | |
1020 | <div class="main"> | |
1021 | ||
1022 | <h3>Copy your revocation certificate to somewhere safe</h3> | |
1023 | ||
ecceeff6 TG |
1024 | <p>Remember when you created your keys and saved the revocation certificate |
1025 | that GnuPG made? It's time to copy that certificate onto the safest digital | |
1026 | storage that you have -- the ideal thing is a flash drive, disk, or hard | |
1027 | drive stored in a safe place in your home, not on a device you carry with | |
1028 | you regularly.</p> | |
3a0ce704 | 1029 | |
ecceeff6 TG |
1030 | <p>If your private key ever gets lost or stolen, you'll need this certificate |
1031 | file to let people know that you are no longer using that keypair.</p> | |
3a0ce704 TG |
1032 | |
1033 | </div><!-- End .main --> | |
1034 | </div><!-- End #step-5c .step --> | |
1035 | ||
1036 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
1037 | <div id="step-lost_key" class="step"> | |
1038 | <div class="main"> | |
1039 | ||
1040 | <h3><em>Important:</em> act swiftly if someone gets your private key</h3> | |
1041 | ||
ecceeff6 TG |
1042 | <p>If you lose your private key or someone else gets ahold |
1043 | of it (say, by stealing or cracking your computer), it's | |
1044 | important to revoke it immediately before someone else uses | |
1045 | it to read your encrypted email or forge your signature. This | |
1046 | guide doesn't cover how to revoke a key, but you can follow these <a | |
1047 | href="https://www.hackdiary.com/2004/01/18/revoking-a-gpg-key/">instructions</a>. | |
1048 | After you're done revoking, make a new key and send an email to everyone | |
1049 | with whom you usually use your key to make sure they know, including a copy | |
1050 | of your new key.</p> | |
3a0ce704 TG |
1051 | |
1052 | </div><!-- End .main --> | |
1053 | </div><!-- End #step-lost_key .step--> | |
1054 | ||
ecceeff6 TG |
1055 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> |
1056 | <!---<div id="transfer-key" class="step"> | |
1057 | <div class="main"> | |
1058 | ||
1059 | <h3>Transferring you key</h3> | |
1060 | ||
1061 | <p>You can use Enigmail's <a | |
73a33f45 | 1062 | href="https://www.enigmail.net/documentation/Key_Management">key management |
ecceeff6 TG |
1063 | window</a> to import and export keys. If you want to be able to read |
1064 | your encrypted email on a different computer, you will need to export | |
1065 | your secret key from here. Be warned, if you transfer the key without <a | |
1066 | href="https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage">encrypting</a> | |
1067 | the drive it's on the transfer will be dramatically less secure.</p> | |
1068 | ||
1069 | </div>--><!-- End .main | |
1070 | </div> End #transfer-key .step--> | |
1071 | ||
1072 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ --> | |
1073 | <div id="webmail-and-GnuPG" class="step"> | |
1074 | <div class="main"> | |
1075 | ||
1076 | <h3>Webmail and GnuPG</h3> | |
1077 | ||
1078 | <p>When you use a web browser to access your email, you're using webmail, | |
1079 | an email program stored on a distant website. Unlike webmail, your desktop | |
1080 | email program runs on your own computer. Although webmail can't decrypt | |
1081 | encrypted email, it will still display it in its encrypted form. If you | |
1082 | primarily use webmail, you'll know to open your email client when you receive | |
1083 | a scrambled email.</p> | |
1084 | ||
1085 | </div><!-- End .main --> | |
1086 | </div><!-- End #webmail-and-GnuPG .step--> | |
1087 | ||
3a0ce704 TG |
1088 | <!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ |
1089 | <div id="step-5d" class="step"> | |
1090 | <div class="main"> | |
1091 | ||
1092 | <h3>Make your public key part of your online identity</h3> | |
1093 | ||
ecceeff6 TG |
1094 | <p> First add your public key fingerprint to your email signature, then |
1095 | compose an email to at least five of your friends, telling them you just | |
1096 | set up GnuPG and mentioning your public key fingerprint. Link to this guide | |
1097 | and ask them to join you. Don't forget that there's also an awesome <a | |
1098 | href="infographic.html">infographic to share.</a></p> | |
3a0ce704 | 1099 | |
ecceeff6 TG |
1100 | <p class="notes">Start writing your public key fingerprint anywhere someone |
1101 | would see your email address: your social media profiles, blog, Website, | |
1102 | or business card. (At the Free Software Foundation, we put ours on our | |
1103 | <a href="https://fsf.org/about/staff">staff page</a>.) We need to get our | |
1104 | culture to the point that we feel like something is missing when we see an | |
1105 | email address without a public key fingerprint.</p> | |
3a0ce704 | 1106 | |
ecceeff6 | 1107 | </div>--><!-- End .main |
3a0ce704 TG |
1108 | </div> End #step-5d .step--> |
1109 | </div></section><!-- End #section5 --> | |
1110 | ||
1111 | <!-- ~~~~~~~~~ Section 6: Next steps ~~~~~~~~~ --> | |
1112 | <section class="row" id="section6"> | |
1113 | <div id="step-click_here" class="step"> | |
1114 | <div class="main"> | |
1115 | ||
1116 | <h2><a href="next_steps.html">Great job! Check out the next steps.</a></h2> | |
1117 | ||
1118 | </div><!-- End .main --> | |
1119 | </div><!-- End #step-click_here .step--> | |
1120 | </section><!-- End #section6 --> | |
1121 | ||
1122 | <!-- ~~~~~~~~~ FAQ ~~~~~~~~~ --> | |
ecceeff6 TG |
1123 | <!-- When un-commenting this section go to main.css and search |
1124 | for /* Guide Sections Background */ then add #faq to the desired color | |
1125 | <section class="row" id="faq"><div> | |
3a0ce704 TG |
1126 | <div class="sidebar"> |
1127 | ||
1128 | <h2>FAQ</h2> | |
1129 | ||
1130 | </div> | |
1131 | <div class="main"> | |
1132 | ||
1133 | <dl> | |
1134 | <dt>My key expired</dt> | |
3a0ce704 TG |
1135 | <dd>Answer coming soon.</dd> |
1136 | ||
1137 | <dt>Who can read encrypted messages? Who can read signed ones?</dt> | |
3a0ce704 TG |
1138 | <dd>Answer coming soon.</dd> |
1139 | ||
ecceeff6 TG |
1140 | <dt>My email program is opening at times I don't want it to open/is now my |
1141 | default program and I don't want it to be.</dt> | |
3a0ce704 TG |
1142 | <dd>Answer coming soon.</dd> |
1143 | </dl> | |
1144 | ||
1145 | </div> | |
1146 | </div> | |
1147 | </section> --><!-- End #faq --> | |
1148 | ||
1149 | <!-- include virtual="footer.html" --> | |
1150 | ||
1151 | <!-- include virtual="javascript.html" --> |