From: zoe1 Date: Thu, 8 Jul 2021 00:37:50 +0000 (+0200) Subject: images & final changes X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=8b0ae813cdf437f54a47872051c545f910e50b62;p=enc-live.git images & final changes --- diff --git a/en/confirmation.html b/en/confirmation.html index ffe2a6e..40685a1 100644 --- a/en/confirmation.html +++ b/en/confirmation.html @@ -63,7 +63,7 @@ href="index.html">Email Self-Defense

alt="Free Software Foundation" src="//static.fsf.org/nosvn/enc-dev0/img/fsf-logo.png" /> -

Copyright © 2014-2016 Copyright © 2014-2021 Free Software Foundation, Inc. Privacy Policy. Please support our work by joining us as an associate diff --git a/en/emailselfdefense_source.zip b/en/emailselfdefense_source.zip index f1fb156..e8d6442 100644 Binary files a/en/emailselfdefense_source.zip and b/en/emailselfdefense_source.zip differ diff --git a/en/index.html b/en/index.html index e212027..d0c05f9 100644 --- a/en/index.html +++ b/en/index.html @@ -676,7 +676,7 @@ is the program that implements the standard. Most email programs provide an inte

#2 Make your keys

-

A robot with a head shaped like a key holding a private and a public key

+

A robot with a head shaped like a key holding a private and a public key

To use the GnuPG system, you'll need a public key and a private key (known together as a keypair). Each is a long string of randomly generated numbers @@ -983,7 +983,7 @@ page.

#4 Try it out!

-

Illustration of a person in a house with a cat connected to a server

+

Illustration of a person in a house with a cat connected to a server

Now you'll try a test correspondence with a computer program named Edward, who knows how to use encryption. Except where noted, these are the same steps you'd follow when corresponding with a real, live person.

@@ -1233,7 +1233,7 @@ then it will use your private key to decrypt it.

#5 Learn the Web of Trust

-

Illustration of keys all interconnected with a web of lines

+

Illustration of keys all interconnected with a web of lines

Email encryption is a powerful technology, but it has a weakness; it requires a way to verify that a person's public key is actually @@ -1380,7 +1380,7 @@ and damage the Web of Trust.

@@ -1412,7 +1412,7 @@ nice to also include a link to this guide in your standard email signature diff --git a/en/infographic.html b/en/infographic.html index ca9e43d..e99561c 100644 --- a/en/infographic.html +++ b/en/infographic.html @@ -45,7 +45,7 @@ with the hashtag #EmailSelfDefense

View & share our infographic

← Read the full guide

diff --git a/en/mac.html b/en/mac.html deleted file mode 100644 index 56a9e75..0000000 --- a/en/mac.html +++ /dev/null @@ -1,1166 +0,0 @@ - - - - -Email Self-Defense - a guide to fighting surveillance with GnuPG -encryption - - - - - - - -

Due to Enigmail's PGP functionality being migrated into Icedove and Thunderbird, steps 2 and 3 of the guide are currently out of date.

Thank you for your patience while we're working on a new round of updates.

- - - - - -
- - -
- -

#1 Get the pieces

- -

This guide relies on software which is freely licensed; it's -completely transparent and anyone can copy it or make their own version. This -makes it safer from surveillance than proprietary software (like Windows or Mac -OS). To defend your freedom as well as protect yourself from surveillance, we -recommend you switch to a free software operating system like GNU/Linux. Learn -more about free software at fsf.org.

- -

To get started, you'll need the IceDove desktop email program installed -on your computer. For your system, IceDove may be known by the alternate name -"Thunderbird." Email programs are another way to access the same email accounts -you can access in a browser (like Gmail), but provide extra features.

- -

If you already have an email program, you can skip to Step 1.b.

- -
- - -
- -
- -

Step 1.a Set up your email program with your email account

- -

Open your email program and follow the wizard (step-by-step walkthrough) -that sets it up with your email account.

- -

Look for the letters SSL, TLS, or STARTTLS to the right of the servers -when you're setting up your account. If you don't see them, you will still -be able to use encryption, but this means that the people running your email -system are running behind the industry standard in protecting your security -and privacy. We recommend that you send them a friendly email asking them -to enable SSL, TLS, or STARTTLS for your email server. They will know what -you're talking about, so it's worth making the request even if you aren't -an expert on these security systems.

- - -
- -

Troubleshooting

- -
-
The wizard doesn't launch
-
You can launch the wizard yourself, but the menu option for doing so is -named differently in each email program. The button to launch it will be in -the program's main menu, under "New" or something similar, titled something -like "Add account" or "New/Existing email account."
- -
The wizard can't find my account or isn't downloading my mail
-
Before searching the Web, we recommend you start by asking other people -who use your email system, to figure out the correct settings.
- - - -
- -
-
-
- - -
-
- -

Step 1.b Get GnuPG by downloading GPGTools

- -

GPGTools is a software package that includes GnuPG. Download and install it, choosing -default options whenever asked. After it's installed, you can close any -windows that it creates.

- -

There are major security flaws in versions of GnuPG provided by GPGTools -prior to 2018.3. Make sure you have GPGTools 2018.3 or later.

- -
-
- - -
- -
- -

Step 1.c Install the Enigmail plugin for your email program

- -

In your email program's menu, select Add-ons (it may be in the Tools -section). Make sure Extensions is selected on the left. Do you see Enigmail? -Make sure it's the latest version. If so, skip this step.

- -

If not, search "Enigmail" with the search bar in the upper right. You -can take it from here. Restart your email program when you're done.

- -

There are major security flaws in Enigmail prior to version 2.0.7. Make -sure you have Enigmail 2.0.7 or later.

- - -
- -

Troubleshooting

- -
-
I can't find the menu.
-
In many new email programs, the main menu is represented by an image of -three stacked horizontal bars.
- -
My email looks weird
-
Enigmail doesn't tend to play nice with HTML, which is used to format -emails, so it may disable your HTML formatting automatically. To send an -HTML-formatted email without encryption or a signature, hold down the Shift -key when you select compose. You can then write an email as if Enigmail -wasn't there.
- - - -
- -
-
-
-
- - -
- - -
- -

#2 Make your keys

- -

To use the GnuPG system, you'll need a public key and a private key (known -together as a keypair). Each is a long string of randomly generated numbers -and letters that are unique to you. Your public and private keys are linked -together by a special mathematical function.

- -

Your public key isn't like a physical key, because it's stored in the open -in an online directory called a keyserver. People download it and use it, -along with GnuPG, to encrypt emails they send to you. You can think of the -keyserver as a phonebook; people who want to send you encrypted email can -look up your public key.

- -

Your private key is more like a physical key, because you keep it to -yourself (on your computer). You use GnuPG and your private key together to -descramble encrypted emails other people send to you. You should never share your private key with anyone, under any -circumstances.

- -

In addition to encryption and decryption, you can also use these keys to -sign messages and check the authenticity of other people's signatures. We'll -discuss this more in the next section.

- -
- - -
- -
- -

Step 2.a Make a keypair

- -

The Enigmail Setup wizard may start automatically. If it doesn't, select -Enigmail → Setup Wizard from your email program's menu. You don't need -to read the text in the window that pops up unless you'd like to, but it's -good to read the text on the later screens of the wizard. Click Next with -the default options selected, except in these instances, which are listed -in the order they appear:

- -
    -
  • On the screen titled "Encryption," select "Encrypt all of my messages -by default, because privacy is critical to me."
  • - -
  • On the screen titled "Signing," select "Don't sign my messages by -default."
  • - -
  • On the screen titled "Key Selection," select "I want to create a new -key pair for signing and encrypting my email."
  • - -
  • On the screen titled "Create Key," pick a strong password! You can -do it manually, or you can use the Diceware method. Doing it manually -is faster but not as secure. Using Diceware takes longer and requires -dice, but creates a password that is much harder for attackers to figure -out. To use it, read the section "Make a secure passphrase with Diceware" in -this article by Micah Lee.
  • -
- -

If you'd like to pick a password manually, come up with something -you can remember which is at least twelve characters long, and includes -at least one lower case and upper case letter and at least one number or -punctuation symbol. Never pick a password you've used elsewhere. Don't use -any recognizable patterns, such as birthdays, telephone numbers, pets' names, -song lyrics, quotes from books, and so on.

- -

The program will take a little while to finish the next -step, the "Key Creation" screen. While you wait, do something else with your -computer, like watching a movie or browsing the Web. The more you use the -computer at this point, the faster the key creation will go.

- -

When the "Key Generation Completed" screen -pops up, select Generate Certificate and choose to save it in a safe place on -your computer (we recommend making a folder called "Revocation Certificate" -in your home folder and keeping it there). This step is essential for your -email self-defense, as you'll learn more about in Section -5.

- - -
- -

Troubleshooting

- -
-
I can't find the Enigmail menu.
-
In many new email programs, the main menu is represented by an image -of three stacked horizontal bars. Enigmail may be inside a section called -Tools.
- -
More resources
-
If you're having trouble with our -instructions or just want to learn more, check out -Enigmail's wiki instructions for key generation.
- - - -
- -
- - -
- -

Advanced

- -
-
Command line key generation
-
If you prefer using the command line for a higher -degree of control, you can follow the documentation from The GNU Privacy -Handbook. Make sure you stick with "RSA and RSA" (the default), -because it's newer and more secure than the algorithms the documentation -recommends. Also make sure your key is at least 2048 bits, or 4096 if you -want to be extra secure.
- -
Advanced key pairs
-
When GnuPG creates a new keypair, it compartmentalizes -the encryption function from the signing function through subkeys. If you use -subkeys carefully, you can keep your GnuPG identity much more -secure and recover from a compromised key much more quickly. Alex Cabal -and the Debian wiki -provide good guides for setting up a secure subkey configuration.
-
- -
-
-
- - -
-
- -

Step 2.b Upload your public key to a keyserver

- -

In your email program's menu, select Enigmail → Key Management.

- -

Right click on your key and select Upload Public Keys to Keyserver. You -don't have to use the default keyserver. If, after research, you would like -to change to a different default keyserver, you can change that setting -manually in the Enigmail preferences.

- -

Now someone who wants to send you an encrypted message can -download your public key from the Internet. There are multiple keyservers -that you can select from the menu when you upload, but they are all copies -of each other, so it doesn't matter which one you use. However, it sometimes -takes a few hours for them to match each other when a new key is uploaded.

- - -
- -

Troubleshooting

- -
-
The progress bar never finishes
-
Close the upload popup, make sure you are connected to the Internet, -and try again. If that doesn't work, try again, selecting a different -keyserver.
- -
My key doesn't appear in the list
-
Try checking "Display All Keys by Default."
- -
More documentation
-
If you're having trouble with our -instructions or just want to learn more, check out -Enigmail's documentation.
- - - -
- -
- - -
- -

Advanced

- -
-
Uploading a key from the command line
-
You can also upload your keys to a keyserver through the command line. The sks Web site -maintains a list of highly interconnected keyservers. You can also directly export -your key as a file on your computer.
-
- -
-
-
- - -
-
- -

GnuPG, OpenPGP, what?

- -

In general, the terms GnuPG, GPG, GNU Privacy Guard, OpenPGP and PGP -are used interchangeably. Technically, OpenPGP (Pretty Good Privacy) is the -encryption standard, and GNU Privacy Guard (often shortened to GPG or GnuPG) -is the program that implements the standard. Enigmail is a plug-in program -for your email program that provides an interface for GnuPG.

- -
-
-
- - -
- - -
- -

#3 Try it out!

- -

Now you'll try a test correspondence with a computer program named Edward, -who knows how to use encryption. Except where noted, these are the same -steps you'd follow when corresponding with a real, live person.

- - -
- - -
- -
- -

Step 3.a Send Edward your public key

- -

This is a special step that you won't have to do when corresponding -with real people. In your email program's menu, go to Enigmail → Key -Management. You should see your key in the list that pops up. Right click -on your key and select Send Public Keys by Email. This will create a new -draft message, as if you had just hit the Write button.

- -

Address the message to edward-en@fsf.org. Put at least one word -(whatever you want) in the subject and body of the email. Don't send yet.

- -

The lock icon in the top left should be yellow, meaning encryption is -turned on. We want this first special message to be unencrypted, so -click the icon once to turn it off. The lock should become grey, with a -blue dot on it (to alert you that the setting has been changed from the -default). Once encryption is off, hit Send.

- -

It may take two or three minutes for Edward to -respond. In the meantime, you might want to skip ahead and check out the Use it Well section of this guide. Once he's responded, -head to the next step. From here on, you'll be doing just the same thing as -when corresponding with a real person.

- -

When you open Edward's reply, GnuPG may prompt you for your password -before using your private key to decrypt it.

- -
-
- - -
-
- -

Step 3.b Send a test encrypted email

- -

Write a new email in your email program, addressed to edward-en@fsf.org. Make the subject -"Encryption test" or something similar and write something in the body.

- -

The lock icon in the top left of the window should be yellow, meaning -encryption is on. This will be your default from now on.

- -

Next to the lock, you'll notice an icon of a pencil. We'll -get to this in a moment.

- -

Click Send. Enigmail will pop up a window that says "Recipients not valid, -not trusted or not found."

- -

To encrypt an email to Edward, you need his public key, so now you'll have -Enigmail download it from a keyserver. Click Download Missing Keys and use -the default in the pop-up that asks you to choose a keyserver. Once it finds -keys, check the first one (Key ID starting with C), then select ok. Select -ok in the next pop-up.

- -

Now you are back at the "Recipients not valid, not trusted or not found" -screen. Check the box in front of Edward's key and click Send.

- -

Since you encrypted this email with Edward's public key, -Edward's private key is required to decrypt it. Edward is the only one with -his private key, so no one except him can decrypt it.

- - -
- -

Troubleshooting

- -
-
Enigmail can't find Edward's key
-
Close the pop-ups that have appeared since you clicked Send. Make sure -you are connected to the Internet and try again. If that doesn't work, repeat -the process, choosing a different keyserver when it asks you to pick one.
- -
Unscrambled messages in the Sent folder
-
Even though you can't decrypt messages encrypted to someone else's key, -your email program will automatically save a copy encrypted to your public key, -which you'll be able to view from the Sent folder like a normal email. This -is normal, and it doesn't mean that your email was not sent encrypted.
- -
More resources
-
If you're still having trouble with our -instructions or just want to learn more, check out -Enigmail's wiki.
- - - -
- -
- - -
- -

Advanced

- -
-
Encrypt messages from the command line
-
You can also encrypt and decrypt messages and files from the command line, -if that's your preference. The option --armor makes the encrypted output -appear in the regular character set.
-
- -
-
-
- - -
-
- -

Important: Security tips

- -

Even if you encrypt your email, the subject line is not encrypted, so -don't put private information there. The sending and receiving addresses -aren't encrypted either, so a surveillance system can still figure out who -you're communicating with. Also, surveillance agents will know that you're -using GnuPG, even if they can't figure out what you're saying. When you -send attachments, Enigmail will give you the choice to encrypt them or not, -independent of the actual email.

- -

For greater security against potential attacks, you can turn off -HTML. Instead, you can render the message body as plain text.

- -
-
- - -
-
- -

Step 3.c Receive a response

- -

When Edward receives your email, he will use his private key to decrypt -it, then reply to you.

- -

It may take two or three minutes for Edward to -respond. In the meantime, you might want to skip ahead and check out the Use it Well section of this guide.

- -
-
- - -
-
- -

Step 3.d Send a test signed email

- -

GnuPG includes a way for you to sign messages and files, verifying that -they came from you and that they weren't tampered with along the way. These -signatures are stronger than their pen-and-paper cousins -- they're impossible -to forge, because they're impossible to create without your private key -(another reason to keep your private key safe).

- -

You can sign messages to anyone, so it's a great way to make people -aware that you use GnuPG and that they can communicate with you securely. If -they don't have GnuPG, they will be able to read your message and see your -signature. If they do have GnuPG, they'll also be able to verify that your -signature is authentic.

- -

To sign an email to Edward, compose any message to him and click the -pencil icon next to the lock icon so that it turns gold. If you sign a -message, GnuPG may ask you for your password before it sends the message, -because it needs to unlock your private key for signing.

- -

With the lock and pencil icons, you can choose whether each message will -be encrypted, signed, both, or neither.

- -
-
- - -
-
- -

Step 3.e Receive a response

- -

When Edward receives your email, he will use your public key (which -you sent him in Step 3.A) to verify the message -you sent has not been tampered with and to encrypt his reply to you.

- -

It may take two or three minutes for Edward to -respond. In the meantime, you might want to skip ahead and check out the Use it Well section of this guide.

- -

Edward's reply will arrive encrypted, because he prefers to use encryption -whenever possible. If everything goes according to plan, it should say -"Your signature was verified." If your test signed email was also encrypted, -he will mention that first.

- -

When you receive Edward's email and open it, Enigmail will -automatically detect that it is encrypted with your public key, and -then it will use your private key to decrypt it.

- -

Notice the bar that Enigmail shows you above the message, with -information about the status of Edward's key.

- -
-
-
- - -
- - -
- -

#4 Learn the Web of Trust

- -

Email encryption is a powerful technology, but it has a weakness; -it requires a way to verify that a person's public key is actually -theirs. Otherwise, there would be no way to stop an attacker from making -an email address with your friend's name, creating keys to go with it and -impersonating your friend. That's why the free software programmers that -developed email encryption created keysigning and the Web of Trust.

- -

When you sign someone's key, you are publicly saying that you've verified -that it belongs to them and not someone else.

- -

Signing keys and signing messages use the same type of mathematical -operation, but they carry very different implications. It's a good practice -to generally sign your email, but if you casually sign people's keys, you -may accidently end up vouching for the identity of an imposter.

- -

People who use your public key can see who has signed it. Once you've -used GnuPG for a long time, your key may have hundreds of signatures. You -can consider a key to be more trustworthy if it has many signatures from -people that you trust. The Web of Trust is a constellation of GnuPG users, -connected to each other by chains of trust expressed through signatures.

- -
- - -
- -
- -

Step 4.a Sign a key

- -

In your email program's menu, go to Enigmail → Key Management.

- -

Right click on Edward's public key and select Sign Key from the context -menu.

- -

In the window that pops up, select "I will not answer" and click ok.

- -

Now you should be back at the Key Management menu. Select Keyserver → -Upload Public Keys and hit ok.

- -

You've just effectively said "I trust that Edward's public -key actually belongs to Edward." This doesn't mean much because Edward isn't -a real person, but it's good practice.

- - -
-
- - -
-
- -

Identifying keys: Fingerprints and IDs

- -

People's public keys are usually identified by their key fingerprint, -which is a string of digits like F357AA1A5B1FA42CFD9FE52A9FF2194CC09A61E8 -(for Edward's key). You can see the fingerprint for your public key, and -other public keys saved on your computer, by going to Enigmail → Key -Management in your email program's menu, then right clicking on the key -and choosing Key Properties. It's good practice to share your fingerprint -wherever you share your email address, so that people can double-check that -they have the correct public key when they download yours from a keyserver.

- -

You may also see public keys referred to by a shorter -key ID. This key ID is visible directly from the Key Management -window. These eight character key IDs were previously used for -identification, which used to be safe, but is no longer reliable. You -need to check the full fingerprint as part of verifying you have the -correct key for the person you are trying to contact. Spoofing, in -which someone intentionally generates a key with a fingerprint whose -final eight characters are the same as another, is unfortunately -common.

- -
-
- - -
-
- -

Important: What to consider when signing keys

- -

Before signing a person's key, you need to be confident that it actually -belongs to them, and that they are who they say they are. Ideally, this -confidence comes from having interactions and conversations with them over -time, and witnessing interactions between them and others. Whenever signing -a key, ask to see the full public key fingerprint, and not just the shorter -key ID. If you feel it's important to sign the key of someone you've just -met, also ask them to show you their government identification, and make -sure the name on the ID matches the name on the public key. In Enigmail, -answer honestly in the window that pops up and asks "How carefully have you -verified that the key you are about to sign actually belongs to the person(s) -named above?"

- - -
- -

Advanced

- -
-
Master the Web of Trust
-
Unfortunately, trust does not spread between users the way many people -think. One of best ways to strengthen the GnuPG community is to deeply understand the Web of -Trust and to carefully sign as many people's keys as circumstances permit.
- -
Set ownertrust
-
If you trust someone enough to validate other people's keys, you can assign -them an ownertrust level through Enigmails's key management window. Right -click on the other person's key, go to the "Select Owner Trust" menu option, -select the trustlevel and click OK. Only do this once you feel you have a -deep understanding of the Web of Trust.
-
- -
-
-
-
- - -
- - -
- -

#5 Use it well

- -

Everyone uses GnuPG a little differently, but it's important to follow -some basic practices to keep your email secure. Not following them, you -risk the privacy of the people you communicate with, as well as your own, -and damage the Web of Trust.

- -
- - -
- -
- -

When should I encrypt? When should I sign?

- -

The more you can encrypt your messages, the better. If you only encrypt -emails occasionally, each encrypted message could raise a red flag for -surveillance systems. If all or most of your email is encrypted, people -doing surveillance won't know where to start. That's not to say that only -encrypting some of your email isn't helpful -- it's a great start and it -makes bulk surveillance more difficult.

- -

Unless you don't want to reveal your own identity (which requires other -protective measures), there's no reason not to sign every message, whether or -not you are encrypting. In addition to allowing those with GnuPG to verify -that the message came from you, signing is a non-intrusive way to remind -everyone that you use GnuPG and show support for secure communication. If you -often send signed messages to people that aren't familiar with GnuPG, it's -nice to also include a link to this guide in your standard email signature -(the text kind, not the cryptographic kind).

- -
-
- - -
- -
- -

Be wary of invalid keys

- -

GnuPG makes email safer, but it's still important to watch out for invalid -keys, which might have fallen into the wrong hands. Email encrypted with -invalid keys might be readable by surveillance programs.

- -

In your email program, go back to the first encrypted email that Edward -sent you. Because Edward encrypted it with your public key, it will have a -message from Enigmail at the top, which most likely says "Enigmail: Part of -this message encrypted."

- -

When using GnuPG, make a habit of glancing at that bar. The program -will warn you there if you get an email signed with a key that can't -be trusted.

- -
-
- - -
-
- -

Copy your revocation certificate to somewhere safe

- -

Remember when you created your keys and saved the revocation certificate -that GnuPG made? It's time to copy that certificate onto the safest digital -storage that you have -- the ideal thing is a flash drive, disk, or hard -drive stored in a safe place in your home, not on a device you carry with -you regularly.

- -

If your private key ever gets lost or stolen, you'll need this certificate -file to let people know that you are no longer using that keypair.

- -
-
- - -
-
- -

Important: act swiftly if someone gets your private key

- -

If you lose your private key or someone else gets ahold -of it (say, by stealing or cracking your computer), it's -important to revoke it immediately before someone else uses -it to read your encrypted email or forge your signature. This -guide doesn't cover how to revoke a key, but you can follow these instructions. -After you're done revoking, make a new key and send an email to everyone -with whom you usually use your key to make sure they know, including a copy -of your new key.

- -
-
- - - - - -
-
- -

Webmail and GnuPG

- -

When you use a web browser to access your email, you're using webmail, -an email program stored on a distant website. Unlike webmail, your desktop -email program runs on your own computer. Although webmail can't decrypt -encrypted email, it will still display it in its encrypted form. If you -primarily use webmail, you'll know to open your email client when you receive -a scrambled email.

- -
-
- - -
- - -
- -
- - - - - - - - - - - - - - - - - - diff --git a/en/windows.html b/en/windows.html deleted file mode 100644 index dcd6810..0000000 --- a/en/windows.html +++ /dev/null @@ -1,1166 +0,0 @@ - - - - -Email Self-Defense - a guide to fighting surveillance with GnuPG -encryption - - - - - - - -

Due to Enigmail's PGP functionality being migrated into Icedove and Thunderbird, steps 2 and 3 of the guide are currently out of date.

Thank you for your patience while we're working on a new round of updates.

- - - - - -
- - -
- -

#1 Get the pieces

- -

This guide relies on software which is freely licensed; it's -completely transparent and anyone can copy it or make their own version. This -makes it safer from surveillance than proprietary software (like Windows or Mac -OS). To defend your freedom as well as protect yourself from surveillance, we -recommend you switch to a free software operating system like GNU/Linux. Learn -more about free software at fsf.org.

- -

To get started, you'll need the IceDove desktop email program installed -on your computer. For your system, IceDove may be known by the alternate name -"Thunderbird." Email programs are another way to access the same email accounts -you can access in a browser (like Gmail), but provide extra features.

- -

If you already have an email program, you can skip to Step 1.b.

- -
- - -
- -
- -

Step 1.a Set up your email program with your email account

- -

Open your email program and follow the wizard (step-by-step walkthrough) -that sets it up with your email account.

- -

Look for the letters SSL, TLS, or STARTTLS to the right of the servers -when you're setting up your account. If you don't see them, you will still -be able to use encryption, but this means that the people running your email -system are running behind the industry standard in protecting your security -and privacy. We recommend that you send them a friendly email asking them -to enable SSL, TLS, or STARTTLS for your email server. They will know what -you're talking about, so it's worth making the request even if you aren't -an expert on these security systems.

- - -
- -

Troubleshooting

- -
-
The wizard doesn't launch
-
You can launch the wizard yourself, but the menu option for doing so is -named differently in each email program. The button to launch it will be in -the program's main menu, under "New" or something similar, titled something -like "Add account" or "New/Existing email account."
- -
The wizard can't find my account or isn't downloading my mail
-
Before searching the Web, we recommend you start by asking other people -who use your email system, to figure out the correct settings.
- - - -
- -
-
-
- - -
-
- -

Step 1.b Get GnuPG by downloading GPG4Win

- -

GPG4Win is a software package that includes GnuPG. Download and install it, choosing default -options whenever asked. After it's installed, you can close any windows that -it creates.

- -

There are major security flaws in versions of GnuPG provided by GPG4Win -prior to 3.1.2. Make sure you have GPG4Win 3.1.2 or later.

- -
-
- - -
- -
- -

Step 1.c Install the Enigmail plugin for your email program

- -

In your email program's menu, select Add-ons (it may be in the Tools -section). Make sure Extensions is selected on the left. Do you see Enigmail? -Make sure it's the latest version. If so, skip this step.

- -

If not, search "Enigmail" with the search bar in the upper right. You -can take it from here. Restart your email program when you're done.

- -

There are major security flaws in Enigmail prior to version 2.0.7. Make -sure you have Enigmail 2.0.7 or later.

- - -
- -

Troubleshooting

- -
-
I can't find the menu.
-
In many new email programs, the main menu is represented by an image of -three stacked horizontal bars.
- -
My email looks weird
-
Enigmail doesn't tend to play nice with HTML, which is used to format -emails, so it may disable your HTML formatting automatically. To send an -HTML-formatted email without encryption or a signature, hold down the Shift -key when you select compose. You can then write an email as if Enigmail -wasn't there.
- - - -
- -
-
-
-
- - -
- - -
- -

#2 Make your keys

- -

To use the GnuPG system, you'll need a public key and a private key (known -together as a keypair). Each is a long string of randomly generated numbers -and letters that are unique to you. Your public and private keys are linked -together by a special mathematical function.

- -

Your public key isn't like a physical key, because it's stored in the open -in an online directory called a keyserver. People download it and use it, -along with GnuPG, to encrypt emails they send to you. You can think of the -keyserver as a phonebook; people who want to send you encrypted email can -look up your public key.

- -

Your private key is more like a physical key, because you keep it to -yourself (on your computer). You use GnuPG and your private key together to -descramble encrypted emails other people send to you. You should never share your private key with anyone, under any -circumstances.

- -

In addition to encryption and decryption, you can also use these keys to -sign messages and check the authenticity of other people's signatures. We'll -discuss this more in the next section.

- -
- - -
- -
- -

Step 2.a Make a keypair

- -

The Enigmail Setup wizard may start automatically. If it doesn't, select -Enigmail → Setup Wizard from your email program's menu. You don't need -to read the text in the window that pops up unless you'd like to, but it's -good to read the text on the later screens of the wizard. Click Next with -the default options selected, except in these instances, which are listed -in the order they appear:

- -
    -
  • On the screen titled "Encryption," select "Encrypt all of my messages -by default, because privacy is critical to me."
  • - -
  • On the screen titled "Signing," select "Don't sign my messages by -default."
  • - -
  • On the screen titled "Key Selection," select "I want to create a new -key pair for signing and encrypting my email."
  • - -
  • On the screen titled "Create Key," pick a strong password! You can -do it manually, or you can use the Diceware method. Doing it manually -is faster but not as secure. Using Diceware takes longer and requires -dice, but creates a password that is much harder for attackers to figure -out. To use it, read the section "Make a secure passphrase with Diceware" in -this article by Micah Lee.
  • -
- -

If you'd like to pick a password manually, come up with something -you can remember which is at least twelve characters long, and includes -at least one lower case and upper case letter and at least one number or -punctuation symbol. Never pick a password you've used elsewhere. Don't use -any recognizable patterns, such as birthdays, telephone numbers, pets' names, -song lyrics, quotes from books, and so on.

- -

The program will take a little while to finish the next -step, the "Key Creation" screen. While you wait, do something else with your -computer, like watching a movie or browsing the Web. The more you use the -computer at this point, the faster the key creation will go.

- -

When the "Key Generation Completed" screen -pops up, select Generate Certificate and choose to save it in a safe place on -your computer (we recommend making a folder called "Revocation Certificate" -in your home folder and keeping it there). This step is essential for your -email self-defense, as you'll learn more about in Section -5.

- - -
- -

Troubleshooting

- -
-
I can't find the Enigmail menu.
-
In many new email programs, the main menu is represented by an image -of three stacked horizontal bars. Enigmail may be inside a section called -Tools.
- -
More resources
-
If you're having trouble with our -instructions or just want to learn more, check out -Enigmail's wiki instructions for key generation.
- - - -
- -
- - -
- -

Advanced

- -
-
Command line key generation
-
If you prefer using the command line for a higher -degree of control, you can follow the documentation from The GNU Privacy -Handbook. Make sure you stick with "RSA and RSA" (the default), -because it's newer and more secure than the algorithms the documentation -recommends. Also make sure your key is at least 2048 bits, or 4096 if you -want to be extra secure.
- -
Advanced key pairs
-
When GnuPG creates a new keypair, it compartmentalizes -the encryption function from the signing function through subkeys. If you use -subkeys carefully, you can keep your GnuPG identity much more -secure and recover from a compromised key much more quickly. Alex Cabal -and the Debian wiki -provide good guides for setting up a secure subkey configuration.
-
- -
-
-
- - -
-
- -

Step 2.b Upload your public key to a keyserver

- -

In your email program's menu, select Enigmail → Key Management.

- -

Right click on your key and select Upload Public Keys to Keyserver. You -don't have to use the default keyserver. If, after research, you would like -to change to a different default keyserver, you can change that setting -manually in the Enigmail preferences.

- -

Now someone who wants to send you an encrypted message can -download your public key from the Internet. There are multiple keyservers -that you can select from the menu when you upload, but they are all copies -of each other, so it doesn't matter which one you use. However, it sometimes -takes a few hours for them to match each other when a new key is uploaded.

- - -
- -

Troubleshooting

- -
-
The progress bar never finishes
-
Close the upload popup, make sure you are connected to the Internet, -and try again. If that doesn't work, try again, selecting a different -keyserver.
- -
My key doesn't appear in the list
-
Try checking "Display All Keys by Default."
- -
More documentation
-
If you're having trouble with our -instructions or just want to learn more, check out -Enigmail's documentation.
- - - -
- -
- - -
- -

Advanced

- -
-
Uploading a key from the command line
-
You can also upload your keys to a keyserver through the command line. The sks Web site -maintains a list of highly interconnected keyservers. You can also directly export -your key as a file on your computer.
-
- -
-
-
- - -
-
- -

GnuPG, OpenPGP, what?

- -

In general, the terms GnuPG, GPG, GNU Privacy Guard, OpenPGP and PGP -are used interchangeably. Technically, OpenPGP (Pretty Good Privacy) is the -encryption standard, and GNU Privacy Guard (often shortened to GPG or GnuPG) -is the program that implements the standard. Enigmail is a plug-in program -for your email program that provides an interface for GnuPG.

- -
-
-
- - -
- - -
- -

#3 Try it out!

- -

Now you'll try a test correspondence with a computer program named Edward, -who knows how to use encryption. Except where noted, these are the same -steps you'd follow when corresponding with a real, live person.

- - -
- - -
- -
- -

Step 3.a Send Edward your public key

- -

This is a special step that you won't have to do when corresponding -with real people. In your email program's menu, go to Enigmail → Key -Management. You should see your key in the list that pops up. Right click -on your key and select Send Public Keys by Email. This will create a new -draft message, as if you had just hit the Write button.

- -

Address the message to edward-en@fsf.org. Put at least one word -(whatever you want) in the subject and body of the email. Don't send yet.

- -

The lock icon in the top left should be yellow, meaning encryption is -turned on. We want this first special message to be unencrypted, so -click the icon once to turn it off. The lock should become grey, with a -blue dot on it (to alert you that the setting has been changed from the -default). Once encryption is off, hit Send.

- -

It may take two or three minutes for Edward to -respond. In the meantime, you might want to skip ahead and check out the Use it Well section of this guide. Once he's responded, -head to the next step. From here on, you'll be doing just the same thing as -when corresponding with a real person.

- -

When you open Edward's reply, GnuPG may prompt you for your password -before using your private key to decrypt it.

- -
-
- - -
-
- -

Step 3.b Send a test encrypted email

- -

Write a new email in your email program, addressed to edward-en@fsf.org. Make the subject -"Encryption test" or something similar and write something in the body.

- -

The lock icon in the top left of the window should be yellow, meaning -encryption is on. This will be your default from now on.

- -

Next to the lock, you'll notice an icon of a pencil. We'll -get to this in a moment.

- -

Click Send. Enigmail will pop up a window that says "Recipients not valid, -not trusted or not found."

- -

To encrypt an email to Edward, you need his public key, so now you'll have -Enigmail download it from a keyserver. Click Download Missing Keys and use -the default in the pop-up that asks you to choose a keyserver. Once it finds -keys, check the first one (Key ID starting with C), then select ok. Select -ok in the next pop-up.

- -

Now you are back at the "Recipients not valid, not trusted or not found" -screen. Check the box in front of Edward's key and click Send.

- -

Since you encrypted this email with Edward's public key, -Edward's private key is required to decrypt it. Edward is the only one with -his private key, so no one except him can decrypt it.

- - -
- -

Troubleshooting

- -
-
Enigmail can't find Edward's key
-
Close the pop-ups that have appeared since you clicked Send. Make sure -you are connected to the Internet and try again. If that doesn't work, repeat -the process, choosing a different keyserver when it asks you to pick one.
- -
Unscrambled messages in the Sent folder
-
Even though you can't decrypt messages encrypted to someone else's key, -your email program will automatically save a copy encrypted to your public key, -which you'll be able to view from the Sent folder like a normal email. This -is normal, and it doesn't mean that your email was not sent encrypted.
- -
More resources
-
If you're still having trouble with our -instructions or just want to learn more, check out -Enigmail's wiki.
- - - -
- -
- - -
- -

Advanced

- -
-
Encrypt messages from the command line
-
You can also encrypt and decrypt messages and files from the command line, -if that's your preference. The option --armor makes the encrypted output -appear in the regular character set.
-
- -
-
-
- - -
-
- -

Important: Security tips

- -

Even if you encrypt your email, the subject line is not encrypted, so -don't put private information there. The sending and receiving addresses -aren't encrypted either, so a surveillance system can still figure out who -you're communicating with. Also, surveillance agents will know that you're -using GnuPG, even if they can't figure out what you're saying. When you -send attachments, Enigmail will give you the choice to encrypt them or not, -independent of the actual email.

- -

For greater security against potential attacks, you can turn off -HTML. Instead, you can render the message body as plain text.

- -
-
- - -
-
- -

Step 3.c Receive a response

- -

When Edward receives your email, he will use his private key to decrypt -it, then reply to you.

- -

It may take two or three minutes for Edward to -respond. In the meantime, you might want to skip ahead and check out the Use it Well section of this guide.

- -
-
- - -
-
- -

Step 3.d Send a test signed email

- -

GnuPG includes a way for you to sign messages and files, verifying that -they came from you and that they weren't tampered with along the way. These -signatures are stronger than their pen-and-paper cousins -- they're impossible -to forge, because they're impossible to create without your private key -(another reason to keep your private key safe).

- -

You can sign messages to anyone, so it's a great way to make people -aware that you use GnuPG and that they can communicate with you securely. If -they don't have GnuPG, they will be able to read your message and see your -signature. If they do have GnuPG, they'll also be able to verify that your -signature is authentic.

- -

To sign an email to Edward, compose any message to him and click the -pencil icon next to the lock icon so that it turns gold. If you sign a -message, GnuPG may ask you for your password before it sends the message, -because it needs to unlock your private key for signing.

- -

With the lock and pencil icons, you can choose whether each message will -be encrypted, signed, both, or neither.

- -
-
- - -
-
- -

Step 3.e Receive a response

- -

When Edward receives your email, he will use your public key (which -you sent him in Step 3.A) to verify the message -you sent has not been tampered with and to encrypt his reply to you.

- -

It may take two or three minutes for Edward to -respond. In the meantime, you might want to skip ahead and check out the Use it Well section of this guide.

- -

Edward's reply will arrive encrypted, because he prefers to use encryption -whenever possible. If everything goes according to plan, it should say -"Your signature was verified." If your test signed email was also encrypted, -he will mention that first.

- -

When you receive Edward's email and open it, Enigmail will -automatically detect that it is encrypted with your public key, and -then it will use your private key to decrypt it.

- -

Notice the bar that Enigmail shows you above the message, with -information about the status of Edward's key.

- -
-
-
- - -
- - -
- -

#4 Learn the Web of Trust

- -

Email encryption is a powerful technology, but it has a weakness; -it requires a way to verify that a person's public key is actually -theirs. Otherwise, there would be no way to stop an attacker from making -an email address with your friend's name, creating keys to go with it and -impersonating your friend. That's why the free software programmers that -developed email encryption created keysigning and the Web of Trust.

- -

When you sign someone's key, you are publicly saying that you've verified -that it belongs to them and not someone else.

- -

Signing keys and signing messages use the same type of mathematical -operation, but they carry very different implications. It's a good practice -to generally sign your email, but if you casually sign people's keys, you -may accidently end up vouching for the identity of an imposter.

- -

People who use your public key can see who has signed it. Once you've -used GnuPG for a long time, your key may have hundreds of signatures. You -can consider a key to be more trustworthy if it has many signatures from -people that you trust. The Web of Trust is a constellation of GnuPG users, -connected to each other by chains of trust expressed through signatures.

- -
- - -
- -
- -

Step 4.a Sign a key

- -

In your email program's menu, go to Enigmail → Key Management.

- -

Right click on Edward's public key and select Sign Key from the context -menu.

- -

In the window that pops up, select "I will not answer" and click ok.

- -

Now you should be back at the Key Management menu. Select Keyserver → -Upload Public Keys and hit ok.

- -

You've just effectively said "I trust that Edward's public -key actually belongs to Edward." This doesn't mean much because Edward isn't -a real person, but it's good practice.

- - -
-
- - -
-
- -

Identifying keys: Fingerprints and IDs

- -

People's public keys are usually identified by their key fingerprint, -which is a string of digits like F357AA1A5B1FA42CFD9FE52A9FF2194CC09A61E8 -(for Edward's key). You can see the fingerprint for your public key, and -other public keys saved on your computer, by going to Enigmail → Key -Management in your email program's menu, then right clicking on the key -and choosing Key Properties. It's good practice to share your fingerprint -wherever you share your email address, so that people can double-check that -they have the correct public key when they download yours from a keyserver.

- -

You may also see public keys referred to by a shorter -key ID. This key ID is visible directly from the Key Management -window. These eight character key IDs were previously used for -identification, which used to be safe, but is no longer reliable. You -need to check the full fingerprint as part of verifying you have the -correct key for the person you are trying to contact. Spoofing, in -which someone intentionally generates a key with a fingerprint whose -final eight characters are the same as another, is unfortunately -common.

- -
-
- - -
-
- -

Important: What to consider when signing keys

- -

Before signing a person's key, you need to be confident that it actually -belongs to them, and that they are who they say they are. Ideally, this -confidence comes from having interactions and conversations with them over -time, and witnessing interactions between them and others. Whenever signing -a key, ask to see the full public key fingerprint, and not just the shorter -key ID. If you feel it's important to sign the key of someone you've just -met, also ask them to show you their government identification, and make -sure the name on the ID matches the name on the public key. In Enigmail, -answer honestly in the window that pops up and asks "How carefully have you -verified that the key you are about to sign actually belongs to the person(s) -named above?"

- - -
- -

Advanced

- -
-
Master the Web of Trust
-
Unfortunately, trust does not spread between users the way many people -think. One of best ways to strengthen the GnuPG community is to deeply understand the Web of -Trust and to carefully sign as many people's keys as circumstances permit.
- -
Set ownertrust
-
If you trust someone enough to validate other people's keys, you can assign -them an ownertrust level through Enigmails's key management window. Right -click on the other person's key, go to the "Select Owner Trust" menu option, -select the trustlevel and click OK. Only do this once you feel you have a -deep understanding of the Web of Trust.
-
- -
-
-
-
- - -
- - -
- -

#5 Use it well

- -

Everyone uses GnuPG a little differently, but it's important to follow -some basic practices to keep your email secure. Not following them, you -risk the privacy of the people you communicate with, as well as your own, -and damage the Web of Trust.

- -
- - -
- -
- -

When should I encrypt? When should I sign?

- -

The more you can encrypt your messages, the better. If you only encrypt -emails occasionally, each encrypted message could raise a red flag for -surveillance systems. If all or most of your email is encrypted, people -doing surveillance won't know where to start. That's not to say that only -encrypting some of your email isn't helpful -- it's a great start and it -makes bulk surveillance more difficult.

- -

Unless you don't want to reveal your own identity (which requires other -protective measures), there's no reason not to sign every message, whether or -not you are encrypting. In addition to allowing those with GnuPG to verify -that the message came from you, signing is a non-intrusive way to remind -everyone that you use GnuPG and show support for secure communication. If you -often send signed messages to people that aren't familiar with GnuPG, it's -nice to also include a link to this guide in your standard email signature -(the text kind, not the cryptographic kind).

- -
-
- - -
- -
- -

Be wary of invalid keys

- -

GnuPG makes email safer, but it's still important to watch out for invalid -keys, which might have fallen into the wrong hands. Email encrypted with -invalid keys might be readable by surveillance programs.

- -

In your email program, go back to the first encrypted email that Edward -sent you. Because Edward encrypted it with your public key, it will have a -message from Enigmail at the top, which most likely says "Enigmail: Part of -this message encrypted."

- -

When using GnuPG, make a habit of glancing at that bar. The program -will warn you there if you get an email signed with a key that can't -be trusted.

- -
-
- - -
-
- -

Copy your revocation certificate to somewhere safe

- -

Remember when you created your keys and saved the revocation certificate -that GnuPG made? It's time to copy that certificate onto the safest digital -storage that you have -- the ideal thing is a flash drive, disk, or hard -drive stored in a safe place in your home, not on a device you carry with -you regularly.

- -

If your private key ever gets lost or stolen, you'll need this certificate -file to let people know that you are no longer using that keypair.

- -
-
- - -
-
- -

Important: act swiftly if someone gets your private key

- -

If you lose your private key or someone else gets ahold -of it (say, by stealing or cracking your computer), it's -important to revoke it immediately before someone else uses -it to read your encrypted email or forge your signature. This -guide doesn't cover how to revoke a key, but you can follow these instructions. -After you're done revoking, make a new key and send an email to everyone -with whom you usually use your key to make sure they know, including a copy -of your new key.

- -
-
- - - - - -
-
- -

Webmail and GnuPG

- -

When you use a web browser to access your email, you're using webmail, -an email program stored on a distant website. Unlike webmail, your desktop -email program runs on your own computer. Although webmail can't decrypt -encrypted email, it will still display it in its encrypted form. If you -primarily use webmail, you'll know to open your email client when you receive -a scrambled email.

- -
-
- - -
- - -
- -
- - - - - - - - - - - - - - - - - -
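Review bot: this region removes the entire Enigmail/GPG4Win walkthrough (Step 1.b through "Webmail and GnuPG") with no `+` lines visible anywhere in it, so the security guidance it carried disappears from this page unless an equivalent exists elsewhere in the commit. The removed lines that most need a home in the replacement are the version floors ("GPG4Win 3.1.2 or later", "Enigmail 2.0.7 or later"), the instruction to check the full fingerprint rather than the eight-character key ID because short-ID collisions are common, the note that the subject line and sender/recipient addresses stay unencrypted, the minimum key size ("at least 2048 bits, or 4096"), and the revocation-certificate steps (generate it at key creation, copy it to offline storage, revoke immediately on loss or theft). The removed text also hard-codes the Edward test address edward-en@fsf.org and the fingerprint F357AA1A5B1FA42CFD9FE52A9FF2194CC09A61E8; confirm the replacement references the same values or documents that they changed. Finally, the removal spans several logically separate sections (setup, key creation, test correspondence, Web of Trust, usage tips) in one unbroken run of `-` lines, which makes the change hard to review and hard to revert partially; splitting it per section, or at least describing the deletion in the commit message, would help.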