How to Share Encrypted Information

This article discusses methods for sending information securely over email using GPG/PGP as the encryption tool. PGP is a commercial product line (owned by Symantec at the time of writing); GnuPG, or GPG, is the free software implementation. Both implement the OpenPGP message format defined in RFC 4880, so a file or message produced by one can be read by the other. Because there are numerous email clients, specific GPG settings will vary. For this tutorial, we will use Gmail and Thunderbird as examples.

Typically, there are three ways to send encrypted information:

  1. Encrypt an individual file and attach it to an email.
  2. Encrypt the email message itself, using a stand-alone client such as Thunderbird, which has OpenPGP support built in.
  3. Use a browser extension that adds OpenPGP encryption to web-based email such as Gmail.

How Does GPG/PGP Encryption Work?

Using encryption is not as difficult as it seems once you understand the basic idea. With GPG, we generate a key pair (a public key and a private key), and the person we want to write to generates one too. Public keys are shared freely; private keys never leave their owner. To send a message, we encrypt it with the recipient's public key, and only the matching private key can decrypt it. When the recipient replies, they do the same with our public key. Optionally, the sender also signs the message with their own private key so the recipient can verify who sent it and that it was not altered in transit. Ensuring private communication in this way is what lets us share sensitive information across an insecure network.

Figure: How PGP Encryption Works (image credit: varonis.com)

Encrypt A File

Simple Encryption/Decryption

To begin, the simplest way to protect a single file for transfer is symmetric encryption: the file is encrypted with a passphrase known to both users. The passphrase itself must be exchanged over a different channel (in person, by phone, or through a password manager share), never in the same email as the file. To accomplish this, we use the following gpg commands on a Linux server.

root@host:~# gpg -c file.txt
┌──────────────────────────────────────────────────────┐
│ Enter passphrase                                     │
│                                                      │
│                                                      │
│ Passphrase: ____________________________             │
│                                                      │
│      <Ok>                           <Cancel>         |
│                                                      |
└──────────────────────────────────────────────────────┘
 
 gpg: directory '/root/.gnupg' created
 gpg: keybox '/root/.gnupg/pubring.kbx' created
root@host:~#

The -c flag selects symmetric encryption; gpg prompts for the passphrase twice and writes the encrypted output to file.txt.gpg, leaving the original file.txt in place (delete or shred the plaintext yourself if it should not remain on disk). The keyring messages appear because this is the first time gpg has run for this user: it creates ~/.gnupg and an empty keyring, which symmetric encryption does not actually use.

We can then send that file to someone who uses the same passphrase to decrypt it.

root@host2:~# gpg file.txt.gpg
┌──────────────────────────────────────────────────────┐
│ Enter passphrase                                     │
│                                                      │
│                                                      │
│ Passphrase: ____________________________             │
│                                                      │
│      <Ok>                           <Cancel>         |
│                                                      |
└──────────────────────────────────────────────────────┘
 
 gpg: AES256 encrypted data
 gpg: encrypted with 1 passphrase
root@host2:~# ll
-rw-r--r--  1 root root    934 Dec 11 09:55 file.txt
-rw-r--r--  1 user user    491 Dec 11 09:54 file.txt.gpg

As you can see, decryption leaves the .gpg file in place and writes the recovered plaintext to file.txt on the receiving server.

Encrypt a File Using a Public Key

In the following commands, we encrypt a file for an external user whose public key we have already imported into our keyring. The first command encrypts the file to the recipient's public key and signs it with our own private key (signing always uses the sender's key, not the recipient's, so gpg will prompt for our passphrase). The --armor flag produces ASCII-armored text output, which survives email transport better than binary, and -r names the recipient by email address, name, or key ID. gpg writes the result to mysecret.txt.asc. If the recipient's key has not been marked as trusted, gpg warns that it is not certain the key belongs to the named user and asks whether to use it anyway; verify the key's fingerprint before answering yes. We then attach the .asc file to an email and send it. The recipient downloads the file and decrypts it with their private key.

root@host:~# gpg --encrypt --sign --armor -r user@domain.com mysecret.txt

root@host2:~# gpg --decrypt mysecret.txt.asc > mysecret.txt

The second command, run by the recipient, decrypts the file and writes the plaintext to the given filename. Because the file was signed, gpg also reports whether the signature is good, which requires the sender's public key to be in the recipient's keyring. This method works on any platform where GnuPG runs.
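As an added example that is not part of the original article, the following Python script inspects an ASCII-armored OpenPGP file much as `gpg --list-packets` would, without needing gpg installed. It strips the armor, verifies the CRC24 trailer, walks the RFC 4880 packet headers, and reports who will be able to decrypt the message: for the output of `gpg -c` in the previous section that is a symmetric-key ESK packet carrying the cipher and S2K settings, and for the output of `gpg -r` above it is a public-key ESK packet naming the recipient's key ID. The sample message, the key ID DEADBEEF01234567 and the ciphertext bytes are constructed inline for the demonstration and decrypt to nothing; only the headers matter.

```python
"""Inspect an ASCII-armored OpenPGP file without running gpg.

Added example (not from the original article). Parses RFC 4880 packet
headers to answer "which key or passphrase can decrypt this file?". The
sample message is CONSTRUCTED with a fake key ID and dummy ciphertext.
"""
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
TAGS = {1: "public-key encrypted session key", 2: "signature",
        3: "symmetric-key encrypted session key", 6: "public key", 8: "compressed data",
        11: "literal data", 13: "user id", 18: "sym. encrypted integrity protected data"}
PK_ALGO = {1: "RSA", 17: "DSA", 18: "ECDH", 22: "EdDSA"}
CIPHER = {7: "AES128", 8: "AES192", 9: "AES256"}


def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes) -> str:
    """Wrap binary packets the way `gpg --armor` does (64-char lines plus CRC)."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP MESSAGE-----", "", *lines, "=" + crc,
                      "-----END PGP MESSAGE-----", ""])


def dearmor(text: str) -> bytes:
    """Strip the armor, tolerate 'Key: value' header lines, verify the CRC24 trailer."""
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----\n(?:[^\n]*: [^\n]*\n)*\n"
                  r"(.*?)\n=(\S{4})\n-----END PGP \1-----", text, re.S)
    if not m:
        raise ValueError("no armored block found")
    data = base64.b64decode(m.group(2))
    if crc24(data) != int.from_bytes(base64.b64decode(m.group(3)), "big"):
        raise ValueError("armor CRC mismatch: file corrupted or tampered")
    return data


def packets(data: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if ctb & 0x40:                      # new format (section 4.2.2)
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old format (section 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length


def describe(data: bytes) -> list:
    """Summarise each packet; the ESK packets tell us who can decrypt the message."""
    out = []
    for tag, body in packets(data):
        info = {"tag": tag, "name": TAGS.get(tag, f"tag {tag}"), "size": len(body)}
        if tag == 1:    # PKESK: version, 8-byte key ID, public-key algorithm, MPIs
            info.update(keyid=body[1:9].hex().upper(), algo=PK_ALGO.get(body[9], str(body[9])))
        elif tag == 3:  # SKESK v4: version, cipher, S2K specifier (type, hash, salt, count)
            info.update(cipher=CIPHER.get(body[1], str(body[1])), s2k_type=body[2])
        out.append(info)
    return out


def new_packet(tag: int, body: bytes) -> bytes:
    """New-format header with a one-octet length (enough for the constructed sample)."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body


def build_sample() -> str:
    """CONSTRUCTED message: encrypted to fake RSA key DEADBEEF01234567 and to a
    passphrase (AES256, iterated+salted S2K), as `gpg -r user -c file` would do."""
    pkesk = b"\x03" + bytes.fromhex("DEADBEEF01234567") + b"\x01" \
        + (16).to_bytes(2, "big") + b"\xAB\xCD"           # version, key ID, RSA, one MPI
    skesk = b"\x04\x09\x03\x08" + b"\x00" * 8 + b"\x60"   # v4, AES256, S2K type 3, SHA256
    seipd = b"\x01" + b"\x00" * 20                       # v1 SEIPD with dummy ciphertext
    return armor(new_packet(1, pkesk) + new_packet(3, skesk) + new_packet(18, seipd))
```

Pointing dearmor() and describe() at a real mysecret.txt.asc works the same way. A message encrypted to several recipients shows one public-key ESK packet per key, and a key ID of all zeros means the sender used gpg's --hidden-recipient option. The CRC check matters in practice: a .asc file mangled by a mail gateway fails here with a clear error instead of a confusing decryption failure.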

Encrypt Email in Thunderbird

This method uses the OpenPGP support built into Thunderbird itself (integrated in version 78, which replaced the separate Enigmail add-on). In the image below, you can see that we have downloaded and installed the latest Thunderbird release at the time of writing, 78.5.1.

encryptemail1

Setup Account and Add External Keys

Step 1. Create an Email Account. 

In the first step, we create an email address. Click on the Email button to start the process.

encryptemail2

This opens the Thunderbird account setup window. 

Step 2. Add Info

Now, we add our name, email address, and password. Next, click on the Configure manually button to enter the mail server connection details. If your mailbox is hosted on cPanel, you can find these under Email Accounts > List Email Accounts > Connect Devices.

encryptemail3

Then click on the Re-test button to verify the connection settings. If successful, you will see a green check, followed by “The following settings were found by probing the given server.” This message indicates the connection was successful. Click on the Done button to complete the setup. 

Thunderbird then verifies the credentials, showing "Checking password..." while it does so.

encryptemail4

If successful, we are returned to the main window. The new account should now appear in the folder pane on the left, above Local Folders.

encryptemail5

Step 3. Check Encryption

Next, we will go into the Account settings > End-to-end encryption tab to set up our personal key. 

encryptemail6

Step 4. Add PGP Key

As you can see, there is no personal key set up for this email address yet. Let's do that now. Click on the "Add key" button. A new window will pop up, asking whether we would like to create a new key or import an existing one. Here we will create a new key. Select the "Create a new OpenPGP key" option and click Continue.

encryptemail7

This opens a new window that lets us choose the identity we want to use and how long the key stays valid. The expiry defaults to three years but can be any timeframe you choose; a shorter expiry limits the damage if the private key is ever lost or compromised. Next, we select the RSA key type.

encryptemail8

We now click on the Generate key button. This opens a new window with info on key generation. Click on the confirm button, and the key generation process will continue. 

This process will take several minutes to complete! 

encryptemail9

Once the process completes, the updated settings window will be shown, letting us know our key has been created successfully.

encryptemail10

From this point, we scroll down and select the "Require encryption by default" checkbox so that new messages are encrypted whenever we have a recipient's key; Thunderbird will then refuse to send in the clear to anyone whose public key we lack rather than silently falling back.

encryptemail11

We can now close the setting tab and proceed to our next step. 

Step 5. Add Public Keys

To send an encrypted message to a recipient, we need to import their public key. This allows us to encrypt the message to that key. Once encrypted, the message cannot be read without the private key that corresponds to the public key we used. To obtain someone's public key, we can get it from them in person, receive it as an email attachment, or look up their email address on a public keyserver (Thunderbird's key manager can search keys.openpgp.org for you).

Once we have imported their key, we set its acceptance level. Before marking the key as verified, compare its full fingerprint with one obtained from the owner over an independent channel (in person, on a business card, or in a phone call). A name or email address on the key proves nothing by itself, since anyone can create a key carrying that user ID.

Now, we can send our encrypted message to them. Click on the Write button to create a new email to our recipient. 

encryptemail12

Once the editing window opens, we can click the top menu dropdown to verify our settings. Once everything looks correct, and our message is completed, we click send to deliver the message.

When the message is received, the recipient's email client decrypts it automatically, provided the matching private key is in their keyring.

encryptemail14

On the receiving end, the message looks similar to any other email, except that if you look at the full email you will see the sender's public key attached after the message body. Thunderbird attaches your public key to signed and encrypted mail by default so that the recipient can reply encrypted without a separate key exchange.

encryptemail13

Note: It is imperative to back up your OpenPGP key (the secret key, exported with a strong passphrase) and store it in a secure location apart from your local computer; if it is lost, mail encrypted to you can never be recovered. Once you have a personal key configured, you can control the use of encryption or digital signing in each individual message you send.

Requirements to Send an Encrypted Message

  • Your personal key must be set up and selected.
  • You must have the public key for each recipient of an encrypted message. Public keys can arrive as an attachment to a correspondent's email or be found on one of the public keyservers online.
  • You must verify that the public keys of your recipients belong to them, by checking the fingerprint over a separate channel. If you accept someone's public key without verifying it, you expose yourself to a man-in-the-middle (MITM) attack: an attacker who substitutes their own key reads everything you send and can re-encrypt it to the real recipient unnoticed.
  • If you do not have a public key for each recipient, the message will be blocked, and Thunderbird alerts us. At this point, we can choose between not sending the message at all or disabling encryption and sending the message without protection.
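As an added example, not part of the original article, here is the check behind the "verify the key belongs to them" requirement, in Python. The fingerprint that Thunderbird and gpg display is the SHA-1 hash of the public-key packet (RFC 4880 section 12.2), the 16-hex-digit key ID is simply its last 8 bytes, and verification means comparing the full fingerprint against one the key's owner gave you over a separate channel. The key packet below is constructed with a placeholder modulus rather than a real key, it assumes the public-key packet body has already been extracted from the key file, and the function names are the example's own.

```python
"""Check an OpenPGP key's fingerprint before trusting it.

Added example (not from the article). Computes the RFC 4880 v4 fingerprint
and key ID from a public-key packet body and compares the fingerprint with one
obtained out of band. The key body is CONSTRUCTED with a placeholder modulus.
"""
import hashlib
import hmac


def mpi(value: int) -> bytes:
    """Multi-precision integer: 2-byte bit length followed by big-endian bytes."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")


def build_sample_key_body() -> bytes:
    """v4 public-key packet body: version 4, creation time, algorithm 1 (RSA),
    MPI n, MPI e. The modulus is a placeholder, NOT a usable RSA key."""
    n = (1 << 2047) | 0x10001
    return b"\x04" + (1607680800).to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(65537)


def fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length, and the body."""
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def key_id(body: bytes) -> str:
    """The 64-bit key ID shown by gpg is just the low 8 bytes of the fingerprint."""
    return fingerprint(body)[-16:]


def normalize(fp: str) -> str:
    """Accept the spaced, lower-case form people read out over the phone."""
    return "".join(fp.split()).upper()


def verify_fingerprint(body: bytes, expected: str) -> bool:
    """True only if the full 160-bit fingerprint matches. A key ID alone is short
    enough that colliding keys can be generated, so refuse anything shorter."""
    expected = normalize(expected)
    if len(expected) != 40:
        raise ValueError("expected a full 40-hex-digit fingerprint, not a key ID")
    return hmac.compare_digest(fingerprint(body), expected)
```

The same comparison applies whether you are accepting a key in Thunderbird's key manager or answering gpg's "Use this key anyway?" prompt: read the full fingerprint, not just the key ID or the user ID shown next to it.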

Web-Based Clients

The second method is to use a web-based email client such as Gmail. Both Firefox and Chrome can install extensions that add OpenPGP encryption to webmail. The extension holds your keys inside the browser, so the same rules apply as with Thunderbird: back up your secret key and verify recipients' fingerprints before trusting them.

Alternative Options

Other options for sending secure email are ProtonMail and Tutanota. Both are hosted email services that encrypt messages end-to-end between their users.

Conclusion

Using encryption does not have to be complicated. It can be applied in several ways to encrypt and decrypt files and messages so that data travels securely over an insecure network. Our Support Teams are filled with experienced Linux technicians and talented system administrators who have intimate knowledge of multiple web hosting technologies, especially those discussed in this article.

Should you have any questions regarding this information, we are always available to answer any inquiries with issues related to this article, 24 hours a day, 7 days a week 365 days a year.


About the Author: David Singer

I am a g33k, Linux blogger, developer, student, and former Tech Writer for Liquidweb.com. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....
