
Attaching a key to your key ring

You can store your friends' public keys on your "key ring" so they do not have to send you their public key every time they write to you.

First Option:

To import a public key (i.e. attach it to your key ring), you can save the key as a text block, much like you did with your own key.

To do this:

Highlight the public key portion of the email you received, from

-----BEGIN PGP PUBLIC KEY BLOCK-----

to

-----END PGP PUBLIC KEY BLOCK-----

and use Copy & Paste to insert it into your text editor. Copy the whole block, including both marker lines; an incomplete copy will be rejected when you import it. Save the file under a name and in a folder that are easy to find later, e.g. adeles-key.asc in the folder My Documents.

Second Option:

The key is sent to you as a file attachment to the email. No matter which mail program you use, you can always save attachments onto your hard drive. Do this now (again using names you will easily recognize and find later on, e.g. My Documents).

It does not matter whether you saved the key as a text block or directly as an email attachment; in both cases you now have a key file, and the next step imports it into your GnuPG key ring.

This is how it works:

Start the GNU Privacy Assistant (GPA) from Windows (this is necessary only if you shut it down after the previous practice session).

Click on Import, then select and load the key file.

You have now imported someone else's (in this case Adele's) public key and attached it to your key ring. Now you can use this key to send encrypted messages to the owner of that public key, as well as to verify his or her signature.

Before continuing, it is important to address the following concern: the email could have been sent by someone else using Adele's name, so how do you know that the public key sent to you is really Adele's key?

==> Chapter 9 ("Key Verification") in the "Gpg4win for Advanced Users" manual deals with this important question. You may want to read that section now before continuing with this manual.

Chapter 9 of the manual "Gpg4win for Advanced Users" shows you how to validate a key as well as how to sign a message (i.e. attach a signature) using your private key.

Chapter 10 of the advanced manual also discusses ways to attach a signature to email messages. This is the equivalent of attaching an electronic seal to your message, allowing the recipient to verify that the email has not been altered in transit and that it definitely came from you.

The signature verification process is simple. For this, you need the sender's public key on your Gpg4win-"key ring" (see Chapter 8 of "Gpg4win for Advanced Users" for more information).

You can tell that an email has been electronically signed when the message text is framed by the signature markers, like a border. The example below was produced by an old GnuPG release; a current version prints a stronger hash such as SHA256 in place of SHA1 and usually omits the Version line. A signed message begins with:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

and the message ends with the signature block:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iEYEARECAAYFAjxeqy0ACgkQcwePex+3Ivs79wCfW8u
ytRsEXgzCrfPnjGrDDtb7QZIAn17B8l8gFQ3WIUUDCMfA5cQajHcm
=O6lY
-----END PGP SIGNATURE-----

Highlight the text starting from BEGIN PGP SIGNED MESSAGE to END PGP SIGNATURE and copy it (using Ctrl-C) to your clipboard.

Now continue to decrypt the email as shown in Chapter 7 of this manual.

Right-click on the WinPT icon on your Windows taskbar and select
Clipboard -> Decrypt/Verify.

You should see the following window:

If the status line of the window displays the message Invalid Signature, the message was altered after it was signed. This does not necessarily mean that a third party tampered with it; the change can also be a technical accident on the way through the Internet, for example a mail program re-wrapping long lines or converting the character encoding. Either way, the signature then proves nothing about that message: treat it as unsigned.

==> Before continuing, you may want to read Chapter 10 of the manual "Gpg4win for Advanced Users" which contains additional information on how to deal with invalid signatures.
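Both copy-and-paste steps in this chapter, the public key block earlier and the signed message here, hand an ASCII-armored block to GnuPG, and an Invalid Signature is often just a block that was mangled on the way. The following Python script is an added example, not part of the Gpg4win manual or of GnuPG: it finds the armor blocks in a saved email, recomputes each block's CRC-24 checksum (the short "=O6lY" line above the END marker), and decodes the fields of a signature packet so you can see which key ID, algorithm and creation date it claims before you import a key or trust a verification result. It assumes the RFC 4880 formats (a version 4 signature with the old-format packet header GnuPG uses), decodes only the fields it needs, and does not verify the signature itself; that remains WinPT's or gpg's job, with the sender's key on your key ring. SAMPLE_EMAIL is constructed around the sample signature block shown on this page; the message line in it is made up.

```python
"""Added example (not Gpg4win's code): pick the PGP armor blocks out of an email,
check each block's CRC-24 armor checksum (a mismatch means copy and paste mangled
it) and decode what a SIGNATURE packet claims: issuer key ID, algorithms, date.
RFC 4880 formats only; it does NOT verify the signature, GnuPG and the key do."""
import base64
import re
import struct

ARMOR_RE = re.compile(r"-----BEGIN PGP (?P<kind>[A-Z ]+)-----\r?\n(?P<body>.*?)"
                      r"-----END PGP (?P=kind)-----", re.S)
PK_ALGS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}


def crc24(data: bytes) -> int:
    """CRC-24 of RFC 4880 section 6.1 (init 0xB704CE, polynomial 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor_checksum(data: bytes) -> str:
    """The trailer line under the base64 data, e.g. '=O6lY': base64 of the CRC-24."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()


def split_armor(text: str) -> list:
    """One dict per binary armor block.  The cleartext half of a SIGNED MESSAGE has
    no END line of its own, so only its trailing SIGNATURE block comes back."""
    blocks = []
    for m in ARMOR_RE.finditer(text):
        headers, b64, crc_line, in_headers = {}, [], None, True
        for line in m.group("body").splitlines():
            line = line.strip()
            if in_headers and ":" in line:       # e.g. "Version: GnuPG v1.4.2 (MingW32)"
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
                continue
            in_headers = False
            if line.startswith("="):             # checksum trailer
                crc_line = line
            elif line:
                b64.append(line)
        data = base64.b64decode("".join(b64))
        blocks.append({"kind": m.group("kind"), "headers": headers, "data": data,
                       "crc_ok": crc_line == armor_checksum(data)})
    return blocks


def iter_subpackets(area: bytes):
    """Yield (type, data) for each signature subpacket (RFC 4880 section 5.2.3.1)."""
    p = 0
    while p < len(area):
        first = area[p]
        if first < 192:
            length, p = first, p + 1
        elif first < 255:
            length, p = ((first - 192) << 8) + area[p + 1] + 192, p + 2
        else:
            length, p = struct.unpack(">I", area[p + 1:p + 5])[0], p + 5
        yield area[p] & 0x7F, area[p + 1:p + length]    # top bit is the "critical" flag
        p += length


def parse_signature(blob: bytes) -> dict:
    """Decode a v4 signature packet with the old-format header GnuPG emits for it."""
    ctb = blob[0]
    if ctb & 0xC0 != 0x80 or (ctb >> 2) & 0x0F != 2 or ctb & 0x03 > 1:
        raise ValueError("not an old-format signature packet with a 1- or 2-byte length")
    size = 1 + (ctb & 0x03)
    body = blob[1 + size:1 + size + int.from_bytes(blob[1:1 + size], "big")]
    if len(body) < 6 or body[0] != 4:
        raise ValueError("truncated packet or unsupported signature version")
    p = 6 + struct.unpack(">H", body[4:6])[0]           # end of the hashed area
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    info = {"sig_type": body[1], "pk_alg": PK_ALGS.get(body[2], body[2]),
            "hash_alg": HASH_ALGS.get(body[3], body[3])}
    # Only the hashed area is covered by the signature.  GnuPG 1.x put the issuer key
    # ID in the unhashed area (this sample does too), which anyone can rewrite in
    # transit: it is a lookup hint for your key ring, never proof of who signed.
    for area, sub in (("hashed", body[6:p]), ("unhashed", body[p + 2:p + 2 + unhashed_len])):
        for stype, sdata in iter_subpackets(sub):
            if stype == 2 and len(sdata) == 4:
                info["created"] = struct.unpack(">I", sdata)[0]     # Unix time
            elif stype == 16 and len(sdata) == 8:
                info["issuer_keyid"] = sdata.hex().upper()
                info["issuer_keyid_signed"] = area == "hashed"
    return info


# Constructed email text around the sample signature block shown on this page.
SAMPLE_EMAIL = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Adele, this is a signed test message.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iEYEARECAAYFAjxeqy0ACgkQcwePex+3Ivs79wCfW8u
ytRsEXgzCrfPnjGrDDtb7QZIAn17B8l8gFQ3WIUUDCMfA5cQajHcm
=O6lY
-----END PGP SIGNATURE-----
"""
```

In a Python shell, `split_armor(open("mail.txt").read())` lists every block with its `crc_ok`, and `parse_signature(block["data"])` on a SIGNATURE block shows the claimed issuer key ID, algorithms and creation time. A false `crc_ok` points at the same kind of transmission damage that produces an Invalid Signature in WinPT, so fix the copy before blaming the sender. The key ID is read from the unhashed area, which the signature does not protect, so match it against the fingerprint you verified by the method in Chapter 9 rather than trusting the ID on its own; the `Hash:` line of the cleartext part is likewise an unsigned hint.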

