June 06, 2007
Firefox, Gmail, and GPG Encryption with FireGPG
FireGPG is a Firefox extension that hooks into GPG to allow you to encrypt, decrypt, sign, and verify text in the browser using various encryption keys. Though it can work with any text in the Firefox browser, there are also special buttons that appear specifically in Gmail.
For those who don't know, GPG is a GNU version of PGP, which allows data to be encrypted and signed via public and private keys (among other features). GPG is command-line software, but FireGPG hooks it into Firefox in a completely graphical way.
The first step to getting started is to install GPG on your computer. It is available for many operating systems, and can be downloaded here. Make sure to download the binaries for your specific operating system. As an alternative to installing on a Windows machine, you can also install Cygwin and add the GPG package during the Cygwin installation.
Once GPG is installed, you should install FireGPG. The install is very similar to other Firefox extension installs. Make sure to restart the browser when you are finished.
Now that you have both pieces of software installed, you need to make sure that the Firefox extension has the proper path of your GPG install. In Firefox, go to Tools --> FireGPG --> Options. If you get a message about how GPG cannot be found, manually change the path in the options window to the 'gpg' (or gpg.exe in Windows) command in your filesystem. The other options can be left alone, though you can definitely edit them if you have a need.
Now that the Firefox extension is configured properly, we need to generate a private / public key combination for you. Once this is done, you can give other people your public key and they can encrypt messages and send them to you. Only you will be able to decrypt them since you have the private key (and the password you will create). In addition, you can sign a message with your private key and when you send it to others, they will be able to verify that it actually came from you with the public key.
From the command line (in Windows, click on Start --> Run and then type 'cmd' and click 'OK'), change to the GPG directory (in Windows, type: cd "\Program Files\GNU\GnuPG"). Then, type 'gpg --gen-key'. Follow the instructions to generate your key. You can always hit Enter to accept the default, which is probably a good idea unless you know what you are doing. Make sure to enter your real name and email address. The comment on the key is optional. Once you finish following the prompts, your key will be stored in the GPG keystore. You can now close the command line window.
Now that you have your own key, you want to give others your public key so that they can send you messages. Open Firefox and go to Tools --> FireGPG --> Export, choose the key you just created and click OK. Your public key will be displayed in a new window. Copy the entire thing and paste it into an email, document, etc. in order to give your key to others.
Likewise, other people will most likely be giving their public keys to you so you can send them encrypted messages and verify their signature. To import a key, highlight it on a page in the browser. You can use my signature as an example. Right-click on the selection and choose FireGPG --> Import. Assuming the key is valid, you will see a message that it was imported successfully.
To send someone an encrypted message, highlight some text in the browser, right-click and choose FireGPG --> Crypt. A window will appear asking you to choose a public key. Choose the public key of the person to whom you are sending the message. The encrypted text will appear. Copy the entire thing into your message and send it to them. If you are using Gmail, you can use the new buttons that appear while creating a message for encrypting, signing, etc.
If someone sends you an encrypted message with your public key, you can use your private key to decrypt it by highlighting the message, right-clicking, and choosing FireGPG --> Decrypt.
FireGPG also makes it very easy to sign messages and verify other messages that are signed. To sign a message with your private key, highlight the message, right-click, and choose FireGPG --> Sign. To verify a message that someone has signed with their private key, highlight the signed message, right-click and choose Verify. The window will then prompt you to choose the public key of the person that signed it. Assuming the message verifies, you will get a message saying the signature is valid.
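The steps above map onto plain gpg commands. The script below is an added example, not part of the original post or of FireGPG: it runs the whole exchange between two throwaway keyrings and adds a fingerprint comparison before the imported key is used. It assumes GnuPG 2.1 or later; the names, addresses and message are constructed.

```shell
#!/bin/sh
# Added example: the gpg commands behind FireGPG's menu items, run in two
# throwaway keyrings. Names, addresses and the message are constructed.
set -e

a() { gpg --homedir "$WORK/alice" --batch --quiet --pinentry-mode loopback "$@"; }
b() { gpg --homedir "$WORK/bob" --batch --quiet --pinentry-mode loopback "$@"; }
fpr() { "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'; }

gpg_roundtrip() {
  WORK=$(mktemp -d)
  mkdir -m 700 "$WORK/alice" "$WORK/bob"

  # Key generation: unattended form of `gpg --gen-key`. The empty passphrase
  # is acceptable only because these keys are deleted at the end.
  a --passphrase '' --quick-generate-key 'Alice Demo <alice@example.test>'
  b --passphrase '' --quick-generate-key 'Bob Demo <bob@example.test>'

  # Export / Import: each side hands over its public key only.
  b --armor --export bob@example.test > "$WORK/bob.asc"
  a --armor --export alice@example.test > "$WORK/alice.asc"
  a --import "$WORK/bob.asc"
  b --import "$WORK/alice.asc"

  # "Imported successfully" says nothing about who owns the key. Compare the
  # fingerprint with one the owner gave you over another channel (here: read
  # from Bob's own keyring), then certify the key locally.
  expected=$(fpr b bob@example.test)
  imported=$(fpr a bob@example.test)
  [ -n "$imported" ] && [ "$imported" = "$expected" ] || return 1
  a --yes --quick-lsign-key "$imported"

  # Crypt / Decrypt: Alice encrypts to Bob's public key, Bob decrypts.
  printf 'meet at noon\n' | a --armor --recipient "$imported" --encrypt > "$WORK/msg.asc"
  plain=$(b --decrypt "$WORK/msg.asc" 2>/dev/null)

  # Sign / Verify: Bob checks Alice's signature, then an altered copy.
  printf 'meet at noon\n' | a --clearsign > "$WORK/signed.asc"
  if b --verify "$WORK/signed.asc" 2>/dev/null; then genuine=valid; else genuine=invalid; fi
  sed 's/noon/nine/' "$WORK/signed.asc" > "$WORK/altered.asc"
  if b --verify "$WORK/altered.asc" 2>/dev/null; then altered=valid; else altered=invalid; fi

  gpgconf --homedir "$WORK/alice" --kill gpg-agent
  gpgconf --homedir "$WORK/bob" --kill gpg-agent
  rm -rf "$WORK"
  RESULT="$plain|$genuine|$altered"
}

gpg_roundtrip
echo "$RESULT"
```

For a key you intend to keep, run the interactive `gpg --gen-key` described earlier and set a passphrase instead of the empty one used here.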
Keep in mind that while FireGPG works great as is, it is still actively being developed, so new features and fixes should be released regularly. There is an active forum that people participate in for troubleshooting and bug reporting. For instance, users have requested to be able to sign and encrypt a message at the same time. In addition, many users do not like the command prompt windows that open and close quickly when using FireGPG with Windows.
As you can see, FireGPG makes it very easy to encrypt / decrypt and sign / verify messages in Firefox, as well as import public keys. Give it a try and you will see how easy it is to use FireGPG once it is installed. Feel free to send me a message using my public key to chuck at chuckcaplan d o t com and I will respond.
Posted by Chuck at June 6, 2007 01:09 PM