How to Get Started with PGP

*** Archived page, last updated August 2003

These are the steps to getting started with PGP:

• Install PGP software on Windows or Mac OS
• Generate a key
• Send a test message to yourself. Encrypt and Sign it.
• Verify incoming mail with decrypt/verify.
• Learn to examine PGP-validated mail for Invalid or bad signatures.

1. Install PGP Freeware on Windows (see below for Mac OS)
   1. Go to MIT's PGP Freeware distribution site. Scroll down to the table that lists versions of software, locate PGP Freeware v6.5.8, Windows 95/98/NT/2000, and click on Download.
   2. On the PGP Distribution Authorization page, scroll down to the web form, answer the questions, then click the Submit button. Wait for the software to download.
   3. To unpack the downloaded file, you'll need a utility like TurboZIP Express that handles ZIP files.
   4. Exit other Windows applications before starting the installer.
   5. Run the file named Setup.exe in the PGP package.
      1. First is a "Welcome" window. Click Next >.
      2. Next is a "Software License Agreement" window. Scroll down to read all the terms of the agreement. Click Yes if you accept the terms.
      3. Next is a "What's New" window. You can scroll down and read this information here, or you can read it on MIT's web site or after you install the software.
      4. The fourth window asks you to enter your full name and company, then click Next >.
      5. The fifth window states that by default the files will be installed in C:\Program Files\Network Associates\PGP. Click Next >.
      6. The sixth window asks you to choose the PGP components you wish to install. All the components are selected to start; click in the check box next to any component you do not wish to install. For example, you don't need the plug-in for any e-mail program you don't use.
      7. The seventh window summarizes what you have selected. Click Next >.
      8. You will see a series of status windows as the installation proceeds.
      9. The next window asks you to select a network adapter.
      10. The next window asks whether you have existing keyrings you wish to use. If you have never used PGP before, click No.
      11. The last window advises you to restart your computer to make the new settings take effect. Click Finish.
   6. Skip ahead to the Create a key section.

   Install PGP software for Mac OS (see above for Windows)

   1. Go to MIT's PGP Freeware distribution site. Scroll down to the table that lists versions of software, locate PGP Freeware v6.5.8, MacOS, and click on Download.
   2. On the PGP Distribution Authorization page, scroll down to the web form, answer the questions, then click the Submit button.
   3. On the MIT PGP Freeware Download Center page, click MacOS 7.6.1+. Choose a location on your hard drive, and click the Save button. Wait for the software to download.
   4. The file should uncompress automatically if you have StuffIt Expander installed. If it doesn't, double-click on it; the file's name is PGPFW658Mac.sit.bin.
   5. Open the PGPFW658Mac Folder on your desktop, and double-click on the PGP 6.5.8 icon.
   6. A License window opens. Scroll down to read all the terms of the agreement. Click Accept if you accept the terms.
   7. A What's New window opens. You can scroll down and read this information here, or read it later on MIT's web site or on your own hard drive after you install the software. Click Continue.
   8. In the installation window, illustrated below, click Install.

      

      You'll see a series of installation in progress windows, but you don't need to click anything.

      The next window asks you to select a folder where PGP plug-ins for your e-mail software will be installed. By default, the location chosen corresponds to your default e-mail application.

      

   9. A final window recommends that you restart your computer. You don't need to restart yet, so click the Continue button.
   10. Restart your computer.

2. Generate a key pair for yourself. A key pair consists of a public key, which you share with other PGP users, and a private key, which you never share with anyone.
   1. Start the PGPkeys application.
   2. The first time you open this application, you will be asked to personalize your copy of PGP by entering your name and company (Cornell University).
   3. A dialog box states that your Key files could not be found, and offers a choice of creating new keys or searching for existing ones. Click the New Key Files button. (If you don't see this dialog, choose New Key... from the Keys menu in the PGPkeys window.
   4. A Key Generation Wizard window opens. Click Next.
   5. In the next window, enter your name and e-mail address, then click Next.
      
   6. Click Next in the next three windows (type, size, and expiration date of your new keys). You do not need to alter any settings.
   7. Choose a passphrase to protect your new keys. A passphrase can have blanks and special characters in it for added security. Enter the passphrase twice to confirm that you have typed it correctly, then click Next.
      
      Wait for PGP to finish generating your keys, then click Next again.
   8. The next window suggests that you send your new public key to the key server. Check the box labeled "Send my key to the root server now," then click Next. Wait for the key to be sent, click Next again.
   9. Click Finish (on Windows) or Done (on a Macintosh).

3. Send a test message to yourself. Encrypt and Sign it.
• Encrypt a message: Encryption protects the contents of a message so that no one except the PGP user to whom you are sending the message can decode it (the message is encrypted with the intended recipient's public key, and can only be decrypted with that person's private key).
• Sign a message: A PGP signature is not related to the signature files that you usually use with e-mail. A message signed by your PGP key, backed by the authority of the Cornell PGP Admin key signer, proves to the recipient that the message was authentically sent by your NetID.
• You may choose to encrypt some messages and sign others; you do not always need to do both.

On Windows:
1. In Eudora, start composing a message to yourself.
2. In the message window, just to the left of the Send button, you should see two new icons.
   The icon with a padlock above an envelope is the PGP Encrypt command.
   The icon with a pencil writing on a page is the PGP Sign command.

On a Macintosh:
1. In Eudora, compose a brief message to yourself.
2. From the Edit menu, choose Message Plug-ins, then choose one of the PGP options:
   • PGP Sign (Command-2)
   • PGP Encrypt (Command-3)
   • PGP Encrypt/Sign (Command-4)
4. Verify incoming mail with decrypt/verify.
1. When you receive the test message you just sent yourself, it will appear as gobbledygook.
2. On Windows, look for the Decrypt/Verify icon shown at left, which should appear in the topmost row of Eudora icons, to the right of the Help question mark. On a Macintosh, open the Edit menu and choose Message Plug-ins then PGP Decrypt/Verify. Alternatively, you can open the PGPtools application and copy the encrypted or signed text onto the clipboard, or drag the text onto the icon.
3. You will be asked to enter your passphrase, to prove that you are the person for whom this message was meant. Then you should see something like this:

   *** PGP Signature Status: good
   *** Signer: Your Name Here  
   *** Signed: 11/20/02 1:20:58 PM
   *** Verified: 11/20/02 1:24:03 PM
   *** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
   
   
   this is a test message
   
   
   *** END PGP DECRYPTED/VERIFIED MESSAGE ***
   

5. Learn to examine PGP-validated mail for Invalid or bad signatures.
• The PGP FAQ page has some information about this.
• If someone sends you a message that is signed but not encrypted, you will see two lines like these at the top of the message:

  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1
  

  This means the PGP digital signature has been encrypted using an algorithm called SHA1, which stands for Secure Hash Algorithm. More information about this algorithm is available in the Internet RFC Archives.

Last modified: August 15, 2003