Penn Computing


Secure Electronic Messaging & File Encryption: PGP

Is secure email possible?

PGP ("Pretty Good Privacy") and GPG ("GNU Privacy Guard") are both implementations of OpenPGP (as defined by RFC4880), which you can use to encrypt your email as well as digitally "sign" it so you don't have to worry about forgery.

Encryption: when you encrypt an email message using PGP, you use the public portion of each recipient's PGP key. Only the intended recipient(s) can decrypt the message, since only they have the corresponding private portion of their respective PGP key(s). PGP-encrypted email provides end-to-end assurance that the email will be readable only by its intended recipient, and cannot be altered in transit or while in the recipient's mailbox.

Signing: whereas the sender information of an email message can be forged trivially, using PGP to "sign" an email message provides assurance that the message really was sent by the person whose key was used to sign the message.

We recommend that Local Support Providers (LSPs) review the issues below and use their judgment regarding whether a deployment makes sense for their unit.

Some issues

Email encryption using PGP and GPG is not supported at Penn. There is presently no infrastructure for supporting the sharing of PGP keys, though ISC Information Security is available to hold key-signing parties for local units. Key-signing parties are also held after SUG and Security-SIG meetings. You should plan on an investment of time up front for installing and learning the software. The following instructions are intended for use by LSPs only.

PGP is not integrated with webmail. If an Outlook Web Access or Zimbra user receives an encrypted message, it would have to be saved locally and decrypted using a local installation of PGP.

PGP is not compatible with all handhelds. While PGP Corporation does offer a PGP Support Package for BlackBerry, they do not support PGP for the Apple iPhone. Windows Mobile devices can use PGP Mobile, but it has limited functionality - email integration is not available.

Use of PGP encryption requires that both sender and recipient have PGP. Depending on the use case, other solutions may be implemented more easily, such as Secure Share or a shared file server.

PGP is subject to export restrictions. PGP may not be exported to Cuba, Iran, Iraq, North Korea, Sudan, and Syria, or disclosed to foreign nationals from those countries. For more details, see the PGP Corporation FAQ or the Export Administration Regulations.

If you want to use PGP to encrypt files on your computer, make sure you don't lose the key. Once encrypted, data can probably never be recovered without the key. It may be years before the file is needed, and if the key is forgotten, the file is worthless. Don't rely on your memory. Make sure that keys are stored some place safe before encrypting important information.

Installing PGP or GPG

Email Client Integration

DRAFT documentation for integrating PGP and GPG with Penn-supported email clients is below:

Mac OS
  Thunderbird (GPG)
  Mail (GPG)
  Entourage 2004 & 2008 (not supported by PGP except in POP/IMAP mode)
Windows
  Thunderbird (GPG)
  Outlook 2003 & 2007 (PGP)

PGP Basics

A web version of a PowerPoint presentation on the basics of PGP is available.

PGP Terminology

There are a few terms in PGP you will need to become familiar with:

Public Key
The public half of the keypair which is shared openly. To encrypt mail to someone, you encrypt the message with their public key. The message can only be decrypted with that person's private key. Public keys are generally shared widely by publishing them on home pages, in mail signature files and on specialized PGP key servers.
Private Key
The private half of the keypair. This must be known by the user alone. You use your private key to decrypt mail that was encrypted with your public key.
Pass Phrase
Private keys are long strings of seemingly random characters, and are not easily memorized. For ease of use, PGP saves you from having to type in your private key. Instead, it stores your private key wherever you specify (on your hard drive, or better yet on a removable diskette) protected with your pass phrase. PGP will ask you for your pass phrase whenever it needs your private key.
Key Rings
PGP stores your keys on key rings. Public keys are stored on public key rings, and secret keys are stored on secret key rings. You may have many keys on your public key ring (one for each person you correspond with using PGP), but typically you will only have one key on your secret key ring - your own.
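The encryption and signing described above, and the public/private key and key ring terms just defined, as an added GnuPG walkthrough that is not part of the Penn page: three throwaway key rings are created in temporary GNUPGHOME directories, only public halves are exchanged, a message is encrypted to the recipient's public key and signed with the sender's private key, and a second key carrying the same name and address (a forged sender) is shown to fail verification. It assumes gpg 2.1 or later on PATH; all names, addresses and message text are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Penn page): round-trip a signed, encrypted OpenPGP
# message between throwaway GnuPG key rings, then show that a message signed by
# a key the recipient never imported is not accepted.  Assumes gpg 2.1+ on PATH;
# every name, address and message below is constructed.
set -u
# Each party gets its own key ring (GNUPGHOME), so real keys are never touched.
ALICE=$(mktemp -d); BOB=$(mktemp -d); MALLORY=$(mktemp -d)
cleanup() { for h in "$ALICE" "$BOB" "$MALLORY"; do
  GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$h"; done; }
trap cleanup EXIT
# Run gpg against one key ring.  The empty passphrase is for the demo only; a
# real private key is protected by the pass phrase described above.
g() { h=$1; shift
  GNUPGHOME="$h" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
KEYS_READY=0
setup_keys() {  # generate the keypairs once and exchange only the public halves
  [ "$KEYS_READY" = 1 ] && return 0
  g "$ALICE"   --quick-generate-key "Alice Example <alice@example.edu>" default default never 2>/dev/null
  g "$BOB"     --quick-generate-key "Bob Example <bob@example.edu>" default default never 2>/dev/null
  # Mallory's key carries Alice's name and address but is a different key.
  g "$MALLORY" --quick-generate-key "Alice Example <alice@example.edu>" default default never 2>/dev/null
  # What a key server or key-signing party provides: public keys only.
  g "$ALICE" --armor --export alice@example.edu | g "$BOB"   --import 2>/dev/null
  g "$BOB"   --armor --export bob@example.edu   | g "$ALICE" --import 2>/dev/null
  KEYS_READY=1
}

# Encrypt to Bob's public key and sign with Alice's private key; Bob decrypts
# with his private key and checks the signature against Alice's public key.
# --status-fd gives machine-readable results; GOODSIG means the signature held.
pgp_roundtrip() {
  setup_keys
  printf 'Meet at 10am' | g "$ALICE" --trust-model always --armor \
    --sign --encrypt --recipient bob@example.edu > "$BOB/msg.asc"
  g "$BOB" --status-fd 3 --decrypt "$BOB/msg.asc" > "$BOB/plain" 3> "$BOB/status" 2>/dev/null
  if [ "$(cat "$BOB/plain")" = 'Meet at 10am' ] && grep -q ' GOODSIG ' "$BOB/status"
  then echo ok; else echo fail; fi
}
# A forged sender cannot produce GOODSIG on Bob's side: the signature was made
# with a key Bob does not hold, so gpg reports NO_PUBKEY instead.
forged_sender_check() {
  setup_keys
  printf 'Wire the money' | g "$MALLORY" --armor --clearsign > "$MALLORY/forged.asc"
  g "$BOB" --status-fd 3 --verify "$MALLORY/forged.asc" 3> "$BOB/fstatus" 2>/dev/null || true
  if grep -q ' NO_PUBKEY ' "$BOB/fstatus" && ! grep -q ' GOODSIG ' "$BOB/fstatus"
  then echo rejected; else echo accepted; fi
}
pgp_roundtrip; forged_sender_check
```

Running it prints "ok" followed by "rejected"; the NO_PUBKEY result is the practical meaning of the forgery protection above, since a signature only proves anything once the verifier holds, and trusts, the signer's public key.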

Other References

PGP Key Signing Party Procedures

Last updated: Thursday, June 12, 2014


Information Systems and Computing
University of Pennsylvania