GnuPG Setup Guide

Step-by-step GnuPG Installation and Configuration on Windows

This document aims to provide information on how to install and configure GnuPG in a Windows environment. These instructions are to be used only with GnuPG versions that come with the graphical installer (gnupg.org binary Windows installer versions ≥ 1.4.1).

  1. Getting started and where to obtain a recent GnuPG installer
  2. Back up the program, keyrings, and configuration files
  3. Delete any old program and home directories and registry settings
  4. Install the program and make it accessible from everywhere
  5. Test the installation and restore keyrings and configuration
  6. Creating a key pair and its revocation certificate
  7. Make your key available on a public keyserver
  8. Whom to ask for troubleshooting and related topics
  9. You're done with GnuPG! What's next?


Getting started and where to obtain a recent GnuPG installer

This document was written for new users who have never installed or used GnuPG before and who have perhaps not done any reading but just wish to "dive right in and get started" using signing and encryption. If this is the case, please take your time to read through the whole document first, skipping the update instructions (which now make up significant portions of the document). Be sure that you are comfortable with all the terms etc. before doing anything! If you are unsure of any part, write to the GnuPG-Users or PGP-Basics lists for help before you begin. They're really nice folks and are glad to help.

Obviously the first thing to do is to obtain a copy of GnuPG. You can download the latest binary version for Windows from the GnuPG Website. The file linked from there is the latest official release and gnupg.org is the primary source for all GnuPG versions.

Back up the program, keyrings, and configuration files

If you are absolutely sure that you never had any version of GnuPG installed on your system, or that you already followed all of these steps once and now just want to upgrade that installation, you may skip this and proceed with the installation.

As we regularly encounter users who think they only have one GnuPG version installed on their system but in fact have more than one, please start with a file search on all local drives for  gpg.exe . If you find one, please back up the whole directory it resides in, as you might want to copy some of these files after the installation of the new program. If you find more than one  gpg.exe , please back up all of them. We will refer to the (most recent) backed up directory as the program backup.

Your GnuPG HomeDir contains your secret keys (secring.gpg)*, your own public keys and the public keys you collected from other users (pubring.gpg)*, your trust database (trustdb.gpg) and your GnuPG configuration (gpg.conf). To find out where your GnuPG HomeDir is, run  gpg --version  and check the  Home:  line. If you are unsure about other possible older HomeDirs, please search for  secring.gpg  and back them all up.

If you found more than one keyring in the previous step, please locate the most current GnuPG program and use it to import all older keyrings using  gpg --import <keyring_files> . Also back up the keyring files residing in the current HomeDir (now containing all your keys), the trust database and the configuration file. We will refer to that backup of the (most recent) HomeDir as the keyring backup.

*) Note that PGP also uses a (normally separate) keyring directory. Those files are binary compatible but have different names:  secring.skr  and  pubring.pkr . You may share one HomeDir between GnuPG and PGP as long as you don't use PGP 9.x's transparent encryption (proxy) feature, which locks the keyrings permanently.

Delete any old program and home directories and registry settings

Except for the backups you created above, we suggest that you delete all GnuPG program directories and all HomeDirs in order to have an unambiguous setup later on.

This guide assumes that you have a recent Windows version and that you are about to use the default HomeDir location: %APPDATA%\GnuPG. This localised default path has been in effect since GnuPG version 1.4.1 (see  NEWS.txt ) and resolves to  C:\Documents and Settings\<USER>\Application Data\GnuPG  on an English Windows XP default installation. If you can use that default HomeDir, then you do not need any Registry settings for GnuPG at all. So we suggest that you issue these two commands (or save and execute this script to remove all GnuPG related registry settings):  reg delete HKLM\Software\GNU\GnuPG /va  and  reg delete HKCU\Software\GNU\GnuPG /va . Note that if you have values set for each user, you will need to execute the second  reg  command logged in as each of them.

Install the program and make it accessible from everywhere

Here comes the easy part: just run the installer you downloaded, select your language and ensure that it completes correctly. Do not change the default installation target directory (which defaults to  C:\Program files\GNU\GnuPG  on an English Windows XP default installation), or, if you do, adapt the instructions below accordingly.

If you already followed these steps once before in a previous installation and you are now only upgrading that installation, then you may skip all the rest of this page – your update should be complete.

If you had installed Lib\idea.dll in your old installation directory, you might now want to copy it from the program backup to the program installation directory that contains gpg.exe.

It is handy to be able to execute  gpg.exe  from within any directory without having to provide the full path. This is accomplished by adding its directory to the  PATH  environment variable. Unfortunately the original gnupg.org Windows installer does not modify the  PATH , so you must do it manually: on a Windows NT/2000/XP system, open Settings → System → Advanced → Environment Variables and edit the  PATH  variable under System variables. In the edit field, add  ;C:\Program Files\GNU\GnuPG  to the end of the Path and then click OK three times. On a Windows 9x system, edit  C:\AUTOEXEC.BAT  and add  ;C:\Progra~1\GNU\GnuPG  to the end of the  PATH  statement.

Test the installation and restore keyrings and configuration

To verify that GnuPG is installed correctly and works as expected, we ask that you run some simple tests. Open a Command/DOS Prompt: Start → Run, Enter  cmd  (Windows NT/2000/XP/2003) or  command  (Windows 9x/ME) and click OK. At the prompt, (without changing to the new program installation directory) type  gpg --version . You should see a screen of information which should look similar to this:

    gpg (GnuPG) 1.4.1
    Copyright (C) 2005 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.

    Home: C:/Documents and Settings/bporter/Application Data/GnuPG
    Supported algorithms:
    Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
    Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
    Compression: Uncompressed, ZIP, ZLIB, BZIP2

If you get the error  Wrong command or file name , then you did not set up the  PATH  correctly. If it works fine, type  gpg --list-keys  at the prompt. If you did not have a keyring in the GnuPG HomeDir (shown in the  Home:  line as above) before, you will get a message telling you that the keyring files were created there. If you backed up your keyrings and config file from a different location before, then copy the keyring backup to the path created, overwriting the (empty) keyrings.

GnuPG user defaults can be set in the plain text configuration file  gpg.conf  which resides in the GnuPG HomeDir. Based on our experience we suggest the following entries, but you may choose to add or remove entries based on your reading:

  default-recipient-self
  keyserver random.sks.keyserver.penguin.de
  default-cert-check-level 3
  keyserver-options auto-key-retrieve include-revoked include-subkeys
  no-mangle-dos-filenames
  no-secmem-warning

  # If you installed idea.dll, uncomment the following line
  # load-extension Lib\idea
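As an added example (not part of this guide or of GnuPG itself), a small Python check that parses a gpg.conf and reports which of the entries recommended above are missing. It assumes the "option argument..." line syntax and the "#" comment convention visible in the file above; the sample gpg.conf is constructed.

```python
from __future__ import annotations

# The gpg.conf entries this guide recommends: option -> the argument words
# that must be present (an empty tuple means a bare flag).
RECOMMENDED = {
    "default-recipient-self": (),
    "keyserver": ("random.sks.keyserver.penguin.de",),
    "default-cert-check-level": ("3",),
    "keyserver-options": ("auto-key-retrieve", "include-revoked", "include-subkeys"),
    "no-mangle-dos-filenames": (),
    "no-secmem-warning": (),
}

# Constructed sample of an older gpg.conf that is only partly configured.
SAMPLE_CONF = """\
# constructed example, not a real user's file
default-recipient-self
keyserver-options include-revoked
# load-extension Lib\\idea
"""

def parse_gpg_conf(text: str) -> dict[str, list[str]]:
    """Map each active option to its argument words.

    Blank lines and '#' comment lines are skipped, so the commented-out
    load-extension line above stays inactive. Arguments may be separated
    by spaces or commas; a repeated option accumulates its words.
    """
    options: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        options.setdefault(name, []).extend(rest.replace(",", " ").split())
    return options

def missing_entries(text: str) -> list[str]:
    """List recommended options that are absent or lack a required word."""
    present = parse_gpg_conf(text)
    missing = []
    for name, words in RECOMMENDED.items():
        if name not in present:
            missing.append(name)
            continue
        missing.extend(f"{name} {w}" for w in words if w not in present[name])
    return missing

if __name__ == "__main__":
    for entry in missing_entries(SAMPLE_CONF):
        print("missing:", entry)
```

To check your own file, read it from the HomeDir shown in the  Home:  line and pass its contents to missing_entries().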

Creating a key pair and its revocation certificate

All the rest of this can be done from the command line as explained here or using Enigmail's OpenPGP keymanager graphical user interface.

Before you think about creating a key, you need to decide what your passphrase is going to be. This document does not discuss the merits of different types of passphrases, their strengths, etc. However, we do recommend taking the time to create a passphrase that you can remember easily but that is unique and cannot be guessed easily. If you are having trouble thinking of a passphrase, we would recommend taking a look at Diceware, which is very easy to use and produces strong passphrases.

Now that you have a passphrase, you can create a Key Pair: Open a Command/DOS Prompt. At the prompt, type  gpg --gen-key  and follow the prompts. Unless you specifically know what you are doing, and know the reasons for diverging, you should keep to default types and settings. As you work through the prompts, bear the following in mind:

  • DSA/ElGamal is the default key type and is what most people use.
  • When selecting a key size, the larger the size, the longer it will take to encrypt and decrypt messages, especially for people with older, slower systems. 2048 is probably a good size to go for as it offers good strength whilst not being so large as to cause a major problem to users of old systems.
  • You do not have to enter a comment when asked. Your name and email address are all that is required. A comment might help you to distinguish keys for different purposes.

So now you have a Key Pair, but before you go on you need to know what the KeyID is (the eight hexadecimal characters after the slash on the  pub  line, BB36BA75 in the listing below) so that you can identify it in the commands we are going to use later. Get yourself a pen and paper and note it down. At the prompt, type  gpg --list-keys . This will give you a listing similar to this:

    C:/Documents and Settings/bporter/Application Data/GnuPG\pubring.gpg
    --------------------------------------------------------------------
    pub  1024D/BB36BA75 2003-11-11 Barry Porter <barry@bpuk.net>
    sub  4096g/1F5A0D8B 2003-11-11

We recommend that you create a revocation certificate for your secret key before using your key, especially if you intend to upload it to a public keyserver. To do so, open a Command/DOS Prompt and navigate to your GnuPG HomeDir. At the prompt, type  gpg -a --output revcert_for_KeyID.asc --gen-revoke 0xKeyID  (where KeyID is the one you noted down earlier). Note that the  0x  prior to the KeyID is a zero, not the capital letter O. The created file is ASCII armored and contains your revocation certificate.
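As an added example (not from this guide), a Python helper that reads the KeyID off a  gpg --list-keys  listing in the 1.4-era format shown above and builds the revocation command exactly as given here, so the ID is not copied by hand. The listing it parses is a constructed sample using the same fictitious key as above.

```python
from __future__ import annotations
import re

# Constructed sample of "gpg --list-keys" output in the GnuPG 1.4 format
# shown in this guide (same fictitious key as the listing above).
SAMPLE_LISTING = """\
C:/Documents and Settings/bporter/Application Data/GnuPG\\pubring.gpg
--------------------------------------------------------------------
pub  1024D/BB36BA75 2003-11-11 Barry Porter <barry@bpuk.net>
sub  4096g/1F5A0D8B 2003-11-11
"""

# A primary key line: "pub  <size><algo>/<8 hex KeyID> <date> <user ID>".
# Subkey ("sub") lines are deliberately not matched: the revocation
# certificate is made for the primary key.
PUB_LINE = re.compile(
    r"^pub\s+(?P<size>\d+)(?P<algo>[A-Za-z])/(?P<keyid>[0-9A-Fa-f]{8})"
    r"\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<uid>.+)$"
)

def parse_primary_keys(listing: str) -> list[dict]:
    """Return one dict per primary key found in a --list-keys listing."""
    keys = []
    for line in listing.splitlines():
        m = PUB_LINE.match(line.rstrip())
        if m:
            keys.append({"keyid": m.group("keyid").upper(),
                         "size": int(m.group("size")),
                         "algo": m.group("algo"),
                         "date": m.group("date"),
                         "uid": m.group("uid").strip()})
    return keys

def revoke_command(keyid: str) -> str:
    """Build the --gen-revoke command line exactly as this guide gives it."""
    keyid = keyid.upper()
    if not re.fullmatch(r"[0-9A-F]{8}", keyid):
        raise ValueError("expected an 8 hex digit short KeyID")
    # "0x" is the digit zero followed by x, never the letter O.
    return f"gpg -a --output revcert_for_{keyid}.asc --gen-revoke 0x{keyid}"

if __name__ == "__main__":
    for key in parse_primary_keys(SAMPLE_LISTING):
        print(f"KeyID {key['keyid']} ({key['size']}{key['algo']}, {key['uid']})")
        print("  " + revoke_command(key["keyid"]))
```

Against a real installation, save the output of  gpg --list-keys  to a file and pass its contents to parse_primary_keys(); the printed command is then run in the HomeDir as described above.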

Make one or more copies of your keyrings and the revocation certificate and save them to a floppy, CD, LS120, ZIP, Memory Card or USB Stick, or print out your revocation certificate. (Yes, you would have to type most of it back in, but hopefully you will never need it.) Lock that media against being overwritten, label it and put it somewhere VERY safe AND secure that you will remember even after years! Some people go so far as to place a backup in a safety deposit box at their bank.

Make your key available on a public keyserver

Now that you have created your Key Pair, you should make your public key available to other users so that they may verify emails you send against the key. There are a number of ways of doing this: some prefer to give their public key out to people who request it via an email address in the OpenPGP comment in their signatures; others publish their key on a website and place a link to it in the OpenPGP comment in their signatures; most people prefer to simply upload their public key to a keyserver where everybody can access it as required. Note that if your public key contains your email address (which it usually does and should) and you upload the key to a public keyserver, then spammers will also be able to harvest your email address from there.

To upload your public key to a keyserver, open a Command/DOS Prompt and type  gpg --send-keys 0xKeyID . If you get back to the prompt without a warning, then the upload was successful. You can also test it using the web based keyserver query interface, but if you followed our proposal,  pool.sks-keyservers.net  has been used, which is special in the sense that you might not see the result immediately: this address sends each request to a random server within its pool, and it may take some time until your newly uploaded key has been distributed to the other servers.

Whom to ask for troubleshooting and related topics

If you have issues or questions regarding the use of GnuPG, its interactions with PGP, or you just want to find out more, there are some very good resources available.

Join a mailing list ...

... or visit one of these helpful sites:

You're done with GnuPG! What's next?

Congratulations! You are now ready to download and install Enigmail. If you have already done so, remember to configure Enigmail according to your needs. There are even tweaks if you like to fiddle with hidden preferences.