Step-by-step GnuPG Installation and Configuration on Windows
This document aims to provide information on how to install and configure GnuPG in a Windows environment. These instructions are to be used only with GnuPG versions that come with the graphical installer (gnupg.org binary Windows installer versions ≥ 1.4.1).
- Getting started and where to obtain a recent GnuPG installer
- Back up the program, keyrings, and configuration files
- Delete any old program and home directories and registry settings
- Install the program and make it accessible from everywhere
- Test the installation and restore keyrings and configuration
- Creating a key pair and its revocation certificate
- Make your key available on a public keyserver
- Whom to ask for troubleshooting and related topics
- You're done with GnuPG! What's next?
Getting started and where to obtain a recent GnuPG installer
This document was written for new users who have never installed or used GnuPG before and have not perhaps done any reading but just wish to "dive right in and get started" using signing and encryption. If this is the case, please take your time to read through the whole document first skipping the update instructions (which make up significant portions of the document now). Be sure that you are comfortable with all the terms etc. before doing anything! If you are unsure of any part, write to the GnuPG-Users or PGP-Basics lists for help before you begin. They're really nice folks and are glad to help.
Obviously the first thing to do is to obtain a copy of GnuPG. You can download the latest binary version for Windows from the GnuPG Website. The file linked from there is the latest official release and gnupg.org is the primary source for all GnuPG versions.
Back up the program, keyrings, and configuration files
If you are absolutely sure that you never had any version of GnuPG installed on your system -or- that you already followed all of these steps once and now just want to upgrade that installation, you may skip this and proceed with the installation.
As we regularly encounter users who think they only have one GnuPG
version installed on their system but in fact they have more than one,
please start with a file search on all local drives for
gpg.exe . If you find one, please back up the
whole directory it resides in as you might want to copy some of these
files after the installation of the new program. If you found more than
gpg.exe 's, please back up all of them. We
will refer to the (most recent) backed up directory as the program
Your GnuPG HomeDir contains your secret keys
secring.gpg)*, your public keys and the public keys
from other users you collected (
pubring.gpg)*, your trust
trustdb.gpg) and your GnuPG configuration
gpg.conf). To find out where your GnuPG HomeDir is, run
gpg --version and check the
Home: line. If you are unsure about other
possible older HomeDirs, please search for
secring.gpg and back them all up.
If you found more than one keyring in the previous step, please
locate the most current GnuPG program and use it to import all older
<keyring_files> . Also back up the keyrings files
residing in the current HomeDir (now containing all your keys), the
trust database and the configuration file. We will refer to that backup
of the (most recent) HomeDir as the keyring backup.
*) Note that PGP also uses a (normally separate) keyring
directory. Those files are binary compatible but have different names:
pubring.pkr . You may have one same HomeDir for
GnuPG and PGP as long as you don't use PGP 9.x's transparent encryption
(proxy) feature which locks the keyrings permanently.
Delete any old program and home directories and registry settings
Except for the backups you created above, we suggest that you delete all GnuPG program directories and all HomeDir's in order to have a non-ambiguous setup later on.
This guide assumes that have a recent Windows version and that you
are about to use the default HomeDir location: $APPDATA$\GnuPG. This
localised default path is effective since GnuPG version 1.4.1 (see
NEWS.txt ) which resolves to
Settings\<USER>\Application Data\GnuPG on an english
Windows XP default installation. If you can use that default HomeDir,
then you do not need any Registry settings for GnuPG at all. So we
suggest that you issue these two commands (or save and execute this
script to remove all GnuPG related registry
reg delete HKLM\Software\GNU\GnuPG
reg delete HKCU\Software\GNU\GnuPG
/va . Note that if you have values set for each user, you
will need to execute the second
logged in as each of them.
Install the program and make it accessible from everywhere
Here comes the easy part: just run the installer you downloaded,
select your language and ensure that it completes correctly. Do not
change the default installation target directory (which defaults to
C:\Program files\GNU\GnuPG on an English
Windows XP default installation) or adapt the instructions below
If you already followed these steps once before in a previous installation and you are now only upgrading that installation, then you may skip all the rest of this page – your update should be complete.
If you had installed Lib\idea.dll in your old installation directory, you might now want to copy it from the program backup to the program installation directory that contains gpg.exe.
It is handy to be able to execute
from within any directory without having to provide the full path. This
is accomplished by the
variable. Unfortunately the original gnupg.org Windows installer does
not modify the
PATH , so you must do it
manually: on a Windows NT/2000/XP system, open
Settings → System → Advanced → Environment
Variables and edit the
under System variables. In the edit field, add
;C:\Program Files\GNU\GnuPG to the end of the
Path and then click OK three times. On a Windows 9x
C:\AUTOEXEC.BAT and add
;C:\Progra~1\GNU\GnuPG to the end of the
Test the installation and restore keyrings and configuration
To verify that GnuPG is installed correctly and works as expected,
we ask that you run some simple tests. Open a Command/DOS Prompt:
Start → Run, Enter
command (Windows 9x/ME)
and click OK. At the prompt, (without changing to the new
program installation directory) type
--version . You should see a screen of information which
should look similar to this:
gpg (GnuPG) 1.4.1 Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: C:/Documents and Settings/bporter/Application Data/GnuPG Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 Compression: Uncompressed, ZIP, ZLIB, BZIP2
If you get the error
Wrong command or file
name , then you did not set up the
PATH correctly. If it works fine, type
gpg --list-keys at the prompt. If you did not
have a keyring in the GnuPG HomeDir (shown in the
Home: line as above) before, you will get a
message telling you that the keyring files were created there. If you
backed up your keyrings and config file from a different location
before, then copy the keyring backup to the path created,
overwriting the (empty) keyrings.
GnuPG user defaults can be set in the plain text configuration file
gpg.conf which resides in the GnuPG HomeDir.
Based on our experience we suggest the following entries, but you may choose
to add or remove entries based on your reading:
default-recipient-self keyserver random.sks.keyserver.penguin.de default-cert-check-level 3 keyserver-options auto-key-retrieve include-revoked include-subkeys no-mangle-dos-filenames no-secmem-warning # If you installed idea.dll, uncomment the following line # load-extension Lib\idea
Creating a key pair and its revocation certificate
All the rest of this can be done from the command line as explained here or using Enigmail's OpenPGP keymanager graphical user interface.
Before you think about creating a key, you need to decide what your passphrase is going to be. This document does not discuss the merits of different types of passphrases, their strengths, etc. However we do recommend taking the time to create a passphrase that you can remember easily but is unique and may not be guessed easily. If you are having trouble thinking of a passphrase, we would recommend taking a look at Diceware, which is very easy to use and gives good strength passphrases.
Now that you have a passphrase, you can create a Key Pair:
Open a Command/DOS Prompt. At the prompt, type
--gen-key and follow the prompts. Unless you specifically
know what you are doing, and know the reasons for diverging, you should
keep to default types and settings. As you work through the prompts,
bear the following in mind:
- DSA/ElGamal is the default key type and is what most people use.
- When selecting a key size, the larger the size, the longer it will take to encrypt and decrypt messages, especially for people with older, slower systems. 2048 is probably a good size to go for as it offers good strength whilst not being so large as to cause a major problem to users of old systems.
- You do not have to enter a comment when asked. Your name and email address are all that is required. A comment might help you to distinguish keys for different purposes.
So now you have a Key Pair, but before you go on you need to
know what the KeyID (the number in the
position which is shown in red below)
is so that you can identify it in the commands we are going to use
later. Get yourself a pen and paper and note it down. At the prompt,
gpg --list-keys . This will give you a
listing similar to this:
C:/Documents and Settings/bporter/Application Data/GnuPG\pubring.gpg -------------------------------------------------------------------- pub 1024D/BB36BA75 2003-11-11 Barry Porter <email@example.com> sub 4096g/1F5A0D8B 2003-11-11
We recommend that you create a revocation certificate for your
secret key before using your key, especially if you intend to upload it
to a public keyserver. To do so, open a Command/DOS Prompt and navigate
to your GnuPG HomeDir. At the prompt, type
gpg -a --output
0xKeyID (where KeyID is the one you
noted down earlier). Note that the
0x prior to
the KeyID is a zero, not the capital letter O. The created
file is ASCII armored and contains your revocation certificate.
Make one or more copies of your keyrings and the revocation certificate and save them to a floppy, CD, LS120, ZIP, Memory Card or USB Stick or print out your revocation certificate. (Yes, you would need to enter most of it, but hopefully you will never need it.) Lock that media against being overwritten, label it and put them somewhere VERY safe AND secure that you will remember even after years! Some people go so far as to place a backup in a safety deposit box at their bank.
Make your key available on a public keyserver
Now that you have created your Key Pair, you should make your public key available to other users so that they may verify email's you send against the key. There are a number of ways of doing this; some prefer to give their public key out to people who request it via an email address in the OpenPGP comment in their signatures; others publish their key on a website and place a link to it in the OpenPGP comment in their signatures; most people prefer to simply upload their keyring to a keyserver where everybody can access it as required. Note that if your public key contains your email address (which it usually does and should) and you upload the key to a public keyserver, then spammers will also be able to harvest your email address from there.
To upload your public key to a keyserver, open a Command/DOS Prompt
gpg --send-keys 0xKeyID . If
you get back to the prompt without warning, then the upload was
successful. You can also test it using the
web based keyserver query
interface but if you followed our proposal,
pool.sks-keyservers.net has been used
which is special in the sense that you might not see the result
immediately as this address sends requests to a random server within
its pool and it may take some time until your newly uploaded key has
been distributed to the other servers.
Whom to ask for troubleshooting and related topics
If you have issues or questions regarding the use if GnuPG, it's interactions with PGP, or you just want to find out more, there are some very good resources available.
Join a mailing list ...
- Gnupg-users mailing list:
- PGP-Basics mailing list:
... or visit one of these helpful sites:
- Tom McCune's PGP Page:
- Jim Willingham's PGP Site:
- David S. Jackson's PGP Resources Page:
- Rubin.ch PGP Page:
- German/Deutsche Pages:
Anleitungen und Einführungen:
You're done with GnuPG! What's next?
Congratulations! You are now ready to download and install Enigmail. If you have already done so, remember to configure Enigmail according to your needs. There are even tweaks if you like to fiddle with hidden preferences.