Installing and configuring PGP in Windows

Home Page

Today I installed Windows 7 and Office 2007, and configured Outlook. Then I looked for the most suitable GnuPG plugin for Outlook.

There are several, and I failed to install the best option due to missing components in my Windows install (it was built for Office 2005).

However, I did succeed in installing the command-line GnuPG tools, and also a shell extension which allows you to easily de/encrypt and sign files directly from the Windows Explorer right-click menu. This means you can secure files on your PC before sending them. I think this might in some ways be preferable to having email encryption only.

I'm writing this to document the install process. I disabled UAC (User Account Control) on Windows 7, so you might get additional security warnings. If you use UAC, remember to start Command Prompt when needed by selecting All Programs->Accessories->right-click on Command Prompt and select "Run as Administrator"; and similarly when running programs from the Windows Explorer.

First, download GnuPG by following the FTP link on this page. When I looked, the page looked like this (you want the FTP link beside GnuPG 1.4.10b compiled for Microsoft Windows.):

The file is called gnupg-w32cli-1.4.10b.exe. Save it and run it, or just run it.

You'll get a security warning. Click through it:

You can safely disable the install options:

The install creates a new directory under "Program Files", and you need to add this directory to your path. Right-click on "My Computer" and open "Properties", then select the "Advanced" tab:

Click "Environment Variables" and scroll in the "System variables" pane until you see "Path":

In the System pane, select "Path" then click Edit...

Move the text cursor to the end of the Variable value and append the following:

;C:\Program Files\GNU\GnuPG\

including the leading semi-colon and the trailing backslash. Hit the three "Ok" buttons to exit System Properties and you're done.

Next you need to generate your key for signing and encryption.

Open a Command Prompt and follow the procedure outlined in the GnuPG documentation at which looks like this:

In the command prompt, type the following command:

gpg --gen-key

and follow the key generation procedure, as I did in the following (note I was not in "My Documents" directory, that doesn't matter):

At this point you should export and backup a copy of your public and private key files, and make sure you won't forget your passphrase, or everything you have encrypted will be gone forever. To export your public key, change to your documents directory and type this command (but use your name, of course):

gpg -a --export -o clifford.heath.pubkey

This is the file you must send to your friends so they can encrypt email that only you can read. It's a plain-text file, so you cam safely view it in Notepad and paste it into the text of an email. The one I just generated looks like this (this is not my real one, just a test):

When I receive your public key file, I will import it into my public keyring using this command:

gpg --import ken.evans.pubkey

That completes the setup of GnuPG. Next you should install the Windows Shell extension GPGee. You can download it from (follow the download link). The page looked like this:

Save the ZIP file and view it in the Windows Explorer:

Windows will warn, but you can open it up to find the installer program:

Double click to run that. Since you're viewing the ZIP file, you'll get a warning you can ignore:


Click through the installer screens to the end:

Now, you can right-click on any file or directory in Windows Explorer, and you'll see a new option, GPGee:

You need to tell GPGee where everything is, so select Configure. The next screen shows my configuration (for the Administrator account):

Now, when you right-click a file or directory and select Sign, you'll see a screen like this (after choosing a signing key):

Hitting ok asks for your passphrase:

and now you have a signed copy of the original file.

If you had selected Encrypt as well, you'd have to select the public keys of the people you want to allow to decrypt the file, but otherwise the process is the same. Note that I selected "Text output", which means that the signed&encrypted text is encoded in ASCII so it looks similar to the public key I showed earlier. This file can easily be attached or pasted into any email message.

A similar procedure allows you to decrypt files you receive from others. GPGee will again ask for your passphrase, so it can unlock your private key.

When you receive a PGP encryption key from a friend, you can save this email (as text) to a file whose name ends in .asc, and then you can use GPGee to verify the signature. It looks like this:

That completes the installation procedure. Enjoy!

Clifford's Home Page