General information about OpenPGP
OpenPGP is a standard for guaranteeing the identity and privacy of e-mails (and data in general) based on public-key cryptography. Its most popular implementation is GnuPG (GPG), which can be installed on many operating systems. Inside the FSFE, we use OpenPGP CA to ease the distribution and authentication of public keys.
Generally, identity is guaranteed by digital signatures, privacy is guaranteed by encryption. To digitally sign and encrypt your e-mail messages with OpenPGP, you need your own OpenPGP key pair. Your OpenPGP private key must be kept safe on your system. Your OpenPGP public key however can be shared with everyone.
On this page you will find basic instructions to create your OpenPGP key and use it in your FSFE-related communications.
As of Thunderbird 78, Thunderbird uses its own OpenPGP key storage. That complicates a few things. If you are a Thunderbird user, look out for these boxes as they will contain information specifically about this mail client.
This guide will never be exhaustive and does not intend to be. You can read more information elsewhere, for example in the Email Self-Defense Guide or the GNU Privacy Handbook.
First of all, you should have GnuPG installed. There are other OpenPGP implementations, but they are not covered here. On GNU/Linux systems, you can usually install it using your normal package manager. Typically the package is called gnupg or gpg. This will provide the gpg command in your terminal.
For graphical interfaces and email clients, please refer to the overview of GnuPG frontends. There, you will find graphical interfaces to generate and manage your keys, and email clients that support OpenPGP.
Generating your OpenPGP key pair
If you already have an OpenPGP key pair, you can just add a new user ID to it (using your USERNAME@fsfe.org mail address). But if you prefer to create a separate OpenPGP key to be used only for the FSFE, that's fine too.
If you need to create your own key pair, follow these instructions:
- Most of the graphical interfaces listed above provide a guided procedure
- You can use the gpg command line tool, as described in the GnuPG manual
As user-id, please use YOURNAME YOURSURNAME <USERNAME@fsfe.org>. If you don't have this User ID on your key, then you cannot upload it to the FSFE's WKD.
As of Thunderbird 78, Thunderbird uses its own OpenPGP key storage. Therefore, you cannot create a key via the command line and use it in Thunderbird without synchronising it. To create a key in Thunderbird, open Tools > OpenPGP Key Manager, and then Generate > New Key Pair. Here you can set your email address, desired expiration date, key strength and so on.
Sharing your OpenPGP key
To allow someone to verify your signatures and send encrypted email to you, you have to give them your public key. Since you typically do not want to do that manually for every contact, the FSFE offers a service to ease this process tremendously.
Export public key
First of all, you have to export your own public key(s). This can be one or multiple public keys, perhaps also expired or revoked ones. The simplest terminal command to do that is:
gpg --export USERNAME@fsfe.org | gpg -a --sign > mykey.asc
It exports all keys that include your @fsfe.org email address, signs them with your secret key, and writes them to the file mykey.asc. You will need that in the next step.
Thunderbird uses a separate storage for all OpenPGP keys. That adds some complexity, but the included key manager is quite simple to use. Here you can see how to export a key (click on the thumbnails to see it large):
Advanced security tip
This is secure and error-proof in most cases. However, if you want to check manually, also consult the commands gpg --list-keys USERNAME@fsfe.org and gpg --list-secret-keys USERNAME@fsfe.org. Are there keys that do not make any sense to you, or whose fingerprint you have never seen before? Make sure that no fake keys have been planted in your keyring.
Upload to OpenPGP CA
The FSFE runs its own OpenPGP CA instance. It makes uploading your public key and fetching other FSFE users' keys simple. It also signs your public key automatically after upload to give other people an indication of your key's authenticity. You can read more about the background in our initial announcement.
To upload your key, you must have an FSFE account. All supporters and staff have one by default; volunteers can request one from their team's coordinator. Your key must also have a user ID containing your @fsfe.org email address.
- Go to OpenPGP key management in the FSFE's user panel. Click on Upload a public key, select your mykey.asc and press Upload.
- On the next step, you will see a summary of the keys the file contains, their fingerprints and other information, and a checkbox for each key. Our system makes a pre-selection that's usually secure and error-proof. However, as you've read above, you can check whether these keys really belong to you. If you've lost the secret key, forgot the password, or uploaded keys that you do not want to be distributed (e.g. in case of test keys), make sure the check box is unchecked.
- When you are happy, press Publish selected keys. The selected keys will then be stored in our OpenPGP CA database, and be available via Web Key Directory (WKD) and as plain text files on keys.fsfe.org.
Please be aware that once you've published your keys, they are public to the world. Deleting keys from OpenPGP CA is not trivial, so better be safe than sorry. (Of course, you can always revoke the keys, if you make a mistake.)
Have your key signed by the FSFE
After uploading your key(s), the FSFE's CA (Certificate Authority) will automatically sign your USERNAME@fsfe.org user ID. As you have successfully logged in to the FSFE's user panel, we know that the person uploading the keys controls the USERNAME@fsfe.org email address.
Some may argue that this is a weak proof of identity. We argue it's better than nothing. Everyone can evaluate for themselves how much they trust the FSFE's signature.
Fetch public keys
To get your own signed or another FSFE user's public key, you can run the following terminal command:
gpg --locate-external-keys USERNAME@fsfe.org
You can also download it as an ASCII-armored text file via a link that is easy to remember:
All keys will be signed by the FSFE's CA. It may make sense to also download your own key after uploading it to get the signature on your own computer. To verify your own or someone else's signatures, download the CA's public key and list the signatures of an email address with these commands:
gpg --locate-external-keys --auto-key-locate wkd firstname.lastname@example.org
gpg --list-sigs USERNAME@fsfe.org
On the resulting output, there should be something like the following visible under the @fsfe.org uid:
sig N 699D9E7F63B40E79 2021-01-25 FSFE OpenPGP CA <email@example.com>
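To check this mechanically instead of by eye, here is an added example (not from this page or the OpenPGP CA project) that parses the machine-readable output of gpg --list-sigs --with-colons and reports whether the FSFE CA's certification is present under the @fsfe.org user ID. The CA key ID is the one shown above; the sample keyring output embedded in the script is constructed.

```shell
# Print every user ID that carries a certification ("sig" record) from CA_KEYID
# and whose certification has not been revoked by a later "rev" record.
ca_certified_uids() {  # usage: ca_certified_uids CA_KEYID < colon-output
  awk -F: -v ca="$1" '
    # a pub/sub record starts a new key; sigs after a sub are binding sigs, not uid certs
    $1 == "pub" || $1 == "sub" { uid = ""; next }
    # field 10 of a uid record is the user ID string; the sigs that follow belong to it
    $1 == "uid" { uid = $10; next }
    # field 5 of a sig/rev record is the 64-bit key ID of the signer
    $1 == "sig" && $5 == ca && uid != "" { certified[uid] = 1; next }
    $1 == "rev" && $5 == ca && uid != "" { delete certified[uid]; next }
    END { for (u in certified) print u }
  '
}

# Exit 0 only if the user ID containing <ADDRESS> is certified by CA_KEYID.
fsfe_uid_certified() {  # usage: fsfe_uid_certified CA_KEYID ADDRESS < colon-output
  ca_certified_uids "$1" | grep -qF "<$2>"
}

# Live use, after fetching the key and the CA key as described above:
#   gpg --list-sigs --with-colons USERNAME@fsfe.org | fsfe_uid_certified 699D9E7F63B40E79 USERNAME@fsfe.org
# A 64-bit key ID is not a fingerprint: confirm the downloaded CA key once with
# gpg --fingerprint before relying on this check.

FSFE_CA_KEYID=699D9E7F63B40E79   # key ID of the FSFE OpenPGP CA as shown on this page

# Constructed sample keyring listing: one key with an @fsfe.org uid (self-sig + CA sig),
# a second uid without a CA sig, and an encryption subkey with its binding signature.
SAMPLE='pub:u:255:22:0123456789ABCDEF:1611532800:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1611532800::UIDHASH1::Jane Doe <jane@fsfe.org>::::::::::0:
sig:::22:0123456789ABCDEF:1611532800::::Jane Doe <jane@fsfe.org>:13x::0123456789ABCDEF0123456789ABCDEF01234567:::8:
sig:::22:699D9E7F63B40E79:1611532800::::FSFE OpenPGP CA <email@example.com>:10x:::::8:
uid:u::::1611532800::UIDHASH2::Jane Doe <jane@example.net>::::::::::0:
sig:::22:0123456789ABCDEF:1611532800::::Jane Doe <jane@fsfe.org>:13x::0123456789ABCDEF0123456789ABCDEF01234567:::8:
sub:u:255:18:FEDCBA9876543210:1611532800::::::e::::::23:
sig:::22:0123456789ABCDEF:1611532800::::Jane Doe <jane@fsfe.org>:18x::0123456789ABCDEF0123456789ABCDEF01234567:::8:'

if printf '%s\n' "$SAMPLE" | fsfe_uid_certified "$FSFE_CA_KEYID" jane@fsfe.org; then
  echo "jane@fsfe.org: certified by the FSFE CA"
else
  echo "jane@fsfe.org: no FSFE CA certification found"
fi
```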
To download a key, open Tools > OpenPGP Key Manager, and navigate Keyserver > Discover Keys Online. Here, just enter the desired email address and Thunderbird will also look it up via WKD.
FSFE as trusted introducer
Optionally, you can define the FSFE's CA as a trusted authority to sign keys of @fsfe.org addresses. In OpenPGP technical terms, this configures the CA to act as a trusted introducer on your system. Based on this configuration, your OpenPGP software knows that we want it to honour cryptographic statements (that is, certifications - or signatures) made by the CA.
Please refer to the more advanced tutorial by OpenPGP CA to learn how to configure and use this on your system.
When you delegate (some) authentication decisions to a CA, it is important to make sure that you are delegating this trust to the correct entity - and not for example to an impostor.
These resources may help you to further improve your encryption and email experience.
Guides for Thunderbird: as mentioned above, this client takes some special paths, specifically with regard to encryption. For example, learn how to disable encrypted subjects that annoy non-Thunderbird users.