
And This....


Why you should use strong passwords.  My guess:  the guy got a bunch of emails and passwords from other hacked databases and just tried them.  That or he just guessed easily guessable passwords.  Pick strong passwords.  Never reuse them.  Make them long and random.  Use a password application to remember them.

Link to the article about someone locking iThings and demanding a ransom.

Image from Gwyneth Anne Bronwynne Jones via flickr

Privacy Idea -- Step 3a


This is part of my privacy series.  Main post is here.

I haven't written about steps 1 or 2 yet.  Step 1 is fairly easy:  get a server.  Right now, I have a VPS through 1and1 (the same company that currently hosts

Step 2 doesn't make sense on a vps with limited disk space.  Although, part of me says I should try.  But, it may be easier with real disks so I'm planning to wait.

This is what I did to get OpenVPN installed and working.  YMMV.

Text in the Courier New font is what you should type in.
Text in the Comic Sans MS font is output.
Text in italics are notes.

No, I'm not going to show you how to SSH into your server, install putty, or use the command line ssh.  Go google those things. Ask if you need help (I won't not help) but I consider those things prerequisites for this howto.

  1. Since this is a new server, I ran "yum update" to make sure my server was up to date.  It was.
  2. I ran the command "passwd" and set the password for the root user to something strong.
  3. Run "cat /dev/net/tun" to make sure that my VPS supported TUN (required for openVPN).  This command returns "cat: /dev/net/tun: File descriptor in bad state" if TUN is supported.
  4. "yum install nano".  nano is a text editor on Linux.  You can use anything you like.  The guides I reference below do all the installs at once with a -y at the end (which answers yes to every prompt).  I don't trust computers (and you shouldn't either).  Read the output, make sure they are doing what you want and you understand what is going on!
  5. "yum install openssl" You need this package as a prerequisite for openVPN
  6. "yum install lzo" another prerequisite for openVPN
  7.  "yum install pam" yet another prereq
  8. At this point, I thought I could find an up-to-date rpm for openVPN and install it.  I only was installing the minimum I needed (or thought I needed).  I futzed around for a while here trying to find a binary and get it installed.  No luck.  I also futzed around adding some yum repositories to my config.  I did sort of succeed in getting a binary...but I kept getting an error:  Requires:  I fiddle-farted around for a bit trying to solve that on its own.
  9. "yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel".  This command installs gcc; make; rpm-build; dev tools for zlib, pam, and openssl; along with autoconf.  This is a bunch of dev tools I was trying to avoid installing by simply getting binaries.
  10. "wget".  This is a binary for lzo from openVPN.
  11. "wget".  I have no idea what this is, but the instructions I was following said I needed it.
  12. "rpmbuild --rebuild lzo-1.08-4.rf.src.rpm" this rebuilds the lzo binary I downloaded earlier.
  13. "rpm -Uvh lzo-*.rpm" this installs the lzo binaries
  14. "rpm -Uvh rpmforge-release*" this installs the rpm downloaded from rpmforge above
  15. "yum install openvpn" -- finally we get to install openVPN
  16. I ended up with openVPN 2.3.2, which differs from 2.2.2 and earlier in a significant way:  it doesn't include the easy-rsa scripts used to generate keys.
  17. "yum install easy-rsa" will install this.  If you get an error, you'll probably need to run steps 18, 19, and 20
  18. "cd /etc/yum.repos.d"
  19. "wget"
  20. "wget"
  21. openVPN has been "installed" into /usr/share/doc/openvpn-2.3.2/
  22. easy-rsa has been "installed" into /usr/share/easy-rsa/
  23. copy the easy-rsa files into /etc/openvpn/:  "cp -r /usr/share/easy-rsa/* /etc/openvpn/"
  24. now go into that directory:  "cd /etc/openvpn/"
  25. You can edit the vars file.  It is used to set up the defaults you need to generate your keys.  I changed a few things.  This step is optional...but if you edit it, you can just go through some future steps hitting enter.
    export KEY_SIZE=2048 (default was 1024.  Bigger is better)
    export KEY_COUNTRY="XX" (your country)
    export KEY_PROVINCE="XX" (state)
    export KEY_CITY="XXXXXXXX" (city)
    export KEY_ORG="XXXXXXXXX" (organization)
    export KEY_EMAIL=XXXXXX@XXXXXXXXX.XXX (email quotes)
  26. Now load it into your shell with "source ./vars" (the file only exports variables, so it has to be sourced rather than executed, or the build scripts won't see them).
  27. Run "./clean-all" to make sure there's no junk around
  28. Run "./build-ca" to start the process of making your "master" certificate.  This will take a while since you are making a 2048-bit key.  Let it run.  Mine took about 5 min or so to finish.
  29. When it finishes, build the key for your server "./build-key-server server"
  30. Build the keys for each client you want: "./build-key client1".  You can replace client1 with whatever you want the client called.  It just needs to be unique.
  31. Copy the sample server config file into /etc/openvpn/.  "cp /usr/share/doc/openvpn-2.3.2/sample-config-files/server.conf /etc/openvpn/server.conf"  When I did this at first, I put it into a subdirectory called conf.  Don't do this.  Just put your conf file into /etc/openvpn/.  This becomes important when it comes time to run it as a service.
  32. Now, edit the file "nano server.conf"
  33. You'll have to make some changes in the file.  Read the comments and everything should become clear.  Here's my file:

    # Sample OpenVPN 2.0 config file for #
    # multi-client server. #
    # #
    # This file is for the server side #
    # of a many-clients <-> one-server #
    # OpenVPN configuration. #
    # #
    # OpenVPN also supports #
    # single-machine <-> single-machine #
    # configurations (See the Examples page #
    # on the web site for more info). #
    # #
    # This config should work on Windows #
    # or Linux/BSD systems. Remember on #
    # Windows to quote pathnames and use #
    # double backslashes, e.g.: #
    # "C:\\Program Files\\OpenVPN\\config\\foo.key" #
    # #
    # Comments are preceded with '#' or ';' #

    # Which local IP address should OpenVPN
    # listen on? (optional)
    ;local a.b.c.d

    # Which TCP/UDP port should OpenVPN listen on?
    # If you want to run multiple OpenVPN instances
    # on the same machine, use a different port
    # number for each one. You will need to
    # open up this port on your firewall.
    port 1194

    # TCP or UDP server?
    ;proto tcp
    proto udp

    # "dev tun" will create a routed IP tunnel,
    # "dev tap" will create an ethernet tunnel.
    # Use "dev tap0" if you are ethernet bridging
    # and have precreated a tap0 virtual interface
    # and bridged it with your ethernet interface.
    # If you want to control access policies
    # over the VPN, you must create firewall
    # rules for the the TUN/TAP interface.
    # On non-Windows systems, you can give
    # an explicit unit number, such as tun0.
    # On Windows, use "dev-node" for this.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    dev tun
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450

    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel if you
    # have more than one. On XP SP2 or higher,
    # you may need to selectively disable the
    # Windows firewall for the TAP adapter.
    # Non-Windows systems usually don't need this.
    ;dev-node MyTap

    # SSL/TLS root certificate (ca), certificate
    # (cert), and private key (key). Each client
    # and the server must have their own cert and
    # key file. The server and all clients will
    # use the same ca file.
    # See the "easy-rsa" directory for a series
    # of scripts for generating RSA certificates
    # and private keys. Remember to use
    # a unique Common Name for the server
    # and each of the client certificates.
    # Any X509 key management system can be used.
    # OpenVPN can also use a PKCS #12 formatted key file
    # (see "pkcs12" directive in man page).
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key # This file should be kept secret

    # Diffie hellman parameters.
    # Generate your own with:
    # openssl dhparam -out dh1024.pem 1024
    # Substitute 2048 for 1024 if you are using
    # 2048 bit keys.
    dh /etc/openvpn/keys/dh2048.pem

    # Configure server mode and supply a VPN subnet
    # for OpenVPN to draw client addresses from.
    # The server will take for itself,
    # the rest will be made available to clients.
    # Each client will be able to reach the server
    # on Comment this line out if you are
    # ethernet bridging. See the man page for more info.

    # Maintain a record of client <-> virtual IP address
    # associations in this file. If OpenVPN goes down or
    # is restarted, reconnecting clients can be assigned
    # the same virtual IP address from the pool that was
    # previously assigned.
    ifconfig-pool-persist ipp.txt

    # Configure server mode for ethernet bridging.
    # You must first use your OS's bridging capability
    # to bridge the TAP interface with the ethernet
    # NIC interface. Then you must manually set the
    # IP/netmask on the bridge interface, here we
    # assume Finally we
    # must set aside an IP range in this subnet
    # (start= end= to allocate
    # to connecting clients. Leave this line commented
    # out unless you are ethernet bridging.

    # Configure server mode for ethernet bridging
    # using a DHCP-proxy, where clients talk
    # to the OpenVPN server-side DHCP server
    # to receive their IP address allocation
    # and DNS server addresses. You must first use
    # your OS's bridging capability to bridge the TAP
    # interface with the ethernet NIC interface.
    # Note: this mode only works on clients (such as
    # Windows), where the client-side TAP adapter is
    # bound to a DHCP client.

    # Push routes to the client to allow it
    # to reach other private subnets behind
    # the server. Remember that these
    # private subnets will also need
    # to know to route the OpenVPN client
    # address pool (
    # back to the OpenVPN server.
    ;push "route"
    ;push "route"

    # To assign specific IP addresses to specific
    # clients or if a connecting client has a private
    # subnet behind it that should also have VPN access,
    # use the subdirectory "ccd" for client-specific
    # configuration files (see man page for more info).

    # EXAMPLE: Suppose the client
    # having the certificate common name "Thelonious"
    # also has a small subnet behind his connecting
    # machine, such as
    # First, uncomment out these lines:
    ;client-config-dir ccd
    # Then create a file ccd/Thelonious with this line:
    # iroute
    # This will allow Thelonious' private subnet to
    # access the VPN. This example will only work
    # if you are routing, not bridging, i.e. you are
    # using "dev tun" and "server" directives.

    # EXAMPLE: Suppose you want to give
    # Thelonious a fixed VPN IP address of
    # First uncomment out these lines:
    ;client-config-dir ccd
    # Then add this line to ccd/Thelonious:
    # ifconfig-push

    # Suppose that you want to enable different
    # firewall access policies for different groups
    # of clients. There are two methods:
    # (1) Run multiple OpenVPN daemons, one for each
    # group, and firewall the TUN/TAP interface
    # for each group/daemon appropriately.
    # (2) (Advanced) Create a script to dynamically
    # modify the firewall in response to access
    # from different clients. See man
    # page for more info on learn-address script.
    ;learn-address ./script

    # If enabled, this directive will configure
    # all clients to redirect their default
    # network gateway through the VPN, causing
    # all IP traffic such as web browsing and
    # and DNS lookups to go through the VPN
    # (The OpenVPN server machine may need to NAT
    # or bridge the TUN/TAP interface to the internet
    # in order for this to work properly).
    push "redirect-gateway def1"

    # Certain Windows-specific network settings
    # can be pushed to clients, such as DNS
    # or WINS server addresses. CAVEAT:
    # The addresses below refer to the public
    # DNS servers provided by
    push "dhcp-option DNS"
    push "dhcp-option DNS"

    # Uncomment this directive to allow different
    # clients to be able to "see" each other.
    # By default, clients will only see the server.
    # To force clients to only see the server, you
    # will also need to appropriately firewall the
    # server's TUN/TAP interface.

    # Uncomment this directive if multiple clients
    # might connect with the same certificate/key
    # files or common names. This is recommended
    # only for testing purposes. For production use,
    # each client should have its own certificate/key
    # pair.

    # The keepalive directive causes ping-like
    # messages to be sent back and forth over
    # the link so that each side knows when
    # the other side has gone down.
    # Ping every 10 seconds, assume that remote
    # peer is down if no ping received during
    # a 120 second time period.
    keepalive 10 120

    # For extra security beyond that provided
    # by SSL/TLS, create an "HMAC firewall"
    # to help block DoS attacks and UDP port flooding.
    # Generate with:
    # openvpn --genkey --secret ta.key
    # The server and each client must have
    # a copy of this key.
    # The second parameter should be '0'
    # on the server and '1' on the clients.
    ;tls-auth ta.key 0 # This file is secret

    # Select a cryptographic cipher.
    # This config item must be copied to
    # the client config file as well.
    ;cipher BF-CBC # Blowfish (default)
    ;cipher AES-128-CBC # AES
    ;cipher DES-EDE3-CBC # Triple-DES

    # Enable compression on the VPN link.
    # If you enable it here, you must also
    # enable it in the client config file.

    # The maximum number of concurrently connected
    # clients we want to allow.
    max-clients 3

    # It's a good idea to reduce the OpenVPN
    # daemon's privileges after initialization.
    # You can uncomment this out on
    # non-Windows systems.
    user nobody
    group nobody

    # The persist options will try to avoid
    # accessing certain resources on restart
    # that may no longer be accessible because
    # of the privilege downgrade.

    # Output a short status file showing
    # current connections, truncated
    # and rewritten every minute.
    status openvpn-status.log

    # By default, log messages will go to the syslog (or
    # on Windows, if running as a service, they will go to
    # the "\Program Files\OpenVPN\log" directory).
    # Use log or log-append to override this default.
    # "log" will truncate the log file on OpenVPN startup,
    # while "log-append" will append to it. Use one
    # or the other (but not both).
    ;log openvpn.log
    ;log-append openvpn.log

    # Set the appropriate level of log
    # file verbosity.
    # 0 is silent, except for fatal errors
    # 4 is reasonable for general usage
    # 5 and 6 can help to debug connection problems
    # 9 is extremely verbose
    verb 4

    # Silence repeating messages. At most 20
    # sequential messages of the same message
    # category will be output to the log.
    ;mute 20

  34. You can now run the server with "openvpn server.conf".
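
Before starting the daemon it is worth checking the file for the security-relevant lines that the sample leaves commented out. The script below is an added example (my code, not the post's or OpenVPN's): it parses a server.conf the way OpenVPN reads comments and reports the gaps in a constructed copy of the file above beside a hardened variant; the 10.8.0.0/24 pool and 10.8.0.1 resolver in the hardened copy are assumed placeholders.

```python
"""Static checks for an OpenVPN 2.x server.conf (added example, not from the post)."""

# Constructed sample modelled on the server.conf shown above: same active
# directives, tls-auth and cipher still commented out, and no "server" line
# (the subnet line did not survive on the page).
SAMPLE_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
max-clients 3
user nobody
group nobody
status openvpn-status.log
verb 4
"""

# Constructed hardened variant. The 10.8.0.0/24 pool and the 10.8.0.1 resolver
# are assumed placeholders, not values from the post.
HARDENED_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
verb 4
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC"}  # 64-bit block ciphers


def parse_conf(text):
    """Yield (directive, args) for active lines; '#'/';' start a comment and
    a trailing '# ...' comment (as on the key line above) is stripped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts[0], parts[1:]


def check_conf(text):
    """Return a list of (code, message) findings; an empty list means clean."""
    entries = list(parse_conf(text))
    names = {name for name, _ in entries}
    args = {name: a for name, a in entries}  # last occurrence wins
    pushed = [" ".join(a).strip('"') for name, a in entries if name == "push"]
    findings = []

    def add(code, msg):
        findings.append((code, msg))

    if not names & {"server", "server-bridge", "ifconfig"}:
        add("no-server", "no 'server' directive: nothing hands out client addresses")
    # Without tls-auth the daemon answers any UDP source with a TLS handshake;
    # with it, packets lacking the HMAC are dropped before TLS even starts.
    if "tls-auth" not in names:
        add("no-tls-auth", "tls-auth is commented out: no HMAC check in front of TLS")
    elif args["tls-auth"][1:2] != ["0"]:
        add("tls-auth-direction", "tls-auth key direction must be 0 on the server")
    if "cipher" not in names:
        add("default-cipher", "no cipher set: 2.3 defaults to BF-CBC (64-bit blocks)")
    elif args["cipher"][0].upper() in WEAK_CIPHERS:
        add("weak-cipher", f"{args['cipher'][0]} has 64-bit blocks; use an AES mode")
    if "user" not in names or "group" not in names:
        add("runs-as-root", "no user/group: the daemon keeps root after init")
    elif not {"persist-key", "persist-tun"} <= names:
        # The sample file's own comment: after the privilege drop a restart
        # (SIGUSR1 or ping-restart) can no longer reopen the key or tun device.
        add("no-persist", "user/group set but persist-key/persist-tun missing")
    if any(p.startswith("redirect-gateway") for p in pushed) and not any(
            p.startswith("dhcp-option DNS") for p in pushed):
        add("dns-leak", "redirect-gateway pushed without a DNS server: lookups bypass the tunnel")
    if "duplicate-cn" in names:
        add("duplicate-cn", "clients may share one certificate; sample file says testing only")
    return findings
```

Run check_conf on your own file's contents; every code it returns maps to a line you can fix in step 33 before step 34.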

I'll do another post detailing firewall changes and then a third detailing client configuration.

References:

  • main guide I used
  • another howto I used
  • openVPN docs I referred to
  • big BIG huge help with getting iptables set up right

[Update 2013-06-30 07:14:07] Edited step 34

[Update 2013-06-30 07:53:27] I've finished step 3b detailing firewall changes with iptables and starting the server as a daemon

I need some advice



Currently, I'm on a shared hosting plan with my hosting provider.  I've farmed out email to Google with Google Apps.  I use Amazon's Cloud Drive for their cloud music player (+20GB online space).  I use flickr to host my pictures.  I'd like to combine everything into one provider.  However, my experiments in self-hosted pictures haven't turned out so well (and I'd need about 300GB space).  And I'd need another 200 GB or so for music.  Any ideas on how I could do this on my own?

I've thought about using AWS with their EC2 compute cloud and S3 for storage, but there's no easy way to talk between the two (Why not, Amazon??).

I've looked into VPS solutions, because most of the time, everything will sit idle.  But I can't get the disk space I want.

I've thought about buying a QNAP NAS device, but I'd prefer to NOT have it at home.

That leaves getting a physical server somewhere.  But the price is about $100/month.  For $1,200/year, it seems like I should be able to buy my own server and put it in a data center somewhere.  Has anyone else out there tackled this sort of problem?  How have you overcome it?

[Update 2013-06-23 07:19:22] I've been thinking about this, and I think co-location of a server is the only way to go.  That is the ONLY way to guarantee that my data isn't shared with anyone.  Sure, the police could come in and take the server...but I could set it up so the disks are encrypted and can't be read without a password.  Going this route would also let me get rid of:

  • Hosting:  $13/month
  • VPN:  $55/year
  • Flickr:  $25/year
  • Amazon Music:  $20/year (+20 GB Storage)

It would let me get (with no known men-in-the-middle):

  • email done on my own server
  • cloud storage
  • Contact/Calendar synching across devices without Google
  • Secure telephony (asterisk with zrtp) 
  • Off-site backup (with loads of space)

I think my plan is going to be to set this stuff up at home, see if I can do it, then decide from there what to do.

Image from amy nievera via flickr

Do you Encrypt Your Computer?



If not, you should.  But, if you do, you should also never hibernate your computer.  Why?  Because this device can search out a cached password and use it to decrypt your drive.  Wow.

Image from richard-g via flickr

SSL and


Oh brother where art thou

I've got the website, I think, all converted to force SSL every place.  I've also redirected a TON of URLs via .htaccess files to secure equivalents.  Here's a rundown of what I've done: -> -> ->
update flickr pictures to use https in both the href and img src tags

The flickr stuff was fairly easy.  I just had to run a couple of SQL queries to do a find and replace on a few fields in a few tables.  By the way, if you care, the find and replace syntax for MySQL is:

update [table_name] set [field_name] = replace([field_name],'[string_to_find]','[string_to_replace]');


In general, the check I use in the .htaccess file looks like:

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent]

In reality, it isn't that easy.  From how I've seen it work, if you have one .htaccess file in a directory, that overrides something higher up.  That means I've had to put a .htaccess file in each of the directories for the domains above and test several cases of with www and https, without www and https, with www and no https, etc... for each case.  I think I finally have it worked out.  Worst case, the [L] directive doesn't seem to be working.  What does L do in a .htaccess file?  Well, I think it is supposed to tell Apache to stop processing redirects.  Mine keeps going.

Oh, and while the URL gets rewritten, it doesn't reassign variables in the .htaccess file.  That means you have to order things right so stuff works out.  Here's an example:

RewriteCond %{HTTP_HOST} host1
RewriteRule ^.*$ https://NewLocationHost1%{REQUEST_URI} [NC,R=permanent]
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !host1
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent]
RewriteCond %{HTTP_HOST} ^DomainWithNoWWW$
RewriteRule ^.*$ https://DomainWithWWW%{REQUEST_URI} [R=permanent]

When you get to line 4 (RewriteCond %{HTTP_HOST} !host1) to do a generic check of whether https is turned on or off, you also have to check that you aren't coming from a different host (files vs media vs www).  If you don't, you'll end up rewriting with the generic %{HTTP_HOST} for the wrong host and get certificate errors.

Oh, one other thing I did, after I had all the redirection already done, was to insert the following line into my .htaccess files:

Header set Strict-Transport-Security "max-age=31337"


If you want to do something similar, that looks like the better way to do it.  From what I've read (at eff and wikipedia) that header, by itself, would force a browser that understood it to make an https connection.  If it couldn't, the page wouldn't load.  But, if the browser didn't understand it, the page would load via http.  So, if you are starting out from scratch and didn't already have 30 lines of .htaccess written, try that.  If it works, you are done...if not, then you can delve into .htaccess and mod_rewrite.
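
Browsers only act on this header once they have received it on an https response, so the rewrite rules above still have to carry the first visit, and the value has to be spelled max-age=<seconds>. The code below is an added example (mine, not from the post) that parses the header the way RFC 6797 specifies and lists what a given value leaves open; the two sample values at the bottom are constructed.

```python
"""RFC 6797 Strict-Transport-Security parsing and checks (added example, not from the post)."""
import re

ONE_YEAR = 31536000  # seconds; the minimum max-age the browser preload lists require


def parse_hsts(value):
    """Return {'max_age', 'include_subdomains', 'preload'} or None if a browser
    would ignore the header.

    RFC 6797 section 6.1: directives are ';'-separated and case-insensitive,
    max-age is mandatory with a non-negative integer value (quotes allowed),
    a directive given twice invalidates the whole header, and unknown
    directives are ignored rather than rejected.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue  # the grammar permits empty directives ("a=1;; b")
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not re.fullmatch(r"\d+", arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    # "max-age:31337" ends up here: with no '=' the directive name is
    # "max-age:31337", an unknown directive, so max_age is never set.
    return policy if policy["max_age"] is not None else None


def effective_policy(scheme, headers):
    """RFC 6797 section 8.1: the header only counts on an https response, and
    only the first Strict-Transport-Security field is processed."""
    if scheme.lower() != "https":
        return None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return None


def hsts_findings(value):
    """Plain-language problems with a header value; an empty list means fine."""
    policy = parse_hsts(value)
    if policy is None:
        return ["malformed: browsers ignore it (the value must be max-age=<seconds>)"]
    out = []
    age = policy["max_age"]
    if age < 86400:
        out.append(f"max-age={age} lapses after {age / 3600:.1f} hours; the next "
                   "http:// request after that is unprotected again")
    if not policy["include_subdomains"]:
        out.append("no includeSubDomains: subdomains may still be loaded over http")
    if policy["preload"] and (age < ONE_YEAR or not policy["include_subdomains"]):
        out.append("preload needs max-age >= 1 year plus includeSubDomains")
    return out


# Constructed values: a colon typed where the equals sign belongs, and a
# well-formed policy with a one-year lifetime.
COLON_TYPO = "max-age:31337"
WELL_FORMED = "max-age=31536000; includeSubDomains"
```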

Now, why did I do this?  Over the weekend, I did some reading regarding rights and the government.  I found out that the 4th Amendment--protection against unreasonable search--doesn't apply if you've shared the information with a third party.  This means the government can get a list of the phone numbers you have dialed from the phone company with just a court order...they don't have to get a warrant.  Now, enabling https on my website doesn't help there; however, it does allow me to use a feature of my new hosting plan (a dedicated ssl certificate) to make the logins for the website safe so prying eyes at Starbucks can't see my username and password.  Or, better yet, someone can't sniff my login credentials when I get set up to blog from my mobile phone (or upload pictures).  A bonus is that no one can read the other stuff as it goes over the wire...that means a "bad guy" government couldn't sniff packets and find out what I've written.  Now, they could go to the website and look...but what if I make some things public and other things not...then you have to have the ID and password to login to see what's up.

Oh, by the way, the 4th Amendment stuff I mentioned above means I may look to stop using Disqus for comments and go back to native comments.  But, on the other hand, comments are already shared with a 3rd party so is there a reasonable expectation of privacy there?  Probably not....

[Update 2012-12-26 08:12:01] I'm getting mixed content warnings.  I can't see what's wrong...can anyone help? They are fixed.

[Update 2012-12-27 07:32:51] If you came here looking to see how % or $ work in htaccess files, check out this post where I give some examples and explain % and $ in htaccess files.

Image from legofenris via flickr 



Passwords are like Pants...

I assume this is ok to mention (meaning I don't think the bad guys can get anywhere with it).  At the start of 2011, Google introduced two-factor authentication.  Over the summer, I enabled it for my Google account.  What's the difference or extra?  I'm glad you asked.

Basically, two-factor authentication is based on two "things."  In my case, it is something I know--my password--and something I have--a code from Google.  When I attempt to log in using a Google account, I am not only asked for my id and password, but I get prompted for a verification code.  Where do I get the code?  Google has an app that I installed on my phone that generates them.  So, not only do I have to have my KeePass (what I use to generate strong passwords) but I also have to have my mobile phone.

So far, the only problem this has caused was when I tried to sign-on using Google's stand-alone talk application.  I spent a good 30 min trying to figure out why I couldn't log in.  I was trying to sign-on with a google app account so at first I thought that was the problem (it looked like it was stripping off my domain).  After some Googling, I decided I needed to give up and get back to work.  The next day, I decided to give it another go.  This time, I remembered that Google offers to generate application specific passwords for things that aren't two-factor compliant.  I generated a new one and, sure enough, it connected straightaway.

If you want to know what I did to enable two-factor authentication, let me know, and I'll post a HOWTO.

Image from Richard Parmiter via flickr

HOWTO -- Encrypt your e-mail with Thunderbird, Enigmail, and GNUPG


Everyone should be encrypting all of their e-mail.  Why?  Well, let me ask you a question....would you write your wife, husband, sweetheart, etc... a message on a post card?  Why not?  Because everyone can read it, right?!  So, how would you send it?  You'd write it on paper and put it in an envelope, right?  Well, email is just like the post card.  Left unencrypted, it is just like the post card...anyone can read it.  Encryption works like an envelope, so to speak.  It lets you pack it up so people who come across the message in transit on the internet can't read it (just like the letter).  Just like the envelope, it can be opened...it just takes lots of time to discover the key and decrypt it.

Need more reasons?  Check out this article.

If you are interested, read more .....

[Update 09-29-2010 17:05:47] Check out this post on another reason you should be encrypting your e-mail (and everything else)

Image of the lock is from Daniel Y. Go via flickr.  Other images below are screenshots by me.

[Prerequisites] [Configuring Thunderbird] [Installing GNUPG] [Installing Enigmail] [Configuring Enigmail] [Adding Keys from Others] [Uploading Your Key] [Setting Up Per-recipient Rules in Enigmail] [Reading Encrypted Email]

Note, you can click any of the pictures below to get taken to larger ones. From there, you can get even larger--read original size--images

Ok...before I start with this HOWTO, here are some prerequisites:

0) I assume you are using windows PC.
1) I assume you aren't using Thunderbird or any other email client that you check your e-mail with
2) I assume you don't use email encryption at the moment and have never messed with it.
3) You need to have an e-mail account you can check with an e-mail client. If you don't have one, you can get one from Google easily here.
4) Download Thunderbird and run through the installer. An existing installation of Thunderbird can be used.
5) Download GNUPG.

The download page is here. You can either scroll down to the BINARIES section, look for "GnuPG 1.4.10b compiled for Microsoft Windows," and then click on the FTP link to the right to download.
Or you can just click this link to download the file.


Configuring Thunderbird

(Note, in the screenshots below, I am using the 3.0.4 PortableApps version for my screenshots)

1) Launch Thunderbird.

2) Enter the information requested in the box and click continue.

3) Wait while Thunderbird determines your settings

4) Click create account (assuming everything is correct)

5) The screen will refresh and look like this. You can verify everything is ok by clicking the Read Messages link.

6) Thunderbird setup is complete.

Installing GNUPG

1) If you haven't done so already, download GNUPG.

The download page is here. You can either scroll down to the BINARIES section, look for "GnuPG 1.4.10b compiled for Microsoft Windows," and then click on the FTP link to the right to download.
Or you can just click this link to download the file.


2) Find the file you downloaded and double click it. It will show up as either gnupg-w32cli-1.4.10b.exe or gnupg-w32cli-1.4.10b

3) Click the next button

4) Click next again to agree to the license terms

5) Click next again (accept all packages as shown in the screenshot)

6) Click next after verifying en-English is selected (unless you speak a different language)

7) Choose your install path. Usually the default will work ok (c:\Program Files\GNU\GNUPG); however, in the instance below, I picked to install it to my thumbdrive (k:)

8) Click next (this screen creates a menu in your start menu)

9) wait while the program installs

10) When it is done, click next

11) Uncheck the Show Readme checkbox and click finish

12) Installation of GNUPG is done

Installing Enigmail

1) Go to the Enigmail homepage

2) Find the download section of the homepage (in the screenshot below, it is in the top left section of the page and says "v1.0.1 for Windows (32-bit)")

3) Right-click the link and copy the URL to your clipboard. In Firefox, choose the "Copy Link Location" option. In Internet Explorer, choose "Copy Shortcut." In Google Chrome, choose "Copy Link Address."

4) Go back to Thunderbird and click Tools -> Addons

5) Click the Install button

6) In the filename box, paste (hit the ctrl key + v at the same time) what is on your clipboard. It should look something like this

7) Click the open button

8) Wait while the file is downloaded. When the window refreshes, click the Install Now button

9) Click the restart thunderbird button

10) Wait while Thunderbird restarts. When it does, Enigmail will be installed

Configuring Enigmail

1) Go to OpenPGP->Setup Wizard

2) Choose "Yes I would like the wizard to get me started" and click Next

3) Choose "Yes I want to sign all of my e-mail" and click Next

4) Choose "No, I will create per-recipient rules for those that send me their public key" and click Next

5) Make sure yes is selected and click next (this will make some configuration changes to Thunderbird to make sure encryption works well)

6) Enter a passphrase. Pick something nice and strong. Here, here, and here are some rules for creating strong passwords

7) Click the Next button

8) Click the next button when presented with the summary

9) Click next to generate your key

10) Wait while your key is made

11) Click the finish button

Adding Keys from Others

1) Open up Thunderbird

2) Choose OpenPGP->Key Management from the menu

3) Choose Keyserver->Search for Keys in the OpenPGP Key Management window

4) Enter your search criteria into the Search for Key box and hit ok. You can use name, email address, or a partial match. If you want to search for my key, use my e-mail address

5) Results are shown like this. For any keys you want to import, make sure the checkbox is checked then click the ok button

6) You'll get a message that the keys were imported. Click ok

7) If you want to see the keys you have, click the display all keys by default checkbox

8) Click the X to close the window.

Uploading Your Key

1) Open up Thunderbird

2) Choose OpenPGP->Key Management from the menu

3) Highlight your key

4) Go to Keyserver->Upload Public Keys

5) Hit the OK button to upload to the default keyserver

6) The key will upload

7) Now you can simply close the Key Management window and people can find your public key to send you e-mail.

Setting Up Per-recipient Rules in Enigmail

1) Open up Thunderbird

2) Choose OpenPGP->Preferences from the menu

3) Click the Display Expert Settings Button

4) Go to the Key Selection tab and click the Edit Rules button

5) Click the add button in the new window that pops up

6) Fill out the window like this:

Set OpenPGP Rules for: enter the person's email address
Apply Rule if Recipient: is exactly
Use the following keys: see steps 7 and 8
Signing: choose Always from the dropdown
Encryption: choose Always from the dropdown

7) To choose the keys, hit the Select Key(s) button

8) A new window will open. Check the checkbox next to the person's key you want to use. Also, select your key! IF YOU DO NOT you will not be able to read any e-mail you send to this person.

9) If you want to set a rule to encrypt your e-mail to me, it would look like this:

10) Click the ok button. Then, click the ok button two more times (once for the key management window and once for the OpenPGP preferences window). You will return to Thunderbird.

11) Test it out and send someone an e-mail.

12) You should type the e-mail just like normal. When you click the send button, it should ask for your password. Enter the password entered in the Configuring Enigmail section #6

Reading Encrypted Email

1) Launch Thunderbird

2) When you are looking at e-mail in your inbox, there is nothing that tells you it is encrypted or not.

3) However, when you go to open an encrypted message, you will be prompted for your password. Enter it and you will see the message like normal.

4) Once it is open, you should see this

5) Take a look at the green bar at the top. Green is good, so to speak. It tells you that the message is encrypted and everything is ok. If you don't see this bar, then the e-mail hasn't been encrypted.

If you have questions about any of this, contact me.

[Update 04-11-2010 07:10] I've added instructions on uploading your key to a keyserver with pictures. They can be found in the Uploading Your Key section.

[Update 04-10-2010 17:10:39] I had someone follow the instructions above and send me an e-mail.  But, I forgot to write instructions on uploading your key to a key server so people can send you encrypted e-mail.  I'll follow with some pictures later, but here are the steps:

Open thunderbird
Go to OpenPGP->Key Management
Pick your key
Go to keyserver->upload public key
Hit ok.

[Update 2012-12-26 10:12:00] Edited some incorrect links

Listserves, Passwords, and Mailing Lists


This article poses an interesting question: what exactly are those people who manage that mailing list you are on doing with your password?