Gpg4win: Powerful Encryption for Free

Privacy is a hot subject. Nobody likes being snooped on, even if they’re not a secret agent. Fortunately, high-quality encryption software doesn’t have to cost an arm and a leg–in fact, it doesn’t have to cost anything at all, as Gpg4win demonstrates.

Gpg4win is not a program in itself; rather, it’s a suite of five utilities bundled along with a comprehensive manual and a powerful encryption engine. The utilities included are Kleopatra (a certificate manager), GPA (an alternative certificate manager), GpgOL (a plugin for Outlook 2003 and 2007), GpgEX (an add-on for Windows Explorer, 32-bit only), Claws Mail (an email application), and a manual entitled Gpg4win Compendium.

At the core of Gpg4win lies the engine, GnuPG, also known as the GNU Privacy Guard. This is an open-source implementation of OpenPGP, a powerful and open encryption standard. GnuPG uses an encryption system called public-key cryptography: Each user has a private (secret) key, as well as a public one that they can freely distribute. To encrypt a file or an email for any other user, you need their public key. Only that user can decrypt your message, since only they have the right private key (and the passphrase that goes along with it). Needless to say, you can also use this system to encrypt material for your own later use because you have your own private key.

Sound complicated? It is. Complexity is the biggest hurdle facing first-time Gpg4win users. The installer ties the suite of utilities nicely together as a single download, but once you’re done clicking Next-Next-Next, getting started isn’t all that obvious.

The first utility you’ll need is the GNU Privacy Assistant, labeled as “GPA” on the Start menu. The only thing that hints this might be a good place to get started is that the Gpg4win installer places GPA outside All Programs, at the point in the Start menu reserved for recently installed applications. Once you launch GPA, it offers to generate a key pair for your use. The wizard provided for this is quite user friendly, takes just a few simple steps, and even alerts you if your passphrase seems too short. The only odd point in the wizard is that it asks if you’d like to back up your key before you even have a key.

If you feel nostalgia for the UI aesthetic of the late 90s, you’re going to love GPA’s look and feel. Grey is the dominant color, along with large flat buttons, sharp corners, and beveled edges. Kleopatra and Claws Mail feel a bit more modern, but don’t expect anything approaching the sleek interface of recent Google Chrome and Microsoft Office versions.

Once you’re all set up with a key pair, you can begin encrypting files. This is where GpgEX steps in. This is a shell extension for Windows (32-bit only at this point). Thanks to GpgEX, encrypting a file is as easy as right-clicking it. Once you do this, you’ll notice two new context menu entries, one of which says “Sign and encrypt”; the other is a menu with lots of other GnuPG-related options. Signing a file requires not only your key but also your passphrase, which makes it possible for other parties to know that it was really you who encrypted the file or email message.

One of the most important components in the Gpg4win suite is a manual, not an application. The Gpg4win Compendium is a comprehensive and enlightening text explaining the ins and outs of the encryption system. There is a large section entitled “For Novices” that explains how Gpg4win works, discusses what a passphrase is and how to create a good one, and covers other essential topics. The manual includes screenshots and plenty of illustrations, which serve to make it more inviting.

Gpg4win is offered for free, but the developer welcomes donations. This is one of the most important free encryption projects for Windows, so if you feel strongly about privacy, Gpg4win is a worthy cause indeed.