TL;DR
This guide outlines a practical approach to rolling out PGP (Pretty Good Privacy) encryption across your company, focusing on ease of use and security. It covers key generation, distribution, email client integration, and ongoing management.
1. Choose Your PGP Software
Several options are available. Consider these:
- GnuPG (GPG): Free, open-source, powerful but can be complex.
- Kleopatra: A GUI for GnuPG, making it more user-friendly.
- Mailvelope: Browser extension for webmail encryption (Gmail, Outlook Web App).
- Commercial Solutions: Offer support and often simpler interfaces (e.g., Symantec PGP Desktop).
For this guide, we’ll assume GnuPG with Kleopatra as it strikes a good balance between power and usability.
2. Key Generation
- Install GnuPG & Kleopatra: Download from the official website and follow the installation instructions for your operating system.
- Generate a Master Key Pair: Open Kleopatra. Go to File > Generate Key Pair.
- Key Details: Enter your name, email address (company email is best), and a strong passphrase. Choose ‘RSA and RSA’ and a 4096-bit key size (recommended).
- Key Usage: Ensure ‘Sign’ and ‘Encrypt’ are selected.
- Advanced Options: Consider setting an expiration date for the key. An expiry date limits how long a lost or forgotten key stays usable and forces a periodic renewal.
- Key Generation Process: Kleopatra will generate your keys. Move your mouse randomly to provide entropy (randomness).
Important: Back up your secret key securely! This is crucial for decryption and signing. Store it offline, encrypted if possible.
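The same key pair can be generated without the GUI, which is what a company-wide rollout usually needs. The script below is an added example, not part of this guide and not a Kleopatra or GnuPG project script: it reproduces the steps above with GnuPG’s unattended parameter format (RSA 4096 signing primary key, RSA 4096 encryption subkey, an expiry date, passphrase asked through pinentry) in a throwaway GNUPGHOME so the user’s real keyring is untouched. The name and e-mail address are constructed; running it end to end needs gpg and a pinentry installed.

```python
"""Scripted GnuPG key generation for a company-wide rollout (added example)."""
import os
import subprocess
import tempfile


def build_batch_params(name: str, email: str, expire: str = "1y",
                       key_length: int = 4096) -> str:
    """Return a GnuPG unattended key-generation parameter block.

    'cert' is always implied for the primary key, so Key-Usage: sign
    matches the 'Sign' box and Subkey-Usage: encrypt the 'Encrypt' box.
    %ask-passphrase makes gpg prompt through pinentry, so the passphrase
    never has to be written into this file.
    """
    # The format is line based: a newline inside a user-supplied value
    # would smuggle an extra directive into the parameter file.
    if any(ch in name or ch in email for ch in "\r\n"):
        raise ValueError("name and email must not contain line breaks")
    return (
        "%ask-passphrase\n"
        "Key-Type: RSA\n"
        f"Key-Length: {key_length}\n"
        "Key-Usage: sign\n"
        "Subkey-Type: RSA\n"
        f"Subkey-Length: {key_length}\n"
        "Subkey-Usage: encrypt\n"
        f"Name-Real: {name}\n"
        f"Name-Email: {email}\n"
        f"Expire-Date: {expire}\n"
        "%commit\n"
    )


def parse_fingerprints(colon_listing: str) -> list:
    """Pull every fingerprint out of `gpg --with-colons` output.

    In the colon format the fingerprint is field 10 of an 'fpr' record.
    """
    return [line.split(":")[9] for line in colon_listing.splitlines()
            if line.startswith("fpr:")]


def gpg(args: list, gnupghome: str, stdin: str = None) -> str:
    """Run gpg against an isolated home directory and return its stdout."""
    env = dict(os.environ, GNUPGHOME=gnupghome)
    return subprocess.run(["gpg", "--batch", *args], input=stdin,
                          capture_output=True, text=True, env=env,
                          check=True).stdout


def generate_key(params: str, gnupghome: str) -> str:
    """Generate the key pair and return the primary key's fingerprint."""
    gpg(["--generate-key"], gnupghome, stdin=params)
    listing = gpg(["--with-colons", "--list-keys"], gnupghome)
    return parse_fingerprints(listing)[0]  # first fpr record = primary key


def export_public_key(fingerprint: str, gnupghome: str) -> str:
    """ASCII-armored public key, ready for the directory or a key server."""
    return gpg(["--armor", "--export", fingerprint], gnupghome)


if __name__ == "__main__":
    # Needs gpg and a pinentry on this machine for the passphrase prompt.
    # mkdtemp creates the directory mode 0700, which gpg expects.
    with tempfile.TemporaryDirectory() as home:
        params = build_batch_params("Alice Example", "alice@example.com",
                                    expire="1y")  # constructed identity
        fpr = generate_key(params, home)
        print("fingerprint:", fpr)
        print(export_public_key(fpr, home))
```

For a real enrollment, point GNUPGHOME at the user’s own home directory instead of the temporary one, and keep the exported fingerprint for the company directory described in the next section.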
3. Key Distribution
Sharing public keys is essential. Avoid sending them as bare attachments: a recipient has no way to tell a genuine key from a substituted one unless the fingerprint is checked through a separate channel. Use these methods:
- Key Servers: Upload your key to a public key server like Ubuntu’s Key Server or MIT PGP Key Server.
- Company Directory: Create an internal directory (e.g., a shared document, intranet page) listing employees’ public key fingerprints.
- Signed Emails: Send colleagues a short email containing your public key fingerprint, signed with your private key, so they can verify its authenticity.
To display a key’s fingerprint for verification:
gpg --fingerprint <email_address>
4. Email Client Integration
- Thunderbird: The most popular desktop email client for PGP. Install the Enigmail extension from the Enigmail website and configure it to use your GnuPG installation.
- Outlook: Requires a commercial PGP plugin (e.g., Gpg4win Outlook Plugin), or use Kleopatra directly to sign and encrypt individual emails.
- Webmail (Gmail, etc.): Use Mailvelope. Install the extension and configure it to access your GnuPG key.
Configure email clients to automatically sign outgoing emails by default. Encryption should be optional, as not all recipients will use PGP.
5. Training & Policy
- Training: Provide comprehensive training on using PGP, including key generation, distribution, encryption/decryption, and signing.
- Policy: Establish a clear policy outlining when PGP should be used (e.g., for sensitive data, legal documents).
- Key Revocation: Teach users how to revoke compromised keys.
To generate a revocation certificate for a key:
gpg --output revoke.asc --gen-revoke <key_id>
Store the revocation certificate securely; importing and publishing it is what actually revokes the key, so anyone who obtains it can revoke your key.
6. Ongoing Management
- Key Expiration: Remind users to renew keys before they expire.
- Compromised Keys: Have a process for handling compromised keys (e.g., revocation, re-key generation).
- Regular Audits: Periodically audit key usage and policy compliance.
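The fingerprint check from section 3 and the expiry reminders and audits from this section can be automated from GnuPG’s machine-readable listing. The script below is an added example, not part of this guide: it parses the output of `gpg --with-colons --list-keys` (a constructed sample is embedded so it runs offline; swap in the real listing for a live audit), compares each primary-key fingerprint with the fingerprint published in the internal directory, and reports keys that have expired or expire within a renewal window. The directory contents, e-mail addresses, fingerprints and timestamps are constructed.

```python
"""Audit a GnuPG keyring listing against the company key directory (added example)."""
import subprocess

# Constructed sample of `gpg --with-colons --list-keys`. Field layout
# (1-based) for pub/sub records: 1 type, 2 validity, 5 key id, 6 creation,
# 7 expiry (epoch seconds, empty = never). For fpr and uid records the
# value is field 10.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1690000000:1702000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1690000000::HASH1::Alice Example <alice@example.com>::::::::::0:
sub:u:4096:1:89ABCDEF01234567:1690000000:1702000000:::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
pub:u:4096:1:FEDCBA9876543210:1690000000:::u:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:u::::1690000000::HASH2::Bob Example <bob@example.com>::::::::::0:
pub:e:4096:1:1111222233334444:1660000000:1699000000::u:::scESC::::::23::0:
fpr:::::::::1111222233334444111122223333444411112222:
uid:e::::1660000000::HASH3::Carol Example <carol@example.com>::::::::::0:
"""

# Constructed internal directory: email -> fingerprint as published.
# People copy fingerprints with spaces and mixed case, so both sides
# are normalized before comparison. Bob's entry is deliberately wrong.
DIRECTORY = {
    "alice@example.com": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
    "bob@example.com": "ffff ffff ffff ffff ffff  ffff ffff ffff ffff ffff",
}
NOW = 1700000000  # constructed "current time" so the sample is reproducible


def parse_keys(listing: str) -> list:
    """Turn colon-format output into one dict per primary key."""
    keys, last = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            keys.append({"keyid": fields[4], "created": int(fields[5]),
                         "expires": int(fields[6]) if fields[6] else None,
                         "fingerprint": None, "uids": []})
            last = "pub"
        elif rtype == "sub":
            last = "sub"  # the next fpr record belongs to the subkey; skip it
        elif rtype == "fpr" and last == "pub" and keys[-1]["fingerprint"] is None:
            keys[-1]["fingerprint"] = fields[9]
        elif rtype == "uid" and keys:
            # gpg escapes ':' inside a user id as \x3a
            keys[-1]["uids"].append(fields[9].replace("\\x3a", ":"))
    return keys


def normalize_fingerprint(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


def uid_email(uid: str) -> str:
    start, end = uid.rfind("<"), uid.rfind(">")
    return uid[start + 1:end] if 0 <= start < end else uid


def verify_against_directory(keys: list, directory: dict) -> dict:
    """Return {email: 'match' | 'MISMATCH' | 'not in directory'}.

    MISMATCH means the key in the keyring is not the one the company
    published for that address; do not encrypt to it until the owner
    has confirmed the fingerprint through a separate channel.
    """
    results = {}
    for key in keys:
        for uid in key["uids"]:
            email = uid_email(uid)
            published = directory.get(email)
            if published is None:
                results[email] = "not in directory"
            elif normalize_fingerprint(published) == normalize_fingerprint(key["fingerprint"]):
                results[email] = "match"
            else:
                results[email] = "MISMATCH"
    return results


def expiring_keys(keys: list, now: int, within_days: int = 30) -> list:
    """Return [(fingerprint, days_left)] for keys expired or expiring soon.

    days_left < 0 means the key has already expired.
    """
    horizon = now + within_days * 86400
    return [(k["fingerprint"], (k["expires"] - now) // 86400)
            for k in keys if k["expires"] is not None and k["expires"] <= horizon]


def list_keyring() -> str:
    """Listing from the real gpg on this machine (only used interactively)."""
    return subprocess.run(["gpg", "--with-colons", "--list-keys"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_LISTING)  # use parse_keys(list_keyring()) for a live audit
    for email, status in verify_against_directory(keys, DIRECTORY).items():
        print(f"{email}: {status}")
    for fpr, days in expiring_keys(keys, now=NOW):
        print(f"{fpr}: {'EXPIRED' if days < 0 else f'expires in {days} days'}")
```

Run on a schedule, the expiry list becomes the renewal reminder, and any MISMATCH or "not in directory" result is an audit finding to follow up before the address is used for encrypted mail.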