How to Set up Secure Email Encryption Using PGP

This document is mirrored from the original source at http://www.verysimple.com/scripts/support_pgp.html

This page explains how to set up a form processor which encrypts email using PGP so that you can transmit credit card numbers or whatever. I'm assuming that you know how to install a cgi script and basic UNIX commands. Although this was written with pair networks in mind, it may apply to other UNIX servers as well. Please direct questions and comments to .

Complete Installation Instructions:

  1. Requirements
  2. Create and Copy PGP Key Files:
  3. Install the Form Processing Script
  4. Install and Customize the HTML Form

Additional Information:


1. Requirements:
You must have these things to set up PGP email encryption on your site.

  1. Webmaster Account: You will need to install a custom cgi script. pair's Webmaster account allows you to have your own cgi-bin. Use pair's Upgrade System to upgrade to a Webmaster account.

  2. Secure Server (SSL): SSL is used to encrypt the data as it travels from the visitor's computer to the server (before it is encrypted and sent to you). Use pair's Upgrade System to request a secure server.

  3. Access to PGP on the server: pair servers already have PGP running on them, but you don't have permission to use it by default. You must request permission from and provide proof that you are a US resident.

  4. A copy of PGP (using RSA) on your home computer: You need to decrypt the message once it reaches your home computer. PGP 5.5 for Business Security and PGP 2.6.2 for DOS use RSA encryption. The new freeware version does not (and will not work for this). You are legally supposed to purchase a copy if you use this for commercial purposes. PGP is available from Network Associates.

  5. A script that uses PGP: The script used to process your HTML form must encrypt the body of the message. (I've modified Matt Wright's FormMail 1.6 to use PGP and explain how to obtain and install it on this page.)

  6. Optional - Digital Certificate: A digital Certificate verifies to the visitor that you are who you say you are. Use pair's Certificate Request to obtain a Digital Certificate. You can use pair's digital ID free of charge, but you won't be able to use your own domain name for the URL of the form. In other words, the URL to your form will be something like https://ssl.pair.com/yourloginname/form.html

2. Create and Copy PGP Key Files:
Once you have permission to use PGP on the server -and- you have PGP installed on your home computer, you need to create your PGP key files. You do this using PGP on the server.

  1. Create a folder in your home directory named: .pgp (with the dot)

  2. At the telnet prompt, type: pgp -kg This will run you through a bunch of steps to generate a key. Make a note of the ID and password that you use.

  3. PGP created three files in your .pgp directory (pubring.pgp, secring.pgp and randseed.bin). Use FTP to transfer these files to your home computer.

  4. Using the PGP program installed on your home machine, import the file secring.pgp. Once you successfully import this file, you can decrypt messages sent from the server using this key.

3. Install the Form Processing Script:
You now need to install a script that uses PGP to encrypt email messages. These instructions explain how to use SimpleSecure (modified by yours truly). FormProcessor by Selena Sol also has provisions for PGP encryption.

  1. If you haven't already, create a folder called cgi-bin in your public_ssl directory.

  2. Obtain the script: SimpleSecure, decompress it and move it (ASCII mode) to your public_ssl/cgi-bin/

  3. The script is a modified version of Matt Wright's FormMail 1.6 and is installed the same way. There are three additional configuration variables that you need to set:

    A note about file permissions: simplesecure.cgi needs to be executable by the visitor. If you are on pair networks, the web visitor (user:nobody) doesn't have permission to execute PGP. For this reason, you need to run the script through cgiwrap. This allows the script to run using your login permission. A file permission of 700 on simplesecure.cgi is sufficient, because the script runs with your user ID's permissions. Likewise, simpletemp needs to be writeable by the script, and pubring.pgp and randseed.bin need to be readable.
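As an added illustration (not SimpleSecure's own code), here is the core of what such a form processor does in Python: it drops the control fields, renders the rest as the message body, checks the browser-supplied pgp_key against an allowlist, and hands the body to PGP through an argument list with PGPPATH pointing at the directory holding pubring.pgp and randseed.bin. The PGP command flags, the pgp path and the key ID 0x12345678 are assumptions, not values from this page.

```python
import os
import subprocess

# Fields the form uses to steer the script; they never go into the encrypted body.
CONTROL_FIELDS = {"recipient", "subject", "pgp_key", "redirect"}
# Constructed allowlist: the only key ID(s) the server's pubring.pgp should hold.
ALLOWED_KEYS = {"0x12345678"}

def build_body(fields):
    """Render submitted fields as 'name: value' lines; whitespace and newlines
    inside a value are collapsed so one field cannot inject extra lines."""
    lines = []
    for name, value in fields.items():
        if name in CONTROL_FIELDS:
            continue
        lines.append(f"{name}: {' '.join(str(value).split())}")
    return "\n".join(lines) + "\n"

def pgp_argv(key_id, pgp_path="/usr/local/bin/pgp"):
    """Assumed PGP 2.6-style filter invocation: -f stdin to stdout, -e encrypt,
    -a ASCII armor, -t text; +batchmode suppresses prompts. Built as an argv
    list and never passed through a shell, so form data cannot become shell syntax."""
    return [pgp_path, "-feat", key_id, "+batchmode"]

def run_pgp(argv, data, env):
    """Default runner: execute PGP and return the armored ciphertext bytes."""
    return subprocess.run(argv, input=data, capture_output=True,
                          env=env, check=True).stdout

def encrypt_submission(fields, pgp_home, allowed_keys=ALLOWED_KEYS, runner=run_pgp):
    """Encrypt the form body to the key named by the hidden pgp_key field.
    pgp_key arrives from the browser like any other field, so it is checked
    against an allowlist before PGP sees it. PGPPATH points PGP at the directory
    with pubring.pgp and randseed.bin; encrypting needs no secring.pgp."""
    key_id = fields.get("pgp_key", "")
    if key_id not in allowed_keys:
        raise ValueError("pgp_key is not an allowed recipient key ID")
    env = dict(os.environ, PGPPATH=str(pgp_home))
    armored = runner(pgp_argv(key_id), build_body(fields).encode(), env).decode()
    if not armored.startswith("-----BEGIN PGP MESSAGE-----"):
        raise RuntimeError("PGP did not produce an armored message")
    return armored
```

The returned armored text is what the script would mail to the recipient; the `runner` argument exists so the flow can be exercised without a PGP binary present.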

4. Install and Customize the HTML Form:
The final step is to adjust the URLs on the HTML form and test the script.

  1. Copy the file simplesecure.html (included with the script) to a directory that is readable by web visitors. Make sure it is readable (permission of 604).

  2. Edit the form action to point to simplesecure.cgi on your server - making sure to run it through cgiwrap.

    A note about cgiwrap: Running the script through cgiwrap is simply a matter of changing the URL on your form. If the URL to the script was https://ssl.pair.com/yourname/cgi-bin/form_processor.cgi then you should change the URL to https://ssl.pair.com/cgi-sys/cgiwrap/yourname/form_processor.cgi

  3. Edit the value of the hidden variable "pgp_key" to your PGP ID that you created above.

  4. Open simplesecure.html using your favorite web browser and give the script a try. You should receive an encrypted message, which you can decrypt using your secret pass phrase!

    Now that your script is working properly, you can use any existing forms that are compatible with Matt Wright's Form Processor by simply adding the pgp_key hidden form field and changing the form action URL.


Additional Information:

How can I get around buying PGP for my home computer?

Legally, you must purchase PGP if you are going to use it for commercial purposes. If you are using it for personal purposes and do not want to deal with installing PGP at home, you can decrypt the messages on the server.

By reading your mail via Telnet using Elm, you can decrypt PGP encrypted messages. This way, you don't need to install PGP at home. Be sure to always leave the message encrypted while it is stored on the server, though.

You can also cut and paste the PGP encrypted part of the message into a text file, upload it to the server and use PGP to decrypt the text file.

Editing Selena Sol's FormProcessor to use PGP

  1. You need to edit the file pgp-lib.pl that came with the form processor script. This is the library that the form processor uses to encrypt the message. If you installed the script in /cgi-bin/ then you'll find this file in /cgi-bin/Form_processor/Library/ .

  2. Edit the pgp_path variable to point to the location of pgp on the server.

  3. Change the public key ID.

  4. Specify the location of the PGP files. (This is the same procedure as with simplesecure.cgi - you can either change the default location, or copy pubring.pgp and randseed.bin into the directory that came with the script.)

  5. Create a temporary directory for PGP to use. In the same directory that form_processor.cgi is in, create a directory called Temp that is readable and writable by the script.

  6. Edit your setup file to encrypt the message. These are the three lines that I changed in feedback.setup:

    $should_i_use_pgp = "yes";
    $pgp_lib_path = "./Library/pgp-lib.pl";
    $pgp_temp_file_path = "./Temp";

    Remember: If you are on pair, you need to run the script through cgiwrap.