More news broke this week revealing the extent to which internet traffic routed through companies such as Google and Yahoo has been compromised. It is also interesting to note that this appears to have been due in part to a lack of encryption, at least in the case of Google’s internal network. As such, it seems an appropriate time to cover email encryption via third-party applications. You don’t have to rely on email providers to secure your data; you can do it yourself. Enter PGP.
Before we dive in, I’d like to note that this article is meant for the beginner. The following piece provides a very brief background of PGP as well as an introduction to getting started with GPG (the open/free version of PGP).
PGP, an abbreviation for Pretty Good Privacy, is an encryption program that was originally developed by cryptographer Phil Zimmermann in 1991. Since then it has gone through numerous changes, both in who maintains the program and in what it can do. It has also withstood the test of time, having been the center of government scrutiny in several instances. Zimmermann founded a company in the 1990s that developed and maintained the PGP program, and it has since gone through changes in ownership. Currently the retail version of PGP is owned and managed by Symantec (Symantec Encryption Desktop).
GPG, an abbreviation for GNU Privacy Guard, is the free/open version of PGP. Maintained by the Free Software Foundation, GPG is compatible with PGP and vice versa. It has also been supported in the past by the German government. So what exactly is PGP/GPG? Originally it was just a command line program that could encrypt files and allow other users to decrypt them. Today there are numerous applications built on top of PGP/GPG that use the program as a backend to encrypt data in email, chat clients, and hard drive encryption.
Getting Started With GPG
If you’re like me, you’ve looked into GPG/PGP before but turned back. For this tutorial I’ve tried to simplify the process as much as possible. For the sake of simplicity and ease of use we’ll only be covering one way to use GPG: encrypting your emails.
For this tutorial we’ll be using a combination of GPG (the encryption program), Mozilla Thunderbird (the email client), and Enigmail (a Thunderbird plug-in that relies on GPG). I’ve chosen these three because they are free to use and don’t rely on a specific operating system. Below are the steps we’ll need to take to set up encrypted email:
- Create an email account
- Download, install, and setup Mozilla Thunderbird
- Download and install GPG
- Download and install Enigmail
- Set up Enigmail
- Publish your public key (optional)
- Send a test email / exchange public keys
1. Create an email account
If you already have an email account you’d like to use, go ahead and use that. For our purposes it doesn’t really matter if you’re using Gmail, Zoho, or some other email provider. Feel free to create a new email account for testing purposes.
2. Mozilla Thunderbird
Thunderbird is an email client offered for free by Mozilla, the same people that make the Firefox web browser. First off you’ll need to download Thunderbird from this page for your platform (i.e. Mac, Linux, Windows). Once you’ve downloaded it and have it running, go ahead and input the details for your email address. If you need help setting up your email with Thunderbird, just follow this tutorial. Once you sync your email you should see a display similar to the one below:
3. Download and Install GPG
Enigmail is dependent on GPG, therefore you need to have GPG installed in order for it to work.
Most Linux distributions come with GPG pre-installed. To check if you have GPG installed, open a terminal and type the following command:
$ whereis gpg
Alternatively you can type in the following command to check which version of GPG you have installed:
$ gpg --version
For Windows users, Enigmail recommends that you use Gpg4win, a Windows version of GPG. Go ahead and follow this link to download Gpg4win. Once it is done downloading, navigate to your downloads folder and double click on gpg4win-2.2.1.exe. This will open up the installer, which will run you through a few different options (I recommend using the default options).
Mac OS X
I haven’t personally tested these installations on Mac yet but will once I have one available to test with again (and will update this section). You’ll need to download and install either MacGPG from this link or GPGTools for Mac, which can be found through this link.
4. Download And Install Enigmail
Once you have GPG downloaded and installed, you’ll need to install Enigmail (for reference, Enigmail’s guide can be found here). First go ahead and open up Mozilla Thunderbird. Once Thunderbird is running, locate the menu button (three horizontal lines) on the upper right hand side of the window. Click the menu button, then click “Add-Ons“.
Once you’re in the Add-Ons manager, go to the top right search bar and enter “Enigmail“. The top result should be Enigmail 1.6 with the description “OpenPGP message encryption and authentication for Thunderbird and SeaMonkey.” You’ll then want to click the “Install” button, which will download and install Enigmail for you. Once installed, you’ll need to restart Thunderbird.
5. Set up Enigmail
Once Enigmail has been downloaded and installed, make sure to restart Thunderbird. Upon restarting you’ll see a new window appear with the title “OpenPGP Setup Wizard“. Go ahead and select “Yes, I would like the wizard to get me started” and click Next.
You’ll be brought to several screens which will prompt you to select different settings. I’d suggest you go with the default selections. First you’ll be asked if you want to sign all your email; select Yes. Next you’ll be asked if you want to encrypt all your emails; select No (unless you are already familiar with or using GPG). The setup wizard will then ask if you want to change a few default settings to make OpenPGP work better; select “Yes” and click Next.
If you don’t already have a PGP key you’ll be prompted to either create a new one or import an existing one. If you’re new to PGP, select “I want to create a new key pair for signing and encrypting my email” and click Next. You’ll be prompted to enter a passphrase. I’d suggest entering a rather long passphrase that consists of both letters and numbers, but preferably something you can remember. (Note: it is okay to write down your passphrase, just as long as you keep it in a secure place, e.g. on a piece of paper in a safe, not in a text file on your computer.) Below is an example passphrase:
encrypt all the things with gpg 01/01/1900
Also note that you’ll have to enter this passphrase to decrypt and sign emails. You should then see a screen indicating the actions the wizard is about to perform.
6. Publish your public key to a key server
You don’t have to follow this step, but it will make it much easier for other PGP/GPG users to find your public key and send you encrypted messages. You’ll need to navigate to and click on the menu button in Thunderbird (the three horizontal lines button), then hover over “OpenPGP“, and click on “Key management“, which will bring up the window below. If you don’t see any keys, select “Display All Keys By Default“. Then click on “Keyserver” on the top bar, and click “Upload all public keys“. (Note: this is probably the easiest method, though some would argue against using a keyserver.)
7. Send a test email
I’d strongly suggest that you find a friend or co-worker to help test your newly set up encrypted email client. You’ll need to start by swapping public keys with the user you’d like to send a message to. Then go ahead and open up Thunderbird and write the message you’d like to send. Alternatively you can send me a message at email@example.com (note that it may take me a while to respond, as I already spend a good deal of time responding to bitmessages and don’t constantly check that email address).
To create and encrypt a new email, open Thunderbird and click the Write button. Compose your email like you normally would. Once you’re done, click on the encrypt button. You’ll see a screen asking if you want to sign your message and/or encrypt it. Signing is just a way for other people to verify it’s from you. Encrypting actually secures your data, but requires that the recipient also uses GPG. Once you click OK you may get a prompt asking for the recipient’s public key (if you don’t already have it loaded). If they’ve listed it on a keyserver you can navigate to the keyserver and search for their email address. If they haven’t, you’ll need to import their public key by other means. If you don’t have their public key, then you can’t encrypt a message to them.
Encryption Key Basics
Most encryption programs, especially those that use public key encryption, require that you use a pair of encryption keys. One key, referred to as your public key, is sort of like your username. When I refer to swapping keys with someone, I’m referring to trading your public key for their public key. Then, when you send them a message, you can encrypt it so that only they can unlock it. The other key, referred to as your private key, is sort of like your password. This is the one you never want to exchange with anyone and want to keep as secure as possible.
The keyserver that we encountered earlier is a public repository linking public keys with their respective email addresses. If you upload your key to a keyserver, then anyone wishing to send you an encrypted message can look up your public key by searching for your email address. However, this is also a way for spammers to get hold of your email address, so beware. It is worth noting that some people recommend that you don’t use a keyserver but instead only exchange public keys in person or via other methods.
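Steps 5 through 7 above are all clicks in Enigmail. As an added example that is not part of this article or of the Enigmail project, the POSIX shell script below performs the same operations with the gpg command line in two throwaway keyrings, so nothing touches your real keys. It assumes GnuPG 2.1 or later is installed as gpg; the addresses alice@example.com and bob@example.com and the message text are constructed for the demo. It creates a key pair for each user (step 5), exports each public key in the armored form you would hand to a friend or upload to a keyserver (step 6), imports the other side’s key (the swap in step 7), then signs and encrypts a message from Alice to Bob and decrypts it on Bob’s side, which is the public/private split described under Encryption Key Basics. A second function shows the failure case from step 7: with no public key for the recipient, gpg refuses to encrypt.

```shell
#!/bin/sh
# Added example (not from the article or the Enigmail project): the command-line
# equivalent of what the Enigmail wizard does, run in throwaway keyrings so the
# user's real keyring is never touched. Assumes GnuPG 2.1+ is on PATH as "gpg".
set -eu

# Constructed sample identities for the demo; not real addresses.
ALICE="alice@example.com"
BOB="bob@example.com"

# Step 5 equivalent: create a new key pair without prompts. %no-protection skips
# the passphrase only so the demo can run unattended; for a real key leave that
# line out and gpg will ask for the long passphrase the article recommends.
make_key() {   # $1 = email address, $2 = GNUPGHOME directory for that user
    GNUPGHOME="$2" gpg --batch --quiet --gen-key 2>/dev/null <<EOF
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: Demo User
Name-Email: $1
Expire-Date: 1y
%no-protection
%commit
EOF
}

# Create a fresh keyring directory; gpg insists on mode 700.
new_home() {   # $1 = path
    mkdir -m 700 "$1"
}

# Steps 6/7 and "Encryption Key Basics": two users swap public keys, then Alice
# signs with her private key and encrypts to Bob's public key; Bob decrypts with
# his private key. Prints the recovered plaintext on stdout.
gpg_demo() {
    tmp=$(mktemp -d)
    A="$tmp/alice"; B="$tmp/bob"
    new_home "$A"; new_home "$B"
    make_key "$ALICE" "$A"
    make_key "$BOB" "$B"

    # "--export --armor" produces the text block you hand to a friend or upload
    # to a keyserver; it contains only the public half of the key.
    GNUPGHOME="$A" gpg --batch --armor --export "$ALICE" > "$tmp/alice.pub.asc"
    GNUPGHOME="$B" gpg --batch --armor --export "$BOB"   > "$tmp/bob.pub.asc"
    GNUPGHOME="$A" gpg --batch --quiet --import "$tmp/bob.pub.asc"   2>/dev/null
    GNUPGHOME="$B" gpg --batch --quiet --import "$tmp/alice.pub.asc" 2>/dev/null

    printf 'meet at noon\n' > "$tmp/msg.txt"
    # --trust-model always stands in for the trust you would establish by
    # checking the key fingerprint with your friend in person.
    GNUPGHOME="$A" gpg --batch --quiet --yes --trust-model always --armor \
        --local-user "$ALICE" --recipient "$BOB" --sign --encrypt \
        --output "$tmp/msg.asc" "$tmp/msg.txt"

    # Only Bob's private key can open msg.asc; the signature is checked against
    # Alice's imported public key (details go to stderr, plaintext to stdout).
    GNUPGHOME="$B" gpg --batch --quiet --decrypt "$tmp/msg.asc" 2>/dev/null

    GNUPGHOME="$A" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$B" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
}

# The failure mode from step 7: without the recipient's public key there is
# nothing to encrypt to, so gpg refuses. Returns gpg's non-zero exit status.
encrypt_without_key() {
    tmp=$(mktemp -d)
    new_home "$tmp/alice"
    make_key "$ALICE" "$tmp/alice"
    if printf 'hello\n' | GNUPGHOME="$tmp/alice" gpg --batch --quiet \
            --trust-model always --armor --recipient "$BOB" --encrypt \
            >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    GNUPGHOME="$tmp/alice" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    return "$rc"
}

# Run the exchange when invoked as "sh gpg_demo.sh run".
if [ "${1:-}" = run ]; then
    gpg_demo
    encrypt_without_key || echo "encrypting to an unknown recipient failed, as expected"
fi
```

Run it with sh gpg_demo.sh run (the file name is my choice). The %no-protection line exists only so key generation needs no interaction; drop it for a real key and gpg prompts for a passphrase, which the agent then asks for again whenever you sign or decrypt, exactly as the article warns.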
What GPG Doesn’t Provide
Generally, online security can be broken down into two related categories: anonymity and data security. Some technologies such as Tor or Bitmessage seek to provide their users with anonymity, such that their real-life identities are not necessarily directly tied to their online identities. Using GPG alone to encrypt an email will provide you with little, if any, anonymity. If someone manages to intercept your email, either from an email server or from network traffic, they’ll likely still be able to see the to and from addresses, time sent, and other data.
What GPG does provide is data security. If you properly encrypt an email with GPG, and it is intercepted, the person/people that intercepted your email will not be able to read its contents. There are still a few ways that such an email could be compromised. For instance, if you had a keylogger installed on your computer someone might be able to figure out your private key and decrypt your email. Or, as has happened in the past, a court order could legally require you to turn over your private key.
Where to go from here
Before you start relying heavily on GPG for security, I’d suggest playing around with it for a bit. Do your own research, see what else it is capable of, and exchange public keys with other GPG users. I plan on putting together a few more pieces on what can be done with GPG in the coming months. As always, thanks for reading!