Between constant password breaches and the NSA looking in on everything you do, you’ve probably got privacy on the mind lately. If you’re looking for a little personal privacy in your communications with friends and loved ones, or you just want to trust that the documents you email to your accountant or client aren’t being intercepted and read, you’ll need to encrypt those messages. Thankfully, it’s easy to do. Here’s how.
Why You Should Encrypt Your Email
While government spying is on everyone’s mind right now, it’s really just the most recent security distraction to make headlines. Before everyone was angry at the NSA (and no, it’s unlikely that PGP encryption will protect your emails from the NSA, although there are plenty of examples of law enforcement unable to break PGP encryption, and then trying to force them to hand over their keys), we were angry at corporate snooping, employers reading personal emails, identity thieves, and hackers. While encrypting your email may or may not protect you from a major government or someone with significant time and processing resources, it can definitely keep your data safe from people looking to hijack your accounts, reset passwords and then log in as you, steal financial data, or comb through your contacts looking for useful information about you for spear-phishing attacks.
We’ve explained several times why your privacy is important, and even if you’re not concerned with government spying (which doesn’t even require a warrant) or corporate tracking (which you may have unwittingly opted into when you signed up for free email), there are several good reasons to make sure you secure and encrypt some of your sensitive communications.
We can hear you now. You may be wondering why you should bother. “Privacy is dead!” “They’re collecting all your data anyway.” “Using stuff like this makes you more likely to be targeted.” While big government agencies and companies looking to sell you advertising are the first things that come to mind when most people think of internet privacy, they’re by no means the only parties interested in your personal data, and you shouldn’t behave like they are. It’s the more mundane threats and issues that are likely to ruin your day.
Getting Started: How PGP Encryption Works, and What You’ll Need
Encrypting your email may sound daunting, but it’s actually quite simple. We’re going to use something called PGP (Pretty Good Privacy, a name that’s actually a tribute to the long-running NPR radio program, A Prairie Home Companion, and not a reference to how good the privacy is) to encrypt our messages. It’ll make your messages look like garbled text to uninvited onlookers, like the coffee shop packet sniffer or library SSL cracker. It’ll also obscure credit card numbers, addresses, photos, and anything else you may prefer be private if you don’t already have a secure connection to your email provider.
So how does PGP work? It’s simple, and we are going to give you an easy example of how it works:
Sam wants to send Jane a secret email love letter that he doesn’t want Joe, Jane’s jealous downstairs neighbor who piggybacks her wifi, to see. Jane uses PGP, which means she has a PUBLIC key (which is basically a bunch of letters and numbers) which she’s published on her web site for anyone who wants to send her encrypted email messages to use. Jane’s also got a PRIVATE key which no one else – including Joe the Jealous Wifi Piggybacker – has.
So Sam looks up Jane’s public key. He composes his ardent profession of love, encrypts it with that public key, and sends Jane his message. In sending, copies of that message are made on Sam’s email server and Jane’s email server – but that message looks like a bunch of garbled nonsense. Joe the Jealous Wifi Piggybacker shakes his fist in frustration when he sniffs Jane’s email for any hint of a chance between them. He can’t read Sam’s missive.
However, when Jane receives the message in Thunderbird, her private key decrypts it. When it does, she can read all about Sam’s true feelings in (pretty good) privacy.
Ready to get started? Here’s what you’ll need:
- GNU Privacy Guard (GnuPG), in the form of GPGTools (OS X) or Gpg4win (Windows)
- Thunderbird (Win/OS X/Linux) or Postbox (Win/OS X) for desktop email
- Enigmail, an OpenPGP add-on for Thunderbird and Postbox. You can get the Thunderbird add-on here, and the Postbox add-on here.
- Mailvelope for Chrome or Firefox, and a webmail account like Gmail, Outlook, Yahoo, or GMX.
Of course, you’ll need friends who also use PGP, and you’ll have to exchange public keys with them to make sure they can read your messages. Many people post their public keys to their personal websites, or just send them as attachments to everyone they email, so their correspondents have them on hand. That’s the biggest drawback of using PGP encryption to secure your email: it’s only as good as the number of people using it, which is why it’s a good idea to set it up, even if you don’t encrypt everything you send.
Step One: Install GnuPG and Enigmail to Generate Your Keys
The first thing we have to do is install GNU Privacy Guard (aka GnuPG, aka GPG) and generate our public and private keypair. Remember, your public key is the one you’ll give out to people in order to exchange encrypted messages. Your private key is the one you keep close to pocket.
- Download the GPG installer for your operating system (we used GPGTools for OS X and Gpg4win in Windows) and install it. On the Mac, GPGTools will launch as soon as you finish the install. Go ahead and close it—it’s easier for us to generate our keypairs from inside Thunderbird or Postbox.
- Once you have GPG installed, it’s time to install the Enigmail extension for your desktop email client. Grab it here for Thunderbird, and here for Postbox. You may need to save the extension files to your desktop and then drag them into Thunderbird or Postbox to install them.
- Once installed, restart your mail program. You should see a new “OpenPGP” menu along with File, Edit, View, and the rest. Click the OpenPGP menu and select “Key Management.”
- The OpenPGP Key Management window should appear. From here, click the “Generate” menu, and select “New Keypair.”
- The Generate OpenPGP Key window should appear. Select the email address you want to generate a keypair for from the drop-down menu. Type in a passphrase for your keypair—or essentially the password you’ll have to enter in order to encrypt or decrypt messages. Make sure it’s a good, strong password you’re not using somewhere else.
- Click “Generate Key.” It could take a few minutes, but to help build random data for the operation, jiggle the mouse a bit, or just leave the window up while you do other things while the key generates. Every time I did it, it was a matter of seconds.
- You may be prompted to generate a revocation certificate at the end of the process. If you are, do it. That key can be used to invalidate your public key in case someone gets their hands on your private key, or if it’s ever compromised. Save it somewhere safe, preferably somewhere backed up regularly.
Once you’ve created your keypair, export it for safe keeping (also, we’ll need it again later). Here’s how:
- In Thunderbird or Postbox, click the OpenPGP menu and select “Key Management.”
- Right-click the keys you want to save and select “Export Keys to File.”
- You’ll get an alert asking if you want to include your secret key in the saved file. Click “Export Secret Keys” to include it.
- Select a safe place for your keys, and click Save.
This text file includes your public and private keys, so you need to keep it close to pocket until we’re finished here. When we’re finished, either back it up somewhere safe, preferably somewhere your files are encrypted and regularly backed up, or delete the file. You can always re-export your keys later if you need them, and you’d never want to send someone both keys at once anyway.
Step Two: Configure Thunderbird or Postbox to Encrypt Your Messages
Now that we have our keys generated and configured, it’s time to put them to good use. Open a new message in Postbox or Thunderbird, and click the “OpenPGP” menu. You should see options to “Sign Message” and “Encrypt Message.” You can do either, but you should do both: encrypting keeps the message private, and signing lets the recipient verify it really came from you. In Thunderbird, you can also toggle signing and encryption using the key and pencil icons at the bottom right of the compose window.
Step Three: Configure Mailvelope for Your Webmail
Desktop email clients are great, and we think there are plenty of reasons to use them, but it’s no secret that many people use webmail instead. Free email providers like Gmail, Outlook, and Yahoo! Mail make it super easy to get your email anywhere you go. Traditionally that kind of convenience comes at the cost of security, but with Mailvelope, you can have both.
Mailvelope is available as an add-on for Firefox and Chrome, and you can grab it from the Chrome Web Store here or for Firefox from the project’s Github page. The Firefox version is experimental and a bit of a pain to install (instructions are at Github, and you need to know your way around Github to get it), but I found it works well. If you prefer another browser, like Opera, there are available hacks to get it working on that platform as well.
Once you have the add-on installed, here’s how to set it up:
- Open your browser’s extensions page and click to open Mailvelope’s options.
- Everything here should be blank. Note: If you don’t use a desktop client at all, you can generate your keys right here. Mailvelope supports generating keys with passphrases from the menu on the left, and exporting them for safe keeping from your key ring.
- Click “Import Keys” from the menu on the left.
- You’ll see an empty text window. Open up the text file that contains your public and private keypair in your favorite text editor (but it has to be a text editor, not a word processor).
- Select all, and copy all of the text to your clipboard. Then paste everything into the text field in Mailvelope’s settings.
- Click Submit. You should get two different green alert boxes on the page telling you that both the public and private keys were successfully imported to your key ring.
Your key should appear in the key ring now (and you can export it if you ever need to). One of the best things about Mailvelope is that you don’t have to set up each keypair for every address you use. Once you have a keypair added, you can use it at Gmail, Outlook, Yahoo, or any other webmail client you add to the “Watch List” in Mailvelope’s preferences (like Google Apps for your domain, GMX-supported webmail services, and so on). You can read more about Mailvelope’s supported services and features here.
Now, the next time you fire up Gmail and click Compose, you should see a little notepad button hovering over your message compose area. Click it to bring up Mailvelope’s compose screen. Type whatever you want in that window, and then click the notepad button again. Select the keypair you want to use to encrypt the message, click Ok, and you’ll see the message in its garbled form. Click “Transfer” to drop it back in Gmail (which is the first time it’ll actually be live at Gmail—while you’re composing in Mailvelope, no drafts are stored and your text is local so Google sees nothing) and send it.