Encrypted emails

Sending secure information over email is hard, as the Snowden revelations of recent years have made clear.
There are supposedly secure email providers such as Hushmail and 4SecureMail, but there is no need to rely on a third party that can be strong-armed by a government.
The most secure way to pass information between two points is TNO (Trust No One): use PGP encryption yourself.
This allows secure transmission of information between parties, lets the recipient verify that a message genuinely came from its stated sender, and ensures that only the intended party can read it.

How to set up your keys:

Install a GPG tool:
For Mac I use https://gpgtools.org
For Windows I use http://www.gpg4win.org
For Linux you can work from the command line by installing gnupg

After installing, follow the instructions to create your first private and public key pair.
The Advanced section shows the key type, length and expiry date. You can normally keep the defaults unless you have a specific reason to change them.
Remember to create a new key each year (or sooner) so the expiry date keeps being renewed.

Use a strong passphrase and never share it with anyone.

You should also create a revocation certificate as soon as you have created your key pair. You publish it if your key is compromised or you forget your passphrase; it tells others that the public key should no longer be used.

Next, set up your shortcut keys to make this process easier (the method depends on your OS).

Send a secure email

You should sign and encrypt your email, not only to protect the contents but also to prove that it was actually you who sent it.
Write your email.

Select all the contents of the email and use your shortcut to sign it.

Open the GPG Keychain Access app and search for the email address you are sending to.
If the address has more than one public key, choose the most recent one.
You will now see that user's public key in your keychain.

Go back to your email and select all the content again (including the signed part).
Use your shortcut to encrypt it.
Select the user(s) you are encrypting for (if you select the wrong one, the recipient will not be able to decrypt it).

Click send.

Decrypt a secure email

Select the contents of the secure email from, and including, "-----BEGIN PGP MESSAGE-----" to, and including, "-----END PGP MESSAGE-----".

Open your favourite text editor and paste it in.
Use the shortcut key to decrypt.
Enter your passphrase.
You will now see the original contents with the PGP signature.
Copy the entire text again and use your shortcut key to verify the message.
You should now get a popup stating whether the signature is verified or not.
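The key setup, the "sign and encrypt" steps and the "decrypt and verify" steps above, done with the gnupg command line instead of a GUI shortcut, as an added example that is not part of the original post. It assumes gpg 2.1 or later is installed and uses two constructed identities (Alice and Bob) with demo passphrases inside a throw-away GNUPGHOME, so it never touches a real keyring. It also shows the Note's caveat in practice: the packet listing of the ciphertext names the recipient's key ID even though the body is unreadable.

```shell
#!/bin/sh
# Added example (not from the original post): key setup, sign-and-encrypt and
# decrypt-and-verify with the gnupg CLI. Assumes gpg >= 2.1. Runs in a
# throw-away GNUPGHOME with constructed identities (Alice, Bob) and demo
# passphrases, so a real keyring is never touched.
set -u

_pgp_steps() {
    # Key setup: one keypair per party. "1y" mirrors the post's advice to let
    # keys expire so they must be renewed; gpg >= 2.1 also writes a revocation
    # certificate for each new key into $GNUPGHOME/openpgp-revocs.d/.
    gpg --batch --passphrase 'alice-demo-pass' \
        --quick-generate-key 'Alice <alice@example.org>' default default 1y || return 1
    gpg --batch --passphrase 'bob-demo-pass' \
        --quick-generate-key 'Bob <bob@example.org>' default default 1y || return 1

    printf 'Meeting moved to 10:00.\n' > "$work/plain.txt" || return 1

    # Send: Alice signs with her private key and encrypts to Bob's public key in
    # one pass; --armor yields the BEGIN/END PGP MESSAGE block that is pasted
    # into the mail body.
    gpg --batch --quiet --passphrase 'alice-demo-pass' \
        --local-user alice@example.org --recipient bob@example.org \
        --armor --sign --encrypt --output "$work/message.asc" "$work/plain.txt" || return 1

    # Receive: Bob decrypts; gpg verifies the embedded signature in the same run
    # and reports it as machine-readable status lines, captured here on fd 3.
    gpg --batch --quiet --passphrase 'bob-demo-pass' --status-fd 3 \
        --output "$work/decrypted.txt" --decrypt "$work/message.asc" \
        3>"$work/status.txt" || return 1

    # The plaintext must round-trip unchanged and the signature must be GOODSIG
    # (a tampered or unsigned message gives BADSIG or no GOODSIG line at all).
    cmp -s "$work/plain.txt" "$work/decrypted.txt" || return 1
    grep -q '^\[GNUPG:\] GOODSIG ' "$work/status.txt" || return 1

    # The post's Note in practice: the packet listing of the ciphertext names the
    # recipient's (sub)key ID, so "who it is for" is readable without any key.
    gpg --batch --pinentry-mode cancel --list-packets "$work/message.asc" 2>/dev/null \
        | grep 'pubkey enc packet' || return 1
}

# Returns 0 on a successful round trip, 1 on any failed step, 77 if gpg is absent.
pgp_roundtrip_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; return 77; }
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupghome"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    # Non-interactive run: passphrases come from the command line, no pinentry dialog.
    echo "pinentry-mode loopback" > "$GNUPGHOME/gpg.conf"
    _pgp_steps; rc=$?
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    return "$rc"
}

pgp_roundtrip_demo && echo "round trip OK: plaintext matches and signature is GOODSIG"
```

The signature check reads gpg's status lines rather than its human-readable stderr, which is what a mail plugin does under the hood; GOODSIG only appears when the signature verifies against a key in the keyring, so a message re-encrypted by someone else after tampering would fail that check even though it decrypts.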

Note:

This encrypts the contents of the email, not the subject line or the recipient address.
So anyone snooping can still see that you sent an email to this person, and its subject; they just can never read the contents.
You should back up your keys in case your computer breaks or is stolen. Losing your keys means losing the ability to decrypt these emails in future.

There are plugins to make your life easier, but the more external systems you use, the more likely it is that one of them will be abused.

Browser plugins
Chrome: https://prometheusx.net/introducing-gmail-crypt/
Chrome/Firefox: https://www.mailvelope.com

Thick email clients
Thunderbird: https://www.enigmail.net/home/index.php
Outlook: http://www.gpg4win.org
