As previously noted, I don’t anticipate actually needing encrypted communications for myself. However, some of you may see a need, or other folks may come into my world feeling the need.
Encryption is touted as primarily a means of digital privacy. If you worry about people intercepting you communications and seeing what’s in them, then encryption reduces the risk. I maintain that my bigger concern is not so much snooping as that someone might change my message. It turns out that encryption can support that in some contexts, since a message that can’t be read also cannot be changed.
To be honest, the best security doesn’t require a computer, but few of us are ready to dig into things like one-time pads. So we rely on software designed to make it more convenient. These days, it can be downright transparent. That is, you can set things up on most computers to do it all automatically and stop giving it so much thought.
The most widely used system for ordinary folks like us is Pretty Good Privacy (PGP), a system designed some years ago. These days the version easiest to get for free is Gnu Privacy Guard (GnuPG) which uses the same basic concept as PGP, but is free and maintained as Open Source software. It’s a standard feature on Linux and Unix computers, but is also available for Windows and Mac.
The Windows version is here and it’s a complete package with everything you need. The Mac version is here and you’ll need to study a bit, because I don’t deal with Macs enough to be of much help. If you use Linux, there are lots of GUI tools and the simplicity of operation varies widely. You could also learn how to run it all from the command line, if you prefer.
The whole point is that the first thing you do is create your own encryption key. It has to be tied to an email address. This means you consider carefully and decide whether you might want to dedicate some email account just for this purpose. For reasons that aren’t obvious, this would be a huge boondoggle if your account is webmail only. That would mean encrypting a message as a file, then sending the file as an attachment in the email. It’s a whole lot easier to simply use an email client that is designed to handle it directly, but that means selecting an account that you can run from your computer directly, not webmail. There are lots of free ones out there that provide you direct access from a standard email client (using POP and SMTP protocols), and many ISPs will allow you to hold more than one as part of the service. This is not about free email accounts, so we presume here that you have one selected for this purpose, one that is not used for much of anything else.
I will note in passing that you can do it with Gmail, because they allow that kind of usage, and you can do it with the IMAP protocol for any service that permits it. If you use Windows Live Mail, so far no plugin exists, so it’s like webmail in that respect. If you use Outlook, developers are working on it, but it’s a ton of work for the user to integrate and may not work anyway. Keep those for your regular email, and get something like Thunderbird just for your encrypted email traffic. There is also something called Claws for Windows that does it, but Claws is a little challenging to use due to lack of automation in configuring it. With Thunderbird, it’s a simple as installing an extension made for it, called Enigmail.
Here is one of the best guides for Windows users, and it happens to include illustrations on how to do it with Claws, if you prefer. I highly recommend you create your key first using the simplified GUI tools included in the GPG4Win package. I recommend you use 2048 as the minimum key size. Passwords are discussed elsewhere on this blog, so use the search function. You can use an entire sentence if you know you can remember it and type it precisely every time; spaces are acceptable in this case.
There are two ways to share your key with other folks. I export mine to the default GPG keyserver — hkp://keys.gnupg.net. You can find me as
“Ed Hurst <firstname.lastname@example.org> 0223AD6F” if you use the GUI to search for and import keys. Make sure you don’t pick up on some old key I may have used before and lost. I forgot to make a revocation certificate the first few times I played with this, so make sure you create one and save it somewhere. That way, if you decide to change to a new key for any reason, folks will know the old one is no longer valid. (Disregard; I lost that key and can’t recover it. I’ll post a new one in a new message later.)
Please note that you must exchange your public key with someone else in order to use encryption with them. You need a copy of my key and I need a copy of yours. I don’t have room to explain how this works in detail, but your public key is not the same as your private encryption key, but it still enables folks to encrypt messages to you that only you can open. Using their public key, you can do the same. In the lingo of GPG, you have to have my key on your keyring to use it, and I have to have your key on mine. We each have to mark the keys as trusted. Ideally you would exchange these keys face to face using a jump drive or something like that. However, the keyserver concept will do well enough for the level of security we might need. From all anyone can tell, the NSA struggles (generally cannot and keeps trying) with breaking this PGP style of encryption.
Once you’ve done all of that, fire up Thunderbird and set up the account you’ll be using for this. Then install the Enigmail extension as explained in the linked tutorial and it should walk you through a simple automated process of setting itself up for encryption. It knows where to find the keys most of the time.
The other way to get hold of me with a fair degree of security is to get a free account at Unseen, which is hosted in Iceland and wholly unlikely to let any outside law enforcement or spy agencies to see your mail. My address there is “broken” — if you log onto their webmail and send a message to my account there, it never leaves their server. (No longer recommended.)