Given the NSA have pretty much been proven to be listening in to everyone’s conversations, I’d like to start sending encrypted emails whenever possible. This is partly for my own privacy concerns, and partly because I believe that decreasing the signal-to-noise ratio for spying agencies is a good thing.
My GPG key follows at the end of this post, but here’s a primer on a reasonable way to get up and running with sending and receiving encrypted messages. I’m going to assume you’re using Windows and Chrome or Firefox. If you’re on a tablet or other device, there may be other apps that will help.
The idea is to be able to manage keys, and encrypt and decrypt messages. This works by having your own private key, which you never share with anyone, and a public key, which you share with the world so that people can send you messages that only you can decrypt with your private key. In a perfect world, all email clients and browsers would support this natively, but unfortunately this is not the case. We have to make do with some clunky open source software user interfaces (the underlying software is fantastic, programmers just can’t write UIs) and a browser extension that has its work cut out.
Nevertheless, here’s my experience – gained from both using it myself (after switching from the command-line) and talking a non-technical user through the process of sending me an encrypted email.
Getting started with GPG on Windows and your browser
The easiest way I’ve found to manage keys on Windows and the web (which is where the majority of my email is) is using Gnu Privacy Guard (Gpg4win) and the WebPG browser extension for Chrome or Firefox. I’m using Chrome.
You need both. The version of GPG installed on your computer will actually host the keys and do the encryption/decryption for you. This is very important as you don’t actually want to hand over your keys to anyone else.
To get started, you’ll want to:
- Download and install Gpg4win. You’ll likely not need to use it, and it’s not very user friendly – but it needs to be there for the browser extension to work.
- Install WebPG. I used the webpg-chrome extension from the Chrome store.
- Restart Chrome
You’ll probably want to turn on Enable Inline formatting of PGP Messages and Keys (for now) – it can get in the way when you are not trying to use encryption, but when you are it is the easiest way of doing things.
Note: I don’t use gmail so haven’t tried the experimental gmail interface. Feel free to try it and report back.
When you’re done, click Finished and then Refresh this page to get the extra options.
Creating your private key
On the WebPG icon, click Key Manager. It shows Private Keys, which are the keys you will use when sending messages to other people (you probably only want one of these) – and Public Keys, which are keys your computer knows about that it can encrypt messages to. Sort of like your contacts list. You’ll have a few of these.
You should provide your full name and email address. You do not need to enter a comment. You should enter a password to provide an extra level of security in case somebody else gets hold of this key, or tries to use your computer while you are away from it. You will not be able to decrypt any messages without it.
Your key is normally disabled by default after it is created; you should click the “disabled” text to enable it, and then Finished. Once clicked, it should show Enabled, to show that it’s now usable:
You now have a key that you can use to encrypt messages, and receive messages from other people.
Sending your public key to other people
Another window will pop up with your public key (it looks like a load of random text with an obvious header and footer) and a copy button. Press that, and paste it into your favourite communication mechanism (email, facebook, your blog, etc.) to let people know how to send encrypted messages to you. (Mine is pasted below!)
Getting someone’s public key
If you’ve enabled the options above, whenever you see someone’s public key on a web page or email in your browser, it should get enhanced by the browser plugin to make it easily importable instead of looking like some ugly ASCII text. The key should have an import button, and should look something like:
Clicking the import button should import the key into your list of public keys. You can now encrypt messages for this address.
It is very important, if you are using the key for important communication, that you verify that the person you think sent you the key actually sent it to you, and not somebody pretending to be them. The best way to do this is to contact them via a trusted method (e.g. the telephone) and read out the key fingerprint to each other. This can be found on the key options, near where you found the “export this key” button.
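As an added example (not code from this post, nor from WebPG or Gpg4win), here is a small Python script that does by hand what the key manager does when you import a key: it strips the header and footer off an armored public key block, checks the CRC-24 trailer (the short `=XXXX` line under the base64) and computes the V4 fingerprint that you would read out over the phone. The key packet it works on is constructed for the demo and is not a real key.

```python
import base64
import hashlib
import re

def crc24(data: bytes) -> int:  # RFC 4880 6.1 checksum, the "=XXXX" line under the base64
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packets: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:  # add header/footer/CRC
    b64 = base64.b64encode(packets).decode()
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return (f"-----BEGIN PGP {kind}-----\nVersion: example\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + f"\n={crc}\n-----END PGP {kind}-----\n")

def dearmor(text: str) -> bytes:  # strip armor; reject the block if its checksum is wrong
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)-----END PGP \1-----", text, re.S)
    if not m:
        raise ValueError("not an armored PGP block")
    lines = re.split(r"\r?\n\r?\n", m.group(2), maxsplit=1)[-1].split()  # skip "Version:" headers
    crc_line = lines.pop() if lines and lines[-1].startswith("=") else None
    data = base64.b64decode("".join(lines), validate=True)
    if crc_line and int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(data):
        raise ValueError("armor checksum mismatch: block was corrupted in transit")
    return data

def v4_fingerprint(packet: bytes) -> str:  # SHA-1 over 0x99, 2-byte body length, key body
    tag = packet[0]
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 6:
        raise ValueError("expected an old-format public key packet (tag 6)")
    hdr_len = {0: 2, 1: 3, 2: 5}[tag & 3]
    body_len = int.from_bytes(packet[1:hdr_len], "big")
    body = packet[hdr_len:hdr_len + body_len]
    if body[0] != 4:
        raise ValueError("only V4 keys are handled here")
    digest = hashlib.sha1(b"\x99" + body_len.to_bytes(2, "big") + body).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, 40, 4))   # grouped the way gpg prints it

def mpi(n: int) -> bytes:  # OpenPGP multi-precision integer: bit count, then big-endian bytes
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")
# Constructed demo key, not a real one: V4, creation time, algorithm 1 (RSA), toy n, e = 65537.
DEMO_BODY = b"\x04" + (1376200000).to_bytes(4, "big") + b"\x01" + mpi(0xC0FFEE1234567890ABCDEF) + mpi(65537)
DEMO_PACKET = b"\x99" + len(DEMO_BODY).to_bytes(2, "big") + DEMO_BODY   # 0x99: old format, tag 6, 2-byte length
DEMO_ARMOR = armor(DEMO_PACKET)
```

Running `v4_fingerprint(dearmor(DEMO_ARMOR))` prints the grouped fingerprint; a block that was mangled in transit (a changed character in the base64) fails the checksum instead of importing silently.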
Encrypting a message
You can also encrypt and sign a message. If the recipient knows your public key, this verifies that the message comes from you.
If the WebPG plugin menu did not appear in the place you wanted it (for example, you are sending a Facebook message or using Hotmail, etc.) and you are using the box below, you should then copy the encrypted content from the box into the message, and send it. VERY IMPORTANT NOTE: The content you copy and paste should not be readable to you. It should look like ASCII junk with a header and footer. If it’s readable to you, it’s not encrypted properly.
You have now encrypted a message that only the intended recipient can read.
Reading an encrypted message
Again, if the WebPG client works with your messaging system and you have the ‘inline formatting’ option turned on, you should see an option to decrypt a message whenever somebody sends you one. If you just see a bunch of ASCII text with a header and footer (which is often the case, at least for Zimbra, my email client) then you will want to paste it into the box below with the WebPG menu:
Using the WebPG menu, select ‘decrypt’. The message does not have to be from someone you know, but it will have to be sent to your private key. You can only verify that the person who says they sent it to you did actually do that if they signed it (see above), so bear that in mind when sending sensitive information.
You will be asked for the password you used when you created your private key. You do remember your password, don’t you? ;-)
My Public GPG key
A plain text box for using the WebPG plugin, if your messaging client doesn’t like it
If you’re using WebPG, it’s likely your mail client kills the integration it tries to use. You can use this textarea here to copy and paste things: