So you want to send an encrypted email. You criminal, you.
First, it’s necessary to make a few basic points. Programs like Outlook and services like Gmail will talk about offering “encrypted” email to their users, and they certainly do, but that’s not what we’re talking about. Their encryption keeps your data safe while it’s traveling through the various lines on its way from one user to another — very important. This can (often) stop eavesdroppers with access to the physical lines of communication from abusing that access to read the bits going through them. If that’s what you want (and it’s not a bad idea at all), that’s as easy as changing a settings option.
There are also a number of far more secure email services that offer aggressive end-to-end encryption methods. Those are a big step up in security, but as the saga of Lavabit showed, leaving your emails on servers owned by real humans means that those real humans might be compelled to take measures that will reveal your information. A good rundown of encrypted email services can be found here, though they almost always come with a monthly fee and sometimes only accept payment in cryptocurrency like Bitcoin. The most secure I’m aware of at the moment is probably the Lelantos Project, but this space is changing virtually week to week.
The user-based encryption we’re talking about is far more robust, since it encrypts your messages even from the person who’s supposed to receive them, if they’re not prepared to open them. It doesn’t give Google or anybody else the option of encrypting or not — you’re the one doing the scrambling, so only you and your chosen recipient(s) can decide if you both feel like doing any unscrambling. If you receive a user-encrypted message in your Gmail account, Google can only ever read the garbled version, because that’s all the company ever actually received. It nullifies the trust element of security for everybody except for yourself and your recipient.
As a result, it’s significantly more bothersome to set up and use. Encryption isn’t perfect by any means, but with a good understanding of secure email transmission, you can make sure that nobody without significant time and resources can eavesdrop on you — and how many of us are, realistically, worth government-level effort?
First, here’s how computer encryption works in a basic sense. In crypto, there is a problem called key distribution: it’s easy enough to lock a file, but for an intended recipient to be able to unlock it and read it, you have to get them a copy of the mathematical key — and if you could distribute things like that safely, you could just use that key-distribution method to send the message itself, and keys wouldn’t be needed at all. The eventual solution was to use a so-called public-private key combo, in which one user can lock a file with a publicly listed key unique to a particular recipient, but then only a corresponding secret key held by the recipient can open it.
It’s a fairly simple idea that was held back for years by the sheer difficulty of coming up with a mathematical operation that could do this — lock with one key, then unlock with another. When such a method was first discovered, it was called RSA. RSA didn’t really come into its own until it was put into practice by a guy named Phil Zimmermann in 1991, with the release of a user-friendly software suite called Pretty Good Privacy, or PGP.
There are a number of similar solutions, including, but not limited to, PGP, OpenPGP, and GNU Privacy Guard, often called GPG.
We’ll need to do three things to get started: install the system itself, generate a public-private key pair, and publish our public key somewhere that people can find it. There are some browser extensions that will automate some of this process — but frankly, if you’re willing to give away control of that much to unknown parties, you can probably just get by with a paid encrypted email service anyway. We’re trying to do it ourselves, here.
GPG makes things very simple. If you’re using a Windows PC, you might want to try GPG4Win; on Mac, GPGTools. The procedures for getting started with these systems are broadly similar, with only slightly different program names and on-screen prompts.
The GPGTools Suite is probably the most streamlined option. It uses a version of the Mac keychain called GPGKeychain to generate and manage any keys you make or encounter. When you make a new key-pair for your own use, or enter someone else’s public key so you can send them messages, GPGKeychain manages this information. This is the center of your security world from now on; someone with access to this program could get at your private keys, reading all encrypted mail just as easily as you do. Make sure you have a screen lock on any system with this program installed.
Creating a new key-pair is as easy as clicking “New,” and following the instructions. This is where you decide on what level of encryption you want (the default is almost always fine), as well as what actual email address will receive the encrypted messages and the alias that will be displayed. You can use your real name if you’d like (I do) but you don’t have to if you’d like to remain anonymous. Once you click create, you’ll have access to a public key for you to copy and host somewhere on the Internet.
The easiest way to do this is probably to right-click and Export the key in question as a text file. Open it up and copy-paste the full key (header/footer and all) into the submit box on this website. MIT hosts public encryption keys for anyone, for free — they’re not the only ones doing it, but they’re the most reliable. If you don’t want to trust MIT to keep the servers up indefinitely, try hosting it on your own personal webspace. You’ll have to publish the link somewhere, so people can actually find it to message you — Twitter bios are popular places to host links to public keys.
Now, actually making use of these public/private keys to send or receive emails takes another program from the GPGTools Suite: GPG for Mail. If you receive an encrypted message without this installed, even one correctly encrypted with your public key, it will appear as gibberish. By installing GPG for Mail, you teach the Mail app to put those keys to use both encrypting and decrypting messages. This means that if you were to lose or break the system with the properly patched Mail client on it, you’d have to reinstall GPGTools to read your own encrypted messages — even those you’ve already opened and read in the past.
GPG4Win works much the same way, with its own key-managers and plugins for Outlook. Linux has by far the broadest set of encryption tools available, but they also tend to be the most complex.
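The generate, export, encrypt and decrypt cycle that the graphical tools above perform can also be run with GnuPG's `gpg` command directly. The script below is an added example, not part of the original article; the names, address and message are constructed, and it uses two throwaway keyrings to show that whoever holds only the public key cannot read the message.

```sh
#!/bin/sh
# Added example. Names, addresses and the message are constructed; both
# keyrings live in a throwaway temp directory that is deleted at the end.

# Run gpg non-interactively against the keyring directory given as $1.
g() { home=$1; shift; gpg --homedir "$home" --batch --quiet --no-tty "$@"; }

roundtrip() {
    work=$(mktemp -d) || return 1
    alice="$work/alice"; bob="$work/bob"      # sender and recipient keyrings
    mkdir -m 700 "$alice" "$bob" || return 1

    # Recipient generates a key pair. The empty passphrase is for this
    # throwaway demo only; a real private key should have a strong one.
    g "$bob" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Bob Example <bob@example.org>' || return 1

    # Recipient exports the public half as ASCII-armored text to publish.
    g "$bob" --armor --export bob@example.org > "$work/bob.asc" || return 1

    # Sender imports only that public key and encrypts a message to it.
    # --trust-model always skips the ownership check so the demo can run
    # unattended; in real use, compare the key fingerprint with the owner
    # (gpg --fingerprint) before trusting a key fetched from a server.
    g "$alice" --import "$work/bob.asc" || return 1
    printf 'meet at noon\n' > "$work/msg.txt"
    g "$alice" --trust-model always --armor --recipient bob@example.org \
        --output "$work/msg.asc" --encrypt "$work/msg.txt" || return 1

    # The sender's keyring holds no private key, so it cannot decrypt.
    if g "$alice" --decrypt "$work/msg.asc" >/dev/null 2>&1
    then sender_can_decrypt=yes
    else sender_can_decrypt=no
    fi

    # Only the recipient's private key recovers the plaintext.
    plaintext=$(g "$bob" --decrypt "$work/msg.asc" 2>/dev/null)

    # Stop the agents gpg started for the temp keyrings, then clean up.
    gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$bob" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    printf '%s|%s\n' "$sender_can_decrypt" "$plaintext"
}

roundtrip   # prints "no|meet at noon": sender cannot read, recipient can
```

The file written by `--armor --export` is the same header-and-footer text block that the graphical tools produce when you export a key for publishing.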
In the end, real user-based encryption is still fairly opaque to most users. On the other hand, a well-designed personal encryption regimen is the best communications protection it’s possible to have right now, and unlike professional encrypted email services it doesn’t cost a thing to operate. You’ll need to do just a bit of DIY work to get it running, but honestly not all that much.
Now all you need is a real reason to be so secretive.