Thursday, May 2, 2013

It's Time to Encrypt Your Email

My people have no tradition of proofreading.  —Ken White

Too long; didn't read

I set out to write some simple instructions on setting up encrypted email.   Being a college teacher, I couldn't resist answering the "because" question for every step.  I also wandered into the ways one could use encrypted email and the other features available.  The article became way too long for anyone to actually use, so  I've broken it up into three parts.  This is the first of the three.  The other two are:

This article has been extensively revised because the Thunderbird email client now supports native encryption. (Note added 2021-02-21)

Why Encrypt?

We've read about "hackers" and reporters breaking into peoples' email. The FBI is back again with a proposal that would make "wiretapping" electronic communications easier. It's probably already too easy. If you're not sure, ask David Petraeus. Current (2013) law provides very little protection for email messages and almost none for messages left on your mail provider's server for longer than 180 days.  According to the Electronic Frontier Foundation, some of the biggest providers of email (Apple, AT&T, Comcast, Verizon, and Yahoo) do not require warrants for access to "content," which appears to include email.  (2019 data.)  In the summer of 2013, we found that snooping by the NSA in particular is far more widespread than most of us had imagined.

Most of the personal email most of us write is completely innocent, things like deciding on where to go for pizza, but even innocent email can contain confidential information.  I needed the Social Security numbers of my nieces and nephew to make them beneficiaries in case of my death.  Even though those exchanges were innocent, they contained information others should not have. I have recently been reminded that anything you communicate to your lawyer should be encrypted to protect the attorney-client privilege.

As you can see, there are good reasons for keeping your email confidential.  The best one is that the contents of your email are none of their damn' business!  whoever "they" may be. You can protect your personal email by encrypting it, and it's easy to do.  Read on to find one way to do it.

Following these instructions will allow you to encrypt mail that you want encrypted, and all the software you need is free.  Messages that you don't want encrypted will not be.  That's important because many of the people with whom you correspond will not have encryption set up at "their end."   Tell the ones who don't about this article!

Two Ways to Encrypt Email

Email can be encrypted using one of two standards, S/MIME or OpenPGP, that are not interoperable.  The Thunderbird email client discussed below is ready for either standard out of the box.  The trouble is, S/MIME requires a digital certificate for which you might have to pay.  These instructions are for OpenPGP, which is based on a "web of trust" rather than on digital certificates.  (If you have friends who use S/MIME encryption, Comodo offers free certificates with a one-year expiration period.  You can install both S/MIME and OpenPGP encryption, but you have to keep track of who uses what.)

Note for Users of  MacOS 

The instructions below will work for MacOS, but after I wrote this, the folks who develop GPG Tools for Mac released Version 2 of GPG Mail.  I don't have access to a Mac, so I haven't tested this personally, but a colleague with a Mac says it just snaps in and works.  If you use the Apple Mail application, you can probably just install GPG Mail instead of following my outline.  Before you start, please do read about pass phrases, key generation, and making a backup of your private key, below; that information is applicable to configuring GPG Mail.  You should actually read the whole article, and the two that follow.  If you try using GPG Mail, please leave a comment reporting your experience.  (Note added 2013-08-11.)

What We are Going to Do

These instructions are primarily for Windows users, but the software described will run on Linux and Mac OS as well.  This may seem long and complicated, but if you take it step-by-step, it'll be easy.  I recommend reading through the entire post before you start.  Here's what we're going to do:
  1. Install a "local" email client, Mozilla Thunderbird, on your computer.  You may already be using Thunderbird.
  2. Devise a passphrase to protect your private key.
  3. Generate your own public/private key pair.
  4. Enable OpenPGP encryption in Thunderbird.
  5. Upload your public key to a keyserver.
  6. Make a backup of your private key.
Optionally, you may want to create a revocation certificate and have your public key signed by a few other people.  There's more on that in Using Encrypted Email(Note: As of spring, 2021, the keyserver at does not support key signing.)

Install a Local Email Client

To start with, you will need an email client that runs on your own computer.  If you are already running Thunderbird, be sure you're running version 78 or higher and you're done with this step.

Otherwise, download and install Mozilla Thunderbird.  In most cases, Thunderbird can configure itself automatically with just your email address because it has a database of settings for major email providers.  If, for some reason, automatic configuration fails, you will need, from your email provider, the server addresses and port numbers to configure IMAP or POP incoming mail and SMTP outgoing mail.  These should be available from your email provider's support site.  You will also need to know the connection type, which will often be SSL/TLS. 

 If you use Thunderbird, to keep your private key secure, you must set a master password.  Use a pass phrase, not a word, as described in the next section.

Devise a Passphrase 

It is important that you keep your private key private.  You will use a "password" for that.  Your encryption is no stronger than this word or phrase. Please don't use any of the top 10,000 passwords.  I recommend using a phrase you will remember, something like, "My best times are those I spend at the beach."  That is very easy to remember, but it would be difficult even for someone who knows me well to guess it exactly.  The phrase should be more than a couple of dozen letters to foil automatic guessing, but you may have to type this phrase every time you encrypt or decrypt a message, so don't write a book!

The people who write password cracking software are onto the rules of grammar.  For a little more strength, you might rephrase as Yoda-speak: "Those I spend at the beach my best times are," or change the grammar around in another way.

For the strongest passphrase, generate it with Diceware.  You can also read the original Diceware article.  Use real dice or the dice from Throw five dice per throw and use the Electronic Frontier Foundation's long word list.

If you forget your passphrase, you're toast.  Write it on a slip of paper and put it in a book you use infrequently. When (if ever) you are absolutely sure you have it memorized, tear that slip of paper into tiny pieces and flush them.

Generate a Key Pair

Once you've settled on a passphrase, you are ready to generate your public and private keys. From the "hamburger menu" at the top left, choose Account Settings > select your account > End-to-End Encryption > Add Key.  The default size of 3,072 bits is probably enough.  For extra strength, choose 4,096 bits.  I made my key unexpiring.  For highest security, expire the key at intervals.

Upload Your Public Key to a Keyserver

To make your public key as public as possible, upload it to a keyserver.  The keyservers talk to each other, so uploading to one of them is generally enough. Thunderbird is configured to use as its keyserver. It isn't (yet) clear to me whether your public key is uploaded automagically.  About an hour after you've configured encryption, go to the keyserver using the link above and search using your email address.  If it finds you, you're done.

If not, do the following: Within Thunderbird's End-To-End Encryption panel, click "OpenPGP Key Manager."  In the  Key Manager, select your key and choose File > Export Public Key(s) to File.  Save the exported file and in a web browser, navigate to  Choose the upload link from the main page, browse to your file, and upload it.  Click Send Verification Email.

Make a Backup of Your Private Key

Earlier I wrote that if you forget your passphrase, you're toast.  The same thing is true if you lose your private key.  If you've followed these instructions, your private key is stored on your computer in Thunderbird's profile directory.  A disk crash or a new computer might mean you can no longer decrypt mail that others send to you.  To prevent that, make a backup of your private key now and any time you make a change.

To do that, within Thunderbird's End-To-End Encryption panel, click "OpenPGP Key Manager."  In the  Key Manager, select your key and choose File > Backup Secret Key(s) to File. You will need to set a password.  If you forget the password, you're toast.  If someone else gets a copy of the file and guesses the password, you're toast.  Copy the backup to a flash drive, preferably encrypted, or burn it to CD and guard it carefully.  Maybe make more than one copy.  I have a copy in the safe deposit box at my bank.

Exporting your private key also exports your public key.  If you ever need the backup, you will be able to import it.

What About Web Mail, Tablets, Smart Phones?

To be secure, encryption and decryption necessarily has to take place on the "end device," your computer, tablet, or phone.  If it happened at your email provider's server, your email provider would have to have your key.  If they have your key, they can divulge the contents of your email, perhaps accidentally or perhaps under a secret court order.

If you were using a web mail client, it will still work, but you won't be able to send or read encrypted mail. The post on Using Encrypted Email includes a brief discussion of Thunderbird Portable Edition, which will let you use encryption with others' computers.

For phones and tablets, there is software for Android that will let you use encryption, and software for iOS that will allow reading, but not creating, encrypted messages. A new iOS app seems to provide full encryption and decryption.  I've successfully installed APG and K-9 on my Android tablet and can send and receive encrypted mail.  I'll try to write some instructions presently.  (Didn't happen.)

About Your Work Email

Even if you work for a very permissive organization, they probably wouldn't appreciate your adding encryption to your work email.  Beyond that, free email accounts are readily available for personal use. I finally subscribed to a paid email service for my personal email on the basis that "free" is often worth the price charged. Mixing personal and work email can cause you serious problems.  For some examples, search on "fired because of email" for stories like this one.

Some Terminology

These definitions may help you navigate the documentation of the programs with which you will be working.
OpenPGP is a standard describing a mechanism for both encrypting and digitally signing files. Those files may be email messages or a "plain" data file. There is no "OpenPGP" program; two programs that implement the OpenPGP standard are described below.
PGP was a company, since acquired by Symantec, and also the name of that company's products. The PGP products implement the OpenPGP standard. They're commercial products; they cost money. People pay Symantec money to get technical support, regular product upgrades, etc. If you are installing encryption for a company, and not for personal use, consider the Symantec products or those offered by other companies.  There was a free version of PGP, but it is now very out of date and should not be used.
GnuPG, also called Gnu Privacy Guard or GPG, is a free and open-source implementation of OpenPGP. As with other free software, support consists only of forums, mailing lists, and web articles. Upgrades and fixes are contributed by a dedicated group of volunteers.
GnuPG refers to your public key and those of others as certificates because that's what they are. What's produced is a public key with a digital signature signed with the corresponding private key. That's a self-signed digital certificate. While it doesn't provide any assurance of correct binding to an identity, it does provide protection against tampering.

Ready for More Information? 

Now that you have encryption set up, read Using Encrypted Email.  For an overview of how this all works, try A Little About Encryption.

Did You Do This?

Every encrypted message is a tiny protest against the government's massive surveillance apparatus.  Please encourage others by leaving a comment below.  It can be as short as "I did it!" or as long as a description of your experience, but you really will help others.  Please spread the word by sharing this post.  Linking is easiest and lets me make updates, but the Creative Commons license lets you copy the entire post, too.

Copyright © 2013 by Bob Brown
Last update: 2021-03-14
 Creative Commons License
It's Time to Encrypt Your Email by Bob Brown is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

The quotation by Ken White is used by permission.

No comments:

Post a Comment