Email Encryption How To (not Why)

January 28, 2011 EDIT: Hello to all you people coming from Stumbleupon. Note that I haven’t checked out these instructions to see if they’re still relevant after two years. If you find anything that’s out of date, let me know!

This post is not intended to convince you to start encrypting all of your email. That job belongs to a separate post, and to the book “Little Brother” by Cory Doctorow.

This post is more of a how-to, in simple layman’s language (I hope). Others have done this before, but I think I’ve broken it down more for the people who aren’t familiar with the various platforms and I’ve included some of the pitfalls that I hit while I was doing all the setup. There are many many little tutorials around. Google is your friend. If you find that any of the instructions here are unclear or lead you down the primrose path, please let me know.


Email Encryption How To
I have been thumbing my nose at The Man recently by joining the ranks of people who regularly encrypt email messages.1 I accomplish this through three different tools: GnuPG, Thunderbird/Enigmail (actually two separate tools there), and Firefox/FireGPG (again two separate tools working together).

  1. The first and most important one of these tools is GnuPG which stands for GNU Privacy Guard. If you don’t know what GNU is, go here, but it’s not important for this discussion.
  2. The second set of tools is the Thunderbird/Enigmail combination which I use because I like being able to access my email wherever I go via IMAP. Thunderbird is a free email client via the Mozilla project which also publishes Firefox, a browser similar, but much superior, to Windows Internet Explorer. Then there is the Enigmail extension, which must be installed on top of Thunderbird.
  3. Thirdly is the Firefox/FireGPG combo which allows me to use encryption through Google Mail. Firefox, as I just mentioned, is a superior web browser to Internet Explorer and FireGPG is an extension downloaded through Firefox’s extension utility in order to bring on board the capabilities of GnuPG.

This is all a lot of detail, but I can break it down. Firstly, a quick summary of Public Key Encryption (which is what GnuPG is for) for people who don’t care about the math. If you don’t want the explanation, skip to the paragraph marked Step 1.

Public Key Encryption
Encrypting a message takes your Plaintext, mangles it through a magic mathematical process to come up with a bunch of gobbledy-gook that requires a Key to understand. If you have the Key, you may de-mangle the gobbledy-gook and end up with the Plaintext that was originally mangled. What Public Key Encryption does is provide you with two keys that, combined with someone else’s two keys, allow for a secure communication route.

Why does everyone get two keys, and what are these key things anyway? One is called your private key, and one is called your public key. The private key you keep private and never let anyone see, ever. The public key you distribute to everyone, everywhere so they can check your messages. Keys look like this: mQGiBEicoXYRBACFu+jc9... and go on for a very long time.

The reason for two keys is simple in concept, but mathematically complex. The concept is this: Any message you send is “signed” with your private key. Anyone who has your public key can verify that it is “you”2 that sent that message. If they send a message to you that has been signed by their private key, you may then use their public key to verify that they were the person who sent that message.

So far, though, we’ve only talked about verifiability, not encryption. Anyone can still read these “signed” messages. The slick part is when you send a message to a recipient that is encrypted with their public key. Only a person’s private key can “de-mangle” or decrypt a message that has been encrypted with their public key. That is the purpose of the two keys. A message is encrypted using your public key—which everyone has—then it is sent to you. You decrypt it using your private key—which only you have—and read the message. As long as you preserve the secrecy of your private key, there is no possibility of someone reading that encrypted message.3

The way to close the loop for secure message transmission is for both you and your buddy to have exchanged public keys. If you’re sending a message to your friend, you first “sign” it using your private key, then encrypt it using their public key. Now you send the message and your friend first decrypts it using her private key, then she examines the signature using your public key, verifying that it came from you. Simple! Brilliant!
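The exchange just described, as an added example that is not part of the original post: a toy model built on textbook RSA with tiny primes, so you can see which key is used at each step. It is not what GnuPG does internally (real keys are huge, messages are padded and encrypted under a symmetric session key); the names, primes and message are constructed for the demonstration.

```python
# Added example (not the post's code): toy RSA model of sign-then-encrypt.
import hashlib

def make_keypair(p, q, e):
    """Return (public, private) as ((e, n), (d, n)) from two primes and e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def digest(plaintext, n):
    """Hash the message and reduce it into the signer's modulus."""
    return int.from_bytes(hashlib.sha1(plaintext).digest(), "big") % n

def sign(plaintext, private_key):
    d, n = private_key  # YOUR private key: only you can produce this
    return pow(digest(plaintext, n), d, n)

def verify(plaintext, signature, public_key):
    e, n = public_key  # YOUR public key: anyone holding it can check
    return pow(signature, e, n) == digest(plaintext, n)

def encrypt(plaintext, public_key):
    e, n = public_key  # the RECIPIENT's public key, which everyone has
    return [pow(b, e, n) for b in plaintext]  # one byte per block (n > 255)

def decrypt(blocks, private_key):
    d, n = private_key  # the RECIPIENT's private key, which only she has
    return bytes(pow(c, d, n) for c in blocks)

def send(plaintext, sender_private, recipient_public):
    """Sender: sign with own private key, then encrypt for the recipient."""
    return encrypt(plaintext, recipient_public), sign(plaintext, sender_private)

def receive(blocks, signature, recipient_private, sender_public):
    """Recipient: decrypt with own private key, then verify the signature."""
    plaintext = decrypt(blocks, recipient_private)
    return plaintext, verify(plaintext, signature, sender_public)

# Constructed toy keys (tiny primes, NOT secure): one pair per person.
YOU_PUB, YOU_PRIV = make_keypair(61, 53, 17)
FRIEND_PUB, FRIEND_PRIV = make_keypair(97, 89, 5)

def demo(message=b"meet at noon", tamper=False):
    """Round trip; with tamper=True two ciphertext blocks are swapped in transit."""
    blocks, sig = send(message, YOU_PRIV, FRIEND_PUB)
    if tamper:
        blocks[0], blocks[1] = blocks[1], blocks[0]
    return receive(blocks, sig, FRIEND_PRIV, YOU_PUB)
```

The tampered run still decrypts (the swap produces valid bytes) but the signature check fails, which is why the signature is verified after decryption.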

So, how do all those programs I mentioned figure into this mess? GnuPG is the program that handles all the heavy lifting about dealing with your keys. Enigmail and FireGPG handle the conversion of email messages from plaintext to signed or encrypted versions of themselves and back again. Firefox and Thunderbird provide the platforms upon which all that work can be interfaced with the world. What you can take out of this is: You must have GnuPG (or similar program, but that’s the one I’m pimping). Thunderbird and Enigmail are required if you want a computer-based email program; Firefox and FireGPG are required if you want a browser-based email program.4 For those of you who are die-hard Outlook users, I don’t believe that Outlook supports GnuPG. I believe it only does S/MIME, which works as well as GnuPG, but it’s a different system, it’s proprietary, and is beyond the scope of this document.

So now you know the basics of public key cryptography. Here’s the nuts and bolts of getting things set up:

Step 1:
Download Gnu Privacy Guard. This is the link to the executable file of version 1.4.9. If this doesn’t work, go to the GnuPG download page and look for the Windows Install FTP link. Make sure you save this executable to disk before installing. Saving it, rather than just clicking on “run”, allows you to confirm the integrity of the file, making certain that the file you’re downloading is the same as the file GnuPG intends for you to download. When installing something that is going to secure ALL of your email communications, it makes sense to take some time and get it right.

Step 1a:
To check that you’ve got the right version, you compare the “checksum” of a file against what is posted by GnuPG. This, unfortunately, requires additional steps and downloads. If you want to just get on with it, skip to the next step. If not, keep reading.

A “checksum” is a fixed-length string of hexadecimal digits produced by running a block of data through a fixed mathematical process. Basically, it’s a fingerprint of a series of data. Any modification to the data will result in an altered checksum. For example, the checksum of the Windows GnuPG download for v. 1.4.9 is:
c2efad983dfe50e6d8007257bad2c76604be389a
If the file is altered, when you run the checksum the result will be very different.

Unfortunately, Windows doesn’t come equipped to run checksums. I like using Checksum for Windows which has a convenient interface. Once you download and install it, you can run the “Simple Checksum” which gets posted under the Start Menu. Then you drag the GnuPG executable file over onto the little Simple Checksum window and it will give you the resulting checksum. If it matches the one posted at GnuPG, you’ve got a good file and can proceed with installation.

Step 2:
Install GnuPG. Run the executable you saved in step 1. Click next next next next until you’re done. It’s very easy.

Step 3:
Install Thunderbird. The Thunderbird website has nice instructions. Use them.

When setting up your email accounts, make sure you read my horror story here, to avoid similar problems yourself.

Step 4:
Install Enigmail. Enigmail also has some nice manuals. I’m going to send you there, too. You’ll notice that some of what I’ve written is very similar to Enigmail’s page. One place they’re lacking, though, is the checksum. I’m disappointed by that.

It’s very important that you read the instructions on how to install Enigmail. It is not obvious and is what I consider the primary failure by Mozilla on user-friendliness. Thunderbird Extensions are not Firefox Extensions. This was something that took me a week to figure out. Learn from my pain. Read their manual. Follow their instructions.

Step 5:
Install Firefox if you haven’t already. Once you get used to it, you’ll never go back to Internet Explorer.

Step 6:
Install FireGPG.

  • Open the Firefox Browser
  • Click on the Tools menu –> Add Ons.
  • Click on the top where it says “Get Add-Ons”.
  • Click on “Browse all Add-Ons” which should be on the top right hand side of the screen. This will bring you to a new website which allows you to search for Firefox add-ons.
  • In the “Search for add-ons” bar, type “FireGPG” then [enter]
  • When it comes up with the FireGPG result, click on the “Add to Firefox” button. It will download.
  • Click Install and then, when it tells you to, restart Firefox.

Step 7:
Develop your first public/private key pair for email encryption. I’m totally going to throw you back to the Enigmail manuals. They did a good job. Use them.

However, before you click over there, it’s critical that you sit down, take a deep breath, and think up a passphrase that is going to protect your private key for the rest of eternity. Remember, you are the only one who will ever have access to your private key. This ensures the security of the encryption. You aren’t going to memorize the huge long list of characters that looks like this (mQGiBEicoXYRBACFu+jc9...) but is more than a thousand characters long. Instead, you’re going to memorize a passphrase that is difficult to guess, is cryptographically strong, but that you can remember. Bruce Schneier talks about bad passwords. A passphrase is longer and should contain multiple special characters, numbers, capitalizations, etc. But it also has to be easy to remember for you. The character Randall Waterhouse memorized a sentence from a biography in the book “Cryptonomicon” (of course, he got it wrong when he tried to enter the passphrase). Ultimately, it’s up to you, but be sure that you can remember it. If you forget the passphrase, your encrypted data is gone gone gone.

My passphrase is more than thirty characters long and includes random capitalizations, alphanumeric characters and misspellings.

Step 8:
Publish your public key. Put it on keyservers, and send it to family and friends (who need to have followed all these steps, too). Then verify that you have good keys from everyone. More about that in a moment.

You publish public keys on keyservers so that people who receive “signed” messages from you can go download your public key to verify that it’s from you. Enigmail has a tutorial on how to do this.

With people you are acquainted with, you can exchange public keys and then verify them by vocally confirming their key IDs or key fingerprints (whatever you want to call them). Key IDs and fingerprints are a hash (kind of like a checksum) of the public key. My fingerprint is C422C269, but you shouldn’t trust this blog post. You should call me and verify that the fingerprint displayed next to my public key in your Enigmail is the same as the one I give you over the phone. That eliminates the possibility of Man in the Middle attacks on our communications.
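Here are the two manual checks the post asks for, the download checksum from Step 1a and this step’s fingerprint comparison, as an added example that is not part of the original post. It assumes the published checksum is SHA-1 (the quoted value has SHA-1’s 40 hex digits) and that an OpenPGP fingerprint is 40 hex digits whose last 8 are the short key ID Enigmail shows; the file contents and fingerprint values used to exercise it are constructed.

```python
# Added example (not the post's code): the two manual checks the post asks for.
# Assumptions: the published GnuPG checksum is SHA-1 (40 hex digits), and an
# OpenPGP fingerprint is 40 hex digits whose last 8 are the short key ID.
import hashlib
import hmac

def normalize_hex(value):
    """Drop spaces and colons and fold case so 'A9 99' equals 'a999'."""
    return "".join(value.split()).replace(":", "").lower()

def sha1_of_file(path, chunk_size=1 << 20):
    """Hash a download in chunks so a large installer need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def download_matches(path, published_checksum):
    """Step 1a: does the saved installer match the checksum GnuPG published?"""
    expected = normalize_hex(published_checksum)
    if len(expected) != 40:
        raise ValueError("expected a 40-hex-digit SHA-1 checksum")
    return hmac.compare_digest(sha1_of_file(path), expected)

def short_key_id(fingerprint):
    """The 8-digit key ID is only the tail of the 40-digit fingerprint."""
    fp = normalize_hex(fingerprint)
    if len(fp) != 40:
        raise ValueError("expected a 40-hex-digit OpenPGP fingerprint")
    return fp[-8:].upper()

def fingerprint_confirmed(displayed, spoken):
    """Step 8: the fingerprint Enigmail displays equals the one read out over
    the phone. Compare all 40 digits, not just the short key ID, since two
    different keys can share the same 8-digit key ID."""
    return normalize_hex(displayed) == normalize_hex(spoken)
```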

This might seem slow, but what it allows you to do is set “trust levels” on your friends’ and families’ public keys in your encryption program. For example, in my Enigmail, I can go into Key Management, right-click on another person’s key and set “owner trust” to anything from “I Don’t Trust” to “I Trust Ultimately”. Anyone whose key I mark “I Trust Ultimately” or “I trust fully” can pass their trusted public keys on to me automatically. Therefore, if I trust Bob and Bob trusts Jane, and I receive a message from Bob with Jane’s public key attached, I will automatically trust Jane. There is a detailed description here.

This is powerful and dangerous. Be careful with your trust assignments.

Step 9:
Start sending only encrypted and signed emails to people.

I haven’t talked much about the mechanics of doing the encryption and signature stuff inside Thunderbird or Google Mail. I feel that this can be left as an exercise for the reader. Besides, the Google Mail client changes on a weekly basis, so what I write today might be out of date by next month. Suffice it to say, if you send an email and you’re not asked to type in your passphrase, you might have things set up incorrectly.

Caveats and Warnings
I am not a security expert. If someone says, “That Bill Ruhsam character doesn’t know his ass from his elbow!”, I would give them at least the benefit of the doubt. However, I may be wrong about the gritty details of things (descriptions of cryptography, statements about Outlook) but these programs work.

Encryption is only as good as the system it’s based on. If you’re going to take this to heart, run the checksum in Step 1a, and verify the fingerprints of the public keys you receive as described in Step 8. Currently my public key network is entirely within friends and family, so I call them on the phone and ask them for their fingerprint by voice. Easy and secure.

Encryption is also only as good as your passphrase and the desire and resources of someone else to break that encryption. Given enough processing power, any encryption scheme can be broken5, so don’t think that this makes your messages entirely unreadable for all time. Very secure codes from the 50s can now be broken with ease because computers are leaps and bounds faster. Who’s to say what breakthroughs in the next ten to fifty years would allow the NSA, or whomever, to read your encrypted mail.

Lastly, there are ways to break encrypted mail that involve trojans and viruses etc. It’s important to maintain a clean computer. If you suspect that your private key has been compromised, it’s time to revoke it and create a new one.


1: I don’t encrypt any other method of communication, voice, SMS, twitter, paper notes, so maybe I’m being hypocritical.
2: Or anyone who’s in possession of your private key. Remember, it’s for you and you alone. No one else should ever know what it is.
3: Until the mathematical/computational capability arises to attack any particular key length. I refer you to various articles about encryption and encryption attacks.
4: There are other methods for enacting public key cryptography, but I’m not going to describe them. This is a bare-bones beginners tutorial. For more, I recommend Google.
5: Massive caveats to that statement. Don’t bother me with the exceptions.


5 Responses to Email Encryption How To (not Why)

  1. Chris says:

    Great job Bill. It’s obvious that I never got around to writing the next part of my “how-to”.

    A few fairly minor comments:

    A) There is a GPG compatible encryption for Outlook: PGP, the original proprietary software GnuPG is based on. Configured correctly, PGP and GnuPG will interoperate. Bad news: PGP is pay-ware, and not terribly inexpensive. GnuPG/Enigmail/Thunderbird is a MUCH better option… unless you are FORCED to use Outlook (like at work).

    B) Checksum verification for downloads always strikes me as a dragon-who-eats-his-own-tail problem. If I was truly paranoid, why would I trust that the “Checksum checker” software is valid without having a checksum which needs some other software to verify? I’ve got to have some train of authenticity that I can ultimately trust…

    C) I recommend getting a footnote plugin for WordPress. I use WP-Footnotes. This will allow you to write your footnotes inline and will do the numbering for you (see footnote 5).

  2. Bill Ruhsam says:

    [edit note: minor revisions made to post to fix grammar errors and the issue mentioned in C above]

    Chris:

    B) Given that any tiny change in a file results in a hugely different checksum result, and that it’s unlikely that any particular checksum provider is in cahoots with someone trying to monitor your encrypted traffic, I still feel safe using a random third party to verify a download. I suppose if we were being truly paranoid, we’d have another checksum program verifying a second time.

    C) Sounds like a plan. I’ll get on to it.

  3. Chris says:

    I checked out FireGPG… Although I do not use Gmail, it was still a handy add-on. It seems to parse text in messages for PGP blocks and then prompt you (in-line prompts) for whether you want to verify or decrypt messages.

    I had a little trouble in my webmail with PGP/MIME attachments, but once I told Firefox to go ahead and open the attachments (*.asc) itself, it works as desired with FireGPG.

    That is good.

  4. Pingback: Talking Traffic » Episode 27 - Myriad Topics

  5. Pingback: The Evil Eyebrow » 2009 Hugo Awards (Nominations)
