Secure eMail, a beginner’s guide
Why and how? Here is the 101 on how to secure your online communication.
Did you know your eMails can be read by anyone? Yes, anyone. eMails are by default transmitted over the internet as plain text, so anyone running an eMail server can technically read your eMail. In general this is irrelevant, because nobody cares to read all the billions of messages sent all the time, but then there are some intelligence agencies that made the news recently for spying on everyone indiscriminately (data bulk-collection) and then there are Google, Facebook, Yahoo etc.
While intelligence agencies use your messages to put you on no-fly lists and make arrests based on your online activity, companies that read your mail are doing it to provide targeted ads that you are more likely to be interested in. There is no such thing as a free service: either you pay or you (your data) are sold.
Spam
Spam currently is so bad that about 67% of all eMails never make it into your spam folder, let alone your inbox. Only those eMails where the algorithms are not sure get marked as spam. Very few finally make it to your inbox.
In a world where encryption is the default, spammers would have to build programs that not only identify potential eMail addresses to spam, but also figure out where to find the corresponding public key. Unencrypted mail could be filtered and spam would become harder to send.
How to get started
Encrypting is surprisingly easy if you use any of the native applications like Apple Mail, Outlook or Thunderbird. If you use a Cloud service where you have all of your eMails online and don’t ever download them, Gmail will soon have you covered, but will of course continue reading your messages. Google will only encrypt in transmission, but not inside your inbox. iCloud already implements encryption in transmission to provide fundamental security from fraud, but just as it is with Gmail’s service, of course the receiving cloud service as well as iCloud can read your eMails. Still, it helps with security a tiny bit, until your messages are subpoenaed for some made-up reason and you don’t even get notified.
Sidenote: Services like iMessage encrypt end-to-end, that means not even the service provider can read these messages. That is something we have yet to develop for eMail.
Encryption 101
The way encryption with messages works in general is with a public and a private key, coming together as a key pair. A pair is linked to one or more eMail addresses. It contains your public and your private key, the names of which indicate what you do with them. Your public key is required by the sender to encrypt messages that only your private key can decrypt.
Once you have installed a software solution of your choice (mine is GPG tools, an open source solution for Mac OS X), you will generate a key pair. Here is GPG for Windows and here are some more solutions listed for Windows and Linux. GPG tools also signs eMails that are addressed to recipients without encryption; this way they at least have a chance to make sure that you are actually the sender.
In GPG tools you can export your key and it will automatically only export your public key, but you can choose to export public and private for backup purposes, for example. Never share your private key, ever.
Share your public key alongside this article with your contacts so they can start sending you encrypted messages. Here is mine.
Decrypt incoming
To decrypt eMails you don’t have to do anything if you’re using a plugin. When I receive an encrypted eMail I am prompted by GPG for my passphrase and it automatically decrypts the incoming messages. If you use a service or application that isn’t supported or doesn’t support it on its own, you can select the encrypted text and select the decrypt command from the context menu.
Encrypt outgoing

Again, if you’re using a plugin and compatible software, just click the encryption button and it’ll ask you for the recipient so it can use their public key. GPG tools will actually add their eMail address to the recipients list.
Encrypting manually is as easy as copy and paste. Write your message in a text editor, select the text and choose the encrypt command from the Services menu or right click and choose Services > Encrypt. If you’re using other software or aren’t on OS X, it’ll of course work differently. Then just copy and paste the garbled message including the —— BEGIN… and …END … MESSAGE—— parts into the eMail, text message, forum etc. Wherever.
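The key pair from Encryption 101 and the manual encrypt and decrypt steps above, shown on the command line as an added example that is not part of the original article. It assumes the gpg command-line tool (GnuPG 2.1 or later) is installed; the address alice@example.org, the message text and the two temporary keyrings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. alice@example.org, the message and both keyrings are
# constructed; everything lives in a temp directory, not your real keyring.
set -eu
WORK=$(mktemp -d)
ALICE="$WORK/alice"; SENDER="$WORK/sender"   # one keyring per person
mkdir -m 700 "$ALICE" "$SENDER"
G="gpg --batch --quiet --no-tty"
cleanup() {
    for h in "$ALICE" "$SENDER"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

roundtrip() {
    # 1. Alice generates a key pair (empty passphrase only because the key
    #    is disposable; a real key needs a strong one).
    $G --homedir "$ALICE" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Alice <alice@example.org>' default default 1d
    # 2. Export the PUBLIC key only; this file is what she hands out.
    $G --homedir "$ALICE" --armor --export alice@example.org > "$WORK/alice.pub.asc"
    PUB_HEADER=$(head -n 1 "$WORK/alice.pub.asc")
    # 3. The sender imports it and encrypts. --trust-model always skips the
    #    ownership check for the demo; in practice compare fingerprints first.
    $G --homedir "$SENDER" --import "$WORK/alice.pub.asc" 2>/dev/null
    printf 'meet at noon\n' | $G --homedir "$SENDER" --armor \
        --trust-model always --recipient alice@example.org --encrypt > "$WORK/msg.asc"
    MSG_HEADER=$(head -n 1 "$WORK/msg.asc")
    # 4. Holding only the public key, the sender cannot decrypt the result.
    if $G --homedir "$SENDER" --decrypt "$WORK/msg.asc" >/dev/null 2>&1
    then SENDER_CAN_READ=yes; else SENDER_CAN_READ=no; fi
    # 5. Alice's private key recovers the text.
    PLAINTEXT=$($G --homedir "$ALICE" --pinentry-mode loopback --passphrase '' \
        --decrypt "$WORK/msg.asc" 2>/dev/null)
}

roundtrip
echo "public key file : $PUB_HEADER"
echo "encrypted mail  : $MSG_HEADER"
echo "sender decrypts : $SENDER_CAN_READ"
echo "alice decrypts  : $PLAINTEXT"
```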
What should I encrypt?
Everything. It is absolutely irrelevant what you are sending, encrypt it. Otherwise you will be tipping off the unwanted listeners on which messages are worth the effort to crack the code and which aren’t. And we don’t want to make it easy for them, do we?
Your motivation for encrypting your communication should be privacy, security and especially free speech. You should encrypt so you don't censor yourself out of fear that someone might be listening.