Previously we discussed how to make a solid password, gave an overview of how encryption works, and showed how to encrypt data. Email privacy is a growing concern, and in this last part of the series we will discuss how to encrypt emails.
How To Encrypt Email
All email encryption programs use public-key cryptography (as does OpenSSH), which relies on an asymmetric key algorithm. A public key and a private key are generated as a pair: the public key produces an encrypted message that only the private key can read (decrypt). It is essentially impossible to derive the private key from the public key, so sharing the public key openly is not of grave concern, though keeping the public key in only sure hands would add a further level of security. PGP was initially released in 1991 by Phil Zimmermann for Windows, but was later published by the Internet Engineering Task Force (IETF) as a standard named OpenPGP.
There are many great solutions for email encryption, and most (if not all) are based on the OpenPGP standard. Lifehacker explains how to use Enigmail, and there is a commercial version of PGP offered by Symantec. For Apple Mail there is an encrypt program, and there is a Firefox Greasemonkey script for Gmail. There are certainly many others, but here we will look at GNU Privacy Guard (GPG), which is a very popular implementation of OpenPGP, to offer a possible solution and to show the basic idea of how public key encryption works.
Step 1 – Install
Installing the program, whether one of the many GUIs or the command line interface, should be fairly straightforward.
Step 2 – Create a Public Key
For the sake of the example, let’s say Bob and Jim want to send encrypted emails back and forth. Both Bob and Jim create their own key pair (a public key and a matching private key) by running GPG’s key generation and following its prompts:
Choose RSA and RSA (meaning an RSA public key and an RSA private key) and 2048 bit keys. The passphrase will need to be very long, so enter as long a passphrase as you can remember, and if it says “Not enough random bytes available,” bang on the keyboard for a while until it’s happy. Then export your public key to share:
gpg -a --export > bob-gpg.pub
Note that the ‘-a’ option (ASCII armor) writes the output as OpenPGP ASCII-armored text rather than binary, which is easier to read and to paste into an email. The bob-gpg.pub file should look something like:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (GNU/Linux)
(a big block of text)
-----END PGP PUBLIC KEY BLOCK-----
Step 3 – Import Public Key
Now, Jim should have done the same thing and made his own key pair. After he emails Bob his public key, Bob imports it into GPG:
gpg -a --import jim-gpg.pub
And likewise, Bob emails Jim his public key and Jim imports it.
Step 4 – Write an Encrypted Email
You can use a Word document, Excel file, or any kind of file to write your email. Once it is written, encrypt it and GPG will create a new file with the same name plus the extension ‘.asc’:
gpg -a --encrypt email.txt
It will prompt you with “Enter the user ID. End with an empty line:”, at which point Bob enters “Jim” or “Jimmy” or Jim’s email address (whatever Jim used when creating his key), followed by an empty line. The encrypted file should look something like:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.10 (GNU/Linux)
(block of text)
-----END PGP MESSAGE-----
Step 5 – Read (Decrypt) an Encrypted Email
Now, the encrypted email.txt.asc can be emailed to anyone anywhere without much concern, since only Jim’s private key can decrypt it. Bob just wants to email it to Jim, so he does, and Jim reads the file like so:
gpg -a --decrypt email.txt.asc > email.txt
GPG will prompt for the passphrase of Jim’s private key before decrypting. (Do not pass ‘--passphrase’ bare as some guides show: in GPG that option takes the passphrase itself as its argument, and putting a passphrase on the command line also leaves it in your shell history.)
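The whole Bob/Jim exchange from Steps 2 to 5, run unattended end to end, as an added example that is not part of the original article. It assumes GnuPG 2.1 or later is on PATH (the %no-protection parameter that skips the passphrase prompt needs 2.1+); the names, email addresses, temporary key rings and message text are constructed for the demo. It also adds the one check the article leaves implicit: an imported public key is not trusted until you have verified its fingerprint with its owner, so gpg refuses to encrypt to it in batch mode unless told otherwise.

```shell
#!/bin/sh
# Added example: Bob and Jim exchange GnuPG keys and one encrypted message,
# each in a throwaway key ring. Assumes GnuPG >= 2.1; all names, addresses
# and the message are constructed for the demo.
set -eu

WORK=$(mktemp -d)
BOB="$WORK/bob-gnupghome"
JIM="$WORK/jim-gnupghome"

# Step 2: unattended key generation, RSA signing key plus RSA encryption
# subkey, 2048 bits. %no-protection skips the passphrase so the demo can run
# in batch mode; a real key should of course carry a long passphrase.
make_keypair() {  # $1 = home dir, $2 = real name, $3 = email
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# Steps 2 and 3: export an ASCII-armored public key and import it into the
# other party's key ring.
share_public_key() {  # $1 = exporter home, $2 = exporter email, $3 = importer home
    gpg --homedir "$1" --armor --export "$2" > "$WORK/$2.pub"
    gpg --homedir "$3" --batch --quiet --import "$WORK/$2.pub" 2>/dev/null
}

# Step 4: encrypt a file to one recipient. --trust-model always stands in for
# the fingerprint check you would do by hand: without it gpg refuses to use
# a freshly imported, unverified key in batch mode.
encrypt_to() {  # $1 = sender home, $2 = recipient email, $3 = plaintext, $4 = output .asc
    gpg --homedir "$1" --batch --yes --quiet --trust-model always \
        --armor --recipient "$2" --output "$4" --encrypt "$3"
}

# Step 5: decrypt with whatever private key the given key ring holds.
decrypt_with() {  # $1 = home dir, $2 = .asc file; plaintext goes to stdout
    gpg --homedir "$1" --batch --quiet --decrypt "$2" 2>/dev/null
}

# Run the full exchange and print what Jim recovers (any step failing aborts).
gpg_roundtrip() {
    make_keypair "$BOB" "Bob" "bob@example.com"
    make_keypair "$JIM" "Jim" "jim@example.com"
    share_public_key "$BOB" "bob@example.com" "$JIM"
    share_public_key "$JIM" "jim@example.com" "$BOB"

    printf 'Meet at noon.\n' > "$WORK/email.txt"   # constructed message
    encrypt_to "$BOB" "jim@example.com" "$WORK/email.txt" "$WORK/email.txt.asc"
    grep -q -- '-----BEGIN PGP MESSAGE-----' "$WORK/email.txt.asc"  # armored, as in Step 4
    decrypt_with "$JIM" "$WORK/email.txt.asc"
}

# Negative check: Bob holds only Jim's public key, so even the sender cannot
# read the message he produced. Returns 0 when gpg (correctly) fails.
sender_cannot_decrypt() {
    if decrypt_with "$BOB" "$WORK/email.txt.asc" >/dev/null; then return 1; fi
}

cleanup() {
    gpgconf --homedir "$BOB" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$JIM" --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}
trap cleanup EXIT
```

Running `gpg_roundtrip` prints `Meet at noon.`, and `sender_cannot_decrypt` succeeds because Bob's key ring has no private key that matches the message. In a real exchange you would drop `--trust-model always` and instead compare `gpg --fingerprint jim@example.com` with the fingerprint Jim reads to you in person or over the phone before signing or trusting his key.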
And that’s it! It can be rather intimidating, but once you’ve done it a few times it’s not so bad. A good policy is to change your key pair every so often; if someone does get hold of a key and gains access to your email account, they at least won’t be able to read all of your emails. It is also a good policy not to send new public keys via email, but to hand them over directly, on a thumb drive for example. Though this may be overkill in many situations, when you need assurance that email information is kept secret, an encryption program will get the job done.