How to encrypt your emails with PGP keys
Important: This encryption tutorial is aimed at Linux-users. However, if you are using a Windows or macOS machine, the process is very similar. If you encounter any problems, feel free to contact us.
Secure online conversation is not a simple thing. There are various possibilities, depending on your needs. For journalists this might be protecting their sources. Offering a way for people to stay anonymous when they contact you might go a long way towards cultivating sources . We will guide you through the process with this tutorial, so, if you want to know how to send and receive emails securely, continue reading.
First things first
There are some differences between the two computer programs. One is that they use different encryption algorithms, that is to say different methods of encryption. More importantly, PGP became proprietary some time after it was published. GPG was rewritten based on the OpenPGP algorithms to offer a free encryption program.
The email client
First, you will need the right email client. Mozilla Thunderbird is a good choice, because it is free and supports Linux as well as macOS and Windows. To be more specific, we will use an add-on for Thunderbird called “Enigmail”, but we will get to that in a minute. You can download Thunderbird here. The link is also listed in the ‘Downloads‘ section farther below.
If you have installed and set up Thunderbird, you can install the add-on we talked about. Just open Thunderbird, click on the menu-icon next to the search bar, select “Add-ons”, then search for “Enigmail” and install it. Thunderbird will ask you to let it restart itself, let it do that.
Now that we have our email client configured properly, we will continue with GPG, the key managing program.
To check if you have already installed GPG type
gpg --version in the terminal. If it doesn’t return something like
gpg (GnuPG) 2.1.15 you have to download the tarball marked in the picture on the right. Download and install it from here.
Windows-users can find the equivalent program here. There are alternative implementations for macOS but we won’t cover those or the Windows version in this tutorial. We don’t believe they require much more effort than an ordinary installation though, so you could just try to get them working on your own. You can find a list of OpenPGP-compatible programs for various operating systems – including Android OS – linked in the Downloads section.
Creating the keys with Keybase
Next, you need to create a pair of keys. At journocode, we went for the easy way and used keybase.io to create the key pair. The big benefit is that you can also use Keybase to register verified identities of yourself from various websites, for example Twitter, Facebook, Github or your own website. This overview is paired with your public key. This way, you can simply use a URL like “keybase.io/your_username” in your email signature to submit others a link to your public key instead of the full, lengthy key in the signature.
That’s why we decided to use keybase. You don’t have to create an account, but it really makes things easier. If you don’t want to, you can skip ahead to the next step: “Importing the keys in Enigmail”.
If you create an account, the website will guide you through the process of creating the keys. Important: The passphrase you choose for your Keybase account will also be used to decrypt the messages you receive through your email client.
At one point you will be asked to answer some questions like “What’s your favorite dinner?”. These help to randomize the function keybase uses to create your unique set of encryption keys. It’s normal that this process might take several minutes. Keybase will also ask you if you would like them to store the private key for you. You need to agree to that to follow this tutorial – Don’t worry, Keybase will store the key encrypted.
Importing the keys in Enigmail
Now we have gotten ourselves a pair of encryption keys: a public one to share and a private one to keep secret. We will now take those to set up Enigmail. In order to do so, open Thunderbird, click the menu button again, hover over “Enigmail” and then select “Setup Wizard” from the dropdown-menu. The wizard will ask if you want to continue using a standard, extended or manual configuration. If you didn’t create an account with keybase, check the box for the standard configuration and click continue. The setup will guide you through the process of creating your pair of keys.
If you decided to use keybase, select the extended configuration. In the next step you can choose to associate all of your email addresses from Thunderbird with the encryption keys or just some of them. Enigmail will then ask you for the public and private key files, ending with “.asc”.
Getting the public key
To get them, visit keybase.io in your browser and go to your profile. There you will see a sequence of characters next to the symbol of a key. This character sequence is specific for your public key but much shorter. It is called a “fingerprint”. If you click at it, a popup will open with your public key as plain text. click in the field, hit “Ctrl+c” (to copy the content) and save it in a new text document on your computer. The file has to end with “.asc” to be noticed by Enigmail as an encryption key file. We would recommend to name this file “public_key.asc” or something alike and store it on your Desktop, so you can easily find it in Enigmail.
Getting the private key
To get the private key, you have to visit your keybase profile again and click on “edit” next to the public key fingerprint. This will present you with the option to export your private key from keybase. Type in the passphrase you set when you created your account, click “Export” and voilà! There is your private key. Notice that you cannot export the key using the “enter” key. You have to click the “Export”-button with your mouse. Next, you have to repeat the steps from before and create a file called “private_key.asc” or something similar.
Now that you have these files handy on your Desktop, you can select them in the setup wizard and continue. When asked if you want to create a key revocation certificate, you should select “yes” and save it to your computer. It is recommended that you store it safely on a CD or USB stick because with this certificate a person could revoke your public key. However, you can simply leave it on your computer, since that would not be a security risk but “just” a nuisance because you would have to create a new set of keys and explain your friends and colleagues what happened to the old one. After confirming this step with your keybase passphrase, you are finished! Well, almost.
Writing and receiving encrypted emails
Now, we can encrypt all of our email conversations. If you start a new message, you will see some new buttons above the “From: email@example.com” field. These are the options of Enigmail:
To make the red message on the right side go away, you can click on the lock. This turns the encryption for the email your are currently writing on. However, this only makes sense if you have imported the public key of the person you are writing to.
Next to that field is a pencil symbol. If you enable this, your message will be signed with your private key, which signals the recipient that you wrote and encrypted this email yourself.
We recommend you attach your own public key, so the recipient can reply to you encrypted. If the recipient in return attaches their public key, you can import that using a simple button in Thunderbird and the conversation between the two of you is completely encrypted! Hooray!
No absolute encryption, but close
Some things cannot be encrypted: the email subject and the email addresses of the participating persons. So other people could still infer from your email logs with whom and when you wrote. Also, you should avoid making the subject too detailed. Nonetheless, the content of your message is safe from whoever wants to sniff through your stuff.
If you could not follow some steps or are stuck at a certain point, don’t hesitate to contact me via Twitter or email. This guide is not meant to be a complete round-up of every possible way of email encryption, there are more ways and further details to consider. Nonetheless, we believe that this will get you started and ready to communicate encryptedly.
If you have set everything up successfully, we would be happy to chat with you through encrypted emails! The public keys of most of us are on keybase.io. Just type in “journocode” and you should find the profiles of our members, or visit www.journocode.com/about.
Mozilla Thunderbird – this directs you to the English version. If you’d prefer Thunderbird in any other language, you can choose that below the ‘Free Download’ button.
OpenPGP-compatible software – Don’t get startled if sites like the one for gpg4win look kind of strange. The OpenPGP project is a reliable source, so I reckon these links are trustworthy.
Public key cryptography for non geeks – very good explanation of the mechanism
McAfee password security tips
Dictionary attack – Wikipedia
Email server configuration for TU Dortmund Unimail – PDF