
Introduction to E-Mail Encryption

Why encrypt your mails?

If you are on vacation you might send a picture postcard to a friend or family member with a quick "wish you were here" sort of message. But, if you are writing a personal letter to that same friend or family member you would be more inclined to seal it in an envelope.

If you are mailing a check to pay a bill, or perhaps a letter telling a friend or family member that the extra key to your house is hidden under the large rock to the left of the back porch, you might use a security envelope with hatched lines to hide the contents even better. The post office offers a number of other means of tracking messages: sending the letter certified, asking for a return receipt, insuring the contents of a package, etc.

Why then would you send personal or confidential information in an unprotected email? Sending information like the location of your extra house key under the large rock to the left of the back porch in an unencrypted email is the equivalent of writing it on a postcard for all to see.

Encrypting your email will keep all but the most dedicated attackers from reading your private communications, even if they manage to intercept them.

How does it work?

The way PGP (Pretty Good Privacy, the standard we are going to use) works is that you have a public key and a private key (this sort of encryption is also known as Public Key Infrastructure or PKI). You, and only you, will have and use your private key. Your public key is handed out to anyone you choose or even made publicly available.

Keys

If someone wants to send you a message that is meant only for you to see, they would encrypt it using your public key. Your private key is required to decrypt such a message, so even if someone intercepted the email it would be useless gibberish to them.

It is important to note that you should encrypt all of your messages, not just the confidential or sensitive ones. If you only encrypt a single email message because it contains your credit card information, an attacker who is intercepting your email traffic will see that 99% of your email is unencrypted plaintext and one message is encrypted. That is like attaching a bright red neon sign that says "Hack Me" to the message.

If you encrypt all of your messages it would be a much more daunting task for even a dedicated attacker to sift through. After investing the time and effort into decrypting 50 messages that just say "Happy Birthday" or "Do you want to golf this weekend?" or "Yes, I agree" the attacker will most likely not waste any more time on your email.

How do I get started?

Step 1: Install the GPGTools GPG Suite for OS X

Visit the GPGTools website and download the GPG Suite for OS X. Once downloaded, mount the DMG and click on "Install". Inside the installer, you can stick with all default parameters, except for the "Installation Type". On the "Installation Type" screen, press "Customize" and uncheck the GPGMail package.

Step 2: Creating your very own PGP key

When the installer completes, a new app called "GPG Keychain Access" will launch. A small window will pop up and say: "GPG Keychain Access would like to access your contacts." Press "OK." As soon as you press "OK," a second window will pop up that says "Generate a new key pair." Type in your name and your email address. Also, check the box that says "Upload public key after generation." Expand the "Advanced options" section. Increase the key length to 4096, reduce the "Expiration date" to 1 year from today. Press "Generate key." As soon as you press "Generate key," the "Enter passphrase" window will pop up.

A brief word about your passphrase

Your passphrase is what protects your private key, so the entire scheme rests on it. First and foremost, don't use a passphrase that other people know! Pick something only you will know and others can't guess, and once you have selected a passphrase, don't give it to other people.
Second, do not use a password, but rather a passphrase -- a sentence. For example, "Pennstate55" is less preferable than "I graduated from Penn State in 1955, ya heard?!" The longer your passphrase, the better. Lastly, make sure your passphrase is something you can remember. Since it is long, there is a tendency you might forget it. Don't. The consequences of that will be dire: without the passphrase, nobody, you included, can decrypt anything that was encrypted to your key. Make sure you can remember your passphrase.

Back to Step 2

Once you decide on your passphrase, type it in the "Enter passphrase" window. Turn on the "Show typing" option, so you can be 100% sure that you've typed in your passphrase without any spelling errors. When everything looks good, press "OK". You will be asked to reenter the passphrase. Do it, and press "OK". You will then see a message saying, "We need to generate a lot of random bytes..." Wait for it to complete. Et voilà, your PGP key pair is ready to use!

Step 3: Set PGP keyboard shortcuts

Next, you will set up four global keyboard shortcuts in OS X.
Open System Preferences, select the "Keyboard" pane, and go to the "Shortcuts" tab. On the left-hand side, select "Services." Then, on the right, scroll down to the subsection "Text" and look for a bunch of entries that start with "OpenPGP:". Go through each OpenPGP entry, unchecking each one and deleting its keyboard shortcut.

Next, you will enable and set four shortcuts:

  • Enable "OpenPGP: Decrypt" and set its shortcut to ⌃⌥⌘- (i.e., control option command minus)
  • Enable "OpenPGP: Encrypt" and set its shortcut to ⌃⌥⌘= (i.e., control option command equals)
  • Enable "OpenPGP: Sign" and set its shortcut to ⌃⌥⌘[ (i.e., control option command open bracket)
  • Enable "OpenPGP: Verify" and set its shortcut to ⌃⌥⌘] (i.e., control option command close bracket)

That's it! You're done setting up OpenPGP on OS X!

Step 4: Send and receive secure e-mails

Send

Start off by writing your email, then open the GPG Keychain Access app. Press Command-F and type in the email address of the person you are sending your message to. This will search the public key server (a directory of PGP keys) for your friend's PGP key. (If your friend has more than one key, select his most recent one.) You will receive a confirmation that your friend's key was successfully downloaded. You can press "Close". You will now see your friend's public key in your keychain, and you can quit GPG Keychain Access and return to writing the email. (You will only need to download your friend's public key once. After that, it will always be available in your keychain until the key expires.) Since you ticked "Upload public key after generation." in Step 2, your public key is now available to your friends in the same way!
Select the entire body of the email and press ⌃⌥⌘= to encrypt it. A window will pop up, asking you who the recipient is. Select the friend's public key you just downloaded, and press "OK". Your entire message is now encrypted! You can press "Send" safely.

Receive

When you receive your encrypted answer, copy the entire body, from, and including, -----BEGIN PGP MESSAGE----- to, and including, -----END PGP MESSAGE-----. Open your favorite text editor and paste it. Now select the entire text and press ⌃⌥⌘- to decrypt the message. You will immediately be prompted for your PGP passphrase. Type it in and press "OK". You will now see the decrypted message!

pgp.asc

pgp.asc is an initiative to decentralize public PGP keys. Even though uploading your keys to a key server is a good idea, it doesn't provide 100% authenticity, and you cannot delete old or invalid keys from it. By uploading your public PGP key in a pgp.asc file to the root of your server, it is easily found by going to http://yoururl.com/pgp.asc. This guarantees authenticity, since only you have access to your server, as well as freshness, because you can always overwrite the old key with a new one.

Step 1: Install Windows Privacy Tray (WinPT)

Visit the WinPT website and download the latest binary version. Run the installer by double-clicking the .exe file and leave everything at its default, unless you use a mail client. WinPT comes with plugins for several popular mail clients (e.g. Outlook), and you can install those by selecting them on the "Choose Components" screen.

Step 2: Creating your very own PGP key

When you've finished installing WinPT, the program should start automatically. A warning will appear that it couldn't find any keyrings. Click "Continue", then select "Have WinPT generate a new key pair." Type in your name and your email address. Increase the key length to 4096 and reduce the "Expiration date" to 1 year from today. You will then have to enter your passphrase.

A brief word about your passphrase

Your passphrase is what protects your private key, so the entire scheme rests on it. First and foremost, don't use a passphrase that other people know! Pick something only you will know and others can't guess, and once you have selected a passphrase, don't give it to other people.
Second, do not use a password, but rather a passphrase -- a sentence. For example, "Pennstate55" is less preferable than "I graduated from Penn State in 1955, ya heard?!" The longer your passphrase, the better. Lastly, make sure your passphrase is something you can remember. Since it is long, there is a tendency you might forget it. Don't. The consequences of that will be dire: without the passphrase, nobody, you included, can decrypt anything that was encrypted to your key. Make sure you can remember your passphrase.

Back to Step 2

Once you decide on your passphrase, press "Start" to generate your key pair. (This could take a while depending on your hardware.) Wait for it to complete. Et voilà, your PGP key pair is ready to use!

Step 3: Send and receive secure e-mails

Send

Start off by writing your email, then right-click the WinPT icon in the task bar, choose "Key Manager", and then the "Key Server" menu. Select a key server near you and search for the e-mail address of the friend you want to send the message to. Select the key that you want to add and click "Receive." (If your friend has more than one key, select his most recent one.) You will now see your friend's public key in your Key Manager, and you can return to writing the email. (You will only need to download your friend's public key once. After that, it will always be available in your Key Manager until the key expires.)
Select the entire body of the email and press SHIFT-CTRL-E ("E" like encrypt) to encrypt it. WinPT will prompt you to select the key of the person you want to send it to. Select the person and you are done, your email is now encrypted! You can press "Send" safely.

Receive

When you receive your encrypted answer, press SHIFT-CTRL-D ("D" like decrypt) to decrypt the message. Enter your passphrase when prompted, and assuming that it was encrypted with your public key, WinPT will use your private key to decrypt the e-mail. Congratulations, you just had your first encrypted conversation!


Step 1: Install GnuPG

Either visit the GnuPG website and download the latest version, or install gnupg via the command line. (E.g. for Debian-based systems the command would be apt-get install gnupg.)

Step 2: Creating your first key pair

Run gpg --gen-key and choose the "RSA and RSA" option (or simply press ENTER; it is the default). Set the key size to 4096, then set the validity to one year by entering 1y. Type in your name and your email address, and then you'll be asked for a passphrase.

A brief word about your passphrase

Your passphrase is what protects your private key, so the entire scheme rests on it. First and foremost, don't use a passphrase that other people know! Pick something only you will know and others can't guess, and once you have selected a passphrase, don't give it to other people.
Second, do not use a password, but rather a passphrase -- a sentence. For example, "Pennstate55" is less preferable than "I graduated from Penn State in 1955, ya heard?!" The longer your passphrase, the better. Lastly, make sure your passphrase is something you can remember. Since it is long, there is a tendency you might forget it. Don't. The consequences of that will be dire: without the passphrase, nobody, you included, can decrypt anything that was encrypted to your key. Make sure you can remember your passphrase.

Back to Step 2

Once you decide on your passphrase, type it in. You will then see a message saying, "We need to generate a lot of random bytes..." Wait for it to complete. Et voilà, your PGP key pair is ready to use!

Step 3: Send and receive secure e-mails

Send

Start off by writing your email, then go to a key server (like http://pgp.mit.edu) and search for your friend's e-mail address. Download his most recent public key and import it with gpg --import key.asc. You will now see your friend's public key listed under gpg --list-keys, and you can return to writing the email. (You will only need to download your friend's public key once. After that, it will always be available in your keyring until the key expires.)
Encrypt your mail by entering gpg --output mail.gpg --encrypt --recipient friend@hisurl.com mail. Your e-mail is now encrypted, and you can send it safely.

Receive

When you receive your encrypted answer, enter gpg --output mail --decrypt mail.gpg to decrypt the message. Enter your passphrase when prompted, and assuming that it was encrypted with your public key, GnuPG will use your private key to decrypt the e-mail. Congratulations, you just had your first encrypted conversation!
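The Linux steps above (generate a key pair, import a friend's public key, encrypt to him, decrypt with your own private key) together with the public/private key idea from the "Keys" section, run end to end as an added example. This is not code from the pgp.asc page or from GnuPG's own documentation. It assumes GnuPG 2.1 or later on the PATH and works in throwaway keyrings under a temporary directory; every name, address, passphrase and message in it is constructed for the demo. It goes two steps past the page: after the import it compares fingerprints, which is the check the "pgp.asc" section below argues for, and it shows that the message is unreadable to anyone without the recipient's private key, the sender included.

```shell
#!/bin/sh
# Added example, not from the pgp.asc page: GnuPG key generation, key
# exchange, encryption and decryption, run non-interactively between two
# throwaway keyrings. Alice writes to Bob. All identities are constructed.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demo" >&2; exit 0; }

WORK=$(mktemp -d)
ALICE="$WORK/alice"; BOB="$WORK/bob"        # one GNUPGHOME per person
mkdir -p "$ALICE" "$BOB"; chmod 700 "$ALICE" "$BOB"
ALICE_PASS='constructed passphrase for alice, long on purpose'
BOB_PASS='constructed passphrase for bob, also a whole sentence'

cleanup() {   # stop the per-keyring agents gpg started and drop the keyrings
    GNUPGHOME="$ALICE" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$BOB"   gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}
trap cleanup EXIT

# Unattended key generation with the same choices the page makes by hand:
# RSA, 4096 bits, one-year expiry. The parameter file is GnuPG's own
# "unattended key generation" format (see the gpg manual).
gen_key() {   # $1 GNUPGHOME  $2 name  $3 e-mail  $4 passphrase
    cat >"$1/params" <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 1y
Passphrase: $4
%commit
EOF
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --gen-key "$1/params"
    rm -f "$1/params"   # the passphrase was written to disk; remove it
}

# The primary-key fingerprint is what you compare to confirm that a key
# fetched from a key server (or a pgp.asc file) really belongs to a person.
fingerprint() {   # $1 GNUPGHOME  $2 e-mail  -> prints 40 hex characters
    GNUPGHOME="$1" gpg --batch --with-colons --fingerprint "$2" | awk -F: '/^fpr/ {print $10; exit}'
}

# Sender side (page: gpg --encrypt --recipient ...). --armor yields the
# text block starting -----BEGIN PGP MESSAGE----- that you paste into a mail.
encrypt_to() {   # $1 sender GNUPGHOME  $2 recipient e-mail  $3 plaintext  $4 output
    GNUPGHOME="$1" gpg --batch --yes --quiet --trust-model always --armor \
        --output "$4" --encrypt --recipient "$2" "$3"
}

# Recipient side (page: gpg --decrypt mail.gpg). Prints the plaintext, or
# fails when the keyring lacks the private key the message was encrypted to.
decrypt_with() {   # $1 recipient GNUPGHOME  $2 passphrase  $3 ciphertext
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase "$2" --decrypt "$3"
}

gen_key "$ALICE" "Alice Example" alice@example.com "$ALICE_PASS"
gen_key "$BOB"   "Bob Example"   bob@example.com   "$BOB_PASS"

# Bob publishes his public key (key server or pgp.asc); Alice imports it.
# Only the public half ever leaves Bob's machine.
GNUPGHOME="$BOB"   gpg --batch --armor --export bob@example.com >"$WORK/bob.asc"
GNUPGHOME="$ALICE" gpg --batch --quiet --import "$WORK/bob.asc"

# Authenticity check: the fingerprint Alice now holds must equal Bob's own.
[ "$(fingerprint "$ALICE" bob@example.com)" = "$(fingerprint "$BOB" bob@example.com)" ]

printf 'The spare key is under the large rock left of the back porch.\n' >"$WORK/mail.txt"
encrypt_to "$ALICE" bob@example.com "$WORK/mail.txt" "$WORK/mail.asc"
head -n 1 "$WORK/mail.asc"      # -----BEGIN PGP MESSAGE-----

DECRYPTED=$(decrypt_with "$BOB" "$BOB_PASS" "$WORK/mail.asc")
[ "$DECRYPTED" = "$(cat "$WORK/mail.txt")" ]

# Without Bob's private key the ciphertext is useless, even to its author.
if decrypt_with "$ALICE" "$ALICE_PASS" "$WORK/mail.asc" >/dev/null 2>&1; then
    echo "unexpected: ciphertext readable without the recipient's key" >&2; exit 1
fi
echo "round trip ok: $DECRYPTED"
```

--armor is the one departure from the page's gpg --output mail.gpg command: it produces the text block beginning -----BEGIN PGP MESSAGE----- that can be pasted straight into the body of a mail, whereas the page's command writes binary output better suited to an attachment. The --trust-model always flag only suppresses GnuPG's "no assurance this key belongs to the named user" prompt for the demo; the fingerprint comparison is the check that actually establishes that assurance.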

Uploading your key to public key servers

Copy your entire public key, from, and including, -----BEGIN PGP PUBLIC KEY BLOCK----- to, and including, -----END PGP PUBLIC KEY BLOCK-----. Open a key server of your choice (e.g. http://pgp.mit.edu) and simply paste your key into the designated form field. Congratulations, your key is now available to everybody!
