Home > Apple > Keep Uncle Sam out of your inbox with our…

Keep Uncle Sam out of your inbox with our layman’s guide to email encryption

Last month, I wrote about my troubles with setting up PGP email encryption, despite my determination to do so. PGP is, as you may know, the best widely available encryption protocol. It’s also a giant pain in the ass. And virtually all the how-to guides I came across always left me hanging, at one step or another. So rather than just complain about it, I decided to try to help fix the problem … with another guide. (Hopefully one that doesn’t suck.)

Let me preface this by saying that encrypting your email may not actually do any good, if your goal is to avoid the watchful eye of the NSA. Yes, it will stop the spies from being able to read your email … for now. Unfortunately for you, encrypting reportedly makes you more of a target for the NSA, which apparently keeps all encrypted messages for five years, in the hopes that they can crack the code in the mean time.

Furthermore, unless you’re sending sensitive documents (like insurance papers or company secrets) or a journalist working with confidential sources, there’s really no need to encrypt your email. But really is the only way to keep anyone you don’t want – from the NSA to hackers to your mom – from reading your email conversations.

Without further blathering, here’s how to set up PGP encryption, in the absolute fastest, simplest way I can describe the process.

Note: Due to slight differences in the process, I have split some of the instructions into Mac- and Windows-specific sections. Make sure you’re reading the correct one for your operating system, or you’ll be completely confused.

Step 1: Download 

For Mac users:

The first thing you need to do is download some stuff. The software that creates your encryption keys (which I’ll explain in a moment) is called GPGMail. It’s free.

Note: Just to make things confusing, GPGMail is the name of the software you download, but it is actually just a part of the GPGSuite, which consists of GPGMail (the plugin for the Mail app) and GPG Keychain Access (the thing that creates your keys and associates your keys with particular email addresses.)

Lucky for us, the company that makes GPGMail, GPGTools, just released a new version that works with Apple’s Mail app for OS X.

As a side note, I’ll say that the new GPGMail website is a vast improvement over the version I encountered when I wrote the original editorial. Apparently the NSA spying stuff has put pushed the GPGTools team to make this stuff more user-friendly, which is awesome.

For Windows users:

The best free email encryption option for Windows users is Gpg4Win, which does the same thing as GPGMail mentioned above. You will also want to download the Thunderbird email client from Mozilla, and a Thunderbird plugin called Enigmail.

As you go through the installation process, Gpg4Win will show you a window with a number of checked boxes. You can uncheck “GpgOL,” as this one is the plugin for Outlook, not Thunderbird. Make sure GPA and GpgEX remain checked. You can also leave Claws-Mail unchecked.

Step 2: Create an email address

Your best bet is to set up and entirely new email address, which you’ll use only for sending and receiving your encrypted messages. This isn’t necessary, but it’s a good practice. Gmail, Outlook, Yahoo – all of those will work. Get one set up while your programs are downloading. 

(For the purposes of this tutorial, I’ll be using a Gmail address, just to keep things simple.)

Step 3: Setting up your keys

For Mac users:

This is perhaps the most important step of this whole shebang. See, PGP works by giving you a pair of (so-far) uncrackable “keys.” One key will be your “public” key; this you can share with anyone. The other key is your “private” key – never share this with anyone.

A person with you public key can send you an encrypted email, which can only be decrypted with your private key. In turn, you’ll use the public key of other people to encrypt your messages to them.

GPGMail will create these keys for you. Here’s how to do that:

  1. Click on GPG Keychain Access in your Applications folder.
  2. Click the “New” key icon in the top-left corner, and allow the program to access your contacts.
  3. Enter your name. Some people like to use pseudonyms for the PGP keys, some like to use their real names. The benefit of using your real name is that it will allow more people to find your public key, which you can store in a searchable directory. The choice is up to you.
  4. Create a passphrase. HEADS UP: You will use this passphrase to encrypt and decrypt your emails, so make it a good one. (Here’s a guide for how to make a good password.) I suggest a random assortment of words, with at least one number, symbol, and capital letter thrown in. For example: 37HorsebooKcLOWn#Rocket^J – that’s a pretty good password. Store your password off your computer, in a place where you won’t loose it. If you do lose it, you’ll have to start from scratch. (And starting from scratch means sending every person with whom you correspond through encrypted emails your new public key.)

You’ll need to enter your passphrase twice correctly. Once you’ve done that, your keys will be created. Congratulations – you have officially joined the Super Cool Encryption Club.

For Windows users:

Just as GPGTools for Mac names its different components 19 different things, so too does Gpg4Win – it’s all terribly confusing. The actual program you’ll now need to open is called Kleopatra. This is the software you’ll use to set up your key. Here’s how it works: 

  1. Open Kleopatra.
  2. Click File in the menu bar, and select “New Certificate.”
  3. Click the first option, “Create a personal OpenPGP key pair
  4. Enter your name and the email address you created earlier. (As mentioned above, using your real name can help people find your public key, but you might want to be more clandestine than that.) There’s a “Comment” field as well. Leave that blank (or don’t) because I have no idea what purpose it serves.
  5. Click Next.
  6. If all your info looks good, click Create Key.
  7. Enter a passphrase. As mentioned in #4 above, this passphrase is essential to this entire process. It must be high quality. Also, it’s best if you can simply remember it, rather than keeping it on your computer. Super-privacy freaks will tell you that even having your encryption password written down on a piece of paper can be risky. 
  8. Select Upload Certificate to Directory Service.

Step 4: Setting up Mail/Thunderbird

For Mail (Mac) users:

Before you can send out a secure email, you’ll need to add the address you created earlier to the Mail app. To do that, open Mail and click: Preferences > Accounts > “+” (near the bottom-left corner of the window) > enter in the name of the account (whatever you want to call it), email address, and password > Create.

If you decided to use Gmail, Yahoo, or Outlook, that’s all it takes. If you used some other email service, you might have some more information to enter before the account is added to Mail.

Side note: You’ll notice in the Mail preferences that GPGMail is now another menu option. You don’t have to mess anything in there, but that shows you the plugin installed properly.

For Thunderbird (Mac/Windows) users:

Mac users, if you’re happy with Apple’s Mail app, you can skip this part. If not, Mozilla makes Thunderbird for OS X as well as Windows, so read on if you’d prefer to go that route.

After installation, you’ll go through a couple of prompts, and eventually be asked to enter you email credentials to add that account to Thunderbird. Be sure to enter the email address you’ve created for sending and receiving encrypted messages – that’s the only one from which you’ll be able to do so. 

If you already use Thunderbird, you can add the new email address you created by clicking the Menu icon in the top-right corner > Options > Account Settings > Account Actions (bottom-left corner) > Add Mail Account > Enter email credentials.

Once you have Thunderbird set up, you’ll need to set up the Enigmail add-on. Here’s how to do that:

  1. Go to Thunderbird. Click the menu window button (it looks like three lines on top of each other) at the top-right corner.
  2. Click Add-Ons, and type in “Enigmail.”
  3. Click Install
  4. Restart Thunderbird
  5. Click the “Write” icon to open a new email message. You should see an “OpenPGP” button, with a small arrow next to it. You’ll be using that later.

Step 5: Setting up OpenPGP in Thunderbird

If you’re using Mail for Mac, you can skip along to the next step. Thunderbird users, this is how to set up Thunderbird with your encryption keys that you made using Kleopatra earlier. 

Here are the steps:

  1. Click the Menu icon.
  2. Click the arrow next to OpenPGP.
  3. Click Setup Wizard.
  4. Click the Next button on the popup window.
  5. Make sure “Yes, I want to sign all of my email” is selected, and click Next
  6. This page deals with adding the public keys of those with whom you communicate. Your best bet is to select “No, I will create per-recipient rules for those that sent me their public keys.” Click Next.
  7. Keep “Yes” selected, and click Next.
  8. On the next page, you should see your email account listed. This will allow OpenPGP to import your keys into Thunderbird. Select your account, and click Next.
  9. Click Next.
  10. 10. Click Finish.

Step 6: Send a test email

For Mac users:

  1. Click the “write new email” icon. If you have multiple email addresses connected to Mail, scroll down and select the email address associated with your keys. You’ll notice a green icon show up in the top-right corner that says “OpenPGP,” which is the name of the encryption software you’re using. (Brand name PGP is now owned by Symantec, but it’s all the same thing.)
  2. For this test, you’ll be sending your first encrypted email to yourself. (If you have the address and public key of someone else who uses PGP, you can send it to them, but considering that you’re reading this how-to, you probably haven’t gotten that far yet.)
  3. After entering the address, you’ll see two icons on the right side of the compose window, just above the message field. One looks like a lock, the other a kind of starburst-looking thing.
  4. Click the lock icon to encrypt the email. (The other icon signs your message with your public key, allowing recipients to easily have access to it, and send you decrypted emails.) Click the send icon (it looks like a paper plane). Enter in your GPGMail passphrase (the one you created earlier in the process). And boom – you just sent your first encrypted email.

Just to confuse you, GPGMail automatically decrypts any emails for which you have the public key. Since you’ve sent the email to yourself, you have the public key, and so the email you receive in Mail won’t look encrypted at all. If you want to confirm that the encryption actually worked, check your email through the Web portal (such as mail.google.com), and you’ll see that the message is completely garbled.

For Thunderbird users:

This is fairly simple, from this point forward:

  1. Click the Write button
  2. Enter in the same email address as the one you’re sending from. (This is just to make things simple. If you’ve already added other people’s public keys to your keychain, then you could try to send them an email too.) Enter a subject line if you like.
  3. Write something in the message field – anything at all.
  4. In the bottom-right corner, you will see two buttons: a pencil and a key. The pencil icon signs your emails with your public key, so others can added to their keychain and send you encrypted messages. The key icon encrypts your email. Click the key icon.
  5. Click Send.
  6. Enter in the passphrase you created in Kleopatra earlier, and click OK. The email has now been sent.

As mentioned above, the email you will receive won’t look all garbled, as it will have automatically been decrypted. The only time an encrypted email will look encrypted – meaning the message is just a bunch of meaningless text – is if you do not have a person’s public key saved in your keychain already. 

Step 7: Add other public keys to your chain

For Mac users:

The easiest way to do this is to open GPG Keychain Access, click “command + F” to pull up a search field, and enter the email address of the person with whom you want to send an encrypted message. 

You can also add any public key you receive through Mail (There will be a bright yellow message on any email you receive from an address with a public key attached, and you can add the key to your list from there.) Or you can download someone’s public key as a .asc file, and add it to your list by clicking the “Import” icon on the main window of GPG Keychain Access, selecting the .asc file, and importing it into your keychain.

For Thunderbird users:

To add the public key of someone with whom you haven’t yet corresponded, you’ll have to find their public key on the Web and download it as an .asc file. Save that file to a new folder made especially for public keys. Next, go into Thunderbird and click Menu icon > OpenPGP > Key Management > File > Import Keys from File > Select the keys file and the key you want to import > Open.

And that’s basically it. If you have questions, let us know in the comments and we’ll find you an answer.