Securing Your Personal Electronic Messages

Background

Everyone knows the problem. Certain U.S. government agencies seem to believe that the Internet is their own private property. They monitor and record whatever goes on there: World Wide Web traffic, email, and any other traffic. If you don't want them reading your private email, you must be proactive about it.

The solution is to encrypt emails. The most common encryption method involves something called public key encryption. This means that if you wish to send an encrypted email to someone, you obtain their public key and use that to do the encryption. They can then use their private key to decrypt the message so it can be read. A cryptographic digital signature can also be provided for the message, so the receiver can verify the message is really from you. You can obtain someone's public key either directly from the person or from a public key server.

If the message requires a reply, the receiver can obtain your public key and encrypt the reply with it. You can then decrypt the reply with your private key.

The program that does all this encryption and decryption is called GnuPG (GNU Privacy Guard). It is an OpenPGP-compliant command-line program that does all the encryption and decryption work. This means that it can also work with messages sent by the original PGP (Pretty Good Privacy) email encryption program developed by Phil Zimmermann. Since GnuPG is command-line only, several front ends have been developed to provide it with a graphical user interface. These front ends are limited to use with actual email clients. If you primarily use web-based email, such as Gmail, Yahoo or Hotmail, you are out of luck. There doesn't appear to be any comparable system for web mail.

We will be discussing the use of one of these front ends called Enigmail. It is designed to be used with the Thunderbird and SeaMonkey email clients. It works with all operating systems supported by the email clients and GnuPG.

Enigmail Installation

Before we attempt to install Enigmail, we have to determine if GnuPG is present on your Linux box. This is fairly easy to do. Open up a terminal and type

gpg --version

If GnuPG is installed on your computer, you should see something like this:

gpg (GnuPG) 1.4.11
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

If it tells you that you have version 1.4 or higher, you are good to go. If it is an older version or is not installed, you will have to install GnuPG before installing Enigmail.

You must perform the following steps to install the Enigmail plug-in into Thunderbird.

  1. Search the web for "Enigmail download", then download the .XPI file.
  2. Start Thunderbird. Check your email accounts and decide which one you wish to use for encrypted email.
  3. Select the Tools | Add-ons menu item from the Thunderbird menu.
  4. There is a button next to the Search box that will pull down a menu. Select Install Add-on From File. Select the Enigmail .XPI file from where you saved it. When the Software Installation dialog appears, click on Install Now.
  5. Restart Thunderbird to enable Enigmail.

Enigmail Setup

  1. Once Thunderbird is restarted, you will see an OpenPGP menu item. Click on that item, then click on Setup Wizard.
  2. Choose the email address(es) that will be using encryption.
  3. Choose whether or not you wish to sign all outgoing emails. I chose not to do that.
  4. Choose whether or not all your outgoing emails will be encrypted. I chose not to do that.
  5. Allow Enigmail to make a few changes to your email account(s) to ensure there are no problems with signing and encrypting email.
  6. Create a new key pair for signing and encrypting email. The OpenPGP Key Management dialog will appear. Select Generate | New Key Pair.
  7. Enigmail will have you fill out the Generate OpenPGP Key dialog. It will ask you for a passphrase. This is like a password for encrypting and decrypting emails. The longer it is, the more secure it is, but keep in mind that you will have to type it each time an email is encrypted or decrypted. IMPORTANT: If you forget your passphrase, you are in big trouble, as there is no way to recover it. Write it down and put it in a secure location if you are afraid of forgetting it.
  8. When you finish creating your new key pair, you will have a chance to create a revocation certificate. This is a handy thing to have if you ever need to revoke the key pair.
  9. The easiest way to share your public key is to publish it on a public keyserver network. In the OpenPGP Key Management dialog, enter your email address in the search box. When your key entry appears, write down the ID, as you will need it. Highlight the key line in the dialog.
  10. Select Keyserver | Upload Public Keys. Use the default key server to upload the key information. This will not upload your private key.

Using Enigmail

Using a Signature

A digital signature is a way to certify that a particular email has actually come directly from you. It also time-stamps the email. If the email is modified in any way after it leaves you, the signature verification will fail.

A signature is created using your private key. The signature is then verified using your public key, so the recipient can verify the message actually came from you.

To use your signature, find a person that you know that also uses GnuPG. Compose a message to them, then select the OpenPGP | Sign Message to have Enigmail include your digital signature. When you click the Send button, the signature will be added to the email.

If you don't currently know anyone that can verify an email with a signature, try using Adele, the Friendly OpenPGP Email Robot, whose email address is adele-en@gnupp.de.

IMPORTANT NOTE: Enigmail does not work very well with HTML email, so use plain text to compose your emails.

Encrypting Email

In order to send an encrypted email to someone, they need to have a public key that you can use to encrypt the email. Their public key needs to be available to you, so it should be on a public keyserver.

To find someone's public key, open the Key Manager. In that dialog, click on Keyserver | Search for keys. Enter the person's key ID in the search box. It should start with '0x' because the ID is hexadecimal (for example, 0x26998C26). When you click on OK, Enigmail will search the keyserver for the key you need. If it is found, it will be added to your local copy of keys.

Once you have your correspondent's public key, you are all set to send an encrypted email. Write the email as you normally would, entering their email address, the email subject and the text body. Before sending the email, click on the OpenPGP menu item and select “Encrypt”. Once that is done, click “Send”.

If the email address you entered is the same address that is in your local key list, the email will be sent. If there is a problem matching, you will be asked to manually select a key from your list.
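The signing, verifying, encrypting and decrypting that Enigmail performs from its menus, and the key pair and key ID from the setup steps, can be reproduced directly with GnuPG. This is an added example, not code from the article or from the Enigmail project; it assumes GnuPG 2.1 or later, runs in a throwaway keyring so your real ~/.gnupg is untouched, and uses a constructed name, address, passphrase and message.

```shell
#!/bin/sh
# Added example, not code from the article: the GnuPG operations that Enigmail
# drives from its menus, run unattended in a throwaway keyring so ~/.gnupg is
# never touched. Assumes GnuPG 2.1+; the name, address and message are constructed.
set -u
command -v gpg >/dev/null 2>&1 || { echo "GnuPG not installed; install it first"; exit 0; }

export GNUPGHOME="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
ME='sender@example.com'
PASSPHRASE='correct horse battery staple'   # demo value; pick your own and keep it safe

# Setup steps 6-7: an RSA signing key with an RSA encryption subkey,
# protected by the passphrase (the GUI wizard asks for the same fields).
gpg --batch --quiet --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Demo Sender
Name-Email: $ME
Expire-Date: 0
Passphrase: $PASSPHRASE
%commit
EOF

# The passphrase unlocks the private key, which only signing and decrypting need.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASSPHRASE" "$@"; }

# Setup step 9: the 0x-prefixed long key ID you write down and search keyservers for.
key_id() { gpg --batch --with-colons --list-keys "$ME" | awk -F: '$1=="pub"{print "0x"$5; exit}'; }

sign_message()    { g --armor --clearsign --local-user "$ME" < "$1"; }   # OpenPGP | Sign Message
verify_message()  { g --verify "$1" 2>/dev/null; }                       # exit 0 only if intact
encrypt_message() { g --armor --encrypt --recipient "$2" < "$1"; }      # OpenPGP | Encrypt
decrypt_message() { g --decrypt "$1" 2>/dev/null; }

MSG="$GNUPGHOME/msg.txt"; SIGNED="$GNUPGHOME/msg.asc"
TAMPERED="$GNUPGHOME/tampered.asc"; CIPHER="$GNUPGHOME/msg.gpg"
printf 'Hi Adele,\nPlease confirm the 10:00 meeting.\n' > "$MSG"   # constructed message
sign_message "$MSG" > "$SIGNED"
sed 's/10:00/11:00/' "$SIGNED" > "$TAMPERED"   # one character changed in transit
encrypt_message "$MSG" "$ME" > "$CIPHER"      # a keyserver-fetched key would also need --trust-model always

echo "key ID: $(key_id)"
verify_message "$SIGNED"   && echo "original: good signature"
verify_message "$TAMPERED" || echo "tampered: signature verification fails"
decrypt_message "$CIPHER" | diff - "$MSG" && echo "decrypted text matches the original"
```

The tampered copy shows the point made under "Using a Signature": changing a single character of the signed text makes verification fail, while the untouched copy verifies and the encrypted copy decrypts back to the original message.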