Anyone who deals with sensitive information should have a basic understanding of email encryption.
PGP is the standard, and it’s easy to use.
Consider the following question: What kind of damage would occur if your business’s internal emails were made public?
It was certainly embarrassing for Stratfor, a Texas-based company offering geopolitical analysis. With government agencies and Fortune 100 companies for clients, Stratfor claimed its capabilities surpassed the CIA’s. In late 2011 Stratfor’s servers were hacked by Anonymous, which subsequently released over five million of the company’s emails to Wikileaks.
The CIA uses encryption for internal emails; Stratfor didn’t. Stratfor’s oversight not only made its clients vulnerable but was also a major embarrassment to an intelligence-security company that claimed governmental levels of capability, yet took no steps towards protecting its data.
A Digital Envelope
While Stratfor’s size and client list may have been appealing to hacktivists, it doesn’t take a high profile target to be vulnerable. Network security experts have long recognized that email isn’t ideal for privacy. The problem is that email is stored on multiple devices—the sender’s computer, the sender’s email server, the recipient’s email server, and the receiver’s computer—and is transmitted through various service providers and networks in plain text. Consider this useful analogy: unencrypted email is like a postcard, and encryption, like a digital envelope.
In essence, once a plain text email is sent, it’s out of the sender’s control—it can no longer be deleted with certainty because it likely exists as copies across various devices, and its contents are at the mercy of any person with access to the various networks through which it passes or is stored.
The solution is simple: encrypt.
Granted, getting started with encryption can be intimidating. Case in point: columnist Glenn Greenwald almost lost the story of a lifetime when an anonymous correspondent insisted on communicating with PGP encryption. Greenwald didn’t know how to use PGP—in fact, he wasn’t entirely sure what it was.
The unknown emailer even made Greenwald a video tutorial on how to use PGP, but Greenwald still hesitated. For a busy journalist, even one who reports on national security, learning encryption software seemed like a waste of time. Finally, a filmmaker named Laura Poitras with experience covering Wikileaks reached out on the mysterious source’s behalf.
Only then did Greenwald learn exactly how explosive the story he’d almost ignored was. He went to Hong Kong to meet one Edward Snowden, who passed on thousands of confidential documents. The rest is history.
How PGP Works
Like Greenwald, many busy professionals (even those of us who don’t receive video tutorials from Edward Snowden) aren’t eager to take the time to learn to use PGP; but it really isn’t that complicated.
PGP is a form of public key cryptography, which relies on a pair of keys: one private and one public. The public key allows anyone to encrypt a message that can then only be decrypted by the person who holds the matching private key.
Users of PGP share their public keys with the people they wish to correspond with. PGP can render data unreadable using any of several standard encryption ciphers, such as DES, Blowfish, and AES. The default for OpenPGP, however, is AES-256 (the same encryption algorithm the U.S. government uses for top secret data) in conjunction with RSA: the message body is encrypted with AES, and RSA is used to deliver the AES key to the recipient.
According to EE Times, it would take one billion billion years for a supercomputer to crack AES-128 (AES-256 is stronger) by brute force, that is, by trying every possible key.
A Simple PGP Tutorial
The following tutorial illustrates how to use OpenPGP software (which is free) with an email client. I use a Mac, so this tutorial will illustrate the Mac version of OpenPGP, which is GPGTools, in conjunction with Mac’s Mail.
Download and install PGP software.
After installation, find and open your PGP key ring (called GPG Keychain Access with Mac GPGTools).
Generate a new key pair for your email address. Begin by clicking “new” in the upper left-hand corner of the application.
You’ll need to give the key pair a name as well as provide the email address that will be used with the key pair. (Note: There are advanced options available when generating a new key pair, but we won’t discuss those options in this tutorial.)
Before PGP Keychain generates your key pair, you’ll have to assign a passphrase. You’ll use this every time you sign an email or decrypt a message.
Access your public key and share it with the people you’ll be communicating with.
Method 1: The easiest way to share public keys is to upload them to the OpenPGP key server. To do this, you simply highlight your key in the keychain and then select “key” from the menu at the top of the keychain application. You’ll then scroll down to “send public key to keyserver.” After that, you can send colleagues your key’s “id” or “short id.”
To find your key’s id, simply double-click on it in keychain. You can also use the option “retrieve key from name server,” which is under “keys” in the menu, to import a colleague’s public key if you have their key’s id or short id.
Note: by uploading a public key to the key server, you’re making your public key truly public; anybody can look it up by your email address.
Method 2: This is the private way of sharing public keys. Begin by right-clicking your key in GPG Keychain Access and then click export. This will generate a public PGP file with the file extension .asc. Be sure that “secret key export” is unchecked. You only want to export your public key, and you never want to share your private key. You can name your file and then export it to save wherever it is convenient.
You can now share this file with the people you wish to cryptographically communicate with.
Swap public keys with colleagues and import their keys into your PGP keychain. If they have uploaded their keys to the keyserver, you can use the key server method described above (Method 1) to import their keys into your keychain.
If they have provided you an .asc or text file, then use the import option in the upper left-hand corner of the PGP keychain application. If they sent you their public key as plaintext within the body of an email, copy and paste it into a text editing program, save as plain text, and then import it into your keychain.
(For your enjoyment—here’s what a public key looks like in plain text:)
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
-----END PGP PUBLIC KEY BLOCK-----
Send encrypted email. GPGTools seamlessly integrates with Mac’s Mail application. (The Windows version integrates with Outlook, and there is an extension available for Mozilla’s Thunderbird.)
To encrypt an email, simply click on the padlock icon. In Mac’s Mail application, this is directly above the text box in the upper right-hand corner. The padlock appears unlocked if the message is unencrypted and locked if the message is encrypted.
This is what the padlock icon looks like when the message is encrypted:
Note: The above picture also shows that the message is signed. To sign a message, simply click on the starburst icon to the right of the padlock. You’ll be prompted for your passphrase. After successfully entering the passphrase, the starburst icon will show a check mark at its center to indicate that the email is signed.
Signing an email allows anyone with your public key to verify that you sent the message and that it was not altered in transit. If you receive a signed message, it will say so under the email’s subject line.
If you receive an encrypted message, you’ll be prompted for your PGP private key passphrase. Anyone who intercepts the message will see seemingly nonsense data, assuming they don’t have your private key.
While it may seem daunting to get started with PGP, it’s as simple as clicking a button once you’ve generated a key pair for your email address and imported the public keys of the people you’ll be corresponding with into your PGP keychain.
A Word of Caution
PGP is only as good as the protection of your private key. Anybody with access to your private key (and its passphrase) could decrypt your messages and sign messages in your name. For this reason, it’s necessary to take measures to protect your PGP private keys and the devices on which they are stored. Strong passphrases, full disk encryption, a firewall, and VPN services (when using public Wi-Fi) all help to serve that purpose.
“Wikileaks Goes Inside Corporate America’s Wannabe CIA,” by Adam Weinstein. (Mother Jones, Feb. 27, 2012)
“Snowden and Greenwald: The Men Who Leaked the Secrets,” by Janet Reitman. (Rolling Stone, Dec. 4, 2013)
“How Secure is AES Against Brute Force Attacks?” by Mohit Arora. (EE Times, May 7, 2012)
About the author:
Kevin Goodman is a freelance researcher and writer. He has a master’s degree from Skidmore College with a focus in cognition, culture, and communication. He also has a graduate certificate in criminology from the University of Massachusetts, Lowell.
His primary academic interest is the psychology of belief and its interrelationship with deception. Kevin enjoys making wine, being outdoors and exploring whatever he finds curious. He lives near Bloomington, Indiana, with his wife and two daughters.