Getting Started with Secure Email Using PGP Encryption

Anyone who deals with sensitive information should have a basic understanding of email encryption.

PGP is the standard, and it’s easy to use.

Consider the following question: What kind of damage would occur if your business’s internal emails were made public?

It was certainly embarrassing for Stratfor, a Texas based company offering geopolitical analysis. With government agencies and Fortune 100 companies for clients, Stratfor claimed its capabilities surpassed the CIA’s. In late 2011 Stratfor’s servers were hacked by Anonymous, which subsequently released over five million of the company’s emails to Wikileaks.

The CIA uses encryption for internal emails; Stratfor didn’t. Stratfor’s oversight not only made its clients vulnerable but was also a major embarrassment to an intelligence-security company that claimed governmental levels of capability, yet took no steps towards protecting its data.

A Digital Envelope

While Stratfor’s size and client list may have been appealing to hacktivists, it doesn’t take a high profile target to be vulnerable. Network security experts have long recognized that email isn’t ideal for privacy. The problem is that email is stored on multiple devices—the sender’s computer, the sender’s email server, the recipient’s email server, and the receiver’s computer—and is transmitted through various service providers and networks in plain text. Consider this useful analogy: unencrypted email is like a postcard, and encryption, like a digital envelope.

In essence, once a plain text email is sent, it’s out of the sender’s control—it can no longer be deleted with certainty because it likely exists as copies across various devices, and its contents are at the mercy of any person with access to the various networks through which it passes or is stored.

Consider this analogy: Unencrypted emails are like postcards; encryption, like a digital envelope.

The solution is simple: encrypt.

Granted, getting started with encryption can be intimidating. Case in point: columnist Glenn Greenwald almost lost the story of a lifetime when an anonymous correspondent insisted on communicating with PGP encryption. Greenwald didn’t know how to use PGP—in fact, he wasn’t entirely sure what it was.

The unknown emailer even made Greenwald a video tutorial on how to use PGP, but Greenwald still hesitated. For a busy journalist, even one who reports on national security, learning encryption software seemed like a waste of time. Finally, a filmmaker named Laura Poitras with experience covering Wikileaks reached out on the mysterious source’s behalf.

Only then did Greenwald learn exactly how explosive the story he’d almost ignored was. He went to Hong Kong to meet one Edward Snowden, who passed on thousands of confidential documents. The rest is history.

How PGP Works

Like Greenwald, many busy professionals (even those of us who don’t receive video tutorials from Edward Snowden) aren’t eager to take the time to learn to use PGP; but it really isn’t that complicated.

PGP is a form of public key cryptography, which essentially entails a set of keys—one private and one public. The public key allows someone to encrypt a message that can then only be decrypted by the person who has the private key.

Users of PGP share their public keys with people with whom they wish to correspond. PGP can render data unreadable by using any of several standard encryption ciphers, such as DES, Blowfish, and AES. But the default for Open PGP is AES 256—the same encryption algorithm used by the U.S. government for top secret data—in conjunction with RSA.

According to EE Times, it would take one billion billion years for a supercomputer to crack AES 128 (AES 256 is stronger) with brute force (using every combination of keys possible).

A Simple PGP Tutorial

The following tutorial illustrates how to use Open PGP software (which is free) with an email client. I use a Mac, so this tutorial will illustrate the Mac version of Open PGP, which is GPGTools, in conjunction with Mac’s Mail.

Step One

Download and install PGP software.

 

Step Two

After installation, find and open your PGP key ring (called GPG Keychain Access with Mac GPGTools).

Step Three

Generate a new key pair for your email address. Begin by clicking “new” in the upper left hand corner of the application.

You’ll need to give the key pair a name as well as provide the email address that will be used with the key pair. (Note: There are advanced options available when generating a new key pair, but we won’t discuss those options with this tutorial.)

Before PGP Keychain generates your key pair, you’ll have to assign a passphrase. You’ll use this every time you sign an email or decrypt a message.

Step Four

Access your public key and share it with the people you’ll be communicating with.

Method 1: The easiest way to share public keys is to upload them to the Open PGP key server. To do this, you simply highlight your key in the keychain and then select “key” from the menu at the top of the keychain application. You’ll then scroll down to “send public key to keyserver.” After which you can send colleagues your key’s “id” or “short id.”

To find your key’s id simply double click on it in keychain. You can also use the option “retrieve key from name server,” which is under “keys” in the menu, to import a colleague’s public key if you have their key’s id or short id.

Note: by uploading a public key to the name server, you’re making your public key truly public; anybody can look it up by your email address.

Method 2: This is the private way of sharing public keys. Begin by right clicking your key in the PGP Keychain Access and then click export. This will generate a Public PGP file with the file extension .asc. Be sure that “secret key export” is unchecked. You only want to export your public key and you never want to share your private key. You can name your file and then export it to save wherever it is convenient.

You can now share this file with the people you wish to cryptographically communicate with.

Step Five 

Swap public keys with colleagues and import their keys into your PGP keychain. If they have uploaded their keys to the keyserver, you can use the method described in step four (method 1) to import their keys to your keychain.

If they have provided you an .asc or text file, then use the import option in the upper left hand corner of the PGP keychain application. If they sent you their public key as plaintext within the body of an email, copy and paste it to a text editing program, save as plain text, and then import to your keychain.

(For your enjoyment—here’s what a public key looks like in plain text:)

—–BEGIN PGP PUBLIC KEY BLOCK—–

Version: GnuPG/MacGPG2 v2.0.22 (Darwin)

Comment: GPGTools – https://gpgtools.org

 

mQENBFLgUi8BCAD05xMtvYEz+R0ka03SHEsXXhZNdwGwIenTudYEAIGEdQzSzFDc

8jfO+r7BWDtdIN2zAMyBgRE722kotnNc2N22+jUHXOFgRjwBVmWPbso+9DHQwe+1

H5efRKnwerBDcwVXGsQyEp9I4jrKwdFhtBb62ivDoe5Bh7G34k7RBp1tLuOh9GWp

e0AV2sV3aIemL+BFz7NHU6+3gHFEedVghbtpRsPdPkCGfsyAjitZdiDnUh3VbYMU

fHPEpteXtnh7KxjIIvHZO8MbF1QUGV3hR0W+hio85gFjPYfR5p4ejKQE5FEEKOkf

fb5FPgk7oE8Mq29lc45brO/HP+pxKyS2xKLbABEBAAG0LEtldmluIEdvb2RtYW4g

PGtldmluLmdvb2RtYW4uaGVyZUBnbWFpbC5jb20+iQE3BBMBCgAhBQJS4FIvAhsD

BQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEJsoDLBhpTF6AqAH/1XaGXeI6EVm

M/roLorMRBCs78m/kGkVhx8Xrlky9SCNpWqmNyccYEyzKpTxiYnMr72M7wFbrpiV

Uv8CqBa/0nbQx+pRBXLVJsCT7ykiC5PAYV3rskR5L4EJXQEXma4scmF7Y5MofaxQ

ChHxsKv2V/+WmaHlzKkDMHRmCk+1NsK5FAFzav7F+3lEmNFmI5vqqXcuAlY8B431

wOzS9ktrzXVkHkNU/g6Tqamb9ojIgIVJQR8k5qSErpoMqS0jqDj4I4M/lwBGqJdO

hD2h3hNFv8+wqTacc8jI5VlpGnxeR+7rKd4KQm5A8FXgfGI4IRpvNpL3PjGJ7zCJ

I+8K3ETcxYm5AQ0EUuBSLwEIAKuSNH3ZVxIsFo0S8z/upM6NJshZ3z1zgnwJnyhR

psjSJZ4GKIRLL6zZQdp+SO/jH/BkjEpvK0/XTSrXruG5E6uYBDxgo5BC+LRptRC4

3EM9Fbx69zEte9Nu+ExACqN70Wj//cLhwxia2MtHC5uXhsWhuus5uK3MCHAw2GdZ

eQwaQXEVgPMq3hlZKQSpbVj4MiRz5NlHV6c3NZw+RdUNZJmN/SFXnjgYOcqK6JZC

vXMKT9D/Qz89O3D4OOTkvLdzO+StZuEhdPFTf0ifkdPqNqdDSM7NzjD6BbDsU2g1

IZ9S0TO0sOBXy65F2ahlm5GImCcG/DCytixL7AAdJDjmafcAEQEAAYkBHwQYAQoA

CQUCUuBSLwIbDAAKCRCbKAywYaUxenSPCADijfhRUkUJYuyqDpL/tUpLbPl1Qo+Z

kuT8b5ObQ6cSpG4PD0EGCelpv6GQVpVVZOCyxCrPI2rblJ56A/s5+dSCRZv1LkMB

FV20kjrqFHaBv/9Rcc2VxiiwWeiMy8WV9O7PWn1fedjuAzJmwcY5lEVrEx5DFg7c

iE6iHF+jW0/Q1RuhapWyg0EnFy4Wh2x3SHm1GfkZz0X5KPn1A8hNv1Lby5K+tOnG

yJvKGFOulKxwmn+e4oMNxzzVhIJACiEayEPc7t8ArbCS0CP6ZJNsVVD8H6sj//Kc

Eqb859BbEr/dYRjGkV5NCmD1ziqa3/l3g+eVhIZnZ0UQy3S/q3VMTzoD

=qbAu

—–END PGP PUBLIC KEY BLOCK—–

 

Step Six

Send encrypted email. GPGTools seamlessly integrates with Mac’s Mail application. (The Windows version integrates with Outlook, and there is an extension available for Mozilla’s Thunderbird.)

To encrypt an email, simply click on the padlock icon. In Mac’s Mail application, this is directly above the text box on the upper right hand corner. The padlock appears unlocked if the message is unencrypted and locked if the message is encrypted.

 

This is what the padlock icon looks like when the message is encrypted:

Note: The above picture also shows that the message is signed. To sign a message, simply click on the starburst icon to the right of the padlock. You’ll be prompted for your passphrase. After successfully entering the passphrase, the starburst icon will show a check mark at its center to indicate that the email is signed.

Signing an email allows anyone with your public key to validate that you sent the message. If you receive a signed message, it will say so under the email’s subject title.

If you receive an encrypted message, you’ll be prompted for your PGP private key passphrase. Anyone who intercepts the message will see seemingly nonsense data, assuming they don’t have your private key.

While it may seem daunting to get started with PGP, it’s as a simple as clicking a button once you’ve generated a key pair for your email address and imported the public keys of people you’ll be corresponding with into your PGP keychain.

A Word of Caution

PGP is only good if your private key is protected. Anybody with access to your private key could decrypt messages. For this reason, it’s necessary to take measures to protect your PGP private keys and the devices on which they are stored. Strong passwords, full disk encryption, firewall, and VPN services (when using public Wi-Fi) all help to serve that purpose.

 

Sources:

“Wikileaks Goes Inside Corporate America’s Wannabe CIA,” by Adam Weinstein. (Mother Jones, Feb. 27, 2012)

“Snowden and Greenwald: The Men Who Leaked the Secrets,” by Janet Reitman. (Rolling Stone, Dec. 4, 2013)

“How Secure is AES Against Brute Force Attacks?“ by Mohit Arora. (EETimes, May 7, 2012)