How to encrypt email with PGP (GnuPG) to protect and secure your online privacy. Over the last few weeks a lot has been said about government privacy infringement programs like the NSA’s Prism and the UK GCHQ’s Tempora. Did you know you can easily protect your privacy, your identity and your data transmissions with encryption?
For websites, you can visit only SSL/TLS-encrypted websites, use a VPN tunnel, an SSH tunnel with PuTTY (for example for RDP), or the Tor project and network. But your business communications like email need to be secured too! Why not encrypt your email?
For more privacy and security, it’s now more important than ever to encrypt email with PGP.
Several implementations and methods to encrypt your email exist. In this article we focus on Pretty Good Privacy, or PGP for short. PGP was first created by Phil Zimmermann in 1991; we use its open source implementation, GNU Privacy Guard (GnuPG), to encrypt email.
For Windows operating systems, there is a Gpg4win flavor available that we’ll be using in this article, and as a mail client we use Mozilla Thunderbird.
In this article, we won’t dive into the more advanced options of PGP. Options such as adding multiple email addresses to a key or a web/ring of trust are beyond the scope of this article.
Important to mention is that PGP uses public key cryptography, with asymmetrical keys. This means you have two keys: a public key and a private key.
This also means the other person with whom you want to exchange encrypted email needs to have this set up too. A public key is bound to a user or email address and is published to a key server, for others to download, hence the “public” part. Others use your public key to encrypt a message to you; only your private key can decrypt it. The private key needs to be… well, private! It represents you, your identity and your trustworthiness.
You can find more information about the inner workings of PGP on Wikipedia.
Assuming you already have an email address set up in your email client, we start with downloading GnuPG’s Gpg4win. Its website is Gpg4win.org. You can start the download of the current version 2.1.1, at the time of this writing (Released: 2013-05-31).
After downloading Gpg4win, just follow the installer; we skip the root certificate configuration.
If you use Office Outlook 2013 you also need the Outlook Privacy Plugin with Gpg4win. You can find more information about this plugin here. You can follow this great manual if you’re using Outlook 2010 or 2013.
Download the enigmail-1.5.1-sm+tb.xpi Thunderbird plugin and install it through the Add-ons Manager > Plugins > Install Add-on From File. Browse to your downloads, select the enigmail-1.5.1-sm+tb.xpi file and click Open. Wait three seconds, click Install Now and restart Thunderbird.
Next, we need to set up our private and public GPG keys.
The full version of Gpg4Win also includes Kleopatra: a certificate manager application. We use this program to set up our PGP identity and keys. You find this program in your start menu under Gpg4win.
Follow the next screen shots to set up your key pair with Kleopatra.
Our PGP key pair has now been created, as the next screen confirms. Now we want a back-up for safekeeping, so click Make a Backup Of Your Key Pair.
Once the back-up is created it’s time to upload our public key to a key server for others to find. Click Upload Certificate To Directory Service. You can safely ignore the warnings.
Our key is all set now!
Don’t forget your passphrase, you must remember this one!
Now that our PGP key pair is created, it’s time to let Mozilla Thunderbird (and Enigmail) know about it. We need to set up our OpenPGP identity.
The OpenPGP identity (key) was discovered automatically:
Before we send an email we need to find the public key of the recipient. This is done through a key server (or you might have received someone’s key on a thumb drive, or as a download .asc file).
As you can see, this key is valid for two accounts/email addresses.
Now everything is configured (that was easy, wasn’t it? ;)), you are ready to send your first encrypted email message. Just do what you normally do, but also choose the Encrypt Message option.
The email is sent encrypted:
Now the other end has received the email and needs to decrypt it. Upon opening the email you are prompted for your passphrase.
All we now need to do is import the sender’s public key to verify the signature.
… So why don’t you?
Because of government programs like Prism and Tempora it’s more important than ever to protect your online identity and to encrypt your email with PGP, as well as your other online communications. This article showed you how easy it is to set up a PGP key pair to encrypt email with PGP. For other online communications you can use Tor, a VPN or SSL/TLS.
Even if the other side is not using PGP/GnuPG, you can still sign (not encrypt) your emails to “prove” you were the sender.
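The whole round trip the screenshots walk through (key pair, public key exchange, encrypt and sign, decrypt and verify, and the sign-only case above), done with the gpg command line that Gpg4win and Kleopatra wrap. This is an added example, not code from the article; the names, addresses and message are constructed, and two separate GNUPGHOME directories stand in for the two parties’ machines.

```shell
#!/bin/sh
# Added example (not from the article): PGP round trip with plain gpg.
# Alice and Bob each get their own GNUPGHOME, as if on separate PCs.
# The empty passphrase is for an unattended demo only; a real private
# key must be passphrase-protected (see "Don't forget your passphrase").
set -e

# Run gpg unattended against one party's keyring.
g() { home=$1; shift
      GNUPGHOME="$home" gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

pgp_roundtrip() {
  work=$(mktemp -d); alice="$work/alice"; bob="$work/bob"
  mkdir -m 700 "$alice" "$bob"

  # 1. Each side creates its own key pair (what Kleopatra's wizard does).
  g "$alice" --quick-generate-key "Alice <alice@example.com>" default default never 2>/dev/null
  g "$bob"   --quick-generate-key "Bob <bob@example.com>"     default default never 2>/dev/null

  # 2. Exchange PUBLIC keys only: the .asc file a key server or thumb drive carries.
  g "$bob"   --armor --export bob@example.com   > "$work/bob.asc"
  g "$alice" --armor --export alice@example.com > "$work/alice.asc"
  g "$alice" --import "$work/bob.asc"   2>/dev/null   # Alice needs Bob's key to encrypt TO him
  g "$bob"   --import "$work/alice.asc" 2>/dev/null   # Bob needs Alice's key to verify her signature

  # 3. Alice encrypts to Bob's public key and signs with her own private key.
  printf 'Meet at noon.' | g "$alice" --trust-model always --armor \
      --sign --encrypt --recipient bob@example.com > "$work/msg.asc"

  # 4. Alice's keyring cannot read the result: only Bob's PRIVATE key decrypts it.
  if g "$alice" --decrypt "$work/msg.asc" >/dev/null 2>&1; then
    echo "unexpected: sender could decrypt" >&2; return 1
  fi

  # 5. Bob decrypts and checks the signature (GOODSIG on gpg's status channel).
  status=$(g "$bob" --status-fd 1 --output "$work/plain.txt" --decrypt "$work/msg.asc" 2>/dev/null)
  echo "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || { echo "signature check failed" >&2; return 1; }

  # 6. Sign-only (no encryption) for a recipient without PGP; Bob can still verify it.
  printf 'Signed but readable by anyone.' | g "$alice" --clearsign > "$work/signed.asc"
  g "$bob" --verify "$work/signed.asc" 2>/dev/null

  cat "$work/plain.txt"           # the recovered plaintext is the function's output
  for h in "$alice" "$bob"; do GNUPGHOME="$h" gpgconf --kill all >/dev/null 2>&1 || true; done
  rm -rf "$work"
}
```

Call `pgp_roundtrip` after sourcing the script; it prints the decrypted message and exits non-zero if the sender could decrypt her own message or the signature did not verify.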
My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, WordPress, websites & optimization. Want to support me and donate? Use this link: https://paypal.me/jreilink.