Lukas Z's Blog

Encrypt Your Email With GPG

It’s 2013 and the way we use technology is moving in the wrong direction when it comes to privacy.

We should not accept that in the era of Facebook and Google Search privacy is a thing of the past. Because we cannot blindly trust corporations to handle our private data. Because we cannot assume the government does what is best for us, either. On the contrary. My understanding of democracy is that the public keeps an eye on what the government and public authorities do.

The fact that we live in a mostly peaceful world with a high living standard and low corruption (I am talking of western European countries here) is a huge achievement and a consequence of horrible wars (which had a huge impact on mentalities) and positive economic development afterwards. But looking at history it is an exception. An unlikely thing that happened. Meaning: Because things went well for my generation there is no guarantee that it will continue to be so.

I am an optimist and I do not expect a big catastrophe or another Adolf Hitler in Europe any time soon. But that does not mean that we can be lazy, put our fates (and our data!) in the government’s (or some corporation’s) hands and hope for the best. That would be a stupid thing to do. Our private information should remain private.

Some people still say things like: “I don’t have anything to hide anyway, so I don’t care.” This infuriates me. Especially when it is coming from educated people that should know better.

It is hard to maintain privacy nowadays. For example, last week Facebook suggested in an E-Mail that I “friend” some people that are only in my GMail contacts. - Wait. How did Facebook access my contacts? I haven’t given them the permission. But, and that’s the thing, my contacts gave theirs. In the end it seems that one cannot escape the data collection.

But we should do what we can, without missing out on all the benefits the Internet gives us.

So let me talk about email-encryption.

Why should you encrypt your email?

The Internet works, because many computers form a network of connections. Data is passed from point A to point B by sending it from one intermediary computer to the next. An email will pass through 10 to 20 computers before it reaches its destination.

Those computers include the switch of your DSL provider, their backbone routers, border gateway routers that connect larger regions (countries), the computers of the recipient’s email provider and so forth. Not to mention the guy that sits at the next table in the cafe, using the same unencrypted wireless network.

As a metaphor you can imagine this: You want to send the tax office your income statement. But the mail system doesn’t exist. So you write it with a black marker in big letters on a sheet of paper. For example: “I earned 1000 Euros last month.” Then you give that letter to your neighbor and ask him to give it to the lady next door, so she can then take it to her friend, who works at a store where an accountant from the tax office comes to do his shopping. Of course everyone in that chain can read your income statement. And this is basically how email works.

Your email is sent in plaintext.

Theoretically it can be read, copied and archived forever at any computer it passes through. It’s like sending a postcard. You would put a letter in an envelope, but the postcard can be read by anyone that takes a look. There’s basically no protection against eavesdropping. And no, the fact that you have to use your password to log in to your webmail means nothing. The message still travels in plaintext through wires that you have no control over until it reaches your webmail provider’s servers.

(Technically email providers can secure the communication between each other, but this would only work if both sides support that functionality. I assume that is not a widespread practice yet. And besides, even then you would still have to trust the email provider.)

Think about what is being sent in emails. Invoices, contracts, company secrets, passwords and so forth. We rely heavily on email being secure, yet it is, by design, absolutely not. There’s no protection against eavesdropping at the transport layer.

Thus it’s prudent to put in some protection at the application layer. Enter email encryption.

It’s not complicated. Read on.

How can you encrypt your email?

Sadly, encryption was not built in as a default when email was invented. But that was in the 1960s and I guess they did not anticipate that something like the World Wide Web with billions of users would exist in the future. Therefore users have to take extra steps to encrypt their emails. But luckily there are good tools for that.

Using GPG, which is a standard open source encryption tool, we can encrypt every email using public key encryption.

It just means that one key is used to encrypt a message and another is used to decrypt a message. If somebody wants to send you an encrypted message, you just send him your public key first. He can use it to scramble the text. But he cannot use your public key to unscramble it. That can only be accomplished with your private key, which you never send to anyone.

Simple enough.

So basically to have encrypted email you need a key-store on your computer where you store all the keys of your recipients, and your two keys. You can upload your public key to a keyserver, where other people can just look it up if they want to send you something. For example, here’s the new one I just created if you want to email me.

And you also need the encryption software.

I am using OSX, so these instructions are for that OS. You can find the same information for Linux and Windows; it’s equally simple to do.

Here we go.

  1. Download and install GPGTools
  2. Follow their tutorial

That’s it.

Now, they will install an addon to the Mac’s Mail application that allows easy encryption and decryption. But it seems like it’s not done yet for Mountain Lion.

And besides, perhaps, like me, you prefer your email in the browser. In that case you will have to copy the email text out of the message and decrypt it manually. And the same vice versa when you want to encrypt a message. Write, encrypt, copy and paste into the browser.

I wrote these two short bash functions to help with that. They are aliases for gpg commands combined with using the clipboard. It saves me some typing. You can just put those in a file called “~/.cryptobash.sh” or something similar, and then add “source ~/.cryptobash.sh” to your .bash_profile so they are available each time you open a terminal.

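# Decrypt the PGP message in the clipboard, put the plaintext into the clipboard and print it.
function decryptc(){
  pbpaste > /tmp/encrypted_message.txt; gpg -d /tmp/encrypted_message.txt | pbcopy; rm /tmp/encrypted_message.txt; pbpaste
}

# Encrypt the clipboard contents (ASCII-armored) for recipient $1 and put the result into the clipboard.
function encryptc(){
  pbpaste | gpg -e -a -r "$1" | pbcopy
}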

Now all I have to do is copy the encrypted email into the clipboard, and run decryptc (c stands for clipboard) in the terminal to see the plaintext. (If you are on Linux, then you can use xclip instead of pbcopy and pbpaste.)
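
A variant of the two helpers above that also covers the failure cases of the copy-and-paste workflow: it pulls the armored block out of whatever surrounding text was copied from the webmail page, decrypts from stdin instead of a file in /tmp, and leaves the clipboard untouched when gpg fails. This is an added example, not the author's code; clip_out, clip_in and extract_pgp_block are hypothetical helper names, and xclip is assumed to be installed on Linux.

```shell
#!/usr/bin/env bash
# Added example: function names other than gpg's own options are hypothetical.

# Clipboard access: pbpaste/pbcopy on OS X, xclip on Linux.
clip_out() { if command -v pbpaste >/dev/null 2>&1; then pbpaste; else xclip -selection clipboard -o; fi; }
clip_in()  { if command -v pbcopy >/dev/null 2>&1; then pbcopy; else xclip -selection clipboard -i; fi; }

# Print the first complete armored PGP message found on stdin, dropping
# surrounding webmail text, CRs and leading "> " quote marks or indentation.
# Returns 1 when no complete BEGIN/END pair is present.
extract_pgp_block() {
  awk '
    { sub(/\r$/, ""); sub(/^[> \t]+/, "") }
    /^-----BEGIN PGP MESSAGE-----$/ { inside = 1; buf = "" }
    inside { buf = buf $0 "\n" }
    inside && /^-----END PGP MESSAGE-----$/ { printf "%s", buf; found = 1; exit }
    END { exit (found ? 0 : 1) }
  '
}

# Decrypt the clipboard; the clipboard is replaced only if gpg succeeds.
decryptc() {
  local armored plain
  armored=$(clip_out 2>/dev/null | extract_pgp_block) || {
    echo "decryptc: no complete PGP message in clipboard" >&2; return 1; }
  # gpg reads from stdin, so no ciphertext file is left behind in /tmp.
  plain=$(printf '%s\n' "$armored" | gpg --decrypt) || {
    echo "decryptc: decryption failed, clipboard unchanged" >&2; return 1; }
  printf '%s\n' "$plain" | clip_in
  printf '%s\n' "$plain"
}

# Encrypt the clipboard for recipient $1 (key ID or email address).
encryptc() {
  [ -n "${1:-}" ] || { echo "usage: encryptc RECIPIENT" >&2; return 2; }
  local armored
  armored=$(clip_out | gpg --encrypt --armor --recipient "$1") || {
    echo "encryptc: encryption failed, clipboard unchanged" >&2; return 1; }
  printf '%s\n' "$armored" | clip_in
}
```

The plaintext still ends up in the clipboard after decryptc, so anything else that reads the clipboard can see it until you copy something else.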

And voila, encryption isn’t such a big chore any more.

Key Storage

Keeping your keys safe and moving them between computers can be annoying. You have to protect your private key by all means, but you might want to have it available on another computer, for example in the office of your employer.

The way I do this is simply by storing it in KeePass. The KeePass-database file itself is encrypted, so I just put it into my Dropbox and have everything handy wherever I am.

Finally

There are some downsides to all this, of course. If you are using GMail, you cannot search the contents of your encrypted messages anymore. (Unless you specifically save the plaintext in GMail.) You can’t read your encrypted email on your phone as easily either.

But it’s probably not necessary to encrypt everything. I won’t try to convince my parents to use GPG for example. And I don’t need to encrypt a link to a funny picture that I send to friends either.

However, I wish that people will start encrypting important things. Bank statements. Insurance documents. Spicy love letters. :) And so forth.

To be honest, I do not have much hope for that to happen soon. But who knows, a few privacy scandals, governments messing up (the Internet IS a threat to governments) and the general public might start to ask for secure email. Then perhaps companies will make a greater effort to make it easy (and fun?) to use.

Until that happens we can still send encrypted email already.

So we don’t have to send important things using the equivalent of postcards.

Does Email still matter?

Teenagers probably hardly use email at all. They have things like Skype, Whatsapp, Snapchat etc. But I think email will stay as the main communication tool in business and as a fallback and authentication method for all the other services. So when these teenagers grow up and get jobs they will use email. So yes, it still matters and will continue to do so.

P.S.: You can follow me on Twitter.
