Thursday, 1 August 2013

Added Security 5 : Encrypting emails


PRISM Break : Encrypt your emails
More PRISM Break information coming up (name inspired by this service). This one is a "how to" on encrypting your emails, which will make it a lot harder for those NSA guys to read what you are writing. The system used as an example is VXG Mail and Windows 7. Note that VXG Mail works the same way as Gmail, since VXG is running on Google Apps. Hence this "how to" can be used for Gmail as well.


Step 1
First download and install Gpg4win, the Windows version of GnuPG (GPG).
Choose at least "GnuPG" and "Kleopatra", but you might consider other components as well.
And please note that there is no need for "Claws-Mail", as Thunderbird with the Enigmail plugin is far superior.


During installation you will end up seeing the message "Defined trustable root certificates. S/MIME configuration".


Check the "Root certificate defined or skip configuration" option and click "Next >" to finish the installation.

Step 2
Next up is to open Kleopatra (installed in step 1), and create your new certificates (assuming you have none from before).


Choose the "Create a personal OpenPGP key pair" option. Click "Next", fill out your name and email address and go into advanced settings to make your encryption as difficult to crack as possible.


Set the "Key Material" to as many bits as possible. At the time of writing, that is DSA 2048 bits + Elgamal 3072 bits.

Your certificate details might look something like this:

Name:              Frode Klevstul
Email Address:     youremailgoeshere@somedomain.com
Comment:           Take this, NSA
Key Type:          DSA
Key Strength:      2,048 bits
Certificate Usage: Encrypt, Sign
Subkey Type:       ELG-E
Subkey Strength:   3,072 bits
Subkey Usage:      Encrypt

Step 3
Now you have a public and a private key. The public one you should distribute to the world, as is done here. There are different ways to do this. Read this article on Stack Exchange for more details. Or you can just add your public key to your own webpage, like I have done here.

You should take a backup of your secret key. You might also need it if you have several machines from which you want to set up secure emailing. In that case you need to use Kleopatra's "Export Secret Keys" function (right click the certificate you want to export). Note that this file / your private key should NEVER be published for anyone to see. This is for your eyes (and machines) only.

How to keep the private key safe
If anyone gets hold of your private key, they can decrypt your emails. Hence it has to be saved in a very safe place, and in several places, because if you lose it you are unable to decrypt your messages again. I keep my private key stored in encrypted form. To encrypt my private key I use EncryptOnClick.

Step 4
Next up is to install Thunderbird and the plugin Enigmail. Note that you will find the plugin if you open the plugin page, from inside Thunderbird, and search for it. Then it is one click to install it. When you already have Gpg4win installed, encryption is ready to be used.


Sending an encrypted and signed message from Thunderbird is very simple. Just click the pencil and key symbol at the lower right corner, or choose to sign and encrypt it from the OpenPGP menu.

Note: you need to encrypt the email with the receiver's public key, so you cannot send an encrypted email to someone who does not have a public key.


In the IMAP sent folder, in the VXG Mail account, this message is to be found (the encrypted version of the email sent):


Only the receiver of this email can read the content, after it has been decrypted using the receiver's private key, which only the receiver has.

Appendix: Claws Mail Bug
I did try installing and using Claws Mail (I installed it as part of Gpg4win, see step 1), which I configured to use VXG Mail, or whatever you have (by the way, a great thing about VXG Mail and Gmail is that you can do IMAP over SSL).

Setting up Claws Mail was pretty easy, but there seems to be a major bug which makes the entire encryption process useless. Claws Mail strangely saves two versions of the email in the IMAP sent folder, one encrypted and one clear text version. No idea why, as it is lame. There might be a setting in Claws Mail to avoid this, but I did not find any.


As you can see above, two versions of each email sent are stored in the IMAP sent folder. The receiver only gets the encrypted one though, so it all seems very strange. But when a clear text version is saved, it is useless. Hence Claws Mail cannot be used for safely sending encrypted emails, as far as I can see.
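One way to check a sent folder for the problem described above, as an added example that is not part of the original post: it classifies raw messages as PGP/MIME, inline PGP or clear text, and lists every clear text copy. The function names, the sample messages and the pairing of copies by recipient and subject are assumptions made for this sketch.

```python
import email
from email import policy

ARMOR = b"-----BEGIN PGP MESSAGE-----"

def classify(raw):
    """Return 'pgp-mime', 'pgp-inline' or 'cleartext' for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return "pgp-mime"
    for part in msg.walk():
        if not part.is_multipart() and ARMOR in (part.get_payload(decode=True) or b""):
            return "pgp-inline"
    return "cleartext"

def audit_sent(raw_messages):
    """Return (to, subject, has_encrypted_twin) for every cleartext copy."""
    seen = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        seen.append((str(msg["To"]), str(msg["Subject"]), classify(raw)))
    # Assumption: both copies of one mail share recipient and subject.
    encrypted = {(to, subj) for to, subj, kind in seen if kind != "cleartext"}
    return [(to, subj, (to, subj) in encrypted)
            for to, subj, kind in seen if kind == "cleartext"]

# Constructed sample messages (placeholders, not real ciphertext or addresses).
HEAD = "From: me@example.org\nTo: friend@example.org\nSubject: {}\nMIME-Version: 1.0\n"
BLOB = "-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----\n"
PGP_MIME = HEAD.format("Plans") + (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
    ' boundary="sep"\n\n'
    "--sep\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
    "--sep\nContent-Type: application/octet-stream\n\n" + BLOB + "\n--sep--\n")
CLEAR_TWIN = HEAD.format("Plans") + "Content-Type: text/plain\n\nSee you at noon.\n"
CLEAR_ONLY = HEAD.format("Hello") + "Content-Type: text/plain\n\nJust saying hi.\n"
INLINE = HEAD.format("Inline") + "Content-Type: text/plain\n\n" + BLOB

if __name__ == "__main__":
    for to, subj, twin in audit_sent([PGP_MIME, CLEAR_TWIN, CLEAR_ONLY, INLINE]):
        note = "encrypted twin also stored" if twin else "sent unencrypted"
        print(f"CLEARTEXT in Sent: to={to} subject={subj!r} ({note})")
```

The audit can pair the copies by subject because the subject header stays readable even on the encrypted copy.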

If it was working
If it had worked as planned, below is how to use it.

Compose an email and under "Options" pick "PGP MIME" as "Privacy System" and choose to sign and encrypt the email.



Note: in case you do not see "PGP MIME" under "Privacy System" you might have to load the plugins "PGP/Core" and "PGP/MIME", under "Configuration > Plugins".


Write your email, and click the "Send" button to start encrypting and sending your mail. Please note that the subject will not be encrypted, but the main content / body will.


For a normal email client, not supporting PGP, the email will look like this:


Using Claws Mail, it will look like this:


Summary
- So to send an encrypted email to someone, you need their public key. Here is mine.
- To receive an encrypted email you need your own key pair (private + public keys).
- For a more in depth tutorial please check out this link.

Resources
Gpg4win tutorial by Tim Starling.
Howto Setup OpenPGP Keys.
Sending and receiving encrypted e-mails (on Windows).


