In part one, we looked at turning on SSL to encrypt the connection used for reading and sending email. That protects you from eavesdropping on your local network or at your ISP, but only on the hop between your mail client and your mail server. Once the message is relayed onward, often over an unencrypted connection, and while it sits in plain text on every server along the way, that protection is gone. The only way to guarantee that a private email stays private is to encrypt the message itself, end to end.
Encrypting emails sounds like something extraordinarily difficult that only spies do. I think that once everyone sees just how easy it is to encrypt emails, it’s surprising that more people don’t.
Why is this important?
For a minute, let’s think of email like regular postal mail, only much faster. Unencrypted mail is the equivalent of sending a postcard. Anyone who wants to, including the carrier, can flip it over and read about your vacation. Now imagine sending postcards with communications about business, personal and private matters written on the back, for everyone to see. That’s email.
Additionally, because both systems let you digitally sign messages, a recipient can check that a message really came from the holder of your key and was not altered in transit. Phishing then takes more than forging a few mail headers and copying eBay’s email template, provided the recipient actually checks the signature.
Ways to Encrypt Email:
Email encryption works via two different methods: S/MIME, or the OpenPGP family that grew out of Phil Zimmermann’s PGP (the most common implementation is GnuPG).
Both methods use public / private key encryption. Each person has a key pair: a public key, which is handed out freely, and a private key, which never leaves its owner. You encrypt a message with the recipient’s public key, and only the recipient’s private key can decrypt it. Signing works the other way around: you sign with your own private key, and anyone holding your public key can verify the signature. So the first step is to exchange public keys with everyone you communicate with.
For example, to email Steve Jobs with encryption, you exchange public keys with him. Then you encrypt your demand for Apple Tablet photos with Steve’s public key and send it to him. Steve uses his private key to decrypt and read the message. He then encrypts a quick “no” email to you, using your public key. You decrypt his email via your private key and sigh.
Which method to use?
Either method works, and works well. Often the choice depends on what everyone else you communicate with is using. S/MIME is natively supported in Mail, Thunderbird, Outlook, Entourage and most other email clients, but it requires you and everyone you communicate with to obtain a certificate from a certificate authority and install it, which can be a pain. GnuPG generates and manages the keys for you, with no certificate authority involved, but takes a little tinkering to install at first.
I’m going to show you how to do both.
Note: PGP is a commercial product, but OpenPGP is an open standard and GnuPG is a free implementation of it. They are interoperable.
To use GnuPG, the first thing you’ll need to do is download the software libraries. These are the functionality behind the application. In this step, you’re not downloading the program – you’re downloading the bits that make it work.
1. Download Mac GNU Privacy Guard and install.
2. Decide which email client you want to use.
Note: Snow Leopard users: Due to the many changes in Apple’s Mail, and undocumented APIs, you’ll need to use Thunderbird or Firefox with GnuPG.
GnuPG and Thunderbird:
Thunderbird 3 works very well with GnuPG. Assuming you have Thunderbird set up and ready to go, and have installed GnuPG, here’s what you do next:
1. Download and install the Enigmail add on.
2. Restart Thunderbird.
3. In Thunderbird’s menu bar, you’ll see the new item: “OpenPGP”.
Note: My screenshot shows more items in the menu bar because I enabled Advanced mode.
4. Select “Setup Wizard” to get yourself started with creating the keys.
Note: To stay compatible with everyone who doesn’t use encryption or signing, set OpenPGP not to encrypt or sign by default; you can turn either on per message. You cannot encrypt to someone whose public key you don’t have, and a signature sent to someone without OpenPGP just shows up as unreadable extra text or an attachment.
5. When finished, create a test email to yourself. This works best if you have multiple accounts so you can see the encryption / decryption.
6. Before you send the email, encrypt and sign it from the “OpenPGP” menu at the top of the compose window.
7. If you’re sending this to someone who doesn’t have your public key yet, attach your public key to the email (Enigmail has an option for this in the same menu). Never attach or export your private key.
8. Now send it. When you open the received email, you will be prompted to enter your passphrase.
9. Enter it and Thunderbird will decrypt the email for you and show whether the signature verified.
Note: Tiger and Leopard Mail users can download Sen:te’s GPGMail to use GnuPG with Mail.
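The key exchange described under “Ways to Encrypt Email” and the steps the Enigmail wizard automates above, done by hand with the gpg command-line tool so you can see what actually happens. This is an added example, not code from the original article: two throwaway keyrings (“Alice” and “Bob”, with constructed example.com addresses and a constructed message) stand in for two people, Alice encrypts to Bob’s public key and signs with her own private key, and Bob decrypts and verifies. It needs GnuPG 2.1 or later on the PATH and prints SKIP if gpg is not installed.

```shell
#!/bin/sh
# Added example (not from the original article): the OpenPGP exchange the
# Enigmail wizard automates, performed by hand with gpg. Alice, Bob, their
# example.com addresses and the message are constructed for the demo.
set -eu

# Run gpg against a private keyring directory so nothing touches ~/.gnupg.
gpg_as() {            # gpg_as <homedir> <gpg arguments...>
    _home=$1; shift
    gpg --homedir "$_home" --batch --yes --quiet "$@"
}

# Create an RSA key pair (signing primary key + encryption subkey) in batch
# mode. %no-protection skips the passphrase; a real key should have one.
make_key() {          # make_key <homedir> <name> <email>
    printf '%s\n' '%no-protection' 'Key-Type: RSA' 'Key-Length: 2048' \
        'Subkey-Type: RSA' 'Subkey-Length: 2048' \
        "Name-Real: $2" "Name-Email: $3" 'Expire-Date: 0' '%commit' >"$1/params"
    gpg_as "$1" --gen-key "$1/params" >&2
}

# Full round trip; echoes the decrypted message, or SKIP when gpg is absent.
openpgp_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo SKIP; return 0; }
    work=$(mktemp -d)
    alice="$work/alice"; bob="$work/bob"
    mkdir -m 700 "$alice" "$bob"

    make_key "$alice" Alice alice@example.com
    make_key "$bob"   Bob   bob@example.com

    # Key exchange: each side publishes only its PUBLIC key (never the secret key).
    gpg_as "$alice" --armor --export alice@example.com >"$work/alice.pub.asc"
    gpg_as "$bob"   --armor --export bob@example.com   >"$work/bob.pub.asc"
    gpg_as "$alice" --import "$work/bob.pub.asc"   >&2
    gpg_as "$bob"   --import "$work/alice.pub.asc" >&2

    # Alice encrypts TO Bob's public key and signs WITH her own private key.
    # --trust-model always stands in for the fingerprint check a person would
    # do before trusting a freshly imported key.
    printf 'Could I have the tablet photos?\n' >"$work/msg.txt"
    gpg_as "$alice" --trust-model always --armor --sign --encrypt \
        --local-user alice@example.com --recipient bob@example.com \
        --output "$work/msg.asc" "$work/msg.txt"

    # Alice holds no copy of Bob's private key, so even she cannot open the
    # result (mail clients add the sender as a recipient to avoid this).
    if gpg_as "$alice" --decrypt "$work/msg.asc" >/dev/null 2>&1; then
        echo "unexpected: sender could decrypt" >&2; return 1
    fi

    # Bob decrypts with his private key; a GOODSIG status line confirms the
    # message was signed by the key Bob imported as Alice's.
    status=$(gpg_as "$bob" --status-fd 1 --output "$work/msg.dec" \
        --decrypt "$work/msg.asc")
    case $status in
        *GOODSIG*) ;;
        *) echo "signature did not verify" >&2; return 1 ;;
    esac

    cat "$work/msg.dec"
    gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$bob"   --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}

openpgp_roundtrip
```

The failed decryption attempt by Alice is the point that is easy to get backwards: a message encrypted to someone else’s public key is unreadable to the sender too, which is why Enigmail and the S/MIME clients quietly encrypt a copy to your own key as well. The GOODSIG check is what the client shows you as a verified signature; GnuPG will still warn that the key is not trusted until you have compared fingerprints with the other person.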
S/MIME with Thunderbird and Mail:
S/MIME is natively supported in Thunderbird and Mail but you will need to get your own certificate. You can purchase one from Verisign, or take advantage of free certificates from StartSSL or InstantSSL/Comodo. The certificate is issued for a specific email address, so it only works for mail sent from that address.
Once you have your certificate, you’ll need to import it into Thunderbird or Mail. For this part, I will use Thunderbird in my examples. For Mail, just double click the .p12 file (the PKCS #12 bundle of your certificate and private key) and Keychain Access will walk you through importing it.
1. Go into the Account Settings.
2. Click on the Security settings for the email account you want to use.
3. At the bottom, click on “View Certificates”.
4. The Certificate Manager will open up. Click Import.
5. Once your certificate is imported, click “Select” to choose your certificate.
6. To encrypt emails, compose an email and choose “Encrypt this message” from “Options” in the Menu Bar.
In order to actually use S/MIME encryption, you need the certificate (public key) of everyone you send encrypted mail to. The usual way to distribute your certificate is to send a digitally signed email: the signature carries your certificate, and Thunderbird and Mail automatically store a received certificate so you can encrypt to that person afterwards.
WARNING: Do not send anyone the .p12 file you received when you signed up for a certificate. It contains your private key as well as the certificate; anyone holding it can read your encrypted mail and sign messages as you. Only the certificate should travel, inside a signed message.
Using S/MIME and GnuPG with Gmail:
To encrypt mails with the Gmail web interface, download the following extensions for Firefox:
S/MIME: Gmail S/MIME
GnuPG: FireGPG
Note: FireGPG requires that you install the GnuPG software in order to use it.