Electronic mails need to be encrypted if you need true privacy when communicating. Encryption is the most practical and effective way of fighting surveillance and privacy violations by the state or any malicious actors like intelligence agencies (unwarranted eavesdropping) and black-hat crackers.
Electronic Mail Encryption can be done using the open implementation of Pretty Good Privacy (PGP, written by Phil Zimmermann) called GNU Privacy Guard (GPG) authored by Werner Koch and others.
Creating a public key pair:
A public key pair is a pair of keys: A public key and a private key. As the name makes it obvious, you keep the private key to yourself and give out the public key. You can create a key pair like so:
$ gpg --gen-key Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N)y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <firstname.lastname@example.org>" Real name: Clark Kent Email address: email@example.com Comment: Mail for my human identity You selected this USER-ID: "Clark Kent (Mail for my human identity) <firstname.lastname@example.org>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. Repeat Passphrase We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 187 more bytes) gpg: key A6D4E3CF marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 6 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 6u pub 2048R/A6D4E3CF 2015-07-01 Key fingerprint = 0F1E A29C B027 82AF Cfi1A3 5EB8 6F61 369A A6D4 E3CF uid Clark Kent (Mail for my human identity) <email@example.com> sub 2048R/780EC813 2015-07-01
2048 bit encryption is sufficient for most people. Just go with the defaults if you are unsure.
Verifying the key
$ gpg --list-keys pub 2048R/A6D4E3CF 2015-07-01 uid Clark Kent (Mail for my human identity) <firstname.lastname@example.org> sub 2048R/780EC813 2015-07-01 $ gpg --fingerprint A6D4E3CF pub 2048R/A6D4E3CF 2015-07-01 Key fingerprint = 0F1E A29C B027 82AF C1A3 5EB8 6F61 369A A6D4 E3CF uid Clark Kent (Mail for my human identity) <email@example.com> sub 2048R/780EC813 2015-07-01
Fingerprint of a key is a long unique string that identifies your key. The last two words of it make your key ID.
A6D4E3CF in this case. This Key ID is used to specify this particular key when listing, exporting, etc.
Exporting Public Keys
Public keys can be exported to a file so they can be mailed to people who need to communicate securely with you. Specific public keys can be exported by supplying the key-id like so:
$ gpg --export -a A6D4E3CF -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 mQENBFWTjfwBCADRKjyRrGzuuDy8Bu3K41mwBDysih0nxM2hkz7VGJw6NtcWGtq3 3xDLyZIa754uaflXCKREN8KqLn1BCJXWAWNhROKh5MV2gP2+eDSoa0FRHKFTJQFW +4A3OtmldzVMZOuG4s73LiQDPoQT0WK9QmUeIfh3RC/MGuOUT1oftz9oyt2Ds298 MdoZzc6vvcLRd4EOIecsAguKyNZOsyN7PEK6F2bFHVy64uoPRkMus4xoYmm/6eBs [[...several long lines of totally meaningless random text...]] ZIj6rHgxh4EOExWYuqb7D/0jOSPjpc/UsDHLE3DASsJ+ehsZnrsNw3fvNcmYcCtS 1FfoeSXVsahkkaTfWD4/hUlO8+L9688M29hHfGqn7HdhROPtAoN/FbCXDNB09WQI fWDis7b3gQgPyiF/ckS65w25T2HVEBsErhHUnUQ+0YG0wnU5HVF9aNEi8aCWgYKd 8Cq11L2jJzNFTm5dZZkIjmaxIFX/JckCPoXSvJLuKDj/g0tRxKkVsj/VKX7QBcZc i1rNvtBlS/a/QmjKkyZPbscCmD1YlOI5zwXh9Id4V0ku7r18yJqNCxmtp33qwymu r+hFAW4pqbir =B2FO -----END PGP PUBLIC KEY BLOCK-----
Exporting Private Key
Private keys are exported for safekeeping. You should store this securely on an encrypted thumb-drive or have a paper backup and store it in a vault.
$ gpg --export-secret-keys -a A6D4E3CF ------BEGIN PGP PRIVATE KEY BLOCK----- Version: GnuPG v1 lQO+BFWTjfwBCADRKjyRrGzuuDy8Bu3K41mwBDysih0nxM2hkz7VGJw6NtcWGtq3 3xDLyZIa754uaflXCKREN8KqLn1BCJXWAWNhROKh5MV2gP2+eDSoa0FRHKFTJQFW +4A3OtmldzVMZOuG4s73LiQDPoQT0WK9QmUeIfh3RC/MGuOUT1oftz9oyt2Ds298 MdoZzc6vvcLRd4EOIecsAguKyNZOsyN7PEK6F2bFHVy64uoPRkMus4xoYmm/6eBs [[..several lines of text snipped just to be polite to you..]] AAkFAlWTjfwCGwwACgkQb2E2mqbU489oZgf+KN2uT+cA22SI+qx4MYeBDhMVmLqm +w/9Izkj46XP1LAxyxNwwErCfnobGZ67DcN37zXJmHArUtRX6Hkl1bGoZJGk31g+ P4VJTvPi/evPDNvYR3xqp+x3YUTj7QKDfxWwlwzQdPVkCH1g4rO294EID8ohf3JE uucNuU9h1RAbBK4R1J1EPtGBtMJ1OR1RfWjRIvGgloGCnfAqtdS9oyczRU5uXWWZ CI5msSBV/yXJAj6F0ryS7ig4/4NLUcSpFbI/1Sl+0AXGXItazb7QZUv2v0JoypMm T27HApg9WJTiOc8F4fSHeFdJLu69fMiajQsZrad96sMprq/oRQFuKam4qw== =Yp1a -----END PGP PRIVATE KEY BLOCK-----
Export the keys to a file like so:
$ gpg --export -a A6D4E3CF > pub.key
$ gpg --export-secret-keys -a A6D4E3CF > priv.key
Make sure to protect your private key file by storing it in an encrypted thumb drive. Then securely delete the private key file using
$ srm priv.key
$ gpg --import <keyfile name>
This will import public / private keys into your keyring
Note: If you export keys without specifying a Key ID, and if you have multiple keys in your keyring, then all your public / private keys will be exported at the same time.
Type your message in a file mymessage.txt
Then do the following command to encrypt it
$ gpg -e mymessage.txt You did not specify a user ID. (you may use "-r") Current recipients:Enter the user ID. End with an empty line: Tony Stark Current recipients: 4096R/130B30DD 2011-01-03 "Tony Stark firstname.lastname@example.org" Enter the user ID. End with an empty line:
You will now end up with a file called mymessage.txt.gpg. Mail it to Tony Stark!
Assuming you have an encrypted file called messagefromstark.txt.gpg, do the following:
$ gpg -d messagefromstark.txt.gpg You need a passphrase to unlock the secret key for user: "Clark Kent (Mail for my human identity) <email@example.com>" 2048-bit RSA key, ID 780EC813, created 2015-07-01 (main key ID A6D4E3CF) gpg: encrypted with 2048-bit RSA key, ID 780EC813, created 2015-07-01 "Clark Kent (Mail for my human identity) <firstname.lastname@example.org>" Yes, man! I agree!
Note: You need to have imported Tony Stark’s GPG public keys into your GPG keyring for encrypting mails to Tony Stark. When you do gpg –list-keys, Tony’s keys should be shown.
Security is complicated. I wish it wasn’t. There are some legitimate work being undertaken by people who genuinely want to uncomplicate security and encryption and make it available to everyone regardless of their technical abilities. That said, read through the content in this link and educate yourself on some good practices regarding GnuPG configuration files: https://help.riseup.net/en/security/message-security/openpgp/best-practices
Note: Leave questions and feedback in the comments section. If you want to organize cryptoparties (awesome workshops where you can learn security stuff), get in touch with us.