OpenPGP and Email Security and Privacy

The very nature of the internet means that email is both insecure (easily forged by the unscrupulous) and public (easily read by anyone). We have all learned from the spammers and virus authors how easy it is to forge or fake an email. As to privacy, the rule I normally follow is to assume that all your emails will end up indexed and available on Google. There is an alternative that will keep your email both secure and private, a protocol called OpenPGP. I sign all my e-mail with an OpenPGP signature. Here is an excellent discussion of email security, encryption and digital signatures.

PGP is a secure public key encryption system that was created by Phil Zimmermann in 1991. Wikipedia has a nice article on how it works and its history. For individual users, the OpenPGP standard offers the best option. A GNU version that follows the OpenPGP standard is available as the GNU Privacy Guard (GnuPG). GNU software is all open source and is aimed primarily at the Unix/Linux world. There are also good Windows implementations available. A Windows version of GnuPG is available from Gpg4Win. It supports Outlook. I am using the Enigmail plugin for Thunderbird, a Mozilla email client. It is a front-end to GnuPG.

OpenPGP can be used in two distinct ways, signatures and/or encryption. I normally use OpenPGP to sign my email using my private key. If the recipient has PGP software and my public key they can verify that I was the sender and that the content is exactly what I sent, including the time-date stamp. The signature cannot be forged. PGP can also be used to encrypt emails. This requires the recipient to have created and published their own public key. The sender encrypts the email using the recipient's public key. When the email is received the recipient uses their own private key to decrypt the message. Of course, once they have decrypted it they can save it and send it to the world. But that’s similar to the risk of having a letter you send Xeroxed by its recipient and distributed. At the moment, if properly used and configured, OpenPGP encryption cannot be broken, even by the NSA (which is why there was a ten-year battle by the Feds to prevent the software from being exported). There is consensus within the international cryptographic community on the security of PGP: it is very, very good.

There are several ways to implement secure email encryption. I will discuss some of the free open source options. They can be divided into two groups: email clients that are based on your computer and web based clients that are used with a web browser. Here are some options:

Here is a tutorial for Setting up Thunderbird to do PGP Encryption on Windows. The tools needed are the Enigmail extension for Thunderbird and the Gpg4Win suite of GnuPG tools. A similar combination of Thunderbird+Enigmail using GPGTools can be used on Apple's Mac OS X.

My public key is available here or from an OpenPGP Public Key Server such as the one at Massachusetts Institute of Technology or one run by the OpenPGP community. The properties of my key are:

  Key ID:   0x3AE58BA6
  Key Type: DH/DSS
  Created:  Jan 7, 2010
  Expires:  Jan 5, 2020
  Key Size: 2048/2048
  Cypher:   RSA
  Key fingerprint: 90BA 7D0D ACC2 2822 3018 4F45 E334 A5C9 3AE5 8BA6
  UserID:   David Flory <David.Flory@theflorys.org>

You should verify that the key properties match these after you have downloaded the key. In particular, you should always verify the key's fingerprint.
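One way to carry out the fingerprint check described above, as an added example rather than code from this page's author: it compares the full fingerprint of a downloaded key against the published one and shows why matching only the 8-digit Key ID is not enough. The function names and both sample key listings are constructed for illustration; `gpg --show-keys --with-colons` is the GnuPG command that lists a key file without importing it.

```python
import subprocess

# Values published on this page.
PUBLISHED_FPR = "90BA 7D0D ACC2 2822 3018 4F45 E334 A5C9 3AE5 8BA6"
PUBLISHED_KEY_ID = "0x3AE58BA6"

# Constructed sample listings in GnuPG's --with-colons format (not real gpg output).
GENUINE = """\
pub:-:2048:17:E334A5C93AE58BA6:1262822400:1578182400::-:::scESC:
fpr:::::::::90BA7D0DACC2282230184F45E334A5C93AE58BA6:
uid:-::::1262822400::::David Flory <David.Flory@theflorys.org>:
"""
# Constructed look-alike: same 8-digit Key ID and UserID, different fingerprint.
LOOKALIKE = """\
pub:-:2048:17:89ABCDEF3AE58BA6:1262822400:1578182400::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF3AE58BA6:
uid:-::::1262822400::::David Flory <David.Flory@theflorys.org>:
"""

def normalize(value):
    """Drop whitespace and an optional 0x prefix, upper-case the hex digits."""
    s = "".join(value.split()).upper()
    return s[2:] if s.startswith("0X") else s

def primary_fingerprint(colons):
    """Return the fingerprint of the first primary key in a colon listing."""
    seen_pub = False
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            seen_pub = True
        elif fields[0] == "fpr" and seen_pub:
            return fields[9]  # field 10 of an fpr record is the fingerprint
    raise ValueError("no primary key fingerprint found")

def short_id_matches(colons, key_id=PUBLISHED_KEY_ID):
    """Weak check: the short Key ID is only the last 32 bits of the fingerprint."""
    return primary_fingerprint(colons).upper().endswith(normalize(key_id))

def key_matches(colons, published=PUBLISHED_FPR):
    """Strong check: all 40 hex digits of the fingerprint must agree."""
    want = normalize(published)
    return len(want) == 40 and normalize(primary_fingerprint(colons)) == want

def read_key_file(path):
    """List a downloaded key file without importing it (requires GnuPG)."""
    cmd = ["gpg", "--show-keys", "--with-colons", path]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
```

For a real download, pass the output of `read_key_file()` to `key_matches()` and import the key only if it returns `True`.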

©2008-2015 David Flory.   Last modified on Mar 27, 2015, 7:34 pm.