How I Learned to Stop Worrying and Love PGP

An email security how-to for Macs (though the steps basically work for PCs, as well)

Computer hackers in Germany. ((Photo: Patrick Lux/Getty Images)

Computer hackers in Germany. (Photo: Patrick Lux/Getty Images)

If you think you might ever need to have a truly private email conversation with anyone ever, then you need to start exchanging encrypted messages with people right now about banal day-to-day life. Here’s why: if anyone ever does suspect you of something and begins spying on you, if the only encrypted emails you have sent are about whatever it is you’re trying to keep secret, they will jump right out at the trespasser. That itself will be a clue.

If you’ve got lots of encrypted emails in your mailbox from all kinds of people, they won’t know where to start.

For all the news about security lately, you would think that it’s impossible—just impossible—to avoid getting your private communications seen by outsiders. That’s not so, though. Even the NSA can’t hack emails if users encrypt them the right way. One of the longstanding methods that give malefactors a headache is PGP (which stands for “Pretty Good Privacy”). You’ve probably seen those words around, right? Edward Snowden wouldn’t email with Glenn Greenwald until he started using PGP. 

It is in our power to communicate with each other securely. Today, I am going to walk you through setting up PGP on a Mac (though it is pretty similar for PC–I have done both). I need to be using PGP more myself, but the problem is: I can’t do it alone. I also hope to convince many of you, reading this, just to go ahead and get set up with PGP right now. Don’t wait till you think you need to keep something private. Just do it.

The big problem with PGP (and really all encryption) is that it has be mutual to work. If I want to use PGP and you don’t want to, then our communication can’t be secured. So the more of us that do, and the better we get at it, the more routine it becomes and the less of our communications will be exposed to interception.

When you send an encrypted email, it looks like a jumbled mess of nonsensical characters. No one, not even a computer, can make sense of it. So do it if for no other reason than to futz with Gmail’s ability to mine data about you.

Seriously. 

giphy

(GIF: GIFSForTheLulz/Tumblr)

I’m writing this with the assumption that you want one simple, direct way to get set up. So, I am to going to skip some best practices because it’s better than nothing to get folks started using bare bones PGP. It’s much better, in fact.

Let’s begin:

You’re going to need three trusted and free programs to get this done: GPG Suite, Mozilla Thunderbird and Enigmail.

Step One: Download GPG Suite and Thunderbird and install them. This works like any installation works. The order they are installed doesn’t matter, but from here you can work entirely within Thunderbird.

The main difference for doing this with a Windows PC is you need an alternative to GPG Suite. I used GPA on my PC.

Step Two: Set up Thunderbird to work with your email. Select File > New > Existing Mail Account. Follow instructions. You may need to dig into whatever your existing email client’s settings are and find your SMTP server’s name and you IMAP or POP3 server names and copy those to Thunderbird. Don’t let these words intimidate you. It’s easy. It’s usually in something like “Account Settings” or “Options” in webmail or in Outlook or whatever client you might use. 

If you’re already using Thunderbird, then you don’t need to download it again.

From here it's going to start getting a bit tougher, but you can do it. (GIF: Cheezburger.com/GIPHY)

From here it’s going to start getting a bit tougher, but you can do it. (GIF: Cheezburger.com/GIPHY)

Step Three: Open Thunderbird and install Enigmail as an add-on. There’s a “three bar menu” / “hamburger icon” to the right of the Thunderbird search bar. Click on it. Click on “Add ons,” and search “Enigmail.” It will find it. Select“Install.” Once it prompts you to restart Thunderbird, do so. You’ll know it worked if “Enigmail” is one of your options in your menu bar upon restarting.

Step Four: In Thunderbird, go to Tools > Account Settings > OpenPGP Security. Check all the boxes. Some of these struck me as strongly worded, but I’ve tested it since with people who PGP and people who don’t. You can communicate with both with no problem. Click “O.K.” to close out this window.

Step Five: Enigmail should appear along your menu bar, if you installed it properly. Now it’s time to get yourself your first PGP key. So exciting!

If you already have keys but don’t know how to use them, you can just import it into GPG Suite. Open the program up and look for “Import.” There’s a bunch of ways to do it.

You're going to be all like... (GIF: Prosthetic Knowledge/Tumblr)

You’re going to be all like… (GIF: Prosthetic Knowledge/Tumblr)

In Thunderbird’s menu bar, select Enigmail > Key Management, and make sure the box is selected next to “Display All Keys by Default” up top.

Fill out the boxes. Put a good, strong password in here, and write it down somewhere you can find but isn’t on a digital device that someone could hack and also isn’t like a Post-it on your monitor because (seriously) why are we even having this conversation then? Maybe a little card in your wallet? The comment field is optional. I put a date in there.

This might sound counterintuitive, but you should use your real name and email when making your key. This helps other PGP users find your public key so they can save a step in messaging you. Your name and email is not helpful at all in cracking the code, so use whatever you really correspond with.

A quick word of explanation: PGP works with two keys. You share your public key with anyone you like. It allows them to encrypt a message that only you can decrypt. The message (and I don’t get how this works myself) can’t be decrypted with the public key. You need both. Only you will have your secret key, but the public key allows anyone to encrypt something that only you can decrypt.

Don’t think about it too hard, because it hurts.

You are now ready to exchange encrypted email.

You have the power. (GIF: Giphy)

You have the power. (GIF: Giphy)

Step Eight: Put the ID of your public key in your signature. This will help people to find the right one to email you at. 

Wanna send some email? When was the last time you were this excited about sending an email? Oh man…

We have now reached the largest source of friction in the process. You need to have someone’s public key downloaded to your keyring before you can send them an encrypted email.

Because you already have Thunderbird open, I’m going to describe how to find keys using it. I honesty found PGPSuite a lot better for this purpose, though. Since you already have Thunderbird open, though, here’s how I found it worked best in there:

  1. Get the key ID from the person you want to email. You can practice a search with mine (ID: 0xDF395EB8). Thunderbird makes it easy for you to attach your public key with your first encrypted email (or non-encrypted ones, too).
  2. Go to Thunderbird > Enigmail > Key Management > Keyserver > Search for keys. Then you’ll search for that Key ID. (If they give you a number without an ‘0x’ in the front, add it. Some people post their PGP signature, as well. In most cases, I found the same method as step two worked for these (they are just longer numbers).
  3. If you upload your contacts into Thunderbird, there’s an option that will scan them for PGP keys. I found a bunch. Go to Key Manager and then “Find All Keys for Contacts” and say ‘OK’ to everything. Downloading can take a few minutes.

With the settings we picked above, corresponding with someone who has PGP will be pretty much as easy as sending email (you’re going to be asked for that password you wrote down, though). If you want to email someone in Thunderbird who doesn’t have PGP, you just click the padlock at the top of the window you wrote the email in, and it will go through like any other email.

Shoot me an encrypted email with your public key attached. Provided you did everything right, I will happily reply. In fact, take note: I will look more kindly on pitches sent encrypted by PGP.

Blues Brothers. (GIF: Giphy)

Blues Brothers. (GIF: Giphy)

I’m not going to lie to you: using PGP adds some friction.

  • When you send emails, you’ve got to put in your password to encrypt it (if you made your key with a passphrase, which you probably should).
  • The dumb key manager doesn’t automatically import email addresses you’ve downloaded from key servers into your contacts.
  • You’re not going to be able to read encrypted emails on your mobile, at least not at this point in using them. You’ll just see a jumble of nonsensical text. There are apps to work around this, but there’s cutting and pasting involved.
  • It only works if the person you are corresponding with agrees to use it as well. This is probably the toughest thing. Encryption has to be a two way street and most people won’t do it. 

Security is a bit of a pain—that’s all there is to it.

Great Grey Owl GIF

(GIF: Head Like An Orange/Tumblr)

Encryption requires your habits to change, too. To email securely, you’re going to need to use Thunderbird, which is separate from your browser. I know we’re all in the webmail habit now, but when you write in webmail, you can assume your email host is, on some level, reading every word. Probably, even as you write it. So shift out of your routine from time to time.

There has been an enormous amount of ink spilled on the ways the various Internet services let us down, but the communication we all use the most, boring old email, is open for us to encrypt all on our own, without their help. So use PGP. The more of us that get set up with PGP, the more people we will find with whom secure communication is easy. 

 

How I Learned to Stop Worrying and Love PGP