Encrypting Your Email & Key Signing

Discussion in 'Community Discussion' started by SandboxGeneral, Jul 22, 2013.

  1. SandboxGeneral, Jul 22, 2013
    Last edited: Jul 22, 2013

    SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #1
    In light of all the computer security news of late and my own ongoing pursuit of securing my computer and Internet habits for my own protection against hackers and identity theft, I've now started encrypting my emails, or rather installed the ability to.

    I installed the open-source GPG (PGP) GPGTools add-on for Apple Mail and generated a 4096-bit public and private key each for two of my email accounts. The whole process took less than five minutes and is very easy to accomplish.

    Once installed, sending either a digitally signed and/or encrypted email is as simple as clicking on a button in the new mail window. The catch is that the recipient must also have encryption enabled on their account and have uploaded their public key to a key server so you can download it and use it to decrypt an email. If the person you're sending an email to isn't set up for encryption, that's not a problem, you can still send them an email as you would normally, it just won't be encrypted.

    What encrypting your email does is ensure that no one, a hacker, Apple, Google, Microsoft, et al or even the NSA, can snoop on your messages if they happen to intercept it. All they would get would be a huge string of random characters that they wouldn't be able to decrypt.

    One part of the setup process is generating your keys. The installer (above) installs the GPG Keychain Access app, which is different from Apple's Keychain app. With the GPG Keychain access you generate a public and private key and during the generation process you're supposed to move the mouse around a lot or type a lot to get the CPU or disk to create a lot of activity which helps mix up the bits of the key for maximum entropy. With the speed of today's CPU's, key generation is accomplished in mere seconds.

    What I did to ensure there was plenty of disk activity during the key generation was start up and run Blackmagic, the disk speed test app, which is free from the Mac App Store. I figure with that running while you're generating the keys, the excessive disk activity will help create the most entropy possible making for a very secure key. Once the key is generated, you can cancel Blackmagic's speed test - if you want.

    Another part of the key generation process is creating a passphrase. This is similar to a password in that its typically a sentence with upper/lower case words and numbers, even characters, that only you know and can remember. This is used to decrypt your private key and send/read encrypted emails or verify a digitally signed email. If you lose or forget your passphrase, there is no way to ever recover it and you would have to make a new key. Any email you received sent to you based on your lost passphrase will forever be unreadable to you. Its very important to remember your passphrase and never give it out to anyone.

    Lastly, you will want to upload your public key to a key server so others can download and use it to decrypt your emails. You will also want to get as many people as you can to sign your key so that it helps bring validity and credit to your key letting people know that its actually you and your key. Doing this is usually called a key signing party where you get people, typically that you know to sign your key, or actually meet up somewhere so people can actually meet you and be comfortable signing your key.

    This method is very secure, open-source, and endorsed by the podcast Security Now with Leo Laporte (twit.tv) and Steve Gibson (grc.com).

    Additionally, this can be set up on Windows computers and Mozilla Thunderbird (OS X & Windows). Here is the addon for Thunderbird: Enigmail. I don't have the method worked out for applying this on Windows yet, but will work on it.

    I have two email accounts set up, one in Apple Mail and the other in Thunderbird. I set them both up and have easily sent encrypted emails to each account.

    If anyone is willing to try this, I am willing to help and provide my MacRumors email account as a test for sending encrypted emails back and forth. I don't mind doing this since that email account is also listed under the View Forum Leaders page.

    Note: This thread is not intended to discuss or debate the political and social issues regarding encryption and whether or not one has anything to hide from the government or not. We have a PRSI thread where that stuff is already being discussed.

    Apple Releases Statement on Customer Privacy and Law Enforcement Requests for Customer Data

    What this thread is intended for is the technical aspect of email encryption and for members to come together and sign each other's key's.
     
  2. SandboxGeneral thread starter Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #2
    Steps to set up email encryption

    1. Download GPGTools and install it
    2. Generate a pair of keys for the email account you desire
    3. Choose the bit length of the keys under advanced in GPG Keychain Access when creating a new key. Recommend length is 4096
    4. Upload your key to the key server
    5. Find someone who has or will set their account up like you have
    6. Download their key
    7. Send them an encrypted email

    Here is the link to the GPG tutorial which does a nicer job of detailing the process than I have here.

    If you have or once you have set up your encryption, you can search the key server through the GPG Keychain Access app for my key which is listed under my username: SandboxGeneral.
     
  3. SandboxGeneral thread starter Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #4
  4. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #5
    Let me ask you this.

    If I go this route, and I send an email to say a friend, what do they get? Some sort of email with a link to receive and decrypt the email or am I misunderstanding the process?
     
  5. SandboxGeneral thread starter Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #6
    First off, GPGTools will not allow you to send an encrypted email to someone who doesn't already have this set up and where you've already downloaded their public key to your GPG Keychain.

    So instead you'd be sending them a clear email as you are and have been all along.

    Once you have someone's public key and they have yours, you each can send fully encrypted emails to each other.

    Here is an example of one of my test emails to myself and what the message looks like encrypted. What it actually says in the clear is "Test 01."
     
  6. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #7
    Thanks for the clarification.

    I remember when I was refinancing my mortgage, I'd get an email from them stating that I have a secure/encrypted email. I then had to use the link to sign on to a special site to retrieve my messages. So this works differently then that.
     
  7. SandboxGeneral thread starter Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #8
    Yes, it works differently but accomplishes the same thing - provided the method the mortgage company used is the same encryption technology.
     
  8. 0dev macrumors 68040

    0dev

    Joined:
    Dec 22, 2009
    Location:
    127.0.0.1
    #9
    The problem is, a lot of people aren't willing to set something like this up, which makes it pretty useless in the real world. I talk to people outside my tech friends about government monitoring and it's like they don't care. Which is why the government gets away with it.
     
  9. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #10
    And there's the rub. I can count on 99.99% of my emails will be going to people who do not have this and/or are unwilling to set this up.

    For this technology to work and catch on, it needs to be done with a level of integration that the user does not have to sign up for some special tools and certificates.
     
  10. TPadden macrumors 6502a

    Joined:
    Oct 28, 2010
    #11
    Yep, the recipient has to be aware he is getting communication from you ...... and WANT to receive it :eek: .......98% of my emails received aren't really desired :D.

    Pretty neat capability though ...........
     
  11. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #12
    I can say same thing for my work emails :eek:

    I think as security is only going to get better, but as I mentioned it needs to be better integrated.
     
  12. SandboxGeneral thread starter Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #13
    As I mentioned in the first post of this thread in red, if you want to talk about the government and political aspect, do it in this thread: http://forums.macrumors.com/showthread.php?t=1597974
     
  13. SandboxGeneral thread starter Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #14
    With the release of Mavericks, GPGTools has released their latest version of GPGMail, 2.1 and MacGPG 2.0.22.

    They had so many people downloading the updates that it crashed their server and ballooned their ISP's allocated bandwidth. They had to add 4 additional servers to handle the load.

    Tweet
     
  14. Diseal3 macrumors 65816

    Joined:
    Jun 29, 2008
    #15
    I didn't even know this software existed. This is a great find.
     
  15. Jon-PDX macrumors regular

    Joined:
    Oct 20, 2011
    Location:
    Pacific NW - USA
    #16
    Figured I'd revive this thread just for fun to see if it gets more interest.

    You are correct, it's like pulling teeth to get people to use encryption.

    I've tried many times over the years to get folks to use PGP and a few did but quit using it after a few months :(

    GPGTools integrates it's self pretty well in MacMail and Thunderbird but still requires folks to take one more step to encrypt the email before hitting send or to decrypt it to read it.

    One thing GPGTools does not do on my Mac that I could do with PGP on my old windows box is create a self-decrypting file that you can send to someone who does not have the software installed. All the recipient needs to know is the password to decrypt it.

    I've spoken to the GPGTools folks about it but I got the impression that that feature is not possible with the current build of openPGP which GPGTools is based on.

    Sorry, got a little off topic. I just miss that feature.

    Anyway, integration has improved over the years but as I said it does take an extra step or two to use it. If it's important to the end user they will use it and I suspect there are a lot of folks that would use it if they know it was available. The trick is to make more folks aware of it.

    Including a link to GPGTools (Mac) and Gpg4win (Windows) in your email signature can generate interest by folks wondering what it is. Beyond that I'm at a loss as how to get more people interested in using encryption.

    Jon…
     
  16. turtle777 macrumors 6502a

    Joined:
    Apr 30, 2004
    #17
    They expire after one year, right ?

    The constant change is a mess.

    -t
     
  17. SandboxGeneral thread starter Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #18
    Yeah, it's not easy encouraging folks to try it.
     
  18. Shrink macrumors G3

    Shrink

    Joined:
    Feb 26, 2011
    Location:
    New England, USA
    #19
    I'm using a very simple to use, web based encryption system.

    You sign in, and the recipient of your encrypted message receives an email informing them of the message, and a link. When they click the link it takes them to the site. They fill in a few lines of information, and the encrypted message is available.

    A very easy to use system...especially for the unsophisticated computer user. The only weak link is when the site sends the email to the recipient with the link...I suppose the email from the site could be intercepted.

    Certainly for my purposes...possibly sending medical information on a patient, it is a more than adequate security system.

    And it is so easy to use, you are much more likely to get others to use the system.
     
  19. localoid macrumors 68020

    localoid

    Joined:
    Feb 20, 2007
    Location:
    America's Third World
    #20
  20. Jon-PDX macrumors regular

    Joined:
    Oct 20, 2011
    Location:
    Pacific NW - USA
    #21
  21. SandboxGeneral thread starter Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #22
    I used Hushmail quite a while ago. I never stuck with it because their UI was lacking a lot. I should hope that they'd improved it over the last few years.
     

Share This Page