Folks, I wanted to hit on this topic again as it is very critical in these days and times. You do not have to carrying state secrets, be a criminal, or any other devious act to want private communications within your email account. You also don’t have to be a technical expert either. This blog post is intended to be a step by guide in setting up a FREE encrypted email account.
I always recommend purchasing your own domain name. I say this because its always preferred to run your own email services on a private server rather than using the services provided by Hotmail, Yahoo, or Gmail. For those of us in the technical security field, we know who’s in bed with the U.S. Government and who’s not. Let’s look at Gmail, provided by the good folks at Google. Who runs Google’s technical department? None other than ex-NSA (U.S. Government National Security Agency) Matt Cutts. Now why would an ex-NSA agent quit the National Security Agency to run the technical side of things for Google? Its the world’s largest database and guess what? Uncle Sam wants constant access to it! With their own man running the show, they have it. Even though he claims he got out, we all know there’s no official out for agents. Once Uncle Sam owns you, he always owns you.
There’s not much to say in regards to the Microsoft Hotmail brand. Again, this is another U.S. corporation well documented as being in bed with the U.S. Government. Yahoo doesn’t have a clean past either. The makers of Hushmail surely have just as bad a record as well, currently only offering 2048 bit encryption keys at best that reside on their own servers so that they can capture your passphrase when decrypting your emails which will then allow them instant access to all past and future emails that are encrypted with your key.
This step by step guide will show you how to use encrypted email that doesn’t require a key to remain on any server, uses the strongest encryption known to man (currently 4096-bit RSA), and uses a completely open-source application infrastructure. It is currently not known if the NSA can yet crack a 4096-bit key, but it is highly unlikely. Even the best super computers would have quite a difficult time at it. Some estimate it would take nearly 200 years to crack a 4096-bit encryption key while others think it may only be 20-30 years away. Either way, this is excellent news for the common folk that wish to have truly private email correspondences.
Ok, now on to the guide. You will need to obtain the following tools before we get started. These tools are based on the most common operating systems currently in use: Microsoft Windows XP and Vista (all versions). All these things are completely free of charge.
GNU Privacy Guard
The first thing we want to do after obtaining the above pieces of software is to install them one at a time. Start with GTK+ and GNU Privacy Guard. Once these are installed, move on to the Thunderbird installation and then finally the Enigmail add-on for Thunderbird.
Before we go any further its best to reboot your computer. This way all the pieces of the puzzle have a proper chance of being formally initialized. Once that’s done, we can proceed with the rest of the setup.
As I recommended above, it’s better to own your own domain name and operate your email services from your own server rather than a public one where you don’t know who has administrative access to it. While I understand that that is not always the ideal situation for every one, I’ll dab a little into what we can do with Gmail to make it compatible.
If you cannot obtain your own domain and a private server that hosts that domain, then you need to use a free email service that is POP3 (Post Office Protocol version 3) compatible. Gmail is just such a service. Yahoo wants you to pay for it so they will not be included in this article. At this time I’m not sure if Hotmail offers free POP3 services or not.
Once you’ve rebooted, open up the Thunderbird application. Add your POP3 compatible email accounts into Thunderbird. Once all your account(s) are loaded in there and you’ve properly tested them to make sure they are working, then we can proceed to the next step. You will see a tab for OpenPGP in the upper left hand tab. Click on that. Now scroll down to “Key Management” and click on that as well. A mini screen will appear. Click on “Generate” and then “New Key Pair.” Now a third box appears with a lot of options.
With this third box, we select one of our email addresses that we wish to generate an encryption key for. Once that’s selected, we assigned a passphrase for this encryption key. (This passphrase is like a password and will be needed to decrypt all future emails that are encrypted to your private key.) I wholly recommend a 10-15 character alpha-numeric passphrase. Anything less than that can be considered insecure. Do not use dictionary words, pet names, birthdays, pin numbers, your address or street name. Use something very unique. I highly recommend a 20 character alpha-numeric passphrase.
Now we choose when the key will expire. The default is 5 years. I’ve personally set mine to never expire and recommend all of you to do the same. Now we can click on the Advanced Tab. You’ll see “Key Size.” There are several options here and I highly recommend setting a 4096-bit key size. Directly below that is “Key Type.” There are 2 choices in this section. RSA and DSA El Gamal and I recommend going with the RSA key.
Now we click on the “Generate” button. It will take your computer some time to generate a random key based on your computers ability. Some computers are quick to do it and others take a few minutes and this is primarily based on your computers processing power. Once the key generation is complete, it will ask you if you want to back up these new keys so you can create revocation certificates if you ever lose control of your private keys. I highly suggest you take this option. Save the revocation certificates any where but your main hard drive. A pen drive, usb thumb drive, or an external hard drive are ideal places to keep these.
Once your revocation certificates are safely tucked away in an external location, we need to go back to the main screen of Thunderbird. On the left hand side of the screen you’ll see a pane for your email accounts. Click on the name of one of the email accounts. You’ll be taken to another screen where there are several options. Click on “View Settings For This Account.” A new mini screen will pop up. You’ll see an option for “OpenPGP Security.” Click on that.
Make sure the box is ticked for: Enable OpenPGP Support (Enigmail) For This Identity.” Directly below that, make sure the circle is tick for: “Use Specific OpenPGP Key ID.” Your specific encryption key should automatically be in the box already. Directly below that you’ll see 4 options. Make sure the first 2 boxes are always checked. This is just the signature part and is an integral part of letting others know that you have encryption ability. Since not every one uses encryption, don’t check the other boxes just yet.
Remember, you must exchange public keys with anyone that you plan on sending and receiving encrypted emails to and from. You cannot decrypt email in a normal free email account and this email must reside on a POP3 compatible email service. Using this particular method, emails can only be decrypted and encrypted from within Thunderbird. There is no server interaction here in the actual encryption or decryption as that resides on your individual computer only. This is the most absolute secure way to use encryption.
I will write another article later this week regarding the transport of your email and how TLSv1 (Transport Layer Security version1) can provide much better security than the traditional SSLv3 (Secure Socket Layer version 3) could ever do and how we can integrate SSHv2 (Secure Shell version 2) to help us achieve this effect. (SSHv2, besides providing transport security under an immense amount of encryption can also be used to completely hide the origin of where the email actually originated.)
Written by: Jared @ IAPS