Considering recent news about the collection of data communications, I think it's time to bring PGP back to life. PGP is a well-established, strong encryption system that is easy to integrate into email messages. Although it has been around since 1991 (and the OpenPGP message format became an IETF standard in 1998), it never caught on for everyday email. Even I eventually stopped installing PGP because I simply never used it. But the Internet is very different nowadays, and I think it's time to dust off that old key and give PGP another chance.

PGP does have some limitations and it is by no means a perfect solution (for one thing, it encrypts only the message body, not the subject line or the sender and recipient addresses), but it is much better than sending unencrypted emails. Unfortunately, one big reason for its lack of adoption is simply that too many people are intimidated by it. The good news is that you really don't have to understand how PGP works in order to start using it.

Here are the basic concepts you probably should know:

  • You start by creating a key pair: a public key that you hand out to the world, and a private key that you guard with your life (protect it with a strong passphrase and keep a reliable, secure backup). The Kleopatra software mentioned below walks you through creating it. It's really easy.
  • If someone wants to send you an encrypted email they need your public key, so you generally publish it on a public keyserver or put it on your web site. Mine is linked at the bottom of this post.
  • To read that email you use your private key. That is why you keep it private.
  • You can also use your private key to sign emails that you send out. A good signature proves that the message came from the holder of your private key and was not altered in transit. Others verify your signature with your public key.
  • Other people can sign your public key. The more people who sign your key (after checking its fingerprint with you in person or over another channel), the more others can be sure that it is authentic. A signature only means something to someone who trusts the signer, so when you check a key yourself, compare the full 40-digit fingerprint rather than the short key ID.

That’s all you really need to know, so here are some quick instructions for getting started under Windows:

1. Download and install Gpg4Win.

2. After installing, open Kleopatra to import an existing key or create a new key.

3. Once your key is in Kleopatra, right-click on it and select Export Certificates to Server to publish your public key on a public keyserver, then get another PGP user you know to check your fingerprint with you and sign it.

4. Configure your mail client (or use the Claws Mail client that comes with Gpg4Win). If you are using Outlook, Gpg4Win comes with an Outlook add-in (GpgOL). If you are using Thunderbird, get the Enigmail add-on (Thunderbird 78 and later have OpenPGP support built in, so Enigmail is only needed on older versions).

5. Talk a friend into installing PGP so you can send and receive PGP encrypted email.

A big problem for most people is that using PGP with web-based mail accounts such as GMail, Hotmail, or Yahoo! mail just isn’t that easy. Yes there are solutions, but I have not had great luck with any of those.

In my case, what I chose to do is create a Gmail filter to forward all messages that contain “BEGIN PGP MESSAGE” to another unpublished email account (and delete the original). This other email account is a POP account that I access with Mozilla Thunderbird. I installed the Enigmail plugin and now have Thunderbird deal with all PGP messages.

All my regular mail I still access through Gmail, and all my encrypted and other sensitive messages I deal with through Thunderbird. Works great so far! My next step is to explore some of the mobile PGP apps.

I have also added a new contact form that will automatically encrypt all messages using my public PGP key. The nice thing about the form is that it comes from my server, not from you; your email address and name are encrypted in the message body.

My PGP Key: https://xato.net/x/Mark_Burnett_mb@xato.net_(0x6E23BA97)_pub.asc
PGP Key ID: 0x6E23BA97
Fingerprint: C127 C510 79D7 E457 E20D 4419 7752 D68B 6E23 BA97
