How to Encrypt Email
SecurityProNews staff writer Joe Purcell describes the various steps required to encrypt email using a popular version of OpenPGP called GNU Privacy Guard. If you really love a challenge, give it a go. Or, you can order up a Rule18 email account from SECNAP and send your sensitive emails that way. It works just like regular email—because it is. Rule18 encrypts and decrypts automatically and you don’t have to do a thing. If you’re an IT pro, which system do you think your users can manage best?

Intro
It is essentially impossible to derive the private key from the public key, so sharing the public key in a non-secretive way is not of grave concern, though certainly keeping the public key in only sure hands would add an additional level of security. PGP was initially released in 1991 by Phil Zimmermann for Windows, but was later published by the Internet Engineering Task Force (IETF) as a standard named OpenPGP.

Step 2 - Create a Public Key

For the sake of the example, let's say Bob and Jim want to send encrypted emails back and forth. Both Bob and Jim create their own public key with the following:

    gpg --gen-key

Follow the steps, using RSA and RSA (meaning RSA public key and RSA private key) and 2048-bit keys. The passphrase will need to be very long, so initially enter as long a passphrase as you can remember, and then if it says "Not enough random bytes available," bang on the keyboard for a while until it's happy.

Then export your public key to share:

    gpg -a --export > bob-gpg.pub

Note that the 'a' option converts the input/output to and from OpenPGP ASCII armor format. This is used for readability and ease of use. The bob-gpg.pub file should look something like:

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.4.10 (GNU/Linux)

    (a big blob of text)
    -----END PGP PUBLIC KEY BLOCK-----
Now, Jim should have done the same thing and made a public key. After he emails Bob the public key, Bob will import it into GPG:

    gpg -a --import jim-gpg.pub

And likewise, Bob emails Jim his public key and Jim imports it.

Step 4 - Write an Encrypted Email

    gpg -a --encrypt email.txt

It will prompt you to "Enter the user ID. End with an empty line:", at which point Bob would enter "Jim" or "Jimmy" or his email. The encrypted file should look something like:

    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.4.10 (GNU/Linux)

    (block of text)
    -----END PGP MESSAGE-----
Now, the encrypted email.txt.asc can be emailed to anyone anywhere without care, more or less. But Bob just wants to email it to Jim, so he emails it to Jim, and Jim reads the file like so:

    gpg -a --decrypt email.txt.asc > email.txt

Note that on some systems you won't be prompted for the passphrase if you don't have the 'passphrase' option, which takes the passphrase itself as its argument.

That About Does It

That's it! It can be rather intimidating, but once you've done it a few times it's not so bad. A good policy is to change the public key every so often to prevent the possibility that someone has retrieved your public key, and if they happen to get access to your email account they at least won't be able to read all the emails. It is also a good policy to not transfer the new public keys via email, but rather by hand using a thumb drive, for example. Though this may be overkill in many situations, when you need assurance that email information is kept secret using an encryption program, it will get the job done.

For a copy of this article go to: http://www.securitypronews.com/insiderreports/insider/spn-49-20110602HowtoEncryptEmail.html
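The key creation, exchange, encryption and decryption steps above, scripted end to end as an added example (not the article's own code), with a fingerprint comparison added before Bob encrypts to the imported key. It assumes GnuPG 2.1 or later; the two throwaway keyring directories, the names, the addresses and the message are constructed for the demo, and the keys carry no passphrase only so that it runs unattended.

```sh
#!/bin/sh
# Added example (not from the article): Bob -> Jim round trip in throwaway
# keyrings. Assumes GnuPG 2.1+; names, addresses and message are constructed.
set -eu

genkey() {  # $1 keyring dir, $2 name, $3 email: RSA + RSA, 2048 bits (Step 2)
    # %no-protection = no passphrase, for this non-interactive demo only.
    gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

fpr() {  # $1 keyring dir, $2 user ID -> prints the primary key fingerprint
    gpg --homedir "$1" --with-colons --fingerprint "$2" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

roundtrip() (  # prints what Jim decrypts; the subshell keeps the trap local
    work=$(mktemp -d); bob="$work/bob"; jim="$work/jim"
    trap 'for d in "$bob" "$jim"; do
          gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || :
          done; rm -rf "$work"' EXIT
    mkdir -m 700 "$bob" "$jim"
    genkey "$bob" 'Bob Example' bob@example.test
    genkey "$jim" 'Jim Example' jim@example.test
    # Jim exports his public key; Bob imports it.
    gpg --homedir "$jim" -a --export jim@example.test > "$work/jim-gpg.pub"
    gpg --homedir "$bob" --batch --quiet --import "$work/jim-gpg.pub"
    # Before relying on the import, compare fingerprints over a second channel.
    [ "$(fpr "$bob" jim@example.test)" = "$(fpr "$jim" jim@example.test)" ] ||
        { echo "fingerprint mismatch: do not encrypt to this key" >&2; exit 1; }
    # Fingerprint checked, so accept the key for this one command
    # (day to day, certify it once with --lsign-key instead).
    printf 'Meet at noon.\n' > "$work/email.txt"
    gpg --homedir "$bob" --batch --quiet -a --trust-model always \
        --recipient jim@example.test --encrypt "$work/email.txt"
    # Only Jim's private key can open email.txt.asc.
    gpg --homedir "$jim" --batch --quiet --decrypt "$work/email.txt.asc"
)

[ "${1:-}" != demo ] || roundtrip
```

Run the script with the argument `demo` to see the decrypted message; nothing is written to your own `~/.gnupg`.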