These days it’s hard to tell who’s out for your information, but you could and probably should assume everyone is. Your emails get sent through a lot of different servers as part of the routing process to get the mail delivered. Since we have no way to verify that these servers are not collecting information or that their owners are honest, we must take the precautions ourselves by transferring the responsibility and trust away from those who may be negligent, ignorant or malicious.
Banking institutions take security and privacy very seriously since they are scrutinized by auditors, regulators and government. Information is treated as sensitive, and any information regarding a client must be either communicated verbally or, if transmitted electronically, encrypted. Although their encryption and email form a closed system within the institution (the encryption methods are most likely proprietary and only work on the bank’s computers and software), they still practice a high level of safeguarding of information. It goes to show that you really have no idea who is listening on the other end. If the banking institutions are that worried about even their own internal people, maybe we should have a greater concern for protecting our own personal business.
Here’s a way for you to communicate with others using encrypted emails. We will be using tools which are multi-platform, so there is no real worry about it not working with certain setups. It is really simple, and you will have peace of mind that the information you intended for your recipient is read by their eyes only, and no others.
On to the guide!
Though I will be going through this installation on a Windows machine, there is no reason why you can’t follow along in Mac OS X or your favorite distribution of Linux (you’ll have to do your own research for specifics). The only requirement is that both you and your correspondent use some implementation of GnuPG. It is also not necessary for you to use Gmail; you may use whatever email account you want.
Downloads
- GnuPG (Download section)
- Enigmail (Direct)
- Thunderbird 3.0
- Optional: Gmail email account
Method
- Install GnuPG
- Install Thunderbird if you have not already. Set up your email account so that you can send and receive mail (Thunderbird 3 users should have no problem with the updated account wizard for Gmail; Thunderbird 2.x users should follow the Gmail setup instructions. Use IMAP).
- In Thunderbird 3, in the menu bar, TOOLS, ADD-ONS. Then GET ADD-ONS. Type “enigmail”, in the results below, select Enigmail, ADD TO THUNDERBIRD. Restart Thunderbird
- A GnuPG wizard should appear (If not, you’ll notice a new OpenPGP entry in the menu bar thanks to Enigmail, click OPENPGP, SETUP WIZARD)
- Choose “Yes, I would like the wizard to get me started”. Please READ through these next prompts to improve your own understanding.
- “No, I want to create per-recipient rules for emails that need to be signed” (so that not every email you send will be tacked with a PGP signature, only those you specify)
- “No, I will create per-recipient rules for those that send me their public key” (so that not every email you send will be encrypted, and thus unreadable by those who do not have OpenPGP)
- “Yes” to change default settings (Mostly composing emails in plain text as opposed to HTML)
- CHOOSE A STRONG PASSWORD and keep it safe! (Depends if you care that someone may be able to crack your password through bruteforce dictionary attacks) Read the following to help with choosing a strong password. DO NOT LOSE THIS PASSWORD.
- It will now create your keys (you must take steps to safeguard the private key).
- Optional: creation of a Revocation Certificate. If you forget your password or your key gets compromised, you can revoke the key so that others will not believe that future mails signed with it are from you.
- Optional: to be listed in the keyserver. This will allow you to be listed under a public directory.
- IMPORTANT for Gmail users using IMAP: there is one more risk you must guard against. Since the emails you compose are in plain text and not yet encrypted, Drafts get sent to and stored on Google’s servers IN PLAIN TEXT. You MUST store drafts locally. To do this go to: TOOLS menu, ACCOUNT SETTINGS. Under COPIES & FOLDERS, in the Drafts, Archives, and Templates section, select the OTHER option and DRAFTS from the drop-down.
- Optional: back up your keys (Windows 7: C:\Users\[USERNAME]\AppData\Roaming\gnupg) and consider encrypting these with a program like TrueCrypt. Keep these safe!
- Check that you can still send emails properly: send a test unencrypted email.
- Test it out: Compose a new email, then click on the key icon in the bottom right (it should illuminate green in Thunderbird 2.x or yellow in 3.x. You can also do this with the keyboard shortcut Ctrl+Shift+E, or by going to the OpenPGP menu and selecting “Encrypt Message”).
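The same key lifecycle the wizard walks you through (key creation, revocation certificate, backup, and a signed-and-encrypted test message) can be exercised from the gpg command line, which makes it clear what each step actually produces. This is an added example, not code from the original post or from the Enigmail project; it assumes GnuPG 2.1 or later on the PATH, runs in a throw-away keyring so your real one is untouched, and the name, address and passphrase are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): the Enigmail wizard's steps
# done with gpg directly. Assumes GnuPG 2.1+; identity and passphrase below
# are constructed samples and must not be reused for a real key.
set -eu
command -v gpg >/dev/null 2>&1 || { echo 'gpg (GnuPG 2.1+) not found' >&2; exit 0; }
UID_STR='Alice Example <alice@example.invalid>'   # sample identity
PASS='correct horse battery staple'               # sample passphrase
# Throw-away keyring so ~/.gnupg (or AppData\Roaming\gnupg) is never touched.
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; chmod 700 "$GNUPGHOME"

# Step "It will now create your keys": unattended key pair (signing primary
# key plus encryption subkey, valid 2 years); prints the primary fingerprint.
pgp_generate() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" \
        --quick-generate-key "$UID_STR" default default 2y 2>/dev/null
    gpg --list-secret-keys --with-colons | awk -F: '/^fpr/ {print $10; exit}'
}

# Step "Revocation Certificate": GnuPG 2.1+ writes one automatically when the
# key is created; this returns its path so it can be moved to offline storage.
pgp_revocation_cert() {
    echo "$GNUPGHOME/openpgp-revocs.d/$1.rev"
}

# Step "backup your keys": ASCII-armored exports of the public key and of the
# private key (the latter stays protected by the passphrase).
pgp_backup() {
    gpg --batch --quiet --armor --export "$1" > "$GNUPGHOME/public.asc"
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" \
        --armor --export-secret-keys "$1" > "$GNUPGHOME/private.asc"
}

# Step "Test it out": sign and encrypt a message to ourselves, then decrypt it
# and print the plaintext. msg.asc is all a mail server would ever see.
pgp_roundtrip() {
    printf '%s\n' "$2" > "$GNUPGHOME/msg.txt"
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase "$PASS" \
        --armor --sign --encrypt --recipient "$1" \
        --output "$GNUPGHOME/msg.asc" "$GNUPGHOME/msg.txt"
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" \
        --decrypt "$GNUPGHOME/msg.asc" 2>/dev/null
}

# Stand-alone run: perform every step and show what was produced.
FPR="$(pgp_generate)"
pgp_backup "$FPR"
ls -l "$(pgp_revocation_cert "$FPR")" "$GNUPGHOME/public.asc" "$GNUPGHOME/private.asc"
pgp_roundtrip "$FPR" 'this line exists on the server only as ciphertext'
```

The .rev file GnuPG writes has a leading colon on its BEGIN line as a safety catch; remove that colon only when you actually need to import it to revoke the key.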
Notes
If you are interested in cryptography in general and Pretty Good Privacy specifically (PGP, which GnuPG is based on), a good book is “The Code Book” by Simon Singh (particularly the chapter ‘Alice and Bob Go Public’, which leads into ‘Pretty Good Privacy’). Although there is a long and controversial debate about privacy, which I have left out of this post, there is a paper that makes the case for secrecy and privacy. If you wish to further your knowledge: “‘I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy” by Daniel J. Solove (a professor at the George Washington University Law School) is a very interesting read for anyone concerned about privacy.
That’s all folks!