On most projects, there comes a moment when we need to work with sensitive data and need security in the communication with our clients. One of our ways to achieve the necessary security and privacy is by offering and using email encryption for sensitive information. This blog post will describe how this email encryption works and how it can be implemented for free on any computer running Windows. Don’t despair if your computer is not running Windows; we will be handling encryption on other operating systems in future blog posts.
Why and when should I use email encryption?
Most email communication is by default not encrypted and is transmitted in the clear. This means that people other than the recipient can read the email content. Think of your unencrypted emails as a postcard to your family: “The food is good, the weather is nice.” You probably won’t mind the postman or any other person reading the back of your postcard.
If you want to make sure only your recipient can read the email’s content you should use encryption. It’s like an envelope for your message that only the recipient can open. You don’t necessarily have to use email encryption on all your emails but its use is highly recommended for sensitive information.
How does email encryption work?
You can’t just start to encrypt everything to anyone. Just like with a good relationship, encryption only works both ways. Your recipient has to offer encryption for you to be able to send him or her an encrypted email. And you’ll have to have email encryption yourself. No surprises here.
Each person using email encryption has two keys: one is public and one is private. This kind of encryption is called Public Key Infrastructure or PKI in short.
Public Key: This key is for everyone to see. You can pin it on your homepage, add it to your email signature or book a plane and write it in the sky for everyone to see. It’s the key for the world to send you encrypted emails. Other people will use this key to encrypt emails sent to your email address. There are key servers online working as telephone books for public keys. You can upload your key to those servers to make it easier for other people to find your public key.
Private Key: This key is for you only. I mean it. Don’t share it, don’t post it, don’t give it to your kids and don’t write it in the sky. It’s the key that makes it possible for you, and only you, to decrypt all those emails other people have encrypted with your public key. You can’t use the public key to open them; only your very personal private key can do it.
How do I encrypt my emails?
This guide will explain how to install OpenPGP on a Windows computer using Thunderbird as an email client. If you already run a Windows computer, all other software described in this guide is free to use. You won’t have to pay any fees to anyone to encrypt your emails.
Install Thunderbird and set up your email address
Thunderbird is a free email client for sending and receiving emails. You can use your existing email accounts with Thunderbird. It supports IMAP, SMTP and SSL/TLS settings.
Download the installer for Windows at https://www.mozilla.org/en-US/thunderbird and install the software using the setup wizard. This shouldn’t take more than a few minutes.
When you’ve installed Thunderbird and launch it the first time, you’ll see the “Welcome to Thunderbird” message, asking you to set up your email account. If you have no email account, Thunderbird offers to set up a new email for you at this point. You probably already have an email account and can skip this by clicking on “Skip this and use my existing email”.
Add the information of your existing email account and click on “Continue”. Thunderbird will try to complete your email settings by looking up the necessary email configuration online. If you’re using a known email provider like Gmail or Yahoo, Thunderbird will probably be able to complete the settings for you. If not, you’ll have to add the necessary information about the incoming and outgoing servers yourself.
After Thunderbird has verified the configuration you can click on “Done” to complete the setup.
Detailed information about the setup of email accounts, including manual account configuration can be found on Thunderbird’s support website: https://support.mozilla.org/en-US/products/thunderbird/emails-thunderbird/set-up-email-thunderbird
GnuPG is a free implementation of the OpenPGP standard. PGP stands for Pretty Good Privacy and is free encryption and authentication software.
You can download GnuPG for Windows at https://www.gpg4win.org/download.html. The software will ask you to donate for maintenance and development. If you don’t want to donate, you’re free to select $0 and click on “Download”.
Click on the downloaded file and install Gpg4win. The component you need for this guide is GnuPG; the other components like Kleopatra and GpgOL are optional and can be unchecked during installation.
Run through the installer and click a few times on ‘Next’ until the wizard is completed.
Enigmail is a plugin for Thunderbird that allows you to use GnuPG in Thunderbird. You can download Enigmail here: https://addons.mozilla.org/en-US/thunderbird/addon/enigmail
Download and install the plugin. You will have to restart Thunderbird when the installation is completed.
Congratulations, you have all the software you need to start encrypting emails.
Create a new pair of keys for your email account
When starting Thunderbird for the first time with the Enigmail plugin installed, you’ll see the Enigmail setup wizard. Don’t worry if you’ve closed the setup wizard window; you can always start it via the Thunderbird menu by clicking on Enigmail and then Setup Wizard.
Start the Setup Wizard by selecting “Start setup now”. In the next step, Enigmail will ask you how you’d like to set up your email encryption. If you are setting up email encryption for the first time (and since you are reading this guide, I assume you are) select “I prefer a standard configuration”.
In the next step, you’ll create your key pair. The wizard will give you a short explanation about private and public keys and will ask you to come up with a passphrase for your private key. This passphrase will secure your private key and should be strong and unique. This means it should not be used for any other service or login.
I’m bad at remembering such stuff so I prefer to use long, auto-generated passwords created and saved by a password manager. But that’s a matter of personal taste.
Click “Next” when you’ve found a passphrase for your email account. Enigmail will now create your private and public keys. This may take a few moments. You can get a coffee in the meantime.
Create a revocation certificate
At some point, you may want to mark your keys as invalid, so people know they should not use this public key anymore. Maybe you changed your email address, lost your private key or just don’t want people to use this type of encryption anymore. In any case, you can tell people that your public key should not be used anymore by using the revocation certificate. So create one and save it somewhere on your hard disk.
Click on ‘Finish’ to exit the setup. You’re now ready to use email encryption.
Use the Enigmail Key Management to manage your own keys and the keys collected from your contacts. You can also use the key manager to upload your public key to a key server.
The key manager also enables you to export your keys to a file, send keys, revoke keys, create new keys and delete them. You can also use it to search for public keys of other people not yet stored in your key manager in public key servers.
Send your first encrypted email
After all this work I’m sure you’re impatient to send your first encrypted email. As mentioned before, you’ll need to find a recipient also using encryption to be able to send encrypted emails. If you don’t know anyone, send them this guide and make them set up encryption too. If you know someone, they’ll soon have the unexpected pleasure of being on the receiving end of a highly secure “test test – woohooo!” email.
Encrypting your email is as easy as writing an unencrypted email. Open your email editor, add a recipient, enter a subject and write your email content. The only difference is the two active yellow buttons in the menu above your email address. One is for encrypting the email, one is for signing it. By signing the email you prove to the recipient that you’re really you. Keep in mind that a signed email is not encrypted. You can choose whether you want your email signed, encrypted, or both.
Signing your email is good practice for every email you send; encrypting it is probably only necessary for sensitive content. But that’s totally up to you and your desire for privacy, security and that James Bond feeling we all enjoy by encrypting our communication.
What does an encrypted email look like?
I encrypted the email sent to Dominik with his public key. Dominik received my encrypted email in his own installation of Thunderbird using Enigmail. The Enigmail plugin decrypted the message automatically and displayed additional information about me, the sender.
This message is decrypted and my signature is unverified. Dominik (who is sitting right next to me) can verify that I am really the sender and may set a high trust level for the signature I’m using. He can also import my public key to his own key manager and send me encrypted mails with it.
This is all you need to send and receive encrypted emails. If you want to write an encrypted email to us, feel free to download our public keys from the key servers and send us an email.