News broke last week that Yahoo has allowed intelligence agencies to scan user emails. This comes at a very bad time for Yahoo, right on the heels of its 500 million user account data breach—made public earlier this month—and while the company is trying to be acquired by Verizon for the meager price of $4.8 billion.
Other tech giants immediately denied having had similar cooperation with government agencies in the wake of the Yahoo leak, though they all have a track record of wholesaling their data to government agencies under the NSA’s PRISM program.
But this doesn’t mean that you can’t protect your emails from prying eyes. There are a couple of tricks that can provide better security—I’m not saying total security, mind—against surveillance, and some services such as ProtonMail provide end-to-end encryption.
But if you’re already using an email service such as Gmail and don’t want to switch to some other provider, this article is for you. In this post, I’ll take you through the steps to set up and use Mailvelope PGP protection for your emails.
What is PGP?
PGP, which stands for Pretty Good Privacy, is a technology developed in the early 90s which uses a variation of the public/private key paradigm to encrypt information. In a nutshell, users generate a pair of keys, one public and one private, and publish their public key for everyone to access. The private key they keep to themselves.
Users will subsequently encrypt their message with the public key of the recipient before sending it. Upon receiving the message, the recipient will decipher it with the private key that is in their exclusive possession.
This mechanism ensures that if the message is intercepted during the transmission, or is picked up from the server where it is stored, it will be of no use.
This is much different from the encryption that services like Gmail and Yahoo offer, which is the HTTPS or TLS encryption of the message during the transfer (that is a necessary measure as well, though). Even if they encrypt your messages on their servers, they still hold the decryption keys and can access those messages. With PGP encryption, when a message is encrypted with a public key, it can only be decrypted with its corresponding private key. It’s what we call asymmetric encryption.
Using Mailvelope to encrypt messages
Mailvelope is a free application that adds PGP encryption capabilities to webmail services. It is installed on your browser as an extension and functions by adding elements and tools to email composition and reading pages.
Following are the steps to set up Mailvelope for your email account.
The first step is to install Mailvelope on your browser, which is a straightforward process. If you’re using Chrome, you can find it in the Web Store. If you’re using Firefox, download it from Mailvelope’s website.
After installing the extension, the Mailvelope icon will appear next to your browser’s address bar.
Create your key pair
In order to be able to receive encrypted emails, you’ll have to create your pair of public/private keys. To create a key pair, click on the Mailvelope icon and press the Options button.
Once in the Mailvelope options page, go to the “Generate Key” tab and fill in the basic information for your keys.
The password will be used to protect your key pair, so you’d do well to remember it. New versions of Mailvelope enable you to upload your public key to the Mailvelope server for easier discovery.
When you’re ready, press Generate. Once the key is generated, you can view it in the “Display Keys” tab.
In order to enable others to send you encrypted emails, you’ll have to give them your public key. To do so, click on the name of the key you just created and go to the “Export” tab.
Make sure the “Public” toggle button is selected (unless you want to export your private key for personal storage). You can click the Save button to generate the key file, which you can send to users, or you can copy the contents and paste them in an email or a webpage for others to access.
In order to send an encrypted email to a person, you have to upload their public key to your Mailvelope app. Once you have the key, go to the “Import Keys” tab, and either upload the public key file or paste its contents in the text area and press “Import.”
Once the public key is uploaded, you can view it in the “Display Keys” tab.
Send an encrypted email
To send an encrypted email, open your webmail application (such as Gmail) and write your message as you always would, then click on the pencil-and-paper button that has newly appeared on the page.
Note: if the icon doesn’t appear, click on the Mailvelope icon and press the “Reload” button. If it still doesn’t appear, click the “Add” button to add the current mail service to its list of supported websites.
The following email encryption dialog appears, in which you should specify the recipient of the letter in order for Mailvelope to understand which public key it should use to encrypt the message. In most cases, the extension is smart enough to automatically select the key based on the address you’ve inserted in the To and CC fields.
After pressing “Encrypt,” your message will turn into gibberish. Press send and rest assured that only the person with the private key will be able to peek at your message.
Open an encrypted message
When you receive a message that has been encrypted with your public key, it will appear as follows.
In order to open the letter, click on the envelope. You’ll be prompted for the key’s password, after which the decrypted message will be displayed.
Signing is the reverse of encryption. The message is encrypted with the private key and decrypted with the public key, and it serves as proof that a message was written by the person who has ownership of the private key. This can prevent malicious actors from impersonating you.
To sign a message, write your message as you normally would and press on the encryption button, as you did in the previous sections.
However, instead of pressing Encrypt, click on the Sign button and select the key with which you want to sign the message.
The email will be sent in encrypted format as in the previous section, with the difference that it can be decrypted by anyone who has your public key.
A few notes
Mailvelope is wonderful. However, it won’t protect the following things, and do take note that a lot can be discerned from the metadata that is attached to your emails.
- Recipients: The senders and receivers of the letters will not be encrypted and can still be picked up by anyone who gains access to your emails.
- Subjects: Subjects of emails are not encrypted and will still appear.
- Headers: Other header information that is included with the email.
- Attachments: Attachments will not be encrypted either. However, Mailvelope has a tab for encrypting files, which you can use to separately encrypt your files before attaching them.
Also take note that if the private key falls into the wrong hands, all of your encrypted emails can be accessed.
With these considerations in mind, you’ll be able to make full use of PGP encryption and enjoy a modicum of privacy in a world where it is fast becoming a luxury.