How To: Send E-mails Securely and Confidentially
By Omeed Chandra
Shell out $60 for PGP Personal Desktop and you’ll get PGPdisk (for encrypting files on your hard drive), as well as convenient plug-ins for ICQ and several popular e-mail clients. If you want to use the freeware version of PGP instead, uncheck all these optional components during installation.
STEP 1: WHAT IS PRETTY GOOD PRIVACY?
Regular e-mail is perfectly fine for casual communications, but what if you need to send a private e-mail regarding an important matter? The solution is a tool called PGP, an acronym for “Pretty Good Privacy.” PGP uses public-key encryption, which means it works with two kinds of keys: public and private. You first generate a public key and a private key for yourself; then you and your contacts add each other’s public keys to your respective “key rings.” Using these keys, PGP encrypts e-mails so that only the intended recipients on your key ring can read them, and signs them so that the recipient can verify that the sender is who he or she claims to be.
PGP has been around for many years and is the most popular method of e-mail encryption in use today. It exists in several flavors, including a freeware version for noncommercial use. To get started, download and install the latest release, minus all the optional plug-ins and features (none of which are free). When the installer asks if you already have keys you’d like to use, select “No, I’m a New User.”
STEP 2: CREATE YOUR PGP KEYS
The first time you reboot your computer after installing PGP, the License Authorization window will appear. Click the Later button to make it go away, and then look for the PGP padlock icon in the notification area of your taskbar (at the bottom-right of your screen). Right-click the padlock and choose PGPkeys to open the PGPkeys window. From the Keys menu, open the Key Generation Wizard by clicking New Key. Click Next, enter your name and e-mail address, and click Next again. This will bring you to the most critical part of the key-generation process—choosing a pass-phrase. Your pass-phrase should be long and complex, ideally encompassing a combination of spaces, symbols, numbers, and letters. When you’re done, click Next, Next again, and then Finish.
Note that PGP offers a multitude of different encryption methods and strengths to choose from. These settings can be accessed by clicking the Expert button on the first screen of the Key Generation Wizard, but because the default encryption method (256-bit AES) is well-suited to our purposes, we won’t mess with it.
Your pass-phrase is the weakest link in the security of PGP, so it’s imperative to pick one that’s difficult to figure out, but that you’ll still be able to remember. To assist in this process, PGP rates the quality of your pass-phrase as you type it in.
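To make the pass-phrase advice concrete, here is a small strength estimator written for this article; it is an added illustration, not PGP’s own rating algorithm. It estimates an upper bound on entropy from length and the character classes actually used (lowercase, uppercase, digits, symbols, spaces), rejects anything on a short constructed list of common pass-phrases, and maps the result to a rating. The thresholds (40/60/80 bits) and the common-pass-phrase list are assumptions chosen for the example.

```python
"""Pass-phrase strength estimator in the spirit of PGP's quality meter.

Added illustration, not PGP's own algorithm: it scores an upper bound
on entropy from length and the character classes actually used, and
flags pass-phrases from a small constructed list of common choices.
"""
import math
import string

# Constructed sample of common pass-phrases; a real meter uses a large wordlist.
COMMON_PASSPHRASES = {"password", "123456", "qwerty", "letmein", "welcome"}

# (characters in the class, size of the pool that class adds)
_CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation), 32),
    (frozenset(" "), 1),
)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper-bound estimate: length * log2(pool of the classes actually used).

    It assumes every character was chosen uniformly, so a dictionary phrase
    scores higher than it deserves; treat the number as a ceiling.
    """
    if not passphrase:
        return 0.0
    used = set(passphrase)
    pool = sum(size for chars, size in _CLASSES if used & chars)
    # characters outside every class (e.g. accented letters) each widen the pool by one
    pool += len([c for c in used if not any(c in chars for chars, _ in _CLASSES)])
    return len(passphrase) * math.log2(pool)


def rate_passphrase(passphrase: str) -> str:
    """Map the estimate to the kind of rating a meter shows while you type.

    The 40/60/80-bit thresholds are an assumption for this example.
    """
    if passphrase.lower() in COMMON_PASSPHRASES:
        return "weak"  # a known-common phrase loses regardless of the arithmetic
    bits = passphrase_entropy_bits(passphrase)
    if bits < 40:
        return "weak"
    if bits < 60:
        return "fair"
    if bits < 80:
        return "good"
    return "strong"


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {passphrase_entropy_bits(candidate):.1f} bits, "
              f"{rate_passphrase(candidate)}")
```

The point the numbers make is the one in the text: a long phrase built from ordinary words and spaces scores far above a short string with symbols in it, which is why PGP nudges you toward length rather than cleverness.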
STEP 3: EXCHANGE KEYS AND EMAILS WITH OTHER PGP USERS
In order to send and receive secure e-mails with other PGP users, you must first exchange public keys with them. To do this, open the PGPkeys window by right-clicking the PGP padlock icon in the notification area and clicking PGPkeys. Select your name from the list of keys displayed, click Edit, and then choose Copy to send your public key to the clipboard. Now fire up your favorite e-mail client, create a blank message, and paste your public key into the message window. Sending this e-mail to fellow PGP users will allow them to add your public key to their key rings.
When sending an encrypted message using PGP, you’ll be prompted to specify who is allowed to read the message by dragging people from your key ring to the Recipients list. If you forget to add the intended recipient(s) of an e-mail to this list, they won’t be able to read it.
You’ll also need to add your contacts’ keys to your own key ring. Have them send you an e-mail with their public key using the procedure just described. When you receive the e-mail, open it in its own message window (to do this in Microsoft Outlook, go to your Inbox and double-click the desired message). Next, right-click the PGP icon in the notification area, choose Current Window, and then click Decrypt & Verify. PGP will examine the PGP key block in the window and present you with several options. If the message sender isn’t already on your key ring, you will be prompted to add him or her. (You might need to manually sign the sender’s key to verify its authenticity. To do this, right-click the person’s name in the PGPkeys window, click Sign, and then click OK.) Then right-click the person’s name again, choose Key Properties, move the Trust Model slider to Trusted, and click Close.
After that, it’s easy to exchange encrypted messages with other PGP users. To send an encrypted e-mail, type the e-mail using your favorite client, then (with the message window selected) right-click the PGP icon in the notification area, choose Current Window, and click Encrypt & Sign. When prompted, select the intended recipients of the message from your key ring and click OK. You can now send the e-mail as you normally would. To read an encrypted e-mail sent by one of your contacts, open the message in its own window, right-click the PGP icon, choose Current Window, and then click Decrypt & Verify. PGP will verify that the sender is indeed who he or she claims to be, and then decrypt the e-mail so you can read it.