Tuesday, February 3, 2009

Email Encryption with Thunderbird

Not too long ago I was inspired to set up public/private key encryption for my email. This is something that has been on my list to do for a while and it turned out to be much easier than I’d thought it would be.

Public/Private Key Encryption
The idea behind key pairs is that you create two mathematically linked keys: a public key that you can hand out to anyone and a private key that you keep to yourself. Anything encrypted with the public key can only be decrypted with the matching private key, and anything signed with the private key can be verified by anyone who holds the public key.
An example: Alice and Bob want to be able to communicate with each other but don't want Charlie to be able to read their messages. So they each set up a public/private key pair. Alice and Bob both post their public keys on their personal websites and very carefully protect their private keys. When Alice wants to send a secret message to Bob, she encrypts it using Bob's public key. If Charlie intercepts the message on its way to Bob, all he can see is gibberish, even though he can download Bob's public key just like Alice did. Bob, however, can decrypt the message using his own private key. When he wants to reply to Alice, he encrypts his message using Alice's public key so that it can only be decrypted by Alice with her private key. The one thing to watch is that Alice really has Bob's public key and not one Charlie put in its place, so before using a key you downloaded, compare its fingerprint with the owner over a channel you trust.

Your Turn
The first thing you will need to do is install GnuPG, which is the program that actually handles the keys; Enigmail only drives it. GnuPG is packaged separately for each operating system: if you're running Windows, install Gpg4win; if you're running Mac OS X, install MacGPG2; on Linux, use your distribution's gnupg package, which is usually installed already.
Set up an email account using the fantastic cross-platform application Mozilla Thunderbird. Once you have that installed and an email account linked to it, download and install the Enigmail extension. To install an extension in Thunderbird, go to Tools>Add-ons. Click the "Install..." button and then navigate to where you saved the Enigmail file. You will need to restart Thunderbird for the extension to take effect.

You will now notice a new menu called OpenPGP. Click OpenPGP>Key Management, then Generate>New Key Pair. Pick the email account you want to use the key pair with and choose a passphrase for your private key. The passphrase is the only thing protecting the private key if someone copies the key file, so make it long (I recommend at least 15 characters) and tell no one. You can also set the key to expire automatically after a certain time, or never; that is up to you, but an expiry date limits how long a lost or stolen key stays usable. Now click "Generate key" and confirm with "Yes." Generating the key pair may take a little while.

The next thing you will be asked about is creating a revocation certificate. A revocation certificate is a short message, signed with your private key, that says this key pair is no longer any good. Anyone who gets hold of it can publish it and invalidate your key pair, so store it somewhere safe and offline, not in your mailbox. Do not lose it either: if your private key is lost or you forget the passphrase, it is the only way left to tell your correspondents to stop using the key. You will need to type your passphrase to create the revocation certificate.

Now for some configuration tweaks. Go to Tools>Account Settings... and click the "OpenPGP Security" tab under your account to use your key pair with it. Check the box at the top to enable OpenPGP for the account. If you want to, you can also specify here that messages are signed and/or encrypted by default. Clicking the "Advanced..." button brings up another set of options. By default, Enigmail will remember your passphrase for 5 minutes after you enter it; you can adjust that here. I recommend changing that 5 to a 0 (zero) so that you must re-enter your passphrase every time, which means an unattended Thunderbird window cannot be used to read or sign with your key, but that is up to you.
