We all need it but we hardly ever use it. So I want to describe the concepts behind a popular method for securing email that works no matter which email client you are using (even Gmail). It's called PGP — Pretty Good Privacy.
Now, I won’t delve into the little details about click here and do this or do that. The goal is to give you an overview of how email security works. You can then download any PGP software you like or use the one integrated with your email client and find the buttons or commands associated with the security functions described here.
The idea behind securing your email is very simple. First, you and each of your friends need to have a pair of keys (public key, private key). Then, when you want to send an email to your friend Bob, you encrypt the email with Bob’s public key. When you do this, no one but Bob can decrypt the message because only he has the decryption key — Bob’s private key.
Although the idea is so simple, there are obstacles that make it hard to use for everyone:
1. Not only do you need to use PGP to secure your email; everyone you send emails to must do so as well.
2. How do you find keys for the people you need to send emails to?
3. How do you trust the keys?
There is no good solution for (1). You have to personally convince your friends to get going with securing their emails. I know it's hard but keep trying.
Fortunately, there are decent solutions for (2) and (3). Solution for (2): When you download PGP software, the first thing you need to do is find a way to create a key pair for yourself. Note that your friends will be doing the same. The software will then have a way for you to upload your keys to a public key server. Don't worry, only your public key is uploaded. Your private key is encrypted and stored on your computer. Only you can decrypt and use your private key, because it is protected with a passphrase that the software should have asked you for when you created the key.
The software will also provide you with a way to search public keys using names or email addresses. This is how you find a friend’s public key. The software should then allow you to store and organize any keys you find.
The email client comes in next. It should provide you with a way to choose your friend’s public key when sending secure email to him or her. It basically knows about the PGP software and where it stores your friend’s keys.
Solution for (3): Each key that you store has a trust ranking. Suppose you create your own key. That key has "ultimate" trust. Then your friend might personally give you her key and you can mark that trusted as well. Your friend might also recommend a website to download her key from. In this situation, make sure to call your friend after downloading the key and read its fingerprint out to her to confirm it is the correct one.
The way you mark a key trusted is by signing it with your own key and then maybe clicking a check box or two saying how much you trust it. Then you go ahead and upload your friend's key as well. Now, if her key is already listed on the key server, its trust ranking should go up. If not, a trusted key for her can now be found by your other friends.
You should not mark a key trusted unless you are absolutely sure about its source and the integrity of the key itself.
To summarize, download PGP software or just find out how your email client supports PGP (believe me, most already do, you just have to find the feature). Then create your key, find your friend’s keys, call them and verify the key is correct, mark the keys trusted, upload all the keys, and encrypt email you send with the respective friend’s key.
That’s it! I hope all of us start using PGP, because without it, our emails just travel in the clear every day across the world through possibly unprotected servers. So much happens over emails now that it is absolutely imperative that we protect the information contained in them.