Securing your email
With the recent news surrounding privacy implications here in the US, I’ve taken it as an opportunity to encrypt and sign more emails that I send.
Motivations
The motivations I have behind sending encrypted email aren’t to hide secrets, as I don’t really have anything to hide from the government. That said, I dislike the act of surveillence without cause in itself. I believe the simple act of passively recording all information is an inherintly immoral one and is easily corruptable. Couple this with recent statements like:
The NSA “requires retention of all communications that are enciphered […] sufficient duration may consist of any period of time” (via)
As the article points out, the overriding assumption is that your discussions are monitored and unprotected by the 4th ammendment by default.
So what is one to do? I’ve written my senators. Thankfully Ron Wyden is leading the charge, so to speak, on this issue in DC. Unfortuantely, that feels gravely inadequate for the abuses of power here. As the most actionable thing I can conceive of, I’m going to start encrypting more email. If, as a society, we encrypt enough email, we may be able to cause data storage issues for those storing our personal communication. Its a small act of rebellion, but it is some act.
How to secure your email
I’ve worked through how to secure your email through Thunderbird/Enigmail and Mail.app/GPGTools. I had better luck with GPGTools, so that’s what I’ll be showing.
Underlying Concepts
There are a few underlying concepts to secure email: encryption, signing and trust.
Encryption is a simple concept here. We take a bit of text, run it through a program and get out something that can’t be read by people who weren’t the intended recipient. There’s a nifty mathematical trick (easy-to-understand explaination) which makes this possible.
The second concept is signing. Signing a message is the computer-y method of proving you are who you say you are to another user. It’s similar to how you provide a username and password to log into your email, but you don’t want to have to give a separate secret username and password to each person you meet online. Unlike a username and password, signatures can't be mimiced by others.
Signing a message with this electronic signature allows people to know its you. This signature hooks into people’s email program and shows that you’re a trusted user. This is similar to how the green lock icons appear in the web browser when you’re on a secure website.
Last but not least is trust. Trust is the hardest part of the equation. You need to get some information from another person without the possibility of some malicious user posing as them. This is typically done through two different methods. These methods might be something like an online chat room in addition to an in-person meeting. The benefit here is that by seeing the other person face-to-face (and validating state-issued ID), its clearer that they are who you think they are. When you’re satisfied that they are who they say they are, you “sign” their key. This signing is basically a public declaration that you’ve checked up on this person and you think that this key legitimate. This is similar to, but not exactly the same as, signing a message we mentioned above. How to do it
As for the how, the folks at GPGTools have done a solid job of providing a screen-by-screen walkthrough.
If you’ve managed to get through that walkthrough, feel free to send me an encrypted email. To get my key, open GPG Keychain Access, select “Key > Search for Key” from the menu bar. Enter my email address (justin@abrah.ms). From here, you should be able to send me an encrypted and signed email from your Mail.app.