Back to homepage of Daniel von Wachter
Deutsche Anleitung zum Verschlüsseln von Email
Unencrypted email can be read by others relatively easily. The motive for spying emails can be to create profiles of everyone. These can be used for advertising or for political purposes. Many people believe that the secret services can also read encrypted emails, but that is not true: emails that are encrypted with S/MIME or PGP practically cannot be cracked.
Proper email encryption is end-to-end, which means that the email is encrypted on the computer of the sender and decrypted on the computer of the recipient. The sender and the recipient need a key, also called ‘certificate’, which consists of a private key and a public key. The sender encrypts the email using the recipient's public key. The recipient decrypts the email using his private key. You must keep your private key secret and keep a backup. You must give your public key to everyone whom you want to send encrypted emails to you.
Keys (certificates) are also used for signing emails. A signature proves that the email really comes from the email address in the ‘from’ field.
There are two systems for email encryption: PGP (Pretty Good Privacy) and S/MIME (also called X.509). Both are equally secure. The advantage of PGP is that you can create your key yourself for free and choose how long it is valid, whereas free S/MIME certificates are valid only for one year. The advantage of S/MIME is that most email programs contain it already, whereas for PGP you have to install an extra software.
Both systems are particulary easy to use with the email client (software) Mozilla Thunderbird. For webmail encryption is possible but a bit less secure because you have to install your private key in the webmail server. If you try Thunderbird you will find that it is much faster and convenient than webmail anyway.
For free email services remember: If a service is free, then you are the product. Free email services like Gmail are free because they make money by analysing the content of your emails (though they cannot do it with encrypted email) in order to profile you or by exposing you to advertisements. For little money you can get an ad-free email account.
Emails can be written in HTML or plain text. HTML sometimes causes trouble for encryption and looks bad if it is used unintentionally. MS Outlook and many webmailer use HTML as default, with fonts so small that the emails are hard to read (and the viewed size cannot be increased by Ctrl++ as easily as in plaintext). Use HTML only if you need it in order to design the email, e.g. by using different font sizes, font types, and colours. Instructions for turning off HTML: rackspace.com; switch off HTML in Gmail. Instructions for Outlook 2013: Click the "File" tab, then choose "Options" followed by "Mail." Click "HTML" in the "Compose messages in this format" list in the "Compose Messages" section.
Install Mozilla Thunderbird and create an account for your email address. You can use the protocol IMAP, which allows you to read your email from various computers, or the older POP3.
Install GnuPG. If you use Linux, it is probably already installed. GnuPG is a software that implements the OpenPGP standard
Install the add-on Enigmail.
Enigmail creates in Thunderbird the menu ‘Enigmail’. Start the Setup Wizard (Einrichtungsassistent) or do the following steps manually:
Send your public key to those people whom you want to send encrypted emails to you, using the menu option Enigmail–Attach My Public Key. You can also upload your public key to a key server. All key servers are synchronised automatically. You can find other people's public keys on the key server.
All your keys and other people's public keys can be seen in Enigmail–Key Management. They are not stored in Thunderbird. If you want to use them on another computer, you need to export and import them. The other Thunderbird settings and the emails can easily copied to another computer by copying the profile folder. Instructions: mozilla.org, mozillazine.org. You should make backups of the profile folder regularly.
In order to encrypt an email, choose the options ‘encrypt’ and ‘sign’ in the menu or on the symbol bar.
Inline-PGP encrypts only the content your the email, not the attachments. PGP/MIME encrypts also attachments.
You can use one PGP key for several email addresses (which is not possible with S/MIME certificates). You can also add an email address to an existing key.
Thunderbird stores S/MIME cerificates in its profile folder. So if you move the profile folder to another computer, you have also the S/MIME certificates.
While you create a PGP certificate yourself, S/MIME (also called X.509) certificates are generally created by a ‘certificate authority’ (CA), which guarantees to the recipient with a certain degree of reliability that the certificate and the email address really belong to you. In order to be able to use a certificate you have to have installed in addition the ‘CA certificate’. A CA certificate can be based on a further CA certificate. A CA certificate that is not based on another CA certificate is called ‘root certificate’.
First you need to obtain an S/MIME certificate. You can obtain a free certificate that is valid for one year from one of the following certificate authorities (CA): StartSSL, mysecuremail.ch, Comodo. Also CAcert, which is non-profit, is recommendable, but you as well as the receiver of your emails have to install the CA certificate manually, while the other CA certificates are already contained in Thunderbird.
If you want a certificate that is valid for longer than one year, you can either buy one that is valid for three years from a CA, or you can create one yourself, either by creating a self-signed certificate or by creating a CA certificate with which you then create a user certificate for you (or other people). For this you can use the program XCA or the Firefox add-on Key-Manager. But in that case the recipients have to install your self-signed certificate or your CA certificate.
If you want to send me emails encrypted with my S/MIME certificate, you need to install first my CA certificate. For this, enter Tools–Options–Advanced–Manage Certificates–Authorities–Import. Once you have installed it, you need to klick on ‘Edit‘ and then tick the box ‘Trust this CA to identify email users’. Here is a step-by-step guide. If you get stuck in setting up encryption, it may well be because you have not installed or not trusted the CA certificate.
If you have obtained your certificate and you have installed and trusted the CA certificate (or if it is already contained in Thunderbird), install your certificate in the Certificate manger in the tab ‘Your Certificates’.
In the account settings choose your certificate for signing and for encryption. I recommend not to set signing and encrypting as default. With that you can choose manually whether to sign and to encrypt.
The S/MIME signature of an email contains the public key. So if you send a signed email and the recipient has the CA certificate installed, then your public key will be automatically imported.
In contrast to Thunderbird, MS Outlook does not store S/MIME certificates itself but uses the central certificate storage.
Important: Before you install your S/MIME certificate, you need to install the CA certificate on which your S/MIME certificate is based and specify that you trust it:
Now you can install your S/MIME certificate
Finally, tell Outlook to use that certificate.
Back to the homepage of Daniel von Wachter