Securing E-mail Communications

I promised a few people the other day that I would write a post on securing your e-mail communications. This post won’t be applicable to everyone, especially webmail users. I’m going to focus on a few tools that can be used locally on machines.

These tools are:

I actually use the Mac version of GnuPG available at

Thunderbird is the free e-mail program created by Mozilla, where I work. It is cross-platform and based on the same technologies as the Firefox web browser. It can connect to the IMAP and POP3 mail servers used by most providers. It can also connect with Gmail accounts but my knowledge of that is pretty weak (my Gmail account forwards to my account).

The Enigmail extension was developed as an add-on for Thunderbird that would allow seamless integration of cryptography functionality into Thunderbird. This piece has actually been the one that was missing in years past, making the use of cryptography with e-mail a serious pain in the ass. The extension is under active development and the last update was just a few days ago on August 4, 2007.

GNU Privacy Guard (called “GnuPG” from here on) is an open source cryptography program made available by…you guessed it… the GNU Project. For those without a deep history on the net or open source, GNU is one of the main providers of open source tools and philosophy, historically. You may have heard of its seemingly insane head, Richard Stallman, who regularly froths at the mouth on a variety of technical topics and points of law. GnuPG is an implementation of OpenPGP, which is an open standard for public/private key crypto communication.

I’m not going to give much more than a quick glossing over on cryptography here. Basically, with public/private key crypto, you generate a pair of cryptographic keys for yourself, a public one and a private one. The public one is…shared with the public. You give it away to your friends and family. The private key (also called the “secret key”) is kept secure on your machine and shown to no one.

Messages or files can be encrypted using GnuPG or other implementations of OpenPGP using your public key. At that point, the only way to extract the original contents is to use the private key associated with the public key. So, if you lose your private key, all previous encrypted data is inaccessible to you. Likewise, if someone gets your private key, they can extract data encrypted with your public key. The only speed bump in that process is that your private key also has a passphrase (like a password but hopefully much longer) associated with it. To decrypt data, this passphrase must also be entered when the private key is used. This acts as some security but anyone having a copy of your private key has a huge leg up on cracking your data. Keep that in mind (and don’t lose your key either).

Other than actual encryption of data, the other use of a public/private key pair is that you can use your private key to “sign” data, such as files or e-mail. This allows anyone with access to your public key to verify that the source of the data, the signer, is the holder of the private key associated with the public key. This acts as an excellent way (better than a physical signature, actually) to prove that the person sending a file, for example, really is you. You can also sign the keys belonging to other people, if you can verify that it is really that person, and send it to a keyserver on the Internet that holds public keys for people to see. This allows people to validate that other people are who they say they are, helping create a network of trust (so to speak).

Enigmail adds a bunch of user interface (buttons and menus) that allows Thunderbird to easily interact with keys that you have stored on your system. It will prompt you to enter your passphrase to decrypt data e-mailed to you or to encrypt or sign data going out.

Here are some sample screenshots of Thunderbird and Enigmail in action. You can click on these for a larger version.

[Screenshot crypto1] This is the UI on an e-mail message when composing after Enigmail is installed. Notice the “OpenPGP” button.

[Screenshot crypto2] If you click on the OpenPGP button, you have options to sign or encrypt a message with a secret key that you have generated.

[Screenshot crypto3] If you receive a signed message from someone with Enigmail installed, a pen icon appears in the message and a notice of the signature is shown above the message headers.

[Screenshot crypto4] Clicking on the green bar of the notice above the message will show you details concerning the signature.

[Screenshot crypto5] This is what a signed message looks like to e-mail programs that do not have Enigmail installed.

[Screenshot crypto6] If you choose to encrypt a message from the OpenPGP menu above, you are prompted for which public key to use to encrypt the message. If you don’t have a public key for someone, you won’t be able to encrypt mail to them. I chose myself, obviously.

[Screenshot crypto7] This is what an undecoded, encrypted message looks like to someone who receives it.

[Screenshot crypto9] If the user can decode it (they have the appropriate private key), this is how Enigmail within Thunderbird will display the message. Notice that a key has been added to the icons on the right, to show it is encrypted. The normal message text will be displayed below this.

[Screenshot crypto8] Clicking on the key icon will display more data concerning the message encryption.

The Enigmail team does have a help page up on their site at There are also other resources available to help get people going. I’m joining the e-mail list for it as well.

My own public key is:

Version: GnuPG v1.4.7 (Darwin)