Email Encryption & My PGP Info

My PGP Info

If you’re ready to start encrypting your email, scroll down just a bit to read about how I got started. If you already use PGP (or GPG), here’s the info you may be looking for about me:

I’m currently using a key with the ID of A984EFF1. Its fingerprint is:

444B A830 BD5B 0DB0 56BD E11C 68F2 D169 A984 EFF1

I’ve published this fingerprint on my Twitter bio, on a WNYC blog post and in the sidebar of this website, among other spots. Publishing the fingerprint in several places helps you be more certain that the fingerprint and key associated with me actually belongs to me.

I’ve also published my full public key on the MIT Public Key Server here and at http://pgp.johnkeefe.net/A984EFF1.asc.
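As an added illustration (not code from the original post) of why the full fingerprint, rather than the 8-character key ID, is the thing to compare: the shell snippet below normalizes a fingerprint copied from different places (spaces, lowercase, line breaks), checks that the copies agree, and shows that the short key ID is simply the last eight hex digits of the fingerprint, so the ID alone pins down a key far less precisely. The sample strings are the fingerprint and key ID quoted above.

```shell
# Added example: compare PGP fingerprints gathered from several sources.
# Canonical form: uppercase hex with all whitespace removed.
normalize_fp() {
  printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# The short (32-bit) key ID is just the last 8 hex digits of the
# 40-digit fingerprint, which is why the full fingerprint is published.
short_key_id() {
  fp=$(normalize_fp "$1")
  printf '%s' "${fp#"${fp%????????}"}"
}

# Return 0 if every fingerprint given matches the first one, 1 otherwise.
fingerprints_agree() {
  ref=$(normalize_fp "$1"); shift
  for fp in "$@"; do
    [ "$(normalize_fp "$fp")" = "$ref" ] || return 1
  done
  return 0
}

# Demo: the same fingerprint as it might be copied from a bio, a blog
# sidebar and a key server listing (constructed variants of the value above).
FP_BIO="444B A830 BD5B 0DB0 56BD E11C 68F2 D169 A984 EFF1"
FP_SIDEBAR="444ba830bd5b0db056bde11c68f2d169a984eff1"
FP_SERVER="444B A830 BD5B 0DB0 56BD E11C
68F2 D169 A984 EFF1"

if fingerprints_agree "$FP_BIO" "$FP_SIDEBAR" "$FP_SERVER"; then
  echo "All copies agree; short key ID is $(short_key_id "$FP_BIO")"
else
  echo "Fingerprints differ: do not trust this key" >&2
fi
```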

Another key, with the ID of 6E87C2D0, also belongs to me. I had originally planned to revoke it at the end of April 2015; I revoked it on November 1, 2015.

Encrypting Email

Most email these days zips across the internet in an open format someone can read in transit — even though the sender’s and receiver’s mailboxes are password protected. In that way, emails are more like postcards.

Encryption can help keep information private in transit. PGP, or “Pretty Good Privacy,” is one way to encrypt email and other text. (GPG stands for “GNU Privacy Guard,” and is basically the same thing.)

Encrypting email seems like one of the most natural ways to communicate securely, but it’s unfortunately complicated to set up. I’ve jumped in, and I'm sharing my steps here so they might help others.

Caveat & credit

I’ll say upfront that I am not an expert on encryption or operational security. By any means. I'm a journalist who would like the option of keeping his communications secure. If your life or livelihood depends on secure communications, please rely on resources provided by experts.

Also, I’ve benefited from generous journalists who are more experienced and have shared their tips and tricks. These include Jeff Larson, Mike Tigas, Harlo Holmes and Aurelia Moser. Look up their stuff. They’re awesome.

Here, then, is how I started using encryption for email.

Download

First I downloaded the GPG Suite at gpgtools.org for my system, which is Mac OS. My apologies, but I’m not familiar with GPG on other platforms.

Verify

Since the whole point of this effort is security and integrity, I wanted to be sure the file I downloaded was an exact copy of the file distributed by the GPG developers — and not something that was altered or corrupted. There are helpful verification steps described here. Here’s what I did:

  • Opened Terminal
  • Went to my Downloads folder and checked the name of the downloaded file (yours may be different, depending on the current version): GPG_Suite-2015.03-b6.dmg

  • Typed:

    /usr/bin/openssl sha1 GPG_Suite-2015.03-b6.dmg

    and got

    SHA1(GPG_Suite-2015.03-b6.dmg)= 6621fc1da5211650b6ef4aa959fdd385a6a5a6d5

  • The part after the equals sign is a “hash” of the file, providing a kind of fingerprint based on all of the data in the file. It will be different for different versions of the software.

  • I compared that result with the SHA-1 hash posted on the gpgtools.org website (again, yours may be different, though the two should match).

    That's a match, so I'm good.
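The eyeball comparison above can be done by a script instead, which avoids misreading one hex digit among forty. This is an added example, not from the original post or from GPG Tools: it computes the digest with openssl (as the post does, with a coreutils fallback) and compares it to the hash copied from the vendor's page, ignoring spacing and letter case. The demo file and hashes are constructed for the illustration, not real GPG Suite values.

```shell
# Added example: verify a downloaded file against a published hash.
# Print the hex digest of file $1 using algorithm $2 (sha1 or sha256).
file_digest() {
  if command -v openssl >/dev/null 2>&1; then
    openssl dgst -"$2" "$1" | sed 's/^.*= *//'
  else
    "${2}sum" "$1" | cut -d' ' -f1     # coreutils fallback: sha1sum / sha256sum
  fi
}

# Compare the file's digest with the published value.
# Whitespace and case in the published value are ignored so a hash
# copy-pasted from a web page still compares. Returns 0 on match, 1 otherwise.
verify_download() {
  file="$1"; published="$2"; algo="${3:-sha1}"
  want=$(printf '%s' "$published" | tr -d ' \t\n' | tr 'A-F' 'a-f')
  got=$(file_digest "$file" "$algo" | tr 'A-F' 'a-f')
  if [ "$got" = "$want" ]; then
    echo "OK: $file matches the published $algo hash"
    return 0
  fi
  echo "MISMATCH for $file ($algo):" >&2
  echo "  published: $want" >&2
  echo "  computed:  $got" >&2
  return 1
}

# Demo with a constructed file; for a real download, pass the .dmg path and
# the hash shown on the vendor's site instead.
demo_file=$(mktemp)
printf 'hello' > "$demo_file"
verify_download "$demo_file" "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
verify_download "$demo_file" \
  "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" sha256
rm -f "$demo_file"
```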

(Now that I’ve been using a version of GPG I trust, when I download updates I also use GPG to do a verification. Here’s how I do that.)

Install

Having verified the software is intact, I launched the .dmg file to install GPG Suite. The suite contains a set of modules. One is called “GPG Keychain,” and another modifies Apple Mail, which likely came with your computer, so it can send and receive encrypted email.

Make a new key

Once everything was installed, I launched "GPG Keychain" from my Applications folder.

I then made a new key, with the “New” icon. (If you have an existing key, you can look it up with “Lookup Key,” searching by your email address or name, and import it.)

  • I use my real name, so people can find me in key services
  • The email address matches the one I use to send and receive my email
  • I upload my public key so people can find me
  • I use the longest key possible
  • I have my key expire
  • I use a strong passphrase (GPG tools warns you if you don’t)

Making a key this way publishes your “public key” to the world. It also stores your super-secret “private key” on the computer you are using. This “private key” is what GPG Keychain and Apple Mail will use to decode messages sent to you. It is super important to keep it super secret. This means things like using a strong passphrase, using full-disk encryption on your computer and keeping your private key off cloud services like Dropbox. Some folks keep it off their computers entirely and use a sub-key instead.

Make a revoke certificate

This was an important step, I learned. If my private key gets lost, stolen or otherwise compromised, I need a way to disable it even if I don’t have it. A revoke certificate does that.

In GPG Keychain, I clicked on my key and then went to the top menu to Key -> Generate Revoke Certificate ...

I keep the resulting file in a safe place apart from my key.

All good?

Now I fire up the Apple Mail app. If all is working well, there is a shiny green "OpenPGP" box at the top edge of a new message window.

And in the Mail preferences, there’s now a GPG window with happy indicators.

As you can see, I’ve chosen to encrypt and sign all of my Mail emails whenever possible.

If things are not working well, here are a couple of bumps I hit and solved:

  • My Mail email account’s address needed to match the address in my key. Another option is to add a second “User ID” to the key, which I did by going into GPG Keychain, clicking on the key, clicking on “User ID” and clicking on the + sign.
  • I hadn’t used Mail before, and it seemed to hang initially. Turns out it was actually downloading all of my online mail. This can take hours (!). When it was done, I restarted Mail and things worked.

Sending encrypted email

To send someone an encrypted email, I go to “GPG Keychain” and look up their public key, either with their email address or — even better — with their PGP key fingerprint.

As a test, I used teammate Alan Palazzolo’s fingerprint to search for his key, and then imported it.

Switching back to Mail, I typed his email address into the "To:" field and the lock icon turned blue. That means I’m ready to send him an encrypted message. (The second symbol indicates I have digitally signed the email, which is useful but not an indication that it is encrypted. The lock is what I want.)

Importantly, the subject line and other meta information, including the fact that he and I are corresponding at all, are not encrypted. Also, I trust Alan to keep our conversation private, but there’s really nothing preventing him from copying a decrypted version of my note and posting it on the internet.

What do I have wrong?

This stuff gets complicated, fast. If Citizenfour is any indication, even journalists working on the most sensitive stories make mistakes with “OpSec,” or operational security.

If you see a mistake here, or have links to more resources, please let me know. You can leave a message in the comments … or send me an encrypted email.


Top photo (CC) David Bruce / Flickr