Secure E-Mail

If you don't like the thought of people reading your e-mail whilst it's bouncing across the Internet, then you need to do something about it. That means securing it with encryption. You can use PGP (or GPG) and/or S/MIME.

PGP and GPG

PGP has been around since the mid '90s. Its code has been peer reviewed many times, and it went from being free and open, to closed and proprietary, and back again. Of course, you can't keep a good thing down, and the old code was kept up to date and free in various guises. One of the most popular is GPG. From now on, I will refer to PGP as a standard, rather than the software, so it covers both PGP and GPG.

PGP is a means of signing and/or encrypting, plus decrypting and/or verifying, data. This started with ordinary files; as graphical mail tools became common, plug-ins or similar were used to provide the same functionality within the GUI. The mail client you use will determine how you set up PGP. As a starting point, I would recommend looking at GPG and seeing how it interacts with your software.

Once installed, PGP will (should) generate a key pair for you, and this is usually identified by your email address. Once created, you can send your key to other people, or to public key servers. People can then install that key into their system, and from that point can encrypt emails or even files to send to you. This is how PGP works. Your "key" is divided into two parts. One part is "public" and is intended to be given to anyone; it doesn't matter who has this part of the key, even your worst enemy. The other part is "private", and you keep this part to yourself. The PGP software won't send the private part to anyone, and locks it with a password, or even better, a pass-phrase. Choose something long and meaningful.

When someone emails you their public key, your software should recognise it for what it is, and install it locally into your PGP software. When you send someone an email, you click on the relevant icon to encrypt the email, and the rest will be taken care of. Notice that if you encrypt only, then you don't enter your pass-phrase. This is because encrypting uses the recipient's public key, so you're not accessing your private key. You would only need to enter the pass-phrase if you are decrypting an email, or you are signing your email to let the recipient know that you and only you sent the message.
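The key exchange described above, as an added example that is not part of the original page: two throw-away GnuPG keyrings (gpg 2.1 or later assumed) stand in for two people's mail set-ups, and the script shows which steps touch only a public key and which ones unlock a private key with its pass-phrase. The names, addresses, pass-phrases and the message are constructed.

```sh
# Added example, not from the original page: the PGP key model walked
# through with GnuPG (gpg 2.1 or later) in two throw-away keyrings, one
# per party. Names, addresses, pass-phrases and the message are constructed.
demo_pgp_exchange() {
    work=$(mktemp -d)
    ALICE="$work/alice"; BOB="$work/bob"
    mkdir -m 700 "$ALICE" "$BOB"
    A='alice@example.invalid'; B='bob@example.invalid'

    # Each party generates a key pair locked with a pass-phrase. --batch and
    # --passphrase only replace the interactive prompt so the demo runs unattended.
    gpg --homedir "$ALICE" --batch --quiet --pinentry-mode loopback \
        --passphrase 'alice-demo-pass' --quick-generate-key "Alice <$A>" default default never
    gpg --homedir "$BOB" --batch --quiet --pinentry-mode loopback \
        --passphrase 'bob-demo-pass' --quick-generate-key "Bob <$B>" default default never

    # Only the PUBLIC halves travel between the parties (by e-mail or key server).
    gpg --homedir "$BOB" --quiet --export --armor "$B" > "$work/bob.pub.asc"
    gpg --homedir "$ALICE" --quiet --export --armor "$A" > "$work/alice.pub.asc"
    gpg --homedir "$ALICE" --quiet --import "$work/bob.pub.asc"
    gpg --homedir "$BOB" --quiet --import "$work/alice.pub.asc"

    # Encrypting to Bob uses only his public key: no pass-phrase is needed.
    echo 'meet at noon' > "$work/msg.txt"
    gpg --homedir "$ALICE" --quiet --batch --trust-model always --recipient "$B" \
        --encrypt --output "$work/msg.gpg" "$work/msg.txt"

    # Encrypted to Bob alone (mail clients usually add the sender's own key too),
    # so Alice holds no matching private key and cannot read it back herself.
    if gpg --homedir "$ALICE" --quiet --batch --decrypt "$work/msg.gpg" >/dev/null 2>&1; then
        return 1
    fi

    # Decrypting uses Bob's PRIVATE key, which is where his pass-phrase is needed.
    gpg --homedir "$BOB" --quiet --batch --pinentry-mode loopback --passphrase 'bob-demo-pass' \
        --decrypt --output "$work/msg.out" "$work/msg.gpg"

    # Signing likewise unlocks Alice's private key; verifying needs only her public key.
    gpg --homedir "$ALICE" --quiet --batch --pinentry-mode loopback --passphrase 'alice-demo-pass' \
        --clearsign --output "$work/msg.asc" "$work/msg.txt"
    gpg --homedir "$BOB" --quiet --batch --verify "$work/msg.asc" 2>/dev/null
    ok=$?

    # Plaintext must round-trip; then stop the agents gpg started and tidy up.
    cmp -s "$work/msg.txt" "$work/msg.out" || ok=1
    gpgconf --homedir "$ALICE" --kill gpg-agent; gpgconf --homedir "$BOB" --kill gpg-agent
    rm -rf "$work"
    return $ok
}
```

Calling demo_pgp_exchange returns exit status 0 only when Bob's decryption reproduces the message and Alice's signature verifies; the failed decryption in Alice's keyring is the point of the exercise, not an error.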

My PGP key

S/MIME

To use S/MIME you need a certificate. This is something that identifies who you are, and contains the information required for someone to send you an encrypted message. It's very simple to use S/MIME if you are using common e-mail programs such as Outlook Express, or a Mozilla based package such as Thunderbird.

Obtaining a certificate is now more difficult than it used to be. Back in the day, Thawte had a Web Of Trust programme which enabled people to cross-certify others, and they gave these certificates for free. Thawte was then sold to Verisign, who continued the programme for many years before finally closing it down. I guess there's not a lot of money to be made in giving stuff away.

There are places where you can obtain an S/MIME certificate, or more correctly an X.509 certificate, but you would need to do your own research on that. Since Verisign closed down the Web Of Trust programme, I've not bothered obtaining new certificates, and nearly all of my contacts have moved over to PGP/MIME.

If you do stick with S/MIME, you need to get the certificate into the email client. Exactly how this is done depends upon the type of client used.

The next stage is to send your certificate to your contact. All you need to do is create a message, and select the option to "sign" that message. If you are using Outlook, it will help if you send a "clear signed" or "detached" signature, as it will be understood by more email tools. If you'd like to put your certificate onto a website, then that's a little more involved, but it can be done.

Your contact should then send you a signed message, and depending upon your email client, it will probably install the certificate for you. Or you can import their certificate from a file or website. Now that you have their certificate, you can encrypt your next message, and no-one apart from you and the recipient can read it. If your mail tool is sensible, then it will automatically choose the option to encrypt a reply to an encrypted mail you receive. Very handy.

Copyright © 1995-2010 Dave Roberts