Setting up encrypted mail in Chrome and Gmail

The use of Gmail is now ubiquitous. Unfortunately, it’s easy to read email in transit, and some national governments abuse their power to do exactly that. I have always used PGP to encrypt email, and today I thought I’d write down how to communicate with me, or with your friends, using signed and encrypted mail. I think the biggest reason email encryption is not used more is that it’s hard to set up. So, here is a simple, step-by-step tutorial that is easy to follow.

Installing and creating a key

  1. Install Mailvelope. Click “Add to Chrome”; a pop-up appears; click “Add”.
  2. A little padlock icon appears at the top right of your Chrome window.
  3. Click the little padlock icon, then click “Options”.
  4. At the bottom, click “Generate key”.
  5. Fill in Name (a fictitious name is fine), Email (the address you want to use, e.g. Jon.Doe@gmail.com), and a password that you will remember. This password is never sent anywhere; it is only used locally to unlock your private key when you read email that is encrypted to you.
  6. Click submit and wait for the generation to finish.
  7. Setup is done!

Obtaining keys of others

You need to get the keys of others so you can send encrypted email to them. Here is how.

  1. Look for your friend’s email here and copy the block of gibberish text that appears (that block is their public key), e.g. mine
  2. Click the little padlock icon at the top right of your Chrome window
  3. Click “Setup” in the list
  4. Paste the gibberish text into the text box
  5. Click Import
  6. It should say “success … Mate Soos [or your friend’s fictitious name] … imported”
  7. Done!

Sending encrypted email

  1. Go to gmail.com
  2. Click compose. Fill in subject and recipient (these will not be encrypted)
  3. You will see a little notepad icon in the email text body. Click it.
  4. A first pop-up appears. Write your mail here. Note that these drafts are not saved, so be careful not to lose your text
  5. Click “Encrypt”
  6. A second pop-up comes up. Your own email address is automatically added to “Encrypt for”
  7. In the drop-down menu at the top, select the destination email address (which you must have imported as per the setup above). Once you have selected the destination, click “Add” (don’t forget to click “Add”; it’s easy to forget)
  8. You now have 2 email addresses in the bottom list. One is yourself, one is the recipient
  9. Click OK. 2nd pop-up disappears. Your email is now encrypted in this popup.
  10. Click “Transfer”, 1st Pop-up disappears
  11. You are now in the compose window again. Don’t change anything, just click “Send”
  12. Done!

Reading encrypted email

  1. Go to gmail.com
  2. Click on the email to read it
  3. The email window opens; the email body is shown in yellow with a lock on top. Click it!
  4. Enter the password you used above
  5. The decrypted email appears

Backing up your private keys

  1. In chrome, click the top right padlock
  2. Click Options
  3. Click Export
  4. Popup appears. Click Download
  5. The file “all_keys.asc” is now saved to disk
  6. Keep this file backed up. Done!

Sending your public key to others

You need to send your public key to your recipient so they can send you encrypted mail (and verify your signature). It’s also a good idea to put it on a public site, like your blog or pgp.mit.edu.

  1. In chrome, click the top right padlock
  2. Click Options
  3. Pop-up appears. On the bottom, click the email address that says “primary”
  4. 2nd pop-up appears. On the top menu, click “Export”
  5. Here, make sure you have “Public” selected (it’s the default)
  6. Click download.
  7. Attach that file to an email to me or to anyone you want to be able to send you encrypted mail
  8. Upload the contents of the file here

Try not to confuse the private and the public keys. Send the public key to everyone. Never send the private key to anyone, ever.

Closing thoughts

Security professionals would point out that trusting the public key is not discussed above. It’s true, it’s not discussed, and it’s not easy to know what to trust. However, the vast majority of the time, the resurrecting duckling principle will work well — you trust the first thing you see, just like the duckling trusting that the first thing it sees is its mother. It’s imperfect, but the web of trust is very unintuitive and therefore may bring fewer benefits than most think. A technology that is good but unintuitive often harms more than most people would admit.

Trusting the first key will be good for most people. If you are in danger of being seriously harmed for the information you are about to send, though, please try to make sure the key you got is legitimate, for example by phoning your recipient and confirming the key fingerprint (displayed on the setup page).
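As an added example (not code from this post or from Mailvelope), here is a small Python script that takes the armored “gibberish text” from the import section, checks its armor checksum so that a paste damaged in transit is caught, and derives the fingerprint you would read out over the phone as described above. It assumes a constructed sample key with an old-format packet header and handles no other packet kinds.

```python
import base64
import hashlib
import struct

# Constructed sample: a minimal v4 RSA public-key packet (RFC 4880 5.5.2); the MPIs are filler, not a usable key.
_N = bytes(range(1, 65))                                            # 64-byte "modulus"
SAMPLE_BODY = (b"\x04" + struct.pack(">I", 1398000000) + b"\x01"   # v4, creation time, RSA
               + struct.pack(">H", int.from_bytes(_N, "big").bit_length()) + _N   # MPI n
               + struct.pack(">H", 17) + b"\x01\x00\x01")           # MPI e = 65537
SAMPLE_PACKET = b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY  # old-format header

def crc24(data: bytes) -> int:
    """Armor checksum (RFC 4880 6.1); it catches truncated or mangled pastes."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            crc ^= 0x1864CFB if crc & 0x1000000 else 0
    return crc & 0xFFFFFF

def armor(packets: bytes) -> str:
    """Wrap raw packets as the armored text a user copies into Mailvelope."""
    b64 = base64.b64encode(packets).decode()
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])

def dearmor(text: str) -> bytes:
    """Decode an armored block, rejecting it if the checksum does not match."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 4 or not lines[0].startswith("-----BEGIN PGP") or not lines[-2].startswith("="):
        raise ValueError("not a complete ASCII-armored block")
    start = lines.index("") + 1 if "" in lines else 1              # skip armor headers
    data = base64.b64decode("".join(lines[start:-2]))
    if crc24(data) != int.from_bytes(base64.b64decode(lines[-2][1:]), "big"):
        raise ValueError("armor checksum mismatch: the block was damaged")
    return data

def v4_fingerprint(packets: bytes) -> str:
    """SHA-1 over 0x99, two-byte length, body (RFC 4880 12.2) of the first packet: a v4 key, old-format header."""
    tag, ltype = (packets[0] >> 2) & 0x0F, packets[0] & 0x03
    if packets[0] & 0x40 or tag != 6 or ltype == 3:                 # new-format / not tag 6 / indeterminate
        raise ValueError("expected an old-format public-key packet header")
    off = 1 + (1 << ltype)                                          # 1-, 2- or 4-byte length field
    body = packets[off:off + int.from_bytes(packets[1:off], "big")]
    if not body or body[0] != 4:
        raise ValueError("only v4 keys are handled")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
```

The last 16 hex characters of the returned fingerprint are the long key ID that most tools display next to a key.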

Note that if your computer is compromised, the above will not help: an attacker on your machine can read your data and capture your password as you type it. So, try not to visit dodgy sites, let Windows or your Mac encrypt your drive, choose a strong login password, use a password manager for all sites, and keep your Mac or Windows updated.