How To Guide: Secure Your Email With PGP Encryption Using Mailvelope
Email Snooping & Spying
Email snooping is a major concern for everyone these days. Information leaks have described government programs that sweep up massive loads of metadata, and systematic breaches of major webmail providers have led to full emails being stolen en masse by clandestine agencies. It is alarming to anyone who is concerned about their privacy.
You can wait for solutions from other companies like Mega, or wait for the Darkmail initiative to hopefully take off. Or you can use complicated current technologies like PGP to hide in plain sight now, after downloading multiple apps and doing all kinds of copy-pasting wizardry to get a message to someone.
Enter Mailvelope. This is a plugin available for Firefox and Chrome that allows you to PGP encrypt existing webmail accounts with ease.
We have selected this plugin for multiple reasons:
- Mailvelope is Open-Source, meaning that there is no "mystery code" for vulnerabilities to be inserted behind the scenes.
- It supports 4096-bit RSA encryption, considered strong by today's standards.
- It has a robust design. It encrypts your public and private keys on your local disk and password protects them.
- It generates keys locally. They are never transmitted over the internet. There is no opportunity for Mailvelope or anyone else to store the keys.
- Mailvelope intelligently prevents partial messages from being saved before conversion by creating a window offline to type messages. This prevents "draft saves" that happen regularly on webmail apps.
A Quick How-to On Using Mailvelope
After you install it, you need to generate a key-pair for Mailvelope to use with your desired email. It will generate a public and private key. DO NOT EVER SHARE YOUR PRIVATE KEY.
My demonstration will be using the Chrome Extension and Gmail, although Mailvelope is designed to work with all major webmail providers. It is currently in Beta and they are adding support for more webmail services.
To generate a key, open the Mailvelope extension and go to the "Generate Key" tab as shown below.
Fill out the appropriate information, and hit "submit". If you want maximum privacy, it is a good idea to click on the advanced button and enable 4096-bit key lengths instead of 1024 or 2048. Make sure that you assign a very strong password to your keys; it is your final line of defense if your PC is ever compromised by an attacker. After you hit submit, it will take some time to generate the keys. If you get a "this page isn't responding" message, just continue to wait. It will finish building your keys and give you a success message when it finishes.
Now that you have generated a key pair, you have a public key and a private key in your keyring. You can see your keypair in the "Display Keys" tab as shown below.
The important thing about PGP encryption is that there is a public key and a private key. In order for someone to be able to send you secure messages, they have to have your public key. In order for you to send them secure messages, you have to have their public key. To find out what your public key is, you can use the "export" drop-down menu in the "Display Keys" tab. You will have to enter your password to get to your keys.
So in this example, I want to send a message to the VikingVPN customer care account. To do this, I need to have the public key.
The public key for customercare is below:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
-----END PGP PUBLIC KEY BLOCK-----
So what you want to do is import this public key into Mailvelope, so it knows which public key to use when you are emailing customercare. Below, I have pasted the customercare public key into the field in the import tab.
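A check worth running on a pasted public key block before importing it, as an added example that is not part of the original guide or Mailvelope's own code: it verifies the armor checksum, computes the v4 fingerprint, and reports the RSA modulus size against the 4096-bit advice above. The function names are hypothetical, `sample_block` builds constructed input with a dummy modulus, and only v4 RSA keys are handled.

```python
import base64, hashlib

def crc24(data: bytes) -> int:
    """Armor checksum defined in RFC 4880, section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(block: str) -> bytes:
    """Decode an armored public key block, rejecting a failed checksum."""
    lines = [ln.strip() for ln in block.strip().splitlines()]
    if not lines or "BEGIN PGP PUBLIC KEY BLOCK" not in lines[0] or "" not in lines:
        raise ValueError("not a complete armored public key block")
    body = lines[lines.index("") + 1:-1]  # armor headers end at the blank line
    data = base64.b64decode("".join(ln for ln in body if ln[:1] != "="))
    for ln in body:
        if ln[:1] == "=" and base64.b64decode(ln[1:]) != crc24(data).to_bytes(3, "big"):
            raise ValueError("CRC-24 mismatch: block was altered or truncated")
    return data

def inspect_key(block: str) -> dict:
    """Fingerprint and RSA modulus size of the first packet (v4 RSA keys only)."""
    data = dearmor(block)
    hdr = data[0] if len(data) > 2 else 0
    if hdr & 0xC0 == 0x80 and hdr & 3 < 2:      # old-format header, 1 or 2 length octets
        tag, n = (hdr >> 2) & 0x0F, 1 + (hdr & 3)
        start, length = 1 + n, int.from_bytes(data[1:1 + n], "big")
    elif hdr & 0xC0 == 0xC0 and data[1] < 224:  # new-format header, 1 or 2 length octets
        tag, o1 = hdr & 0x3F, data[1]
        start, length = (2, o1) if o1 < 192 else (3, ((o1 - 192) << 8) + data[2] + 192)
    else:
        raise ValueError("unsupported packet header")
    pkt = data[start:start + length]
    if tag != 6 or length < 10 or len(pkt) != length or pkt[0] != 4 or pkt[5] not in (1, 2, 3):
        raise ValueError("first packet is not a complete v4 RSA public key")
    end = 8 + (int.from_bytes(pkt[6:8], "big") + 7) // 8  # modulus MPI follows its bit count
    fpr = hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + pkt).hexdigest().upper()
    return {"fingerprint": fpr, "rsa_bits": int.from_bytes(pkt[8:end], "big").bit_length()}

def sample_block(bits: int) -> str:
    """Constructed input: a v4 RSA packet with a dummy modulus, not a usable key."""
    mpi = lambda x: x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + bytes(4) + b"\x01" + mpi((1 << (bits - 1)) | 1) + mpi(65537)
    pkt = b"\x99" + len(body).to_bytes(2, "big") + body
    crc = base64.b64encode(crc24(pkt).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Version: constructed", "",
                      base64.b64encode(pkt).decode(), "=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])
```

Compare the fingerprint returned by `inspect_key` with one the key's owner gives you over a separate channel. A valid checksum only shows the block was not mangled in transit, not that it belongs to the person you think it does.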
So, once you have completed this process, you are ready to send secure emails to one another with no worry of eavesdropping. Even when (not if) an agency drags up your email, they are unable to decipher the messages without having one of the private keys.
So let's send a PGP-encrypted email to customercare from sample.viking.
Below, you can see a bit about how Mailvelope works in practice. When you begin to compose a new message in Gmail, you will see the small overlaid button that looks like a pencil and notepad. You click that button to start writing a secure message offline. You then write your message in the window that pops up.
Once you have finished writing your message, you can click the small lock button in the message window. This pulls up a menu so you can manage who you are encrypting the message for, as shown below. You can see that I have added customercare as my target recipient. Mailvelope is robust enough to support sending out the same message to multiple users at once, using all of the relevant public keys you have imported.
Once you are finished setting up the recipients, you click the "transfer" button in the message window. This encrypts your email message with the appropriate keys. You'll see the PGP encrypted message in the Gmail window, ready to be sent, like you can see below.
The message is now unreadable by all parties, except for those with access to the appropriate private keys. The private keys are never transmitted in this process, and they are securely stored locally by the Mailvelope plugin.
It does take a couple of tries to learn the process, but this is far, far simpler than older methods of using PGP. Once you are used to the process, you can encrypt an email in 5 clicks, taking less than a few seconds of extra work.
Part 2: Decrypting and reading PGP email with Mailvelope
So now you know how to securely compose a message to send out. You also need to know how to receive messages with Mailvelope. Fortunately they have made this pretty easy, as it used to be very tedious to manage PGP decryption in the past.
When you receive an email that is PGP encrypted in your webmail service of choice, Mailvelope should detect it as a PGP encrypted message automatically. Mailvelope then allows you to decrypt the message using your keys. You'll see the Mailvelope overlay window pop up automatically with the "secure mail" icon as you see below.
If you wish to read your PGP encrypted message, you have to click on the icon and fill out the information shown below. Mailvelope will prompt you for your password because it does not have access to your PGP keys without password authorization.
After you decrypt your message it will be perfectly readable, as shown below.
It is important to know that Mailvelope is decrypting your messages locally. This means that your decrypted messages are never exposed to the webmail service. If you click the small "x" in the upper right corner of the overlay window when you are finished reading your message, you can see the original, fully encrypted email as you can see below.
So there you have it. Very high security email via a relatively easy to use graphical user interface. After using Mailvelope a few times I have gotten used to the process and can encrypt and decrypt messages in a few seconds.