How To Guide: Secure Your Email With PGP Encryption Using Mailvelope


Email Snooping & Spying

Email snooping is a major concern for everyone these days. Leaks have revealed government programs that sweep up massive loads of metadata, and systematic breaches of major webmail providers have led to full emails being stolen en masse by clandestine agencies. It is alarming to anyone who is concerned about their privacy.

You can wait for solutions from other companies like Mega, or wait for the Darkmail initiative to hopefully take off. Or you can use complicated current technologies like PGP to hide in plain sight now, after downloading multiple apps and doing all kinds of copy-pasting wizardry to get a message to someone.

Enter Mailvelope. This is a plugin available for Firefox and Chrome that allows you to PGP encrypt existing webmail accounts with ease.


We have selected this plugin for multiple reasons:

- Mailvelope is open source, meaning that there is no "mystery code" where vulnerabilities could be inserted behind the scenes.

- It supports 4096-bit RSA encryption, considered strong by today's standards.

- It has a robust design. It encrypts your public and private keys on your local disk and password protects them.

- It generates keys locally. They are never transmitted over the internet. There is no opportunity for Mailvelope or anyone else to store the keys.

- Mailvelope intelligently prevents partial messages from being saved before conversion by creating a window offline to type messages. This prevents "draft saves" that happen regularly on webmail apps.

A Quick How-to On Using Mailvelope

First, you'll install the plugin for Chrome, or the Add-on for Firefox (still in development, beta).

After you install it, you need to generate a key-pair for Mailvelope to use with your desired email. It will generate a public and private key. DO NOT EVER SHARE YOUR PRIVATE KEY.

My demonstration will be using the Chrome Extension and Gmail, although Mailvelope is designed to work with all major webmail providers. It is currently in Beta and they are adding support for more webmail services.

To generate a key, open the Mailvelope extension and go to the "Generate Key" tab as shown below.



Fill out the appropriate information, and hit "submit". If you want maximum privacy, it is a good idea to click on the advanced button and enable 4096-bit key lengths instead of 1024 or 2048. Make sure that you assign a very strong password to your keys; it is your final line of defense if your PC is ever compromised by an attacker. After you hit submit, it will take some time to generate the keys. If you get a "this page isn't responding" message, just continue to wait. It will finish building your keys and give you a success message when it finishes.



Now that you have generated a key pair, you have a public key and a private key in your keyring. You can see your keypair in the "Display Keys" tab as shown below.



The important thing about PGP encryption is that there is a public key and a private key. In order for someone to be able to send you secure messages, they have to have your public key. In order for you to send them secure messages, you have to have their public key. To find out what your public key is, you can use the "export" drop-down menu in the "Display Keys" tab. You will have to enter your password to get to your keys.

So in this example, I want to send a message to the VikingVPN customer care account. To do this, I need to have the public key.

The public key for customercare is below:


So what you want to do is import this public key into Mailvelope, so it knows which public key to use when you are emailing customercare. Below, I have pasted the customercare public key into the field in the import tab.
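A check worth doing at the import step is to confirm that the pasted armor is intact and that the key's fingerprint matches one obtained from the key owner through a separate channel. The following Node.js code is an added example, not part of the original guide and not Mailvelope's own code; the function names and the sample key packet are constructed for illustration, and it handles only v4 keys whose first packet uses the old-format header.

```javascript
const crypto = require('crypto');
const BEGIN = '-----BEGIN PGP PUBLIC KEY BLOCK-----';
const END = '-----END PGP PUBLIC KEY BLOCK-----';

// CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1).
function crc24(buf) {
  let crc = 0xB704CE;
  for (const byte of buf) {
    crc ^= byte << 16;
    for (let i = 0; i < 8; i++) {
      crc <<= 1;
      if (crc & 0x1000000) crc ^= 0x1864CFB;
    }
  }
  return crc & 0xFFFFFF;
}

// Decode an armored public key; reject it if the "=XXXX" checksum line does not match.
function dearmor(text) {
  const lines = text.trim().split(/\r?\n/).map((l) => l.trim());
  const blank = lines.indexOf(''); // armor headers end at the first blank line
  if (lines[0] !== BEGIN || lines[lines.length - 1] !== END || blank < 0) {
    throw new Error('not an armored public key block');
  }
  const body = lines.slice(blank + 1, -1);
  const sumLine = body.pop() || '';
  if (!/^=[A-Za-z0-9+/]{4}$/.test(sumLine)) throw new Error('missing CRC-24 line');
  const data = Buffer.from(body.join(''), 'base64');
  const want = Buffer.from(sumLine.slice(1), 'base64').readUIntBE(0, 3);
  if (crc24(data) !== want) throw new Error('armor checksum mismatch');
  return data;
}

// v4 fingerprint: SHA-1 over 0x99, the two-byte length and the body of the first key packet.
function fingerprintV4(data) {
  if (data.length < 4 || data[0] !== 0x99 || data[3] !== 4) throw new Error('unsupported key packet');
  const end = 3 + data.readUInt16BE(1);
  if (data.length < end) throw new Error('truncated key packet');
  return crypto.createHash('sha1').update(data.subarray(0, end)).digest('hex').toUpperCase();
}

// True only when the pasted key matches a fingerprint obtained out of band.
function matchesFingerprint(armored, expected) {
  return fingerprintV4(dearmor(armored)) === expected.replace(/\s+/g, '').toUpperCase();
}

// Constructed sample: a toy v4 RSA key packet (not a usable key), armored here.
const SAMPLE_PACKET = Buffer.from('99000f045f000000010010c5a30011010001', 'hex');
const SAMPLE_SUM = Buffer.from(crc24(SAMPLE_PACKET).toString(16).padStart(6, '0'), 'hex').toString('base64');
const SAMPLE_ARMORED = [BEGIN, '', SAMPLE_PACKET.toString('base64'), '=' + SAMPLE_SUM, END].join('\n');
```

The CRC-24 line only catches copy-paste damage; it is the fingerprint comparison that tells you the key really belongs to the person you intend to write to.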



So, once you have completed this process, you are ready to send secure emails to one another with no worry of eavesdropping. Even when (not if) an agency drags up your email, they are unable to decipher the messages without having one of the private keys.

So let's send a PGP-encrypted email to customercare from sample.viking.

Below, you can see a bit about how Mailvelope works in practice. When you begin to compose a new message in Gmail, you will see the small overlaid button that looks like a pencil and notepad. You click that button to start writing a secure message offline. You then write your message in the window that pops up.



Once you have finished writing your message, you can click the small lock button in the message window. This pulls up a menu so you can manage who you are encrypting the message for, as shown below. You can see that I have added customercare as my target recipient. Mailvelope is robust enough to support sending out the same message to multiple users at once, using all of the relevant public keys you have imported.



Once you are finished setting up the recipients, you click the "transfer" button in the message window. This encrypts your email message with the appropriate keys. You'll see the PGP encrypted message in the Gmail window, ready to be sent, like you can see below.



The message is now unreadable by all parties, except for those with access to the appropriate private keys. The private keys are never transmitted in this process, and they are securely stored locally by the Mailvelope plugin.

It does take a couple of tries to learn the process, but this is far, far simpler than older methods of using PGP. Once you are used to the process, you can encrypt an email in 5 clicks, taking less than a few seconds of extra work.

Part 2: Decrypting and reading PGP email with Mailvelope

So now you know how to securely compose a message to send out. You also need to know how to receive messages with Mailvelope. Fortunately they have made this pretty easy, as it used to be very tedious to manage PGP decryption in the past.

When you receive an email that is PGP encrypted in your webmail service of choice, Mailvelope should detect it as a PGP encrypted message automatically. Mailvelope then allows you to decrypt the message using your keys. You'll see the Mailvelope overlay window pop up automatically with the "secure mail" icon as you see below.



If you wish to read your PGP encrypted message, you have to click on the icon and fill out the information shown below. Mailvelope will prompt you for your password because it does not have access to your PGP keys without password authorization.



After you decrypt your message it will be perfectly readable, as shown below.



It is important to know that Mailvelope is decrypting your messages locally. This means that your decrypted messages are never exposed to the webmail service. If you click the small "x" in the upper right corner of the overlay window when you are finished reading your message, you can see the original, fully encrypted email, as shown below.



So there you have it: very high security email via a relatively easy-to-use graphical user interface. After using Mailvelope a few times, I have gotten used to the process and can encrypt and decrypt messages in a few seconds.

