Encrypted email using gmail (google mail)

One of the problems with using browser-based email is that it is not friendly to encryption. Webmail also lacks a few other attributes that are standard in email.

There are several applications that encrypt e-mail. Some are proprietary, which often means you have to buy them and they also often only work with one platform. It limits the usefulness of encryption if you can for example, only use it for work e-mail when sending e-mail to colleagues. With proprietary systems there is also the backdoor question: Can providers supervisors and others read your encrypted e-mail if they choose to?

Bear in mind that if you run encrypted personal mail on a work machine, it may arouse the suspicions of your employer.

There is a highly respected mail and file encryption program that is available free and will work with Windows, Mac, Linux and Unix. It is known as pgp (Pretty Good Privacy) or gpg (Gnu Privacy Guard).

If you use gmail, you can still send and receive encrypted e-mail, you just use a mail program rather than a browser like Firefox. You will be able to send and receive e-mail with any user who also uses pgp.

Thunderbird is a popular email programme that works with most email providers, cable networks (such as Comcast), telephone companies (such as Verizon) etc. It can be downloaded free to the system of your choice. Thunderbird works on Windows, Mac and Linux.

Install thunderbird.

https://www.mozilla.org/en-US/thunderbird/ Thunderbird Download Page

Then install gmail on thunderbird:

How to install gmail on Thunderbird

When thunderbird is working with gmail, you can now use thunderbird for all your gmail and other mail too, the one interface can have several email addresses, such as yahoo, comcast etc.

Thunderbird does not automatically encrypt; for that you need a plug-in that uses pgp called Enigmail.

Install Enigmail

Setting up gpg with thunderbird the first time is cumbersome, but once it is set up and configured, it adds little overhead or complexity to sending and receiving e-mail.

With Thunderbird the encryption is done with the Enigmail plugin.

Download Enigmail plugin

You will download a file that looks like "enigmail-". Make a note of where it has been downloaded to.

Open Thunderbird. Select "Tools" from the menu at the top of thunderbird and select add-ons Manager. In that page select the gear icon at the top right of the page. In the drop down pick install Add-on from file. Navigate to the directory where you saved the .xpi file and select that.

You should close and restart thunderbird. The at the menu at the top of thunderbird you will see Enigmail, select that, then select "Set up Wizard". You will be walked through the installation. Your passphrase is the tricky bit.

After Enigmail is installed, you can if you wish tweak various parameters like your passphrase, expiration date etc.

Enigmail automates much of the difficult parts of using encryption and as a bonus, if you don't have gpg loaded on your machine, it will download it from the net and the wizard will help you configure it.

What is public-private key encryption?

Gnu Privacy Guard (gpg) is what is known as public-private key encryption. There are lots of explanations on the web and in books as to the philosophy of this. Simply put, it relies on complex combinations of asymmetric equations, or ones that are easy to do one way and hard the other way - think of how simple it is to square a number (just multiply it its own number of times) but how much more work it is to find a square root (square numbers smaller and larger than the root of the target repeatedly, narrowing the bracket around it each time until you get the target). Then imagine trying the same procedure with a fractional exponent. A public-private encryption algorithm uses much more complex equations to generate a set of keys, one available to all and one kept secret.

Briefly, and simply this is how it works:

You are Fred and you want to send an encrypted e-mail to Mary. You have Mary's public key, she can give it to you in an open e-mail, or you can get it from a common repository or third party. You compose your e-mail and send it off to Mary which calls up your private key. You will then be asked to add Mary's public key if there is any question or it will automatically add the key. The encryption is a combination of your private key and her public key. When she receives your e-mail, she needs your public key and her private key to decrypt the e-mail.

Your private key is protected with a passphrase (A long password) Only you have this key and passphrase. Protect them both, and change them as necessary. Remember that the most important part is a really good passphrase. There are some really good ways to make a solid passphrase. Long and complex and hard to guess is best. Random words good; a list of your children in chronological order bad. More on passphrases:

Making a Passphrase

Note: The above URL mentions using dice. You can buy dice from the Electronic Frontier Foundation, which is a good way to support them.

You can encrypt files as well using this technique. If you send an e-mail with a file attachment, that too is encrypted.

Your computer(s) with Thunderbird and Enigmail installed will be the only device that can read and send encrypted mail using your private key. You can run your key on several devices: say a laptop, a desktop, etc. Your gmail browser interface will still work, but encrypted emails will not be decrypted and so will appear as gibberish on a web page.

Note that using public<>private keys the exchange is between just two parties.

What to do with your public key:

You want to distribute your public key widely. You can e-mail it to people you know, you can put it on your own web page, or you can put it on the MIT (Massachusetts Institute of technology) key server.

To propagate your public key as a file, you need to generate the public key as an ASCII (known as .txt to many) file. This is the key others need to read encrypted mail you send to them and send encrypted mail to you.

Enigmail makes this simple.

When you are composing an email in Thunderbird, you can attach your public key with a couple of clicks. On the top of the Message compose window is a button Attach My Public Key. Click on that and your key will be attached to the e-mail so the recipient will have your key as an attachment. They can save it to a file and use it, or if they have Thunderbird and enigmail can add it to their gpg keyring. A keyring is a file of all the public keys you have gathered. You can look at your keyring with Enigmail. In Thunderbird, select Enigmail, then in the drop down menu select Key Management. Your Public and Private keys will be listed along with all the public keys you have gathered.

Exporting your Public Key to a file:

In Thunderbird, select Enigmail on the top menu. Then select Key Management. Highlight your key, it will have your name and e-mail address on it. In the Thunderbird top menu now select File and select Export Keys to File. A dialog box will pop up, select Export Public Keys. A navigation window will pop up and you cam select what directory you want to save it in. When you have navigated to the directory (I have a directory called security for such files), click on Save and your file will be saved into that directory, for you to distribute. The file will have a name in this format:


You can rename the file to anything you like. What is important is the file itself. Do not edit the file, if it is corrupted it won't work. You can copy and paste the text or send it as a file.

Putting your key on a public server:

We will use the MIT server as an example:

Open your browser on https://pgp.mit.edu/

Lower down that page it says Submit a key. Paste your ASCII armored key into that window, then click on Submit this key..

Your public key is now on the key server. Anyone wanting your public key so they can send you encrypted e-mail or a file can get your public key.

Getting a key off the MIT server is pretty simple:

Open your browser on https://pgp.mit.edu/

At the top is Extract a Key. In the Search String box you can enter the known key connected to the key file, or even just the e-mail address of the entity you wish to send to.

For example, either jmacassey@gmail.com or F564E69F will work.

If they are on the server you will get a line with some data on it. Click on the key and you will get the PUBLIC KEY BLOCK. Copy and paste or save it. If you save it from a browser, it may have extraneous cruft before and after the file block delineator.




This shouldn't give you trouble, but you may want to use a text editor like notepad, TextEdit, vim or emacs to clean it up. DO NOT use a word processor such as Word, Libreoffice etc. as it will add odd characters.

Importing Keys.

Enigmail has a smart feature, if someone sends you an encrypted e-mail out of the blue, it will search for that key, or of they also sent their public key as an attachment it will incorporate it.

If you happen to have someone's public key in a file, saved from a remote location, handed to you on a thumb drive etc. you can Select Enigmail, then Key Management, then under File in the top Menu select Import Key, you will get a finder and can steer to the location of the key and import it.

Further Reading

Using e-mail encryption on a daily basis is a good practice. Under the hood, encryption is complex and involves high level math, but that shouldn't dissuade you from using it.

Whereas cryptography means to obscure information, and you can encrypt words whether written, transmitted or stored digitally, traditional cryptography has traditionally meant that the sender and receiver share the same decoding method, the key. This has meant that anyone knowing that key can decrypt the message. Traditionally the best way to enable security was to change the keys frequently. The Achilles heal was then distributing these keys to all users of the cypher. It also meant that many people then knew those keys.

With Public/Private key encryption, the person encrypting the message is the only person who knows the key. Also the person receiving the key decodes by knowing their private key. So knowing the recipients public key is all that is needed to generate a message that only the recipient can read. Anyone intercepting the message not being the holder of the senders public key and the recipient's private key will only see gibberish.

A good explanation of public-key encryption is here:


For a full version of GPG with associated explanations, there is GnuPG. This does require you use a terminal. GnuPG will run on several platforms - MacOS, FreeBSD, NetBSD, OS/2 and Solaris amongst others.

For Microsoft Windows users there is Gpg4win which provides a graphical interface.

For Apple Mac users there is GPG Tools. It is a simple to use Graphical Interface, will automatically work with Apple's Mail.app. Installing and using GPG Tools

A compact list of gpg commands is The GNU Privacy Handbook

This tutorial is put together by:

Julian Macassey


Contact me with any questions.