This article will discuss the methods to send information securely over email using GPG/PGP as the main encryption tool. The difference between PGP and GPG is mainly that PGP is a proprietary solution controlled by Symantec, and GPG is the open-source standard that is defined by RFC 4880. Functionally, each format is virtually identical due to GPG being the offspring of the original PGP standard. Because there are numerous email clients, specific GPG settings will vary. For this tutorial, we will use Gmail and Thunderbird as examples.
Typically, there are several methods to send encrypted information.
- Encrypting an individual file and then attaching that document to an email.
- Encrypting the email message itself (using a stand-alone client like Thunderbird, which comes with the ability to encrypt emails automatically).
- Using a browser plugin that interacts with web-based email like these extensions.
How Does GPG/PGP Encryption Work?
Using secure encryption is not as difficult as it seems once you understand the basic ideas behind the concept. Using GPG we create a public and private key and the user we want to send information to also creates a public and private key. We simply use that user’s public key to encrypt our message to him, and he uses his private key to decrypt it. When he replies, he does the same with us. Ensuring private communications is a requirement today to share sensitive information easily across an insecure network.
Encrypt A File
To begin, we can use a simple method to encrypt a single file in order to transfer our data securely. The first method is called Symmetric Encryption and uses a password known to both users. To accomplish this, we use the following gpg commands on a Linux server.
root@host:~# gpg -c file.txt
┌──────────────────────────────────────────────────────┐
│ Enter passphrase                                     │
│                                                      │
│                                                      │
│ Passphrase: ____________________________             │
│                                                      │
│       <Ok>                              <Cancel>     │
└──────────────────────────────────────────────────────┘
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
root@merovingian2:~#
When we use the -c flag, gpg prompts us to enter a passphrase twice. In this case, because gpg had not been used on this account before, a new keyring is also created.
We can then send that file to someone who uses the same passphrase to decrypt it.
root@host2:~# gpg file.txt.gpg
┌──────────────────────────────────────────────────────┐
│ Enter passphrase                                     │
│                                                      │
│                                                      │
│ Passphrase: ____________________________             │
│                                                      │
│       <Ok>                              <Cancel>     │
└──────────────────────────────────────────────────────┘
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
root@host2:~# ll
-rw-r--r-- 1 root root 934 Dec 11 09:55 file.txt
-rw-r--r-- 1 user user 491 Dec 11 09:54 file.txt.gpg
As you can see, the decryption left the gpg file in place along with the new file it created on the receiving server.
Encrypt a File Using a Public Key
In the following set of commands, we encrypt a file using an external user’s public key that we have already stored locally. The first command encrypts the file with the remote user’s public key and signs it with our own private key. The ‘--armor’ flag creates ASCII-armored text output, and the ‘-r’ flag encrypts the message specifically for the user’s name or ID. Because no output name is given, gpg writes the result to mysecret.txt.asc. We would then attach that file to an email and send it. The recipient will then need to download the file and decrypt it using their private key.
root@host:~# gpg --encrypt --sign --armor -r firstname.lastname@example.org mysecret.txt
root@host:~# gpg --decrypt mysecret.txt.asc > mysecret.txt
The second command decrypts the file on the user’s end and outputs it to a specific filename. This method can be used across any platform.
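The public-key flow described above (each side holds its own key pair, only public keys are exchanged, and the recipient's key is checked before it is used), as an added example that is not part of the original article. The identities, the temporary keyrings and the empty key passphrases are assumptions made so the script can run unattended.

```shell
#!/bin/sh
# Added example, not from the article: identities and message are constructed.
# Keys get an empty passphrase so the demo runs unattended; protect real keys.
G="gpg --batch --quiet --no-tty --pinentry-mode loopback"

# fpr HOMEDIR USERID: print the primary-key fingerprint as stored in that keyring.
fpr() {
    $G --homedir "$1" --with-colons --fingerprint "$2" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# roundtrip MESSAGE: Alice encrypts and signs for Bob; prints what Bob decrypts.
roundtrip() (
    set -eu
    work=$(mktemp -d); a="$work/alice"; b="$work/bob"
    trap 'for h in "$a" "$b"; do gpgconf --homedir "$h" --kill all || :; done
          rm -rf "$work"' EXIT
    mkdir -m 700 "$a" "$b"
    exec 3>&1 >&2   # keep stdout (fd 3) for the decrypted text only

    # 1. Each side generates its own key pair; private keys stay in their keyring.
    $G --homedir "$a" --passphrase '' --quick-generate-key \
        'Alice <alice@example.org>' default default never
    $G --homedir "$b" --passphrase '' --quick-generate-key \
        'Bob <bob@example.org>' default default never
    alice_fpr=$(fpr "$a" alice@example.org)
    bob_fpr=$(fpr "$b" bob@example.org)   # stands in for what Bob reads out to Alice

    # 2. Only public keys are exchanged.
    $G --homedir "$b" --armor --export "$bob_fpr"   | $G --homedir "$a" --import
    $G --homedir "$a" --armor --export "$alice_fpr" | $G --homedir "$b" --import

    # 3. Alice compares the imported fingerprint with the out-of-band value and
    #    only then certifies the key locally, so gpg accepts it as a recipient.
    [ "$(fpr "$a" bob@example.org)" = "$bob_fpr" ]
    $G --homedir "$a" --quick-lsign-key "$bob_fpr"

    # 4. Encrypt to Bob's public key, sign with Alice's private key.
    printf '%s\n' "$1" > "$work/mysecret.txt"
    $G --homedir "$a" --encrypt --sign --armor -r bob@example.org "$work/mysecret.txt"

    # 5. Bob decrypts with his private key and confirms the signer is Alice.
    $G --homedir "$b" --status-file "$work/status" --output "$work/plain.txt" \
        --decrypt "$work/mysecret.txt.asc"
    grep -q "VALIDSIG.*$alice_fpr" "$work/status"
    cat "$work/plain.txt" >&3
)

[ $# -eq 0 ] || roundtrip "$1"
```

Run it as `sh roundtrip.sh 'some text'` (the script name is arbitrary); on Bob's side gpg still warns that Alice's key is not certified, because only Alice performed the fingerprint check in this run.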
Encrypt Email in Thunderbird
This method uses the native OpenPGP functionality that is now built into Thunderbird. We have downloaded and installed the latest Thunderbird email application, 78.5.1, and will begin from there.
Setup Account and Add External Keys
Step 1. Create an Email Account.
In the first step, we create an email address. Click on the Email button to start the process.
This opens the Thunderbird account setup window.
Step 2. Add Info
Now, we add our name, email address, and password information. Next, click on the Configure manually button to enter our server information connection details. You can find this specific information in your cPanel account under Email Accounts > List Email Accounts > Connect Devices.
Then click on the Re-test button to verify the connection settings. If successful, you will see a green check, followed by “The following settings were found by probing the given server.” This message indicates the connection was successful. Click on the Done button to complete the setup.
You will then see the app doing a password check. Checking password…
If successful, we will then be returned to the main window. You should now see a new email address in the top-left corner of the Local Folders tab.
Step 3. Check Encryption
Next, we will go into the Account settings > End-to-end encryption tab to set up our personal key.
Step 4. Add PGP Key
As you can see, I do not have a personal key set up for this email address. Let’s do that now. Click on the “Add key” button. A new window will pop up, asking us if we would like to create a new key or import an existing key. Here we will create a new key. Select the checkbox “Create a new OpenPGP key” and click continue.
This opens a new window allowing us to choose the identity we want to use. It also prompts us to select the length of time our key will be active. This setting defaults to three years but can be any timeframe you choose. Next, we decided on the RSA option.
We now click on the Generate key button. This opens a new window with info on key generation. Click on the confirm button, and the key generation process will continue.
This process will take several minutes to complete!
Once the process completes, the updated settings window will be shown, letting us know our key has been created successfully.
From this point, we scroll down and select the Require encryption by default checkbox to send the encrypted message to selected recipients.
We can now close the settings tab and proceed to our next step.
Step 5. Add Public Keys
To send an encrypted message to a recipient, we need to import their public key. This allows us to encrypt the message using that key. Once encrypted, the message cannot be read unless they have the correct private key that corresponds to the public key we used to encrypt the message. To locate someone’s public key, we can get it from them face to face, via email, or search for their email address at one of the locations below.
Once we have imported their key, we should select the trust level for the individual. If they match their ID, and we can verify it, we then import it into our PGP key stores.
Now, we can send our encrypted message to them. Click on the Write button to create a new email to our recipient.
Once the editing window opens, we can click the top menu dropdown to verify our settings. Once everything looks correct, and our message is completed, we click send to deliver the message.
And when the message is received, the email client will automatically decrypt it.
On the receiving end, the message looks similar to any other email message except, if you look at the full email, you will see the public encryption key has been added after the initial message.
Note: It is imperative to create a backup of your OpenPGP key and store it in a secure location, apart from your local computer. Once you have a personal key configured, you can control the use of encryption or digital signing in an individual message that you send.
Requirements to Send an Encrypted Message
- Your personal key must be set up and selected.
- You must have the public key for each recipient to whom you are sending an encrypted message. Public keys can be attached to an email message from a correspondent or located in one of the public key stores online.
- You must verify that the public keys of your recipients belong to them. If you accept someone’s public key without verifying it, you can expose yourself to a Man In The Middle attack (MITM).
- If you do not have a public key for each recipient, the message will be blocked, and Thunderbird alerts us. At this point, we can choose between not sending the message at all or disabling encryption and sending the message without protection.
The second method is to use web-based email clients like Gmail. Both Firefox and Chrome browsers provide the ability to install extensions that can assist us with this task. Two of the best options are:
- https://flowcrypt.com/ – Google Chrome Extension
- https://www.mailvelope.com/en – Google Chrome Extension
Using encryption does not have to be a complicated issue. It can be used in multiple ways to encrypt and decrypt files in order to transfer data securely over an insecure network. Our Support Teams are filled with experienced Linux technicians and talented system administrators who have intimate knowledge of multiple web hosting technologies, especially those discussed in this article.