Secure Your Email With a GPG Key Pair

Privacy-conscious email services have grown in popularity over the last couple of years, and while companies like Proton and Tutanota are leagues ahead of the mainstream, there's still a better way to do email for security-minded people.

The problem with these ‘privacy-first’ services is that they generate and manage your encryption keys for you: your private key sits on their servers, encrypted with a key derived from your mailbox password, and is unlocked inside a web app built from JavaScript the provider serves to your browser. Whoever can alter that JavaScript, by compromising the provider or by compelling it, can siphon the mailbox password (and with it the private key) the next time you log in.

What about the companies behind these services, though? Shouldn't they protect their users from any form of surveillance? The simple answer is no. They have to obey the laws of the countries they operate in, which can mean logging IP addresses and handing data to the authorities when ordered to.

Put those two shortcomings together and nothing technically stops such a provider from serving malicious code to one targeted individual (selected by IP address, for example) if it were compelled to do so. Proton itself writes:

“While we can offer more protection and security, we cannot guarantee your safety against a powerful adversary.”

So what can you do to fix this?

Manage your own keys

For the purpose of this exercise, we're going to step away from the usual suspects and register an account with Posteo for the price of 1 EUR per month.

Note: Providers like Disroot and Riseup offer secure email for free if you don't want to pay. You can create an account on either of them and continue following this guide.

A screenshot of Posteo's homepage

Posteo is a traditional email provider with a strong privacy policy that encrypts your data at rest. It's comparatively cheap, encourages users to create and manage their keys, and can be used with email clients like Claws Mail or Thunderbird.

Just follow along with Posteo's documentation until you feel ready to download Thunderbird and generate your first GPG key.

You ready? Alright! Fire up your Linux terminal and type the following command:

gpg --full-generate-key

  1. Select option 1 (RSA and RSA) and set the key size to 4096. On GnuPG 2.3 and later the default is ECC, so type 1 explicitly instead of accepting the default

  2. To keep things simple, we will not set an expiration date. An expiry is still good practice, because a key whose passphrase you lose then stops being used on its own; it can be extended at any time with gpg --edit-key and the expire command

  3. Leave the name blank and enter your new Posteo email address. Skip the comment

  4. Generate a 7-word passphrase using KeePassXC (or use a 6-sided die and EFF's large wordlist, five rolls per word)

  5. Follow the on-screen instructions (click things, type random words, etc.) so the system can gather entropy while the key is generated

Well done! You've got your GPG key pair all set up. Now you'll need to export the public key and pair it up with Posteo. To export the pub key, you can use the following command:

gpg --armor --export example@posteo.net >example.asc

Linking it all together

Set up Posteo in Thunderbird following the instructions outlined here. This step enables us to use a trusted email client and eliminates the need to log into Posteo's webmail from this point on.

Now that we've got everything ready, our last task is to import the GPG key you generated into Thunderbird. To do this, right-click your account in the folder pane, click Settings, head to End-To-End Encryption, click Add Key and choose Import an existing OpenPGP key.

This is one of those rare occasions where you need to export your private key: Thunderbird keeps its own OpenPGP keyring rather than using GnuPG's, so it needs a copy of the secret key to decrypt any encrypted messages you receive. (If you would rather the secret key never leave GnuPG, set mail.openpgp.allow_external_gnupg to true in Thunderbird's Config Editor, which adds a "Use your external key through GnuPG" option to the Add Key dialog instead.)

To export the private key, enter this command into your Linux terminal, naming your address so that only this key is exported (a bare --export-secret-keys would dump every secret key in your keyring into the file):

gpg --armor --export-secret-keys example@posteo.net >my-secret-key.asc

The file this command creates is the one you need to import. It contains your private key, still protected by your passphrase, so delete it once the import has succeeded (shred -u my-secret-key.asc), and set a Primary Password in Thunderbird: imported secret keys live in your Thunderbird profile and that password is what protects them there.
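To rehearse the key generation and both export steps end to end without touching your real keyring, here is an added shell script (it is not part of the original article, nor Posteo's or Thunderbird's material) that does the same thing non-interactively in throwaway GNUPGHOME directories, then proves the exported files actually work by encrypting a message to the public key in one fresh keyring and decrypting it with the exported secret key in another, which is what Thunderbird will do after the import. It goes slightly beyond the walkthrough by setting an expiry date and exporting only the one key. The address example@posteo.net, the output directory and the passphrase are placeholders; for a real key, type the passphrase interactively rather than passing it on a command line.

```shell
#!/bin/sh
# Added example, not from the original article: the --full-generate-key,
# --export and --export-secret-keys steps done non-interactively in
# throwaway keyrings, followed by an encrypt/decrypt round trip that proves
# the exported files are usable. Email, paths and passphrase are placeholders.
set -eu

# Fresh, private GNUPGHOME so nothing here touches ~/.gnupg.
fresh_home() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
}

# Generate an RSA-4096 key pair for $1, write public.asc and secret.asc
# (the latter for THIS key only) into $2, protected by passphrase $3.
# Prints the key's 40-hex-digit fingerprint on stdout.
gen_and_export() {
    email=$1; outdir=$2; pass=$3
    fresh_home
    mkdir -p "$outdir"
    umask 077                      # exported files readable by owner only

    # Unattended form of the interactive answers: RSA and RSA, 4096 bits,
    # no name, no comment. Unlike the walkthrough this sets an expiry; it
    # can be extended later with `gpg --edit-key <fpr>` and `expire`.
    cat >"$GNUPGHOME/params" <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Email: $email
Expire-Date: 2y
Passphrase: $pass
%commit
EOF
    gpg --batch --pinentry-mode loopback --gen-key "$GNUPGHOME/params"

    fpr=$(gpg --batch --with-colons --list-keys "$email" |
          awk -F: '$1 == "fpr" { print $10; exit }')

    # Public key: this is what you upload to Posteo and hand to friends.
    gpg --batch --armor --export "$fpr" >"$outdir/public.asc"
    # Secret key, selected by fingerprint: a bare --export-secret-keys would
    # dump every secret key in the keyring into the file.
    gpg --batch --pinentry-mode loopback --passphrase "$pass" \
        --armor --export-secret-keys "$fpr" >"$outdir/secret.asc"
    echo "$fpr"
}

# Returns 0 if file $1 starts with the ASCII-armor header for block type $2
# ("PUBLIC KEY BLOCK" or "PRIVATE KEY BLOCK").
is_armored() {
    head -n 1 "$1" | grep -q "^-----BEGIN PGP $2-----"
}

# Round trip: a correspondent imports public.asc and encrypts $3 to it; a
# second fresh keyring (standing in for Thunderbird) imports secret.asc and
# decrypts. Prints the recovered plaintext.
roundtrip() {
    outdir=$1; pass=$2; msg=$3
    fresh_home
    gpg --batch --import "$outdir/public.asc"
    fpr=$(gpg --batch --with-colons --list-keys |
          awk -F: '$1 == "fpr" { print $10; exit }')
    # --trust-model always: the correspondent has not certified the key yet,
    # and --batch would otherwise refuse to encrypt to an untrusted one.
    printf '%s' "$msg" | gpg --batch --trust-model always \
        --recipient "$fpr" --encrypt >"$outdir/msg.gpg"

    fresh_home
    gpg --batch --pinentry-mode loopback --passphrase "$pass" \
        --import "$outdir/secret.asc"
    gpg --batch --pinentry-mode loopback --passphrase "$pass" \
        --decrypt "$outdir/msg.gpg" 2>/dev/null
}
```

Run it with `fpr=$(gen_and_export example@posteo.net ./keys 'your passphrase')` followed by `roundtrip ./keys 'your passphrase' 'test message'`; if the last command prints the message back, the two .asc files are good to upload and import. Delete secret.asc (and the temporary GNUPGHOME directories) afterwards.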

And there you go! You've got a new email from a trusted provider while retaining full control over your encryption keys and avoiding insecure web apps.

Ask your friends to exchange public keys with you so you can write to each other, and compare key fingerprints over a second channel (a call or in person) before you trust them. Bear in mind that OpenPGP protects the message body and attachments, not who wrote to whom and when. With that done, rest easy knowing all your secrets will follow you to the grave.

#communication #encryption #email