Sending secure email – a basic guide


Sending secure email means you can exchange private, encrypted messages between two parties. I’m going to help you get set up, and you’ll see why you should send secure email whenever possible.
PLUS: I’m also going to tell you the downsides of sending secure email.

What you’ll learn

  1. Why you should be sending secure email
  2. How to send secure email
  3. Disadvantages of sending secure email
  4. Finally, whether it’s worth sending secure email

Although there is a difference between PGP and GPG, I shall be using the terms interchangeably in this post. However, if you want to dig deeper, visit the Go Anywhere page on the differences between PGP and GPG.

Why you should consider sending secure email?

In these days of government snooping, and with Internet crime on the rise, it makes sense to keep your private data private. Furthermore, unprotected Wi‑Fi networks are everywhere at the moment, with cafes, supermarkets, taxis and buses all offering you free access to the Internet.

There are even plans in the USA for the government to create a “Super Wi‑Fi” network. This would be a huge convenience for many, but it also has opponents: if it isn’t handled properly it has the potential to be a windfall for cyber criminals.

Granted, these free Wi‑Fi networks are often partitioned away from the business side of the Internet connection, but you still have to ask yourself who is sharing this insecure access with you. To put it into perspective: you wouldn’t take all the security precautions off your home Internet router and allow any passer-by to access your network, would you?

If someone did manage to get into your device over the Internet, you don’t want them reading your conversations with your closest friends or your bank manager.

If you do use public Wi‑Fi then Kaspersky has some basic free advice on using public Wi‑Fi connections.

How to send secure email?

To start sending secure email you need to:

  1. create a secure public/private key pair.
  2. add your PGP key to your email client.
  3. get the public key of the person you want to send an email to.
  4. send a test email (optional).

Create a secure public/private key pair

Microsoft Windows
Although I don’t use Microsoft Windows myself, I came across Gpg4win while writing this post and it seems like a fairly straightforward piece of software.
However, if you have any other suggestions for sending secure email on Microsoft Windows then please leave a comment below and I’ll update this post to reflect them.
MacOS
Again: I don’t use MacOS myself, but I have heard that GPGTools is a handy piece of software for these occasions.
Linux
In Linux I suggest following the advice from Fedora on Creating GPG Keys. Although it uses the command line I am assuming that if you are a Linux user you’re probably used to the terminal.

Add a PGP key to your email client

As the number of possible operating system and email client combinations is huge, I’m going to pass you off to the OpenPGP website, which has a list of plugins for adding PGP/GPG keys to email clients. These cover quite a few of the various operating systems and email clients.

Getting your public key to other people

If you want to start sending secure emails you need to get your public key to the other person and here are just a few of the ways you can do that:

Public Key Server
There are several public key servers that anybody can add their public keys to. These allow you to search for your contacts and download their public keys. A major advantage of public key servers is that several email clients and plugins automatically search them for your contacts’ keys. Examples of key servers are:

Add your key to your emails
Of course you could always take the direct approach and send a copy of your public key to anybody you email, attaching your key to at least the first email. A word of warning though: as I point out in the Disadvantages of sending secure email section, some of your contacts could find this annoying.
List your key on your website (if you have one)
If you are lucky enough to have your own website you could place a copy of your public key on your contact page. It doesn’t have to be a website though; it could be your Facebook profile.
[Screenshot: my contact page with an option to download my public key] If you have a website you can always add your key to your contact page.
[Screenshot: the PGP directory with my address listed as a search result] Here is my entry in the PGP directory.
[Screenshot: a blank email with a button to attach your public key] With Enigmail it’s simple to attach your key to emails.
[Screenshot: my Facebook profile showing that you can add PGP keys] My Facebook profile showing PGP keys.
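Whichever route you use to hand out your key, the other side ends up with a .asc file, and the thing worth checking before trusting a key from a key server or an attachment is its fingerprint, compared against one your contact gave you some other way (in person, by phone). The script below is an added example, not code from the original post or from any of the tools mentioned: using only Python’s standard library it builds a toy v4 RSA public key from made-up numbers (the creation time, name and address are also constructed, and the key is not usable for anything), armors it exactly as a .asc file is laid out, then reads the file back, verifies the armor checksum and computes the fingerprint and key ID you would compare.

```python
import base64, hashlib, struct

def crc24(data: bytes) -> int:
    crc = 0xB704CE                              # radix-64 checksum, RFC 4880 section 6.1
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def mpi(n: int) -> bytes:                       # 2-byte bit count, then big-endian magnitude
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def packet(tag: int, body: bytes) -> bytes:     # old-format packet header with a 2-byte length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def armor(data: bytes) -> str:
    b64, chk = base64.b64encode(data).decode(), base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{body}\n={chk}\n-----END PGP PUBLIC KEY BLOCK-----\n"

def dearmor(text: str) -> bytes:
    lines = text.strip().splitlines()
    body = lines[lines.index("") + 1:-1]        # after the armor header lines, before the END line
    data = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    chk = base64.b64decode([l for l in body if l.startswith("=")][0][1:])
    if chk != crc24(data).to_bytes(3, "big"):
        raise ValueError("armor checksum mismatch: file corrupted or tampered")
    return data

def inspect(asc: str) -> dict:
    try:
        data = dearmor(asc)
    except ValueError as e:
        return {"error": str(e)}
    info, i = {}, 0
    while i < len(data):                        # old-format headers with 1- or 2-byte lengths only
        tag, ltype = (data[i] >> 2) & 0xF, data[i] & 3
        n, h = (data[i + 1], 2) if ltype == 0 else (struct.unpack(">H", data[i + 1:i + 3])[0], 3)
        body, i = data[i + h:i + h + n], i + h + n
        if tag == 6:     # public-key packet: v4 fingerprint = SHA-1(0x99, 2-byte length, body)
            info["fingerprint"] = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
            info["key_id"] = info["fingerprint"][-16:]   # long key ID is the last 64 bits of it
        elif tag == 13:  # user ID packet
            info["user_id"] = body.decode()
    return info

# Constructed toy key: v4, fixed creation time, RSA (algo 1) with tiny made-up n and e; never use such a key
TOY_KEY = packet(6, b"\x04" + struct.pack(">I", 1700000000) + b"\x01" + mpi(0xC0FFEE) + mpi(65537))
SAMPLE_ASC = armor(TOY_KEY + packet(13, b"Example User <user@example.com>"))
```

Run `inspect()` on a real exported key and the fingerprint it prints is the one to read out to your contact; a checksum error means the file was damaged or altered in transit and should not be imported.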

Send a test email (optional)

Although you don’t have to, I prefer to send at least a test email before any sensitive data is exchanged. This lets you confirm that you each have the other’s public key and maybe even send a secure test message.

[Screenshot: decrypted email after sending secure email] Result! This email has been decrypted as a result of sending secure email.

Disadvantages of sending secure email

My aim is not to convince you that you should be sending secure email. Instead, it’s to give you the knowledge so that you can decide for yourself whether you should. So with that in mind, here are a few downsides to securing your emails:

You can’t read the encrypted emails on devices that don’t have the appropriate private keys installed
If you quickly want to access your emails on a device that doesn’t have your private key or doesn’t support PGP keys then you will not be able to access your encrypted emails from that device.
People may not want the hassle of setting up their own keys
Although you may have a public key, there is no guarantee that the people you want to communicate with will be willing to go to the trouble of setting up a key of their own.
Your attached key shows up as a .asc attachment
Letting people know you have a public key can often be a pain! I currently add my key to at least the first email that I send to a person, so that they know I have one available. The problem is whether you want to send your emails with an attachment the receiver won’t even recognise (.asc). Of course you can always compress the attachment so that it has an extension like .zip, but that can cause a few additional security concerns. However, if they do open the .asc key file in a text editor all they will see is garbled text anyway.
If you lose your key your emails are useless
It’s essential that you keep your key(s) safe, as you can’t access your emails without them. The good news is that revocation certificates are easy to create; these can invalidate your key should you lose it. Again, you will need to keep this certificate safe.
Only the contents of the email are encrypted; not the email itself
This means that any attachments you send will be encrypted as well as the body of the message. But what isn’t encrypted is the email’s Subject and other headers; this means that your email’s Subject and other information such as the sender and the receiver will still be visible to any snoopers on the line.
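To make that last point concrete, here is an added example (not from the original post, and not the code of any client mentioned in it) that builds a PGP/MIME message, the RFC 3156 layout Enigmail and similar plugins use, with Python’s standard library and then reads it back the way a mail server or someone on the line would. The body and attachment are constructed, the ciphertext is a labelled placeholder standing in for what gpg would produce (nothing is really encrypted here), and the addresses and subject are made up.

```python
from email import encoders, message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

def build_inner(body_text: str, filename: str, attachment: bytes) -> bytes:
    """The MIME part that gets encrypted: body text plus attachments, as one blob."""
    inner = MIMEMultipart("mixed")
    inner.attach(MIMEText(body_text))
    part = MIMEApplication(attachment, "octet-stream")
    part.add_header("Content-Disposition", "attachment", filename=filename)
    inner.attach(part)
    return inner.as_bytes()

def build_pgp_mime(sender: str, recipient: str, subject: str, ciphertext: str) -> bytes:
    """RFC 3156 envelope: a control part plus the armored ciphertext of build_inner()'s output.
    The headers set here travel in the clear, outside the encrypted part."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"], outer["To"], outer["Subject"] = sender, recipient, subject
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted", encoders.encode_7or8bit))
    outer.attach(MIMEApplication(ciphertext.encode(), "octet-stream", encoders.encode_7or8bit))
    return outer.as_bytes()

def observer_view(raw: bytes) -> dict:
    """What the mail servers and anyone on the line learn without the private key."""
    msg = message_from_bytes(raw)
    parts = msg.get_payload()
    return {
        "from": msg["From"], "to": msg["To"], "subject": msg["Subject"],
        "content_type": msg.get_content_type(),
        "body_is_ciphertext": b"BEGIN PGP MESSAGE" in parts[1].get_payload(decode=True),
    }

# Constructed placeholder standing in for gpg's armored output over SAMPLE_INNER;
# no real encryption happens in this example.
FAKE_CIPHERTEXT = "-----BEGIN PGP MESSAGE-----\n\nconstructed-placeholder-not-real-ciphertext\n-----END PGP MESSAGE-----\n"
SAMPLE_INNER = build_inner("Hi Bob, the figures are attached.", "q3-salaries.pdf", b"%PDF-1.4 constructed")
SAMPLE_RAW = build_pgp_mime("alice@example.com", "bob@example.com", "Q3 salary review", FAKE_CIPHERTEXT)
```

The attachment name and body text appear only in `SAMPLE_INNER`, the blob that gets encrypted, while the sender, recipient and subject are readable straight out of `SAMPLE_RAW`; if the subject itself is sensitive, keep it generic.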

Is it worth sending secure emails?

I personally think that despite the disadvantages, it is worth the hassle and the positives outweigh the negatives. In addition, as a Software Engineer/Web Developer I can use my key for other tasks such as signing code that I add to a public project, or I can easily set up authentication using my key instead of passwords.