Private and secure email communication with PGP

This is my third post about a secure and private work environment running on Linux OS for crypto investors. Today's post is about secure communication, especially via email. We'll list a few privacy friendly web email service providers and talk about PGP. We'll first look at PGP which stands for Pretty Good Privacy and it is indeed pretty freaking good for its purpose - making your message completely unreadable by unintended recipient. We'll use gpg utility for email encryption. The GNU Privacy Handbook is the authoritative how-to. Whatever time you spend on encryption, it's sure worth it. This pretty good introduction to Pretty Good Privacy is a great place to begin. Even people familiar with PGP might learn something new as the video also talks about other applications of encryption.

Alternatively, you can use the GUI softwate Seahorse to generate keys. Here is detailed tutorial with screenshot. If you use command line, use gpg2 utility instead of gpg. gpg seems to have integration problem with Evolution, the email client. Now let's look at what privacy friendly web email services we have aside from Google, Microsoft and the like:

• ProtonMail
  ProtonMail is an open-source, end-to-end encrypted email service developed by a group of researchers from MIT and CERN. According to their website, "...[ProtonMail's] security measures are intense: end-to-end encryption and user authentication protocols so rigorous even the creators can't read user emails." ProtonMail's JavaScript requirement has been deemed by some as suspicious, but it's used for openpgpjs, a JavaScript implementation of OpenPGP. At this time Protonmail does not support IMAP/SMTP or POP3 due to the technology ProtonMail utilizes within web browsers to encrypt and decrypt your messages. So, for now, ProtonMail can't be integrated with email clients like Evolution, Thunderbird or MS Outlook.

• Tutanota
  This is another open-source, encrypted email service. Tuta too doesn't support IMAP/SMTP or POP3.

• mailbox.org
  It has a few more extended privacy features and that's why I'm currently using it. First, it has IMAP/SMTP or POP3 support. So you don't need to use browser to send or receive email; email client supported. Second, you can provide your PGP public key and the moment your incoming email reach mailbox.org server, it will be automatically encrypted with your public key. No one, not even mailbox.org operators, can look into your email.

Now we take a look at how PGP, Evolution email client and mailbox.org in tandem offer a secure and hardened configuration for communication.

PGP, Evolution and mailbox.org

I assume you already created your private and public key pair. That's all needed from PGP part. Now log into your mailbox.org account and go to Account Settings. Under Email tab, select Inbox encryption. Paste your public key in the textbox and check Activate PGP encryption for incoming e-mails. Now all your incoming emails will be encrypted with this public key. Only you can open (decrypt) the emails with your private key, even if the the sender doesn't . Public key upload should look like:

Let's turn to Evolution email client to finish our setup.
First add/create an account in Evolution with your mailbox.org credentials. See here for instructions to setup mailbox.org account in Evolution. In left pane, right click on your email account ([email protected]) and select Properties. In the pop window, click on Security. In the OpenPGP Key ID text box, type the public key ID. Key ID is an eight character string; get it by running gpg --list-key in the terminal. Alternatively just type your email address [email protected] in the text box.

If you did everything, you now have a private and secure email setup. Congrats! In the next post we'll learn about hashing password and generating "random" (those familiar with hashing algo would understand seeming random string is indeed determined by input) long password that's easy for you to remember or create same password on any computer or mobile phone without having to memorize a scrambled string. We'll also talk about two factor authentication.