Sending secure messages, also known as cryptography, has been a part of our collective history for thousands of years. At its most basic, a key is used to change the message from readable text into something that is illegible. Then once sent, the recipient uses a key to transform the illegible message back into a form that is readable again. Anyone who intercepts the message while in transit will not be able to read it without the key.
A simple example of such a technique is the alphabetic letter replacements used in a child’s decoder ring. In fact it is the basis of what is known as the Caesar Cipher, which was one of the earliest known forms of cryptography used by the Roman emperor Gaius Julius Caesar. One of the challenges inherent in using a single key to both encrypt and decrypt a message is getting the key to both the sender and the receiver securely. Once the key has been compromised, then all communications can be deciphered and read by anyone holding the key.
The basics of Pretty Good Privacy
Enter Pretty Good Privacy, or PGP for short. PGP uses what is known as public key cryptography. This allows one to publish their public key to the world while keeping their private key secret. Anyone with access to the public key can then encrypt information that only the owner of the private key, also referred to as the secret key, can decrypt. With PGP, others will use your public key to encrypt a message that they send to you, and in turn you will use others’ public keys to encrypt messages that you send to them.
It may be best to think of the process of sending encrypted messages in reverse. You must have a desire to receive encrypted messages, not send them. So rather than think of it like “I want to encrypt my message before I send it,” you need to think of it as “I need to encrypt their message before they receive it.” Since only a private key can be used to decrypt a message, it is very important that everyone protect their private key. For that reason access to one’s private key is protected by what is known as a passphrase, or simply put, a very long password.
OpenPGP solutions for OS X
OpenPGP is the standard that PGP technologies like GnuPG, an open source implementation of PGP, use to ensure that they work with other technologies that implement OpenPGP. GPGTools (Free, Mac), which is based on GnuPG, is one such tool that makes sending and receiving encrypted messages on OS X as easy as sending and receiving unencrypted messages. It does so by installing a plugin to Apple Mail.
Download and install GPGTools – After downloading and installing the latest release of GPG Suite from gpgtools.org (which has been updated for OS X Mavericks and is backward compatible to 10.7), you will need to create both a public and a private key for the email address at which you would like to receive encrypted messages.
Create a public and private key – For the Apple Mail plugin to work properly, it is important that you create a private and public key for an email address that you are using in Apple Mail. During this process you will be asked to provide your passphrase. This passphrase will keep others from using your private key. Once completed, you are ready to receive your first encrypted email.
Publish your public key – To make your public key easy for others to find, you can upload it to a Keyserver. Keyservers exist as a sort of online directory of public keys. You can search a keyserver using someone’s email address. If that email address has a public key on the keyserver, then you can download it and send encrypted messages to that email address.
Share and collect public keys – If you do not want to publish your public key on a keyserver, you can manually export your public key and decide how best to distribute it to those you want to receive encrypted messages from. Before anyone can send you an encrypted message, they must have access to your public key.
Sending encrypted email – From this point forward, when you send an email message to someone for whom you have a public key, you will have the option to encrypt the message you send to them. Simply press the button on the email to encrypt the message. The GPGTools plugin for Apple Mail will search your list of public keys for one associated to the email address matching the recipient of the message.
OpenPGP solutions for iOS
On iOS the options are not quite as elegant. oPenGP ($3.99, Universal) and iPGMail ($1.99, Universal) are two products that will both encrypt and decrypt your OpenPGP messages. Each does a good job at managing your public keys and encrypting messages.
Importing keys – Both products offer Dropbox integration for management of your public key files. They can search keyservers for public keys as well as use iTunes to sync your collection of public keys. So getting your collection of public and private keys onto your iOS device is a straightforward process.
Receiving secure messages – Neither of the apps is an actual mail client. You will need to copy and paste your encrypted messages from the iOS Mail app in order to decrypt a message. This process can be tedious when the encrypted text is embedded in the body of the email message and not sent as an attachment. Both apps support the automatic decrypting of any encrypted file sent to the app via iOS’s “Open in…” capability.
Sending secure messages – Sending secure messages is much easier than receiving them, as each app has the ability to send an email directly from within the app. In both apps, you select the recipient of the message, type your message, encrypt and send. You can also encrypt a message to be sent via iMessage or any other form of communication by copying the encrypted text to the clipboard.
Design vs function – Choosing which of the two apps is best has been a challenge. oPenGP at first seemed to have a cleaner design and as a result was a little easier to use. But as I have sent more and more secure messages, the mechanics of iPGMail have started to grow on me and now feel more natural. One thing that iPGMail does that oPenGP does not is generate a public and private key.
Protecting the messenger’s privacy
While technologies like PGP do a pretty good job at securing the contents of the message, they do not offer much in the way of protection for the messenger’s privacy. Sending encrypted messages using OpenPGP does not encrypt the headers of each message, which include all of the internet traffic location information, including the to and from email account information. It also does not protect the history of messages sent and received, nor the account information stored on the email provider’s mail servers.
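What stays readable on an OpenPGP-encrypted email without any private key, as an added example that is not part of the original article. The sample message, its addresses and its armored body are constructed placeholders, and the function names `visible_metadata` and `body_is_encrypted` are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses

ARMOR = "-----BEGIN PGP MESSAGE-----"

# Constructed sample: an inline-PGP message as a mail server would store it.
# Hosts, addresses and the armored body are placeholders, not real data.
SAMPLE = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\tby mx.recipient.example; Mon, 04 Nov 2013 09:15:02 +0000
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Subject: Q3 contract draft
Date: Mon, 04 Nov 2013 09:15:00 +0000
Message-ID: <constructed-1@sender.example>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

cGxhY2Vob2xkZXIgY2lwaGVydGV4dA==
=AAAA
-----END PGP MESSAGE-----
"""

def body_is_encrypted(msg):
    """True for PGP/MIME (RFC 3156) or an inline armored block."""
    if msg.get_content_type() == "multipart/encrypted":
        return True
    for part in msg.walk():
        payload = part.get_payload()
        if isinstance(payload, str) and ARMOR in payload:
            return True
    return False

def visible_metadata(raw):
    """Collect the fields any server or observer on the path can read."""
    msg = message_from_string(raw)
    return {
        "from": [a for _, a in getaddresses(msg.get_all("From", []))],
        "to": [a for _, a in getaddresses(msg.get_all("To", []))],
        "subject": msg["Subject"],
        "date": msg["Date"],
        "relay_hops": len(msg.get_all("Received", [])),
        "body_encrypted": body_is_encrypted(msg),
    }

if __name__ == "__main__":
    for field, value in visible_metadata(SAMPLE).items():
        print(f"{field:15} {value}")
```

Only the body is protected: sender, recipient, subject, timestamp and relay path are all recovered in plaintext.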
Private Swiss email accounts – If you are looking for a solution that does a pretty good job at protecting your privacy, then perhaps you need to look towards Switzerland. Given the political nature of the Swiss (or lack thereof), data centers in this neutral country are seeing more and more business lately. One such email provider is MyKolab.com. With a data center based in Switzerland, it offers a unique privacy alternative to popular online free email services. Starting at just $65/yr for personal email only, this is certainly a good place to start.
Anonymous surfing – Taking both your security as well as your privacy one step further, you will find NeoMailbox. Offering an anonymous surfing service in addition to its secure email hosting solution, NeoMailbox will also help protect the way you connect to the internet. Even if privacy is not a major concern to you personally, using a tunneling service similar to the one offered by NeoMailbox can help resolve one of the biggest security threats of our era: free Wi-Fi hotspots. With a privacy combo pack costing around $90/yr, this product offers a whole lot more for an additional $25 annually.
Featured photo courtesy Shutterstock user Maksim Kabakou.