Many times we need to send confidential information via email, and we do share critical information this way. That information is then kept on servers forever: one copy in your account and another in the receiver's account, and it can be read or sniffed by the people who own the servers and the data. Servers are also backed up to ensure users' emails are not lost in case of a failure. In practice, your confidential information has many copies around the globe that could end up in anyone's hands.
We all use popular email services like Gmail, Outlook, Yahoo, etc., and they do provide secure login over HTTPS/SSL. An email you send is encrypted from your computer to the Gmail server (as an example). That email is then forwarded to the receiver's email server in clear text (unencrypted) and can be sniffed with various networking tools.
Web email services (Gmail, Yahoo, Outlook, etc.) store your emails as you draft or compose them. Every line you type is backed up immediately. Any confidential information you type is stored on the server, and even if you remove or delete those lines, a backup already exists on the server for Google (as an example) to refer to. So even if you wipe the confidential content from your email before you send it, it is still kept on the server forever and you cannot remove it!
How, then, do you send confidential information that only the receiver can read? How can you ensure that your email stored on servers is encrypted?
The solution is to use PGP (Pretty Good Privacy), a technology invented in 1991 by Phil Zimmermann. Yes, technology to secure emails has been available for a long time; it is the complicated setup that keeps people away from using it. The right set of tools is now available to make it easy to send secure emails right from your browser.
With extensive internet usage in our daily routine and our data in the cloud, you need to protect your confidential data in all its forms, managing how it is both transferred and stored. PGP comes in handy here, and learning it will help you in the long run.
How does it work?
PGP uses the modern public/private key encryption model combined with a conventional secret key for faster encryption. People who wish to send secure emails need to create a public/private key pair using the tools listed below. A public or private key is nothing but a large mathematical value used to encrypt and decrypt a message. The public key can be shared with everyone, whereas the private key must be stored securely and never disclosed to anyone. The rule is that any message or text encrypted with the public key can be decrypted only with the private key.
To use PGP, you first need to generate a public/private key pair. You then share your public key with people so that they can encrypt their messages with it, and you decrypt those messages with your private key. If you wish to send a secure email, you need to get the receiver's public key to encrypt the message.
In PGP, a session key (or secret key) is also involved. It is there to speed up encryption and decryption of your email. This secret key is generated randomly when you send an email and is used only for that one email. The secret key is then encrypted with the receiver's public key.
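As an added illustration of the session-key model described above (example code, not from the post or from Mailvelope), this Go program seals a message the way PGP does it: a fresh random session key encrypts the body, and only that key is encrypted with the receiver's public key. The concrete algorithms (RSA-OAEP for the key, AES-GCM for the body) and the output layout are assumptions for the demo, not OpenPGP's packet format.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// aeadFor builds the AES-GCM cipher that protects the message body under a session key.
func aeadFor(session []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(session)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal: a fresh random session key encrypts msg, and only that key is RSA-encrypted to pub.
// Output layout (assumed for this demo, not OpenPGP's): wrappedKey || nonce || body.
func Seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	buf := make([]byte, 44) // 32-byte session key for this message only, then a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	gcm, err := aeadFor(buf[:32])
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append(wrapped, buf[32:]...), buf[32:], msg, nil), nil
}

// Open unwraps the session key with the private key and decrypts the body; a tampered
// body or the wrong key fails authentication instead of yielding garbage.
func Open(priv *rsa.PrivateKey, env []byte) ([]byte, error) {
	n := priv.Size() // byte length of the RSA-wrapped session key
	if len(env) < n+12 {
		return nil, rsa.ErrDecryption
	}
	session, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env[:n], nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(session)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env[n:n+12], env[n+12:], nil)
}
```

Only the holder of the private key can unwrap the session key, and any change to the sealed body is rejected on opening, which is the property the post attributes to PGP.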
What do you achieve using PGP?
- Only the receiver can read your emails
- No one with access to the email servers can read, decrypt or modify your emails
- Your data is secure while it is transferred from one server to another
- With additional PGP setup, you can ensure that the email is coming from a trusted friend and that no one on the route has seen or modified it.
What high-level steps do I need to take?
- Create a public/private key pair using the tools
- Share your public key with friends
- Store your private key securely so that no one else has access to it
- Use the PGP tools to encrypt emails and send them
Mailvelope as a browser extension for PGP:
There are a couple of client-side tools you can use to create public/private keys and then use them in a local email client (Outlook, Thunderbird, etc.). Instead of that, there is a better option: Mailvelope. This add-on is available for Chrome and Firefox: https://www.mailvelope.com/
Mailvelope has resolved the complexity behind PGP and made it easy for everyday internet users. Here is a video that explains how to set up and use Mailvelope.
How to secure your public/private keys:
- You should be using a password manager to store your passwords. These password managers generally provide secure notes or text boxes for additional notes. Use them to store your public/private keys: export the keys from Mailvelope and store them in your password manager.
- Do not set up Mailvelope on a public computer. Uninstall Mailvelope if you no longer use the laptop to send or receive emails.