This tutorial is meant for journalists with little or no understanding of email encryption. It covers setting up an encrypted email account, so you can start communicating privately with sources.
For journalists, encryption is important — both for your work on sensitive issues and for the security of your sources. Popular web-based email services such as Gmail, Yahoo, Outlook, which journalists often use as “personal email addresses” do not encrypt your messages. This means your emails can be read by the companies providing the email service (and any hacker who gains access to the companies), and your info is often used to sort you and your contacts into particular demographics, usually — but not exclusively — for advertising purposes. Put simply, if you read and compose emails in your browser (Internet Explorer, Firefox, Chrome, Safari) or in an unencrypted separate App, your emails are being read (and stored) by others.
Luckily, there is a way to encrypt your emails, even if you use one of these email services. We’ll be downloading an open-source email client called Thunderbird, which is free and allows you to encrypt messages, so only you can see your emails. Let’s get started.
NOTE: Reader Mark Gamache points out you should use Tor when accessing public keys online (if you don’t understand what this is, keep reading). He also recommends you verify the key in multiple ways before sending secure email, and — this can’t be stressed enough — if you’re discussing confidential stuff, don’t stop being paranoid.
Skip to section:
1. If you’re on Windows, download and install Gpg4Win. If you’re on Mac, download and install GPG Suite. Use all the default settings to complete installation. These programs are stable and open-source. It is called “open-source” because the program is written transparently, in a code viewable to anyone, ensuring it operates exactly as it claims. Each version of the program is inspected by thousands of people for glitches, bugs or other problems, which ensures stability as well.
2. Download the Thunderbird email program here. This is a widely used email client with a stellar reputation.
3. Install the application. Once installed (and after dragging into your Applications folder, if on a Mac), open the application. Proceed to set up the email account you’ll use for encrypted communication. (Note: Not all communication will need to be encrypted, but this allows you to send private emails if you so choose.
4. Once your email address is set up in Thunderbird, you should see emails from your inbox (if you have any) start to appear. To encrypt and read others’ encryptions, you’ll need an extension for Thunderbird. Luckily, that’s exactly what open-source Enigmail does.
5. Open Thunderbird and go to Tools > Add-Ons and search for “Enigmail.” Make sure to download the correct Add-On developed by “Enigmail” or its creator, “Patrick Brunschwig”. (At the time I’m writing this, only Enigmail 1.6 is available.) After downloading, restart Thunderbird.
Setting it up
2. On the “Signing” page, select Yes, I want to sign all of my email. This will signal to others with encrypted email programs (such as Thunderbird) that your messages are truly from you. Those without encrypted email programs will still see your emails the same as they did before.
3. On the “Encryption” page, you have the choice to encrypt by default, or encrypt just for certain recipients. We’ll select No, I will create per-recipient rules for those that sent me their public key instead.
4. On the “Preferences” page, select Yes. If you see a “Key Selection” page, select I want to create a new key pair for signing and encrypting my email.
5. The “Create Key” page will explain the basics of how your communication works. Put simply, you’ll share part of your encryption (called the “public key”) with your contacts, but will keep the rest of your encryption secret (called your “private key”) so only you can crack the whole code. Because the private key must be kept secret, this page prompts you for a passphrase so only you can unlock it. (I recommend using a full sentence passphrase, such as thequickbrownfoxjumpsoverthelazydog, instead of a shorter password that’s easier to crack. If you can’t remember this password, write it on paper somewhere — DO NOT store it digitally.) Select Continue.
6. Select Continue again to create your key, which by default will be a 2,048-bit encryption valid for five years.
7. On the “OpenPGP Confirm” page, select Generate Certificate. This will make a “revocation certificate” — essentially telling others not to communicate with that key any more. In the event you lose or accidentally share your private key, you can revoke the certificate. (Special thanks to blitchiz and phyzome for their clarification on this.)
8. Almost done! On the next page, enter the passphrase you created in Step 5. You will be prompted to move your revocation certificate to a CD or Floppy Disk. It is a good idea to store this separately from your computer.
9. Click Done.
10. We have one last step. Select your email account on the left sidebar (above “Inbox”). Click View Settings for this account and then select the OpenPGP Security tab on the sidebar. Make sure the Use PGP/MIME by default box is checked (this lets you encrypt stationary, pictures and files instead of just raw text).
11. Click OK. You’re now encrypted and ready to talk with sources!
Let’s test it out
1. Compose a new email by clicking the Write icon or pressing Ctrl+N (⌘+N on Mac OS X). You’ll notice an OpenPGP button in the toolbar. Click it, and select Encrypt message. You may be prompted to enter your passphrase.
2. Send a test email to anyone else using encrypted email, or to me at firstname.lastname@example.org (I’ll try to respond as soon as I can). For faster testing, you can send an email to yourself, using the same email address you just set up.
3. After sending an encrypted email to yourself, open your browser and log in to Gmail (or whatever web-based email client you used before you became the tech-wizard you are now). Open the message you just sent yourself. You’ll notice a jumbled mess of text, which Google cannot read natively. This can, however, be read by the intended recipient, if they’re using an encrypted email client like you are.
4. When your encryption-enabled recipient responds to your test email, they’ll encrypt a response using the public key embedded in your initial email. Because that encryption can only be cracked with your private key (on your computer), no one will be able to read their email response except for you.
5. You can now promise secrecy/anonymity to sources. Unless you lose (or share) your private key, no one else (including Google) can figure out what a source emailed you!
Make yourself accessible
Lastly, it’s a good idea to make your public key (not your private key!) available online to others. This is so others can initiate secure email communication with you, instead of having to wait to receive your encrypted email first.
I recommend putting your public key on your website (if you have one), or copy-pasting it online and linking to it on your Twitter or Facebook page. Here’s how to do that, again using free tools:
1. In Thunderbird, go to the menu and navigate to OpenPGP > Key Management. You should see a list of known encryptions on your computer. Right-click on your email address and select Copy Public Keys to Clipboard.
2. Go to Pastebin.com and paste your text into the text box. You should see a box that begins with “—–BEGIN PGP PUBLIC KEY BLOCK—–“.
3. To make sure the right email address is included, type in “Email: [your email address]” on line 2 and press Enter to move everything else down a line.
4. Click “Submit.” You may be prompted to enter a captcha code. You should see your data pasted on a new page.
5. Click Raw at the top. Copy the URL of that page, and put it on your personal website or on social media for tipsters to access. Now your sources can come to you!