Email Encryption for Journalists: Beginner’s Tutorial


EFJJOURNALIST TUTORIALS: Encrypted Email | Encrypted Chat | Encrypted Web Browsing

This tutorial is meant for journalists with little or no understanding of email encryption. It covers setting up an encrypted email account, so you can start communicating privately with sources.

Introduction

For journalists, encryption is important — both for your work on sensitive issues and for the security of your sources. Popular web-based email services such as Gmail, Yahoo and Outlook, which journalists often use as “personal email addresses”, do not encrypt your messages in a way that keeps them from the provider. This means your emails can be read by the companies providing the email service (and by any hacker who gains access to those companies), and your information is often used to sort you and your contacts into particular demographics, usually — but not exclusively — for advertising purposes. Put simply, if you read and compose emails in your browser (Internet Explorer, Firefox, Chrome, Safari) or in a separate app that does not encrypt them, your emails can be read (and stored) by others.

Luckily, there is a way to encrypt your emails, even if you use one of these email services. We’ll be downloading an open-source email client called Thunderbird, which is free and, with an add-on, lets you encrypt messages so that only you and the person you are writing to can read them. Let’s get started.

NOTE: Reader Mark Gamache points out you should use Tor when accessing public keys online (if you don’t understand what this is, keep reading). He also recommends you verify the key in multiple ways before sending secure email, and — this can’t be stressed enough — if you’re discussing confidential stuff, don’t stop being paranoid.

Getting Started


1. If you’re on Windows, download and install Gpg4Win. If you’re on Mac, download and install GPG Suite. Use all the default settings to complete installation. These programs are stable and open-source. “Open-source” means the program’s code is published for anyone to read, so its behaviour can be checked against what it claims to do. Each version of the program is inspected by thousands of people for glitches, bugs and other problems, which helps with stability as well.

2. Download the Thunderbird email program here. This is a widely used email client with a stellar reputation.

For this tutorial, I’m using the latest release of Thunderbird on Mac OS X. It is also available for Windows and Linux.

3. Install the application. Once installed (and after dragging it into your Applications folder, if on a Mac), open the application. Proceed to set up the email account you’ll use for encrypted communication. (Note: not all communication will need to be encrypted, but this allows you to send private emails if you so choose.)

4. Once your email address is set up in Thunderbird, emails from your inbox (if you have any) should start to appear. To encrypt your own messages and read others’ encrypted messages, you’ll need an extension for Thunderbird. Luckily, that’s exactly what the open-source Enigmail add-on does.

5. Open Thunderbird and go to Tools > Add-Ons and search for “Enigmail.” Make sure to download the correct Add-On developed by “Enigmail” or its creator, “Patrick Brunschwig”. (At the time I’m writing this, only Enigmail 1.6 is available.) After downloading, restart Thunderbird.

Make sure your version of Enigmail is the legitimate one, released by Patrick Brunschwig.

Setting it up


1. Upon restarting Thunderbird, let OpenPGP Setup Wizard guide you through the setup process.

Use the OpenPGP Setup Wizard to walk you through the process.

2. On the “Signing” page, select Yes, I want to sign all of my email. This will signal to others with encrypted email programs (such as Thunderbird) that your messages are truly from you. Those without encrypted email programs will still see your emails the same as they did before.

3. On the “Encryption” page, you have the choice to encrypt by default, or encrypt just for certain recipients. We’ll select No, I will create per-recipient rules for those that sent me their public key instead.

4. On the “Preferences” page, select Yes. If you see a “Key Selection” page, select I want to create a new key pair for signing and encrypting my email.

5. The “Create Key” page explains the basics of how this works. Put simply, you’ll share one half of your key pair (called the “public key”) with your contacts, but keep the other half (called your “private key”) secret, so only you can decrypt what they send you. Because the private key must be kept secret, this page prompts you for a passphrase so only you can unlock it. (I recommend using a full-sentence passphrase, such as thequickbrownfoxjumpsoverthelazydog, instead of a shorter password that’s easier to crack; pick a sentence of your own rather than this well-known example. If you can’t remember this passphrase, write it on paper somewhere — DO NOT store it digitally.) Select Continue.

6. Select Continue again to create your key, which by default will be a 2,048-bit key pair valid for five years.

7. On the “OpenPGP Confirm” page, select Generate Certificate. This creates a “revocation certificate”, a file that, once published, tells others not to trust or use that key any more. If you ever lose your private key or accidentally share it, you import and publish this certificate to revoke the key. (Special thanks to blitchiz and phyzome for their clarification on this.)

8. Almost done! On the next page, enter the passphrase you created in Step 5. You will be prompted to move your revocation certificate to a CD or Floppy Disk. It is a good idea to store this separately from your computer.

9. Click Done.

10. We have one last step. Select your email account in the left sidebar (above “Inbox”). Click View Settings for this account and then select the OpenPGP Security tab in the sidebar. Make sure the Use PGP/MIME by default box is checked (this lets you encrypt stationery, pictures and attached files, not just raw text).

11. Click OK. You’re now encrypted and ready to talk with sources!

Let’s test it out


1. Compose a new email by clicking the Write icon or pressing Ctrl+N (⌘+N on Mac OS X). You’ll notice an OpenPGP button in the toolbar. Click it, and select Encrypt message. You may be prompted to enter your passphrase.

2. Send a test email to anyone else using encrypted email, or to me at matthew.d.schrader@gmail.com (I’ll try to respond as soon as I can). For faster testing, you can send an email to yourself, using the same email address you just set up.

When composing a private email, click the yellow “OpenPGP” icon on the top toolbar to make sure “Sign message,” “Encrypt message” and “Use PGP/MIME” are selected.

3. After sending an encrypted email to yourself, open your browser and log in to Gmail (or whatever web-based email client you used before you became the tech wizard you are now). Open the message you just sent yourself. You’ll see a jumbled block of text, which Google cannot read. It can, however, be read by the intended recipient, if they’re using an encryption-enabled email client like you are.

This encrypted code is what Google will see when you send encrypted messages through Thunderbird.

4. When your encryption-enabled recipient responds to your test email, they’ll encrypt the response using the public key embedded in your initial email. Because that message can only be decrypted with your private key (on your computer), no one but you will be able to read their response.

Thunderbird will be able to read encrypted email responses you get, though Google (and any others eavesdropping) will only be able to see the scrambled letters, nearly impossible to decrypt.

5. You can now promise secrecy/anonymity to sources. Unless you lose (or share) your private key, no one else (including Google) can figure out what a source emailed you! Keep in mind that the subject line and the sender and recipient addresses are not encrypted, so the fact that a particular address wrote to you is still visible to the email provider.

Make yourself accessible


Lastly, it’s a good idea to make your public key (not your private key!) available online to others. This is so others can initiate secure email communication with you, instead of having to wait to receive your encrypted email first.

I recommend putting your public key on your website (if you have one), or copy-pasting it online and linking to it on your Twitter or Facebook page. Here’s how to do that, again using free tools:

1. In Thunderbird, go to the menu and navigate to OpenPGP > Key Management. You should see a list of the keys known to your computer. Right-click on your email address and select Copy Public Keys to Clipboard.

2. Go to Pastebin.com and paste your text into the text box. You should see a block that begins with “-----BEGIN PGP PUBLIC KEY BLOCK-----”.

3. To make sure the right email address is included, type in “Email: [your email address]” on line 2 and press Enter to move everything else down a line.

Copy-paste your public key into this box, and be sure to insert a line in the top section with your email address in it.

4. Click “Submit.” You may be prompted to enter a captcha code. You should see your data pasted on a new page.

5. Click Raw at the top. Copy the URL of that page, and put it on your personal website or on social media for tipsters to access. Now your sources can come to you!

You can include your Pastebin link in your Twitter bio. I’ve used the website http://is.gd to shorten my Pastebin link into something easier to remember.
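An added example, not part of this tutorial and not Enigmail’s code: a small Python script that parses the armored “PGP PUBLIC KEY BLOCK” you just pasted, puts step 3’s “Email:” line in the header section (the part between the BEGIN line and the blank line, which is not covered by the checksum, so adding a line there does not damage the key), and verifies the CRC-24 checksum at the end of the block so a source can tell a corrupted paste from a good one. The key bytes used here are a constructed placeholder, not a real key.

```python
"""Added example (not from the tutorial): parse the armored PGP PUBLIC KEY BLOCK
Enigmail copies, insert the tutorial's "Email:" line, and verify the CRC-24 checksum."""
import base64

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"
# Constructed stand-in for exported key bytes; this is NOT a real OpenPGP key.
SAMPLE_KEY_BYTES = bytes(range(256)) * 3

def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880, section 6.1) over the decoded body bytes."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(payload: bytes, headers: dict) -> str:
    """BEGIN line, header lines, blank line, base64 body in 64-char rows, =CRC line, END line."""
    body = base64.b64encode(payload).decode()
    lines = [BEGIN] + [f"{k}: {v}" for k, v in headers.items()] + [""]
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    lines.append("=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode())
    return "\n".join(lines + [END]) + "\n"

def add_email_header(block: str, email: str) -> str:
    """Step 3 of the tutorial: 'Email: ...' goes on line 2, in the header section."""
    lines = block.splitlines()
    lines.insert(1, f"Email: {email}")
    return "\n".join(lines) + "\n"

def parse_armor(text: str):
    """Return (headers, payload), or None if the block is damaged (missing lines, bad CRC)."""
    lines = text.strip().splitlines()
    if lines[0] != BEGIN or lines[-1] != END or "" not in lines:
        return None
    blank = lines.index("")  # the blank line ends the header section
    headers = dict(line.split(": ", 1) for line in lines[1:blank] if ": " in line)
    *body, crc_line = lines[blank + 1:-1]
    if not crc_line.startswith("="):
        return None
    payload = base64.b64decode("".join(body))
    if crc24(payload) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        return None  # checksum mismatch: the pasted key block was altered or truncated
    return headers, payload
```

A single changed character in the base64 body is enough to make the checksum fail, which is why a source who gets a “bad checksum” error from their PGP software should fetch the key again rather than trust it.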

Questions or comments?


Feel free to email me at matthew.d.schrader@gmail.com. Bonus points if you email me using your encryption.


2 thoughts on “Email Encryption for Journalists: Beginner’s Tutorial”

    Roo said:
    June 2, 2014 at 5:54 am

    Nice guide. May want to add that people will need to install GnuPG (https://www.enigmail.net/documentation/quickstart-ch1.php#id2489032). The easy way of doing that is to go for Gpg4win, but I don’t know if it’s needed for using it on a Mac.


    google api console said:
    August 24, 2014 at 1:46 pm

    Just want to say your article is astounding. The clarity in your post is just great and I can assume you’re an expert on this subject.

    Well, with your permission, allow me to grab your feed to keep up to date with forthcoming posts.

    Thanks a million and please keep up the rewarding work.
