Kit #11. I need to send emails that only the recipient can read
How can I be sure that the contents of my emails are completely confidential?
You need to send sensitive information to your colleagues or friends, but you’ve heard that once messages leave your computer they travel through a strange no-man’s-land where you lose control over who might see your communication. You have a suspicion that someone is eavesdropping. If this happens when you’re sending sensitive information, you and the people you write to might get into serious trouble.
Once your email or chat message leaves your computer, it travels through many nodes or points along the way such as routers, servers and middle boxes where it can be intercepted, read and stored for future access. The internet’s underlying infrastructure was built for openness and interoperability and therefore unfortunately does not guarantee privacy.
What you should do
You must make careful decisions about your email provider and the software you use if you want to make sure that your messages can’t be read by anyone other than the intended recipient.
Encrypt your communication using OpenPGP. This will convert your messages into a format such that if an unauthorised person intercepts them, they’ll see a sequence of letters and numbers that won’t make any sense to them. Only those who have the intended recipient’s passphrase will be able to revert it back to the original form. There are a few different ways of achieving this:
- Mozilla Thunderbird in combination with the Enigmail extension (Windows, OS X). This is the preferred way of doing it as the encryption is done in a standalone mail client rather than in a browser which could be susceptible to more vulnerabilities.
- Mailvelope browser extension with your webmail. This method is the easiest way to use OpenPGP, if you are used to checking your email over the web, as you won’t need to set up a separate desktop email client. However browsers are particular targets of malware and surveillance, so it is not advisable if you need to communicate very sensitive material.
In each of the above methods, you will create two files – a keypair – consisting of what are known as your public and private keys. You will have to share your public key with anyone you wish to communicate with. (Read more about how PGP works here) .
Keep in mind
- The message body and attachments of an email message can be encrypted. However, the other information that travels along with every email (including the subject, addressees, sender, dates and servers through which the message travels) is not encrypted.
- The email you encrypt can be decrypted only if the addressee has her/his own private OpenPGP key and knows the passphrase that allows her/him to use it. Consequently, anyone in control of her/his private OpenPGP key could read the message you sent.
- Encryption is illegal in some countries. Check whether this is the case in your country before you start using encryption, just to be aware.
Where to find more help
- Read introductions to public key cryptography and to mail encryption with OpenPGP.
- Learn more about email encryption.
- Learn more about how to use OpenPGP in Thunderbird with Enigmail.
- Tips on responding to suspected email surveillance.
- Learn about encryption-related laws in each country.