Avoid Security Agencies from Spying on your Emails
You should know this even if you have nothing to hide!
Discovering matt.might.net
A few days ago I was reading an article my friend shared about how a vaccine is developed. Following through a few links shared in that article I discovered matt.might.net and it felt like I had discovered some kind of a treasure chest.
I’ve been so bored at my regular day job as I’ve been feeling very stagnant for a few months, not learning anything new and just doing the bare minimum, sort of getting by. Seems like discovering this website is what I needed to get back up. You should definitely checkout this blog!
Securing emails
On the home page Matt had shared his PGP key to communicate with him securely. I thought it was interesting that Matt had provided this key and wanted to know how I can set it up for myself. I found some help on his blog and completed the setup for myself.
Even though I won’t be using this during my daily email communications, it would be fun to set it up and send my first encrypted message. Doing things just for fun, reminds me of my days at grad school. After I started working for corporates I lost this craving for “doing things for fun” and I’m trying to get it back. I think I’ll write another post about this sometime.
I’m running macOS Catalina and there would be some steps which are macOS specific, so if you are on any other OS you might have to google alternatives to that step for your OS, or leave a comment and I’ll try to help.
Setup GPG tool and key
Install GPG Tools — [GPG Suite](https://gpgtools.org/)
After the setup completes, as part of your first steps, you’ll be prompted to create a new key. Fill in your information — Name, Email, Password (make sure it is a strong one).
What we are doing here is creating a public/private key pair so your communications can be protected with asymmetric encryption.
As soon as you click Generate Key you are prompted to upload the key to the Key Server. Do it, it helps other users discover your public key.
NOTE: You’ll receive an email to verify the upload on the key server. Make sure you verify the upload by clicking the link in the email.
Email Client
The steps we discuss here are for Apple Mail, but you should be able to do this with any email client or even in the browser with some googling along the way.
Now, for the rest of the article I assume that Apple Mail is already set up for the email address you just created the key for. If not, you can open Apple Mail, go to Preferences > Add Account and follow through the steps; it’s quite simple and intuitive.
I’m on macOS Catalina so I had to manually enable the GPG plugin for Apple Mail. Go to Preferences > General > Manage Plug-ins and check GPGMailLoader. Apply and restart. You might not have to do this if you are running an older version of macOS, but go and verify anyway.
Sending your first encrypted email
To send an encrypted email to someone, you need to know their public key. But for now we only know our own email’s public key, so you are going to add your own email as the recipient. This is the easiest way to test because, like me, you might not have any friends that use an encrypted email setup. So your first encrypted email is going to be to yourself.
If you do have a friend’s public key you can import it by running the following command in your Terminal.
gpg --import <path_to_friends_public_key>
Now go to Apple Mail, compose a new mail and add yourself as the recipient (or your friend if you have imported their public key).
You should see 2 toggles to the right of the Subject Field.
The first one means the message is encrypted. It means that your message is transmitted securely over the network and no one can sniff it and read/change it. The recipient’s public key is used to encrypt this message.
The second one means the message is signed. This lets the recipient verify that the email is coming from you, because only you could have produced the signature. Signing uses the sender’s private key.
Add some text to the body of the email, I’m going to write “This message did not reach NSA” and send it.
We covered most of the important stuff from the sender’s point of view. Let’s go over to the recipient’s side and understand things there.
Receiving an encrypted email
As a recipient you need your private key to decrypt a message that has been encrypted with your public key.
If the recipient has an email client like Apple Mail set up with the private key, which we do, the client will handle the decryption of the message and will also extract the sender’s signature metadata to conveniently show to you.
Click on the tick mark icon to the left of “Signed” to view the sender’s signature. In this case sender and receiver are the same, so you’ll see your own email here.
But if the recipient is viewing this on a client/browser that doesn’t have the private key, the email will not be decrypted automatically and you’ll see just 2 attachments.
You can check the contents of these files, none of them contains the message you sent. So now you know that the information was sent in encrypted form and no one was able to spy on it. The encrypted.asc file contains the message, along with other metadata. You can ignore the noname file for now.
Now, I wanted to know how I can manually extract the message from the .asc file received in the mail using the private key. Normally this is not what anyone would do, because the email client would already be set up. But let’s just do it for the fun of it.
Download encrypted.asc and run the following command in the Terminal —
gpg --decrypt <path_to_downloads_folder>/encrypted.asc
A bunch of information will be printed on the terminal, including the message — “This message did not reach NSA”.
This decryption was made possible by the private key that was already in the gpg keyring, created when you generated your key pair at the beginning.
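The whole round trip from the sending and receiving sections (encrypt to the recipient’s public key, sign with the sender’s private key, then decrypt and verify on the other side) as one non-interactive gpg script. This is an added example, not from the original post or from GPG Suite; it uses two constructed identities (alice@example.com, bob@example.com) in a throwaway keyring, and the empty passphrase is only there to avoid prompts in a demo.

```shell
#!/bin/sh
# Added example: encrypt+sign a message from alice to bob, then decrypt+verify as bob.
# Everything happens in a temporary GNUPGHOME so your real keyring is untouched.

# Create a key for the given e-mail address without prompts.
# (Empty passphrase is for the demo only; the GUI setup in the post asks for a strong one.)
gen_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$1" default default never
}

# Returns 0 when the decrypted text matches the original AND gpg reports GOODSIG.
demo_round_trip() {
  GNUPGHOME="$(mktemp -d)"
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  gen_key "alice@example.com"   # sender (constructed identity)
  gen_key "bob@example.com"     # recipient (constructed identity)

  # Sender side: the same thing the two toggles in Apple Mail do.
  # --recipient bob  -> encrypt with bob's public key
  # --local-user alice -> sign with alice's private key
  printf '%s\n' "This message did not reach NSA" > "$GNUPGHOME/msg.txt"
  gpg --batch --quiet --trust-model always --armor \
      --local-user alice@example.com --recipient bob@example.com \
      --sign --encrypt --output "$GNUPGHOME/encrypted.asc" "$GNUPGHOME/msg.txt"

  # Recipient side: this is the manual "gpg --decrypt encrypted.asc" step from the post.
  # gpg uses bob's private key to decrypt and alice's public key to check the signature;
  # --status-fd gives machine-readable results instead of locale-dependent messages.
  gpg --batch --quiet --trust-model always --pinentry-mode loopback --passphrase '' \
      --status-fd 3 --decrypt --output "$GNUPGHOME/plain.txt" "$GNUPGHOME/encrypted.asc" \
      3>"$GNUPGHOME/status.txt"

  grep -q '^\[GNUPG:\] GOODSIG' "$GNUPGHOME/status.txt" \
    && cmp -s "$GNUPGHOME/msg.txt" "$GNUPGHOME/plain.txt"
  result=$?

  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$GNUPGHOME"
  return $result
}

demo_round_trip && echo "round trip OK: message recovered and signature verified"
```

The encrypted.asc produced here has the same shape as the attachment the post describes, so you can open it in a text editor and confirm the plaintext is not in it.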
Conclusion
Now you know how to send and receive encrypted emails. Go find a friend and ask them to set up encrypted email so you can talk over email about the secret project you want to hide from the govt. :D
If you don’t want to use Apple Mail, you can easily find other alternatives that will work for your client/browser. Export the key pair we just created from gpg and import it into the tool of your choice.