Baby Steps: A Starter Guide to Encrypting Your Email

If you aren’t thinking about privacy or ‘magical immunity juice’ these days, you should be. And you should be encrypting your emails. Not the letters home or weekend plans (although that might be useful, too), but the important stuff. Professionally, that means your communication with sources. Knowing how to encrypt your correspondence means being serious about what you do.

Don’t think so? Listen to this segment from NPR’s On the Media about how Glenn Greenwald almost didn’t get to talk to Edward Snowden because he couldn’t be bothered with security details. You want to be a rockstar? Get technical. 

There are lots of resources out there to get you started, but you should commence with this handy how-to by Alan Henry over at Lifehacker. Don’t get bogged down by all the acronyms — PGP, GPG, WTF? — just download the plug-ins and get started.  I asked him a few questions via email this week to help explain some of the kinks I was running into as a lay(wo)man. 

Some things to remember: 

1) Like having no friends on Instagram, encryption only works if the people you’re corresponding with know how to do it, too. You need to generate a public ‘key’ so people can use it to read your message, and vice-versa. Spread the word. I asked Henry to break it down for me:  

If I wanted to send you an encrypted message, I would first find a way to obtain your public key – whether you email it to me, I get it from your website or social profile, or you post it to Dropbox, whatever. Then, when I open compose my email, my email program uses a random key to encrypt the actual message, and then your public key to encrypt the random key…This means that the only person who can get that random key and ultimately read the message is someone with your private key, which should only be you. 

Got that?

2) As far as I understand, there are not very good solutions for mobile emailing. Henry says that he got some good recommendations from his readers for an Android based PGP client and he’s researching any for iOS. Know of any? He also warns against the lure of third party providers: 

A lot of people prefer to look to another provider to give them “secure email,” folks like Lavabit and Silent Circle, who just closed (but that hasn’t stopped more from popping up!). This has stifled public, open options that people can run and host themselves, because…why run a mail server when Google already has Gmail and everyone’s using it?

3) There’s also another way to stay secure called S/MIME that you may have heard of because lots of big organizations use it. But Henry said it’s not a good option for a journalist in the big, wide world: 

The problem is that for the public to use it, they have to find an authority they trust, and it’s not supported by a large number of popular email clients. The big ones do – Outlook, Thunderbird, etc, but a lot of other ones, like Sparrow,, and so on don’t offer full and complete support, and that’s needed for it to work. Those two reasons are why it doesn’t have much of a public foothold, while PGP does. Also, it’s pretty terrible for webmail.
One thing’s clear though — it’s time to start generating your public and private keys. Henry agrees that we’ll start seeing more people take a “personal approach” to security, since it’s so easy. The only hard part, according to him, is “getting everyone else to be as secure as you are.” Like I said: spread the word.
Are you already on the encryption bandwagon? Share your experiences, tips, and advice in the comments.