Using Open Source to Protect Email

Open source applications like Thunderbird and GnuPG are useful -- and free -- ways to secure your email.
(Page 1 of 2)

Even if you're not sending industrial secrets out in your everyday e-mail, there might be plenty of things you'd rather not have winging around in the clear. One way to make sure your e-mail is free from eavesdroppers is through the use of public key encryption (PKE). PKE isn't just the preserve of large organizations. There are open source encryption solutions that enable smaller companies and individuals to use the technology at no cost-most commonly to encrypt and digitally sign e-mail messages.

In the business world, PGP Corp.'s public key encryption platform is the big player. What's interesting about this commercial platform is that it adheres to the OpenPGP standard - an e-mail encryption standard defined by the OpenPGP Working Group of the Internet Engineering Task Force (IETF) Proposed Standard RFC 4880. OpenPGP was actually derived from PGP, the pioneering public key encryption program created by Phil Zimmerman back in 1991 which is the basis for PGP Corp.'s platform.

The good news is that there's a completely free, open-source implementation of the OpenPGP standard called GNU Privacy Guard (or, more commonly, "GPG"). Since any OpenPGP compliant software (should) work with any other, this means that GPG is compatible with PGP. Like any open-source alternative to a commercial product there are differences between PGP Corp.'s platform and GPG in terms of support and additional features, but GPG offers solid public key encryption and key management features as an alternative to a system such as that offered by PGP Corp., on a number of platforms including Windows, Linux, UNIX and OS X.

To illustrate GPG's use I'll concentrate on the Windows platform for the simple reason that 90 percent of all desktops and laptops run Windows-if you use another platform then the general information will still apply even of the details are slightly different.

GPG is actually a command line tool, but thanks to some handy plug-ins to popular e-mail clients you shouldn't ever have to learn any of the commands. (But like most command line tools, if you do take the time to master the commands you'll find GPG much easier to control directly than through a front end.)

The first step to running GPG is to run the Windows installer, which you can download from GPG's web site:

GPG for Thunderbird

The next step is to find a GPG plug-in for the e-mail client you intend to use: In this article we'll use the open-source Thunderbird 2 e-mail client, although plug-ins of varying quality are available for many more clients including Eudora and Outlook Express on Windows, Thunderbird, KMail and Evolution on Linux, and Thunderbird and on OS X.

The GPG plug-in for Thunderbird is called Enigmail, which you can download from Enigmail's download page and then install into the e-mail client. (Don't skip the download stage and try to install it directly if you are running Firefox or your browser will try to install Enigmail into itself instead of Thunderbird.)

Once Thunderbird has been restarted you'll see an "OpenPGP" menu item, and clicking this will bring you to the OpenPGP Key Management window. It's from here that-by clicking the "Generate" option-you can create your own public and private keys. These can be associated with a particular e-mail address, or you can choose to use this key pair with two or more e-mail addresses you might use. You'll also be asked for an optional passphrase to protect your key.( It's a good idea to use this feature-otherwise anyone with access to your computer will be able to sign messages in your name and decrypt confidential incoming messages.) There's also a comment box, where you can add a description of yourself (such as "Managing Director of Rubens Inc.") which makes it much easier for anyone searching a key server for your public key to identify you correctly.

Once you click "Generate Key" a key pair is created, after which you'll be asked if you want to create and save a revocation certificate, which you can use to invalidate your key pair at some future time if it becomes compromised. The final step-if you want your public key to be widely available-is to upload it to a key server by choosing the "Upload Public Keys option."

Next page: Sending Encrypted Messages

Page 1 of 2

1 2
Next Page

Tags: Linux, email, Firefox, privacy

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.