Encryption is important. There are very few people that would doubt that, especially in media.
Too often the places we work in and the people we seek to expose are in a position to intercept, listen and read our communications. There are many tools available, but they are frequently difficult to understand, much less use.
Modern web-based email systems all operate on SSL. This means that the website’s address starts with HTTPS and all communications between your machine and the mail server should, in theory, be encrypted. This is, often, good enough.
It’s quite difficult, but not impossible, to break this. Basically, unless you know your correspondence is being monitored, the rest of this article isn’t relevant.
However, as I said before, sometimes the people and organizations we cover do specifically target individual journalists. A stolen password or a confiscated laptop can mean access to private email. You may simply not trust Google. In this case, another level of encryption is needed. A level that makes it practically impossible to read mail without literal centuries of computing power to crack the code.
In cases like this, PGP (or the open source version GnuPG) is the gold standard. Even the United State’s National Security Agency is known to despise the product because it’s so difficult to crack. In the past, using PGP has been complicated and time consuming.
Today I’m going to explain how to use a simple tool that greatly streamlines the process. It’s only a first step though, and there are many greater levels of security. PGP can, for instance, also be used to encrypt files for transmission. That is outside of the scope of this article though, and there are numerous resources available for people looking to take the next steps.
First, I need to explain a central concept. PGP uses what is called “asymmetrical encryption." Unlike normal encryption, in which the same password is used to encrypt as well as decrypt, PGP uses one key to encrypt (the “public” key”) and a separate key to decrypt (the “private” key). This means that the public key can be distributed far and wide, to anyone that would want to send you messages.
However, because you keep the only copy of the private key, you are the only one able to decrypt and read messages encrypted with your public key. Also, since the private key is also protected by a regular password, even if the private key falls into the wrong hands they may not be able to decrypt anything.
There are many programs that can use these keys to encrypt and decrypt, and as long as they use PGP or GPG-standard tools, the messages are compatible (with small exceptions that I won’t be getting into now). Here we’ll being using a plugin called Mailvelope to use GPG with Gmail. This plugin is available for both Chrome and Firefox, but all screenshots here are for Chrome, but the steps are very similar for either browser.
As I said before, this is just the first line of defense, and there are many more steps you can take. Security is a mindset, not just a toolset, and getting in the habit of making sure you use the appropriate level is by far the most difficult part of security.