Encrypt your Gmail Email!

If you want to be sure that your email can be read by no one but you, then it needs to be encrypted. You'd be surprised to find out who might want to read your email. I was.

One of the best encryption systems is called GPG encryption which is an open-source version of PGP encryption. PGP stand for Pretty Good Privacy and is actually an understatement made by a programmer who didn't want to be too optimistic about how secure it is. However, as it turns out, PGP is has actually proven itself to be extremely good. It's been around for many years, being maintained by the best coders in the world and it hasn't been cracked.

In this Instructable, I'll walk you through the simple process of setting up GPG and then installing a Firefox plugin that will make it easy to encrypt your Gmail.

Remove these ads by Signing Up

Step 1: How it works

The principle behind GPG encryption is easy. Anyone who wants to play creates a public key and a private key. Your public key is the part of the encryption that you make public. Your private key is the part of the encryption that you never share with anyone under any circumstance.

The two keys work together so that you need both to decrypt anything. To send an encrypted message to someone you lock the message with their public key and when they get it, they can unlock it with their private key. If they want to respond, then they encode the message with your public key and you can read it with your private key.

Of course, this only works so long as you can trust that you have been given the right public key and that you know who you are talking to. One of doing this is by having a key signing party with your close friends. You all show up at a given location at a given time and exchange public keys. Then you have a list of trusted public keys with which you can communicate. This is often referred to as a web of trust.

rejoraju says: Mar 13, 2013. 2:29 AM

Find out how to encrypt your mail in Chrome and Mozilla in a very simple steps, no need to be tech savvy to do this work.

Learn how to Encrypt your mail in Gmail using Chrome

http://www.techxure.com/2013/01/encrypt-your-mail-using-safe-gmail.html

and also see how you can encrypt your mail in Mozilla

http://www.techxure.com/2013/03/encrypt-your-mail-in-mozilla-firefox.html

jacktrades says: Jul 11, 2012. 7:19 AM

You can also try:
www.safegmail.com

It's a browser extension for Gmail, PGP like.

kpatel18 says: Oct 23, 2011. 2:45 PM

Yup now a days gmail has 2 step security features also so no 1 can hack your mail.
< a href=”http://thexbit.com”>

pabloreyas says: Oct 9, 2011. 7:04 AM

This is the beast service for Secure Encripted Email!
http://securitykrypto.blogspot.com/2011/09/secure-email.html

Rhada says: Oct 11, 2011. 12:40 AM

Yeah is true, i use this service from 11 month and is really Excellent!
they have also a very good support.
For who want know more go here http://en.kryptotel.net/kryptomail.html

bfarnsworth says: Aug 26, 2011. 2:23 PM

It is discontinued. http://getfiregpg.org/s/gmailstatut

bijikenyot says: May 24, 2011. 9:03 PM

--BEGIN LOCKTHETEXT--
m3/cTRAQEBCgaQodPyz1yg42E+V8xge7TIA6W3S1a7E=
--END LOCKTHETEXT--

-nokia PIN

Mark Regan says: Nov 19, 2008. 2:52 AM

But I thought that gmail automatically appends your IP address. Therefore, "big brother" can easily trace any encrypted message back to your computer and, with or without a search warrant, even via a "black bag job", find out what you typed even before it was encrypted. There is no easy, reliable method of ensuring that anything is confidential anymore.

Cheswick32 says: Jan 19, 2011. 6:14 PM

If u use TOR to surf gmail, u essencially cant be traced

bijikenyot says: May 24, 2011. 8:59 PM

psssst......voice down

bradleybc says: May 22, 2008. 6:38 PM

Hasn't been cracked? C'mon, a cipher cracking util run on the fastest desktop PC would take about 22,000 years to decipher. On the other hand, the NSA's "BrainChild" supercomputer can solve it in about 20 minutes. So, it really depends on who you are trying to hide information from...

muzac says: Sep 25, 2008. 2:58 PM

Actually, agents from the Secret Service themselves are admitting that if something is encrypted with PGP, it's pretty much impossible even for them to crack (mentioned in this article). The NSA may be able to crack it, but I've seen no published cases on this. It seems like if someone encrypts with PGP, anyone (including the government) wanting to decrypt the info tries to just find ways to swipe the key from somewhere, instead of a "brute force" method.

franklinonline says: Aug 21, 2010. 9:21 AM

For all we know, they could already have cracked it a long time ago, and they already read everything encrypted or not. They just aren't telling us to give us a false sense of security.

hacktalk.connection says: Oct 1, 2008. 5:13 PM

The thing is, with enough time anything can be cracked but without knowing how long the original passphrase was it's pretty hard to do anything. My passphrase is in the neighborhood of 16+ characters which means they would have to make a list of all the possible strings that are 16 characters long, 17 characters long, etc until they cracked it. Without knowing that my passphrase is 16 characters at least though, you'd have to run through all the 1 character, 2 character, 3 character, 4 character, etc. passwords possible and finally be able to crack the passphrase. It'd take a wicked long time but eventually anything can be bruteforced. Just me $.02

franklinonline says: Aug 21, 2010. 9:20 AM

If you were a suspect for a crime, they would probably just install malware on your computer, steal your password and not have to brute force anything. Or they can force you to reveal your passwords with torture or sever criminal penalties.

chamunks says: Sep 5, 2012. 9:39 AM

l2crypto https://class.coursera.org/crypto-preview/lecture/index

Its all about reducing your odds. The best method for decrypting hashes is rainbow tables but that was solved by adding salt to the hash's. Private Public key crypto is much more complex by requiring multiple factors required to decrypt ans since gpg is an opensource crypto its been reviewed publically by many its very difficult to decrypt anything gpg related without two things your private key and your passphrase. You'd really have to try hard to replicate either of these things.

M4industries says: Aug 9, 2010. 9:01 AM

I think it's discontinued.

si says: May 27, 2008. 6:11 PM

FWIW, I use a combination of a Truecrypt (Windows/OSX/Linux) encrypted volume to store a Keepass (Windows) database to maintain my passwords. There are similar password managers to Keepass for OSX and Linux. This means I only ever have to know one (very strong) password, all my other passwords are generated using Keepass, and are typically 30 random characters (including non alpha-numeric characters) or whatever the maximum number and type allowed by the particular system. This means I don't know my own Gmail password, and because the password database is double encrypted (Truecrypt volume + Keepass db) with AES, I can safely keep it on my USB flash drive, and not be worried if I lose it. The other nice thing about Keepass is you can attach files, so I also have my PGP keys stored in there as well. Yes, it's putting all your eggs in one basket, but it's a redundant, strong and secure basket!

eecharlie says: May 29, 2010. 11:15 PM

So, does this mean that your USB stick holds, in addition to your keepass db in a truecrypt volume, stand-alone & multi-platform versions of both keepass and truecrypt? Otherwise, wouldn't you only be able to access your passwords (and gmail) if you're on a computer with all that already installed?

And maybe you throw a couple firefox plugins on there while you're at it?

threecheersfornick says: Jul 30, 2008. 10:29 PM

But aren't you hooped if you lose the usb key? You'd never be able to open your email again.

si says: Jul 30, 2008. 11:39 PM

Ah...yes, you are correct, but there was one other tool I didn't mention as I didn't want to get too geeky :) I also use a version control system - Subversion - which I use to store (amongst other things) the Keepass database on. This means I can have a (working) copy of the encrypted keepass file in multiple areas, on my usb key, on my home pc, etc. and I use Subversion to keep these up to date. Subversion by default does not transfer or store securely, there are ways around this, but it's not necessary since my Keepass db is encrypted with AES.

vov35 says: Dec 12, 2010. 10:34 AM

hmm... an 'ible on secure subversion perhaps?
or just an explanation...

shadowspydre says: May 22, 2008. 8:04 PM

Really glad for this helpful and useful guide. I'm using a PC and I'm sure many others are too. Can we get a guide for using GPG on our boxes? Thanx.

Lampoon says: Jan 11, 2010. 7:40 PM

Here is a guide to use GPG on a PC!

http://www.encrypt-the-planet.com/freeemailencryption.htm

gumper1 says: Feb 6, 2010. 5:07 PM

Thanks for that link Lampoon. If I install Gpg4win as the website says, can I send it to someone on a Mac to decrypt it or would I need to install a different product or encryption engine?
Also does this also encrypt images, attachments or do I need to do something separate for that?

btibloke says: Sep 1, 2009. 12:41 PM

It isn't much different... Find the GPG software for your operating system;
(see http://gnupg.org)
install the software (instructions on the GnuPG site)
install the Firefox plug-in
create your key-pair
send your public key to your friends and/or conspiratos
keep your pass phrase Long and Private

that is about it.

When your friends send their keys open it with GPG or save it to a file and double-click to install

REAL6 says: Oct 21, 2008. 9:42 AM

The easy way to Encrypt your gmail is this:

WHen you are on your gmail account, in the address bar, where it says http, type an S after http. now its encrypted.

so it would look like this

https://mail.google.com

juno2800 says: Dec 4, 2009. 1:05 AM

Hey, yeah, chumby32 (below) has it right. There are two kinds of encryption at work here. Using httpS will encrypt the connection between your web browser and gmail's servers. This is good! It means nobody on the network can see what you are looking at or typing while you are logged in to gmail. This is especially good if you are checking your email from somewhere public like a cafe. However, once the email leaves your outbox it is still sent in the clear over the internet (through intermediate email servers, routers, etc.) until it reaches its destination. This means it is possibly stored on other servers too. All of the computers that handle the message en route see your email plain as day, and it could be read by anyone with access.

PGP uses encryption slightly differently - it scrambles the actual contents of your message. This means that when you scramble a message all of the intermediate servers transmit the scrambled version as well. The only person (hopefully!) that can see the unscrambled message is the recipient at the end who decodes it using their key.

Don't get me wrong - HTTPS is good and you should use it! But it only encrypts your current connection, not all of your emails.

I believe there is a setting inside your gmail preferences to always turn on HTTPS.

chumby32 says: Oct 24, 2008. 8:58 AM

What you are suggesting as a solution does not encrypt the email. It only encrypts one's connection to the gmail website.

Using your method, any server that stands between gmail and the email's recipient can read the email you sent.

The point of the Instructable is to prevent anyone except for the recipient from reading the email.

Guanabana says: Apr 27, 2009. 10:26 AM

This might sound like a stupid question ...but does the encryption work for the Gmail chat as well? If not, please tell me what is the best way to encrypt gmail chats?

juno2800 says: Dec 4, 2009. 1:03 AM

To encrypt chats check out the "Off The Record" (OTR) plugin for Pidgin. Pidgin works on linux, mac, and windows, and lets you use all of your other types of chat accounts - msn, google talk, etc. It's cool!

http://www.cypherpunks.ca/otr/
http://www.pidgin.im/download/

dawcee says: May 15, 2008. 7:11 PM

what about the terrrists? like: im in ur airport 'kriptin up my emailz. this 'ible along with the pneumatic sniper rifle 'ible is bound to cause a terror chain reaction unravelling democracy as we know it. I mean I'm with Jorge Arbusto, there must be some WMD's out there somewhere. Oh wait, this is probably just for sending the illegal kind of porn to illegal-porn-lovin' friends. Also I'll probably try it out for myself ;) thanks w1n5t0n (Thw1n5t0n).

markf says: May 22, 2008. 3:24 PM

That's probably why encryption software (like GPG) is classified as weaponry under US federal law. That way it can, hypothetically, be regulated the same way that guns are. If an American sends a copy of GPG to a buddy in another country, they are breaking the law by illegally exporting "firearms". More reason than ever to support the ACLU, EFF, and NRA.

DeepWater says: Jul 7, 2009. 11:01 AM

When they pry my private key from my cold dead fingers...

barf_malak says: Apr 30, 2009. 7:54 PM

this will not work on my computer!!! i am running xp and ubuntu! plz helppp

orken says: Mar 8, 2009. 10:29 AM

Nice guide. But, it might be worth to point out that you really don't need anything else than the GPG software itself and FireGPG if all you're gonna do is encrypt your GMail (at least on Windows, not sure how that works out on Mac and Linux). Also, if you're a Thunderbird user, do check out the excellent Enigmail plugin which removes pretty much all of the annoyance that comes with managing the keys for your contacts everytime you send or receive a mail.

fotoflo says: Dec 29, 2008. 10:32 PM

Hey, Check out gwebs' new MailCloak, www.getmailcloak.com. Much easier then firegpg, also works on yahoo, MSN, etc.

DELTAWOLF05 says: Jun 29, 2008. 10:48 AM

WOW thanks for the info! i m still copy pasting mine into an encryption program. this looks a lot eraser.

threecheersfornick says: Jul 30, 2008. 10:27 PM

A lot eraser?

DELTAWOLF05 says: Aug 3, 2008. 6:08 AM

easier

sampablokuper says: Jun 12, 2008. 8:57 PM

I must be missing something. Why is it necessary to have an "anonymous" Gmail account? What if I want to be able to send GPG-encrypted messages from my regular Gmail account, for instance? Is that somehow insecure because it's not "anonymous"? Apologies if I've got the wrong end of the stick; I just want to be sure my understanding's correct.

stepnsteph says: Jun 27, 2008. 2:26 PM

There is nothing stopping someone from using their real email address. This is actually encouraged if you want to use encryption for professional purposes or if you want to grow your "web of trust". A PGP signed message is digitally signed and can therefore be traced back to you, unless of course you do not use your real name when you create your keys. You could do that if you wanted to go by a unique nickname. Doing so opens the (theoretical) possibility of someone impersonating you because it becomes impossible to verify your identity. If you live in an area of the world where your messages could get you arrested by the government or even killed then the anonymous account is definitely the way to go. Otherwise, it's probably not necessary, but it may be fun.

sampablokuper says: Jun 27, 2008. 3:46 PM

Thought so. Thanks for the clarification!

sudont says: May 25, 2008. 2:41 PM

I already know how to encrypt my e-mail. Tell me how to get my lazy friends to start encrypting theirs, and decrypting mine.

Blattman says: Jun 12, 2008. 11:14 AM

Hahaha thats great!

Biotele says: May 29, 2008. 12:13 AM

hQIOA+c0mc6Civ2uEAf+PYEJPiYZaeMNL5JIffYBUscfg2nyqraT8ZnKZ84OcbdW
IZ2Ih/BcqeuMAwvlQzjMBOudv9MUnJTvYQG/pjOvhXW2uo66X56tsHzcde+wM9Ya
2LC5bPz41sUJKWKIRR6c8/VHeijXOnOrvjEsMGqUcAz4FRl1qxSp5WGmE7+GHy4h
my15EyZymyiFPCIMr/ew1cmqpJ2D+07ie3OSbKnE9wCo2RPsKxaP+NljX+wIV5Cw
KpEi3NRNgy5qDv3/9jv/XbfenFESrQvX51NvXVsDnREUdqCRNdmw/CHM7KLCZY5g
u4YlbTfikkJeuIFcS75U7nu95z1/sxlko1fpIbRnbQf/RIfH+u3qJmWxPXs1etB2
8LeEAK2eKnoOaPmLHpMmsJ056hxuch+X38r239Pug7iHs3oOgp/GtAiurZz4cQVU
OncUbYH9kCDCFwFd2TimQ39mX5y3OR0fpdZIb13FIgSxMhBzuC9S4N46SrZd/oQk
YZ/N14/JqcXguv1t2e9JAVrV4Ebw14DI6E5CpQ6vRjrWaSE90Sr84cSbOWWHnEfn
dvCqM89Zt/ub0WjRJQVqQOv7hbQNDIg5vk0k3CxAjBOm86vvT/2PJkf1K0BpYze9
uJ2Bzo+7yXdOG9w+qGGfgneWb/ZRQ6wmiu1v7uZwvm+yEJIFkkjEi0IxIdaqWpww
qtKyAfcq2WWbKAOz/izs8qW+mX64ayBavVX3F6jZMu4AXVUfFZySopGwpO0GeG4k
sobY50pywLR28FJiz/NeLqUhULoB1BiJ1huRjWXFUIBKqYufUOPGepeqw6i1f6we
iHsohjyfhFF1DQrc5WXvEneBy1vj5hN5uP6Vvw79fp21L1SwT91DtL6Q7434TBLN
LRzXJGxvDJ0KDLK4Z7FuBJPq4Ca0frrGgQ0fYlwpH/nMX3oDSw==
=tgL8

Gwailo_Davis says: May 23, 2008. 6:23 AM

You might want to add one simple additional security element ... SSL. When you sign on to GMail, it does establish an SSL (Secure Sockets Layer) connection for the sign-on, but then drops back to HTTP in the clear. If you want to have your entire GMail session secured against eavesdropping, then be sure to sign on to HTTPS://mail.google.com This way your entire email session will remain encrypted from your PC through the net up to GMail's servers.

Der SchmetterlingsjÃ¤ger says: May 23, 2008. 10:39 PM

Just get the Better GMail add-on from Lifehacker, and check the "Force encrypted connection" box. Good stuff.

HardCoreHacker says: May 22, 2008. 4:31 PM

This is great. Can you use this in IE?

Rectifier says: May 22, 2008. 2:53 PM

Personally, I read my Gmail with Evolution via IMAP. Evolution is a linux email program which has built-in support for pgp signing and encryption using the local gpg keys on your machine. I consider a local program that calls GPG directly to be more secure than a firefox extension. You can also use commandline programs like mutt, which support encryption very well. I SSH to my personal server and use mutt to check email on the go, rather than webmail interfaces. By the way, why is everyone always concerned about encrypted things being untraceable? When I sign my email (I rarely encrypt mail, but almost always sign it) I usually sign it with a key using my real name, to prove it was sent by *me*, and not modified, not to make it untraceable...

GorillazMiko says: May 17, 2008. 4:55 PM

I think so far, all your Instructables have been featured.

dawcee says: May 22, 2008. 2:53 PM

I think they've all been featured because w1n5t0n is *probably* one of Cory Doctorow's pen names. Not sure if you know this, but he's kinda a big deal on the interwebs, not to mention well connected. Clever marketing for his new book I'd say. If by some chance it's not Doctorow posting these, the fact that they get exposure through boingboing.net and Cory's blog craphound.com would raise their profile significantly. Also hi Cory, I'm a big fan.

Adiventure says: May 22, 2008. 1:16 PM

I'm kinda confused on step 4, why can't the gmail be traced back to you? Before you can encrypt anything, you need to make sure that you open a Gmail account that by no means can be traced back to you. This means that you have to be liberal about giving them your real name and address when you sign up. You should also always use a TOR server.

kolrobie says: May 15, 2008. 2:54 PM

You could use customizegoogle addon for firefox to remove the ads and make all the mail pages https (they are only https at the beginning of the sign on part). It's a neat idea, but I don't have that many personal emails to make use of it.

razordu30 says: May 15, 2008. 11:19 AM

Great Instructable!

I do this myself and it can be fun; when I was trying to learn more about it the resources were relatively limited, so this instructable is great for anyone else interested in it.

The only thing annoying thing about encrypting is that you can't search for items anymore. This was a hassle when my friend and I were using encrypted messages to talk about meeting up, and I was trying to find which email had the address and phone number.

*decrypt* "No..." *decrypt* "Grrr..." *decrypt* "For the love of..."

The firefox plugin works GREAT, though, and it's pretty neat to see absolutely no ads around your Gmail (since it's context-based, google has no ads relevant to ciphered text)