Instructables

Encrypt your Gmail Email!

If you want to be sure that your email can be read by no one but you, then it needs to be encrypted. You'd be surprised to find out who might want to read your email. I was.

One of the best encryption systems is GPG, an open-source version of PGP encryption. PGP stands for Pretty Good Privacy, which is actually an understatement made by a programmer who didn't want to be too optimistic about how secure it is. However, as it turns out, PGP has proven itself to be extremely good. It's been around for many years, maintained by the best coders in the world, and it hasn't been cracked.

In this Instructable, I'll walk you through the simple process of setting up GPG and then installing a Firefox plugin that will make it easy to encrypt your Gmail.
 

Step 1: How it works

The principle behind GPG encryption is easy. Anyone who wants to play creates a public key and a private key. Your public key is the part of the encryption that you make public. Your private key is the part of the encryption that you never share with anyone under any circumstance.

The two keys work together as a pair: a message locked with a public key can only be unlocked with the matching private key. To send an encrypted message to someone, you lock the message with their public key, and when they get it, they can unlock it with their private key. If they want to respond, they encrypt the message with your public key and you read it with your private key.

Of course, this only works so long as you can trust that you have been given the right public key and that you know who you are talking to. One way of doing this is by having a key signing party with your close friends. You all show up at a given location at a given time and exchange public keys. Then you have a list of trusted public keys with which you can communicate. This is often referred to as a web of trust.
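
The exchange described in Step 1, as an added example that is not part of the original Instructable: a shell script with two throwaway GnuPG keyrings, showing that Alice can lock a message using only Bob's public key and that only Bob's keyring can unlock it. The names, addresses and message are constructed, and it assumes GnuPG 2.1 or later is installed.

```shell
#!/bin/sh
# Added demo: two throwaway keyrings stand in for two people (GnuPG 2.1+ assumed).
# Names, addresses and the message text are constructed for illustration.
WORK=$(mktemp -d)
ALICE="$WORK/alice"; BOB="$WORK/bob"
mkdir -m 700 "$ALICE" "$BOB"

g() {  # g <keyring-dir> <gpg args...>: run gpg non-interactively on one keyring
    home=$1; shift
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

setup_keys() {
    # Bob creates a key pair that expires in a day (empty passphrase: demo only).
    g "$BOB" --quick-generate-key "Bob Demo <bob@example.org>" default default 1d
    # Only the public half leaves Bob's keyring; Alice imports it.
    g "$BOB" --armor --export bob@example.org > "$WORK/bob.pub.asc"
    g "$ALICE" --import "$WORK/bob.pub.asc"
}

fingerprint() {  # fingerprint of Bob's primary key as stored in keyring $1
    g "$1" --with-colons --fingerprint bob@example.org |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

encrypt_as_alice() {  # lock message $1 with Bob's public key
    # --trust-model always skips the validity check for this demo; with real
    # keys, compare fingerprints in person first and sign the key instead.
    printf '%s\n' "$1" | g "$ALICE" --armor --trust-model always \
        --recipient bob@example.org --encrypt > "$WORK/msg.asc"
}

decrypt_as() {  # try to unlock msg.asc with the private keys in keyring $1
    g "$1" --decrypt "$WORK/msg.asc" 2>/dev/null
}

cleanup() {
    for h in "$ALICE" "$BOB"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null; done
    rm -rf "$WORK"
}
trap cleanup EXIT

setup_keys
echo "Bob's fingerprint as Bob sees it:   $(fingerprint "$BOB")"
echo "Bob's fingerprint as Alice sees it: $(fingerprint "$ALICE")"
encrypt_as_alice "Meet at noon"
echo "Bob decrypts:   $(decrypt_as "$BOB")"
decrypt_as "$ALICE" || echo "Alice decrypts: failed, she has no private key for it"
```

The two fingerprint lines are what people compare at a key signing party: if they match, Alice holds the same public key Bob generated.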
A lot eraser?
easier
I must be missing something. Why is it necessary to have an "anonymous" Gmail account? What if I want to be able to send GPG-encrypted messages from my regular Gmail account, for instance? Is that somehow insecure because it's not "anonymous"? Apologies if I've got the wrong end of the stick; I just want to be sure my understanding's correct.
There is nothing stopping someone from using their real email address. This is actually encouraged if you want to use encryption for professional purposes or if you want to grow your "web of trust". A PGP signed message is digitally signed and can therefore be traced back to you, unless of course you do not use your real name when you create your keys. You could do that if you wanted to go by a unique nickname. Doing so opens the (theoretical) possibility of someone impersonating you because it becomes impossible to verify your identity. If you live in an area of the world where your messages could get you arrested by the government or even killed then the anonymous account is definitely the way to go. Otherwise, it's probably not necessary, but it may be fun.
Thought so. Thanks for the clarification!
sudont 5 years ago
I already know how to encrypt my e-mail. Tell me how to get my lazy friends to start encrypting theirs, and decrypting mine.
Blattman sudont 5 years ago
Hahaha that's great!
Biotele 5 years ago
You might want to add one simple additional security element ... SSL. When you sign on to GMail, it does establish an SSL (Secure Sockets Layer) connection for the sign-on, but then drops back to HTTP in the clear. If you want to have your entire GMail session secured against eavesdropping, then be sure to sign on to HTTPS://mail.google.com. This way your entire email session will remain encrypted from your PC through the net up to GMail's servers.
Just get the Better GMail add-on from Lifehacker, and check the "Force encrypted connection" box. Good stuff.
This is great. Can you use this in IE?
Rectifier 5 years ago
Personally, I read my Gmail with Evolution via IMAP. Evolution is a Linux email program which has built-in support for PGP signing and encryption using the local gpg keys on your machine. I consider a local program that calls GPG directly to be more secure than a Firefox extension. You can also use command-line programs like mutt, which support encryption very well. I SSH to my personal server and use mutt to check email on the go, rather than webmail interfaces. By the way, why is everyone always concerned about encrypted things being untraceable? When I sign my email (I rarely encrypt mail, but almost always sign it) I usually sign it with a key using my real name, to prove it was sent by *me*, and not modified, not to make it untraceable...
I think so far, all your Instructables have been featured.
I think they've all been featured because w1n5t0n is *probably* one of Cory Doctorow's pen names. Not sure if you know this, but he's kinda a big deal on the interwebs, not to mention well connected. Clever marketing for his new book I'd say. If by some chance it's not Doctorow posting these, the fact that they get exposure through boingboing.net and Cory's blog craphound.com would raise their profile significantly. Also hi Cory, I'm a big fan.
Adiventure 5 years ago
I'm kinda confused on step 4, why can't the gmail be traced back to you? Before you can encrypt anything, you need to make sure that you open a Gmail account that by no means can be traced back to you. This means that you have to be liberal about giving them your real name and address when you sign up. You should also always use a TOR server.
kolrobie 5 years ago
You could use customizegoogle addon for firefox to remove the ads and make all the mail pages https (they are only https at the beginning of the sign on part). It's a neat idea, but I don't have that many personal emails to make use of it.
razordu30 5 years ago
Great Instructable!

I do this myself and it can be fun; when I was trying to learn more about it the resources were relatively limited, so this instructable is great for anyone else interested in it.

The only annoying thing about encrypting is that you can't search for items anymore. This was a hassle when my friend and I were using encrypted messages to talk about meeting up, and I was trying to find which email had the address and phone number.

*decrypt* "No..." *decrypt* "Grrr..." *decrypt* "For the love of..."

The firefox plugin works GREAT, though, and it's pretty neat to see absolutely no ads around your Gmail (since it's context-based, google has no ads relevant to ciphered text)