Protecting Your Privacy with Encryption#

The following offers a brief overview of a few FOSS encryption tools that you can download and install to enhance the privacy of your interactions online.

This is important. If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private conversation. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive. Why We Encrypt by Bruce Schneier

This document is light in content but the links contain added documentation that may be helpful. An hour or two of your time should be enough to set up your GnuPG key pair and encrypted email communications.

If you'd like some background on how encryption works, start by reading An Introduction to Public Key Cryptography and PGP, a Surveillance Self-Defense (also an excellent read) tutorial from your friends at the Electronic Frontier Foundation [Donate!]

Thank you!

Brief Introduction to GnuPG#

The GNU Privacy Guard (GnuPG) is a complete and free implementation of the OpenPGP standard (also known as PGP).

The current recommended version is GnuPG 2.x

Creating your public/private key pair#

Command line forms are shown here: Mac, Windows and even GNU/Linux have GUIs available.

After installing GnuPG, you'll need to generate a new key pair:

gpg --gen-key


The generated key is actually a key pair: a public key that you can give to anyone, and a private key that you protect with a passphrase. A file encrypted with someone's public key can only be decrypted by a person who posseses the associated private key. You can also sign a document (encrypted or not) with your private key so that others who have your public key can verify that the document was signed by you - and only you.

For quick help on the command line, do:

gpg --help

Note that the email integrations below do not require the command line; you just have to have created your key pair and shared your public key. But we show a few more commands first.

Encrypting a file so only your friend can read it#

First, you have to look up your friend's public key on a key server:

gpg --keyserver --search-keys 'fen labalme'

This will list all the keys that match "fen labalme". You could call Fen (or look at his business card on which he included his key id) and see that (1) is the correct key, and anyway, the others two are (revoked), (expired) or just plain ancient. Entering the number "1" will import that key into your public keyring so that you can use it in the future. Look up some other co-workers or friends - if you're not sure of the key don't import it without verifying at least the last eight hex digits of the key id with them directly.

Now you can encrypt a file so only your friend (in this case, Fen) can read it (the optional --armor argument creates an easy-to-cut-and-paste version of the encrypted document):

gpg --armor --output doc.asc --encrypt --recipient doc

You can go a step further and sign the encrypted file by adding the --sign argument:

gpg --armor --output signed.asc --encrypt --sign --recipient doc

Decrypting a file encrypted with your public key#

To decrypt a file, simply do:

gpg --decrypt signed.asc --output newfile

Upload your public key to GPG key servers#

You'll want to upload your public key to a keyserver so others can send you encrypted files. To send your key to a keyserver, you need to know your key ID. You can print the information on all keys you have the private key for by running

gpg --list-secret-keys

This will generate output like the following:

gpg --list-secret-keys
sec   rsa4096/446DB63655C12656 2016-03-23 [SC]
uid                 [ultimate] Fen Labalme <>
uid                 [ultimate] Fen Labalme <>
ssb   rsa4096/F5176136558CF34A 2016-03-23 [E]

You can see the key ID, 446DB63655C12656, on the first line describing the key after the text sec rsa4096/ (where sec is short for "secret" and rsa4096 describes the key type and length). Now you can send your public key to the key servers with this command (using, of course, your key id):

gpg --send-keys 446DB63655C12656

After some time for propagation (give it a few hours to a day) you can look up your public key by entering your email address or key id into a key search engine like

More GnuPG information#

You'll want to get your key signed and grow your web of trust. And you'll want to integrate your key with your email client.

Encrypting your email#

You use email every day. Sending normal (un-encrypted) email is like sending a post card via the Post Office, as the mail will pass through many hands from sender to recipient and could be read by any of those people along the way. Largely because of the volume (and assuming that neither party is particularly famous) both the post card and the email is expected to pass along its way without anyone reading it. But they could.

In the case of post cards, generally it would be celebrity or a particularly interesting photo that might cause the card to be read. Email, however, can be easily be scanned for specific content by sophisticated computer programs residing anywhere along the path. Scanning is most prevalent at internet hubs like your ISP, and the justification (usually not made public) for scanning your email may include a search for:

Bottom line: while your post cards are likely not being read, your emails are at the least being scanned by automated sniffers. But it is possible to wrap your post card-like email in a secure envelope known as encryption. If you use strong encryption, it can actually be impossible for even the NSA to decrypt the ciphertext without your cooperation (or perhaps NSA-injected malware in your computer that steals your private key and passphrase).

Once you have created a GnuPG key pair and have added public keys of people you want to correspond with, there are many ways that you can integrate GPG with your email, several are described here:

Mailvelope (for Gmail in Chrome & Firefox)#

Mailvelope integrates GPG with your Gmail using a Chrome or Firefox extension.

GPG Suite (for Mac OSX Mail App)#

See GPGTools (not yet fully integrated with Sierra)

Enigmail (Mozilla Thunderbird)#

Enigmail works with Mozilla Thunderbird and GPG to deliver a seamless encrypted email experience.

More Email References#


ProtonMail is a free and secure email service that provides arguably better security than GPG encrypted email sent via (say) Gmail as it not only encrypts but the service does not harvest/index/resell metadata, such as who is emailing whom and when. For the best results, both sides must be using ProtonMail.

Private Browsing#

Using Tor or a paid VPN (such as PIA and there are others; be sure to choose an exit node that is not in the U.S.) is the best route, but the two simple and free services below will have little impact on your browsing experience and can go a long way to minimizing the data others collect about you:

Edit on GitHub

Documentation built with MkDocs using a modified Windmill Dark theme