Chapter 5: Email
Email is very likely the means by which you most frequently contact colleagues and sources. Vitally, it is the means by which a new source could contact you. Therefore, having secure email, not only for everyday use with colleagues but as a secure channel for initial contact, is important for any investigative journalist.
The risks to your email communications include an adversary doing any of the following:
- Reading email content
- Reading subject header
- Seeing who you are contacting, how often and when
- Intercepting email attachments
- “Man in the middle” attacks (an impersonator intercepting communications)
- Seeing where you are emailing from (location)
- Use strong passwords
- Use a trustworthy email provider
- Encrypt your email
- Verify your keys
- Put minimal information in your email subjects
- Email from Tails (if/when you need to)
- Use anonymous email addresses for select purposes
For protection against most non-state level actors, using a very strong password is a good defence against unauthorised access to your email account. However, for state level actors, it may be no defence at all.
An email provider that is ‘trustworthy’ is one who has a good basic security infrastructure, and who won’t hand over your data to an intelligence agency in a hurry. If you do not trust the country where the email provider is based, it is best not to use an email address there. For example, we know that the default position of the US and UK intelligence agencies is to record and store as many email communications as possible. Even if you don’t feel your email communications to be of relevance to these agencies now, they will be retroactively accessible should you and/or your work become relevant in the future.
So, if you don’t trust the US approach to email privacy, be aware that the email providers based there (Outlook, Gmail, Riseup, etc...) may be subject to that approach. Some email providers are thought to be more co-operative than others, but unless you run your own server (or the organisation you work for runs their own server in a country with good privacy laws, like Switzerland or Iceland), we should assume that your emails and email metadata are not secure with any email provider. Other considerations are whether you have to hand over your mobile phone number, a postcode/address, or another of your email addresses in order to register an account with a provider, as you may want to avoid donating that information in future (and especially if/when you use an anonymous email address).
Metadata is data about data. Email metadata includes both the sender's and recipient’s names, emails and IP addresses, server transfer information, date, time and time zone, unique identifier of email and related emails, content type and encoding, mail client login records with IP address, priority and categories, subject of email, status of the email, and any read receipt request.
This information is extensive and revealing alone, but many intelligence and law enforcement agencies (and in some cases, individual hackers) are also able to retrieve the full email content.
You can’t easily protect the metadata of your emails, so you should be minimalistic or obsfucatory in your subject line, and you may wish to hide your real location/IP address by using the Tor browser.
Example: US government authorities requested access to the metadata of an unnamed user of Lavabit, a secure email provider, as well as the company’s private encryption keys (allowing access to user’s passwords) in the summer of 2013. Presumably, they asked for this because they were unable to covertly gain access themselves. The attempted breach was thought to be because NSA whistleblower Edward Snowden had an email account with Lavabit. The founder of Lavabit was legally restricted from discussing the exact requests of the US government – as is anyone approached in this way (which makes evaluating the security of our email providers all the more difficult). Rather than allow a breach of users’ privacy, the founder suspended Lavabit altogether, in August 2013.
However, you can protect the privacy of your email content by using ‘public key cryptography’. Public key cryptography scrambles the content of your email into (thus far) unbreakable code using the recipient’s ‘public key’. The encrypted email can then only be decrypted using the intended recipient’s ‘private key’.
The following instructions recommend the GNU Privacy Guard, ‘GPG’ (an open source implementation of Pretty Good Privacy, or PGP).
Using GPG, whilst very different to normal emailing, is not difficult and you will get used to it very quickly. Understanding exactly how it works, however, is slightly more challenging.
Keys are essentially unique long sets of numbers, and each user of email encryption has a key pair – a public key, and a private key.
Your public key: Your public key is what people will use to encrypt emails that they send to you. Like listing a phone number in the phone book, you can choose whether to list your public key on the public keyserver or not (if it is a secret or anonymous email account, you may not wish to upload the key to the keyserver). If you choose to list your public key on the keyserver, it will be openly available so that anyone can contact you securely.
Your private key: Your private key allows you to decrypt emails from others who have contacted you using your public key. Although your public key is then freely available, the private key in the key pair is exactly that – private! A private key corresponds to your public key, ensuring that no one else can have unauthorised use of your public key. You will probably never even see your private key – it lives and works under the bonnet of your GPG software
The length, randomness, and sophistication of strong public key cryptography (4096 bit keys, as per our instructions below) are such that the encryption remains, as far as we know, unbreakable.
Importantly, you should always verify that the keys of the people who you send encrypted mail to really do belong to your intended recipient. Although the email address belongs to the person you want to contact, there is a small chance (at high-risk levels) that their purported public key might not. This is known as a ‘Man-In-The-Middle’ (MITM) attack – the covert interception of communications by the impersonation of a target. You need to make sure that both the email address and the public key definitely belong to the individual concerned. See ‘verifying keys’ later in this chapter.
At higher risk levels, for those who wish to hide the real identities of themselves and/or others communicating, anonymous email accounts should be used, unassociated with any other aspect of your online identity - they should not be connected with you in any way. Gmail and Hotmail tend to request a phone or alternate email address, so these providers are not ideal for anonymous accounts. In many countries, GMX and Yandex, allow users to create accounts without such identifying information.
However, if you create an anonymous email address from an internet connection that is associated with you, your anonymity may already be compromised. Furthermore, when you send and receive emails, you are doing so by connecting to the internet – thus your location is known by the internet provider (and potentially, an adversary). If you want your identity and location to be anonymous, you can use an anonymous account to send unencrypted emails through webmail on the Tor browser (see chapter 3); or you can use the Tails operating system, which hides the real location of all of your laptop’s communications with the internet (see chapter 2). Tails’ desktop email client (which supports encryption) sends and receives information/mail to and from the internet through Tor, thus hiding the real location of the connection.
You might only want to protect your location in the field rather than identity per se. For this, using the Tails operating system is the only answer.
Note that email encryption does not hide metadata such as who you are talking to, the email subject, or your location (though, as discussed, you can hide your real location by using Tor/Tails). For people at all risk levels, it is a good idea to be minimalistic or obsfucatory in your subject line.
You can’t encrypt or decrypt email from your smart phone. Whilst it is possible to set up on some Android phones, it is highly inadvisable because mobile phones are fundamentally insecure anyway (see chapter 7).
Neither can you encrypt or decrypt mail in your web browser (unless you are using the Tails operating system) – you will use the Thunderbird email client on your desktop, with the added encryption software, to encrypt and decrypt mail.
Finally, you can only send encrypted emails to other people who also use encrypted email. This used to be a rather small community of people but in a post-Snowden world, it is growing exponentially.
1.1. UBUNTU/LINUX: Thunderbird email client and GPG encryption software
Ubuntu comes pre-loaded with Thunderbird (email client) and GPG encryption software.
Use the Ubuntu search tool on the top left hand of the desktop to find it.
1.1. MAC: Download Thunderbird email client and GPG encryption software
You will need to download:
- An email client/mail manager for your desktop - we recommend Mozilla’s open source ‘Thunderbird’
- GPG – Gnu Privacy Guard, which is encryption software
- https://gpgtools.org/ The first pink download box, ‘Download GPG suite’ will be the latest version – click on it to download. Click on the download when complete, and follow the wizard to install.
When the downloads are complete, open Thunderbird from your Downloads and drag the Thunderbird icon into the Applications folder.
You will need to download:
- An email client/mail manager for your desktop - we recommend Mozilla’s open source ‘Thunderbird’
- GPG – Gnu Privacy Guard, which is encryption software
- http://www.gpg4win.org/download.html The first green download box will be the latest version of GPG – click on it to download. Click on the download when complete, and follow the wizard to install.
1.2. UBUNTU/LINUX, MAC and WINDOWS:
On Windows, click on your Thunderbird Setup download. Thunderbird will offer you a brief Setup Wizard – select the standard install, confirm the program file location, and click next to complete and finish the install.
Open Thunderbird. If you are opening Thunderbird for the first time, it may prompt ‘Integration’ - skip this, and uncheck ‘Always perform this check when starting Thunderbird’.
Thunderbird will now prompt you to configure your email account, and offer you a new email address. Click ‘Skip this and use my existing email’. Enter the email address you would like to use for encryption and the password. You should decide whether you select ‘Remember password’ or not. It may be safer if you don’t allow your laptop to remember your password, but you will then need to enter the password every time you access the account on Thunderbird. Click ‘Continue’.
Note – if you are using an anonymous email address, obviously, do not enter your real name!
You should see, ‘Configuration found in Mozilla ISP database’.
Troubleshooting: If you receive the error message, ‘Configuration cannot be verified’, it may be because your email provider uses two-factor verification (e.g. lots of Gmail accounts use ‘2-step’ verification). In this case, you mail provider may email you, or present a web browser, with a notification of an attempted login via a mail client, and ask for your authentication. Alternatively, some Gmail users who use 2-step verification may need obtain an ‘application-specific password’ – you can do this on the ‘authorizing applications and sites’ page on your Google Account settings. For more information, visit:
2. Enigmail security extension
At the top of the Thunderbird window, click on Tools > Add-ons > Extensions. If you see ‘Enigmail’, you already have Enigmail. If not, go to the search bar in the upper right of the window, and search for ‘Enigmail’. Click ‘Install’, and restart Thunderbird. When Thunderbird restarts, you can close the ‘Add-ons Manager’ tab.
Note: if you do not have a menu bar at the top of the Thunderbird window, right-click on the 3-line menu icon on the top right hand side of the Thunderbird window and tick ‘Menu bar’.
3. Key pair
At the top of the Thunderbird window, click on Enigmail > Key Management. Back up to the top toolbar, click > Generate > New key pair
- The email address you wish to use for encrypted mail should be selected
- Tick ‘Use generated key for the selected identity’. Select key to expire in five years
- Enter a passphrase (this is the passphrase for your encrypted mail – not just your online mail account – it should be very strong).
- The ‘Comment’ box adds a public comment to your public key if you list it on the keyserver (so don’t use this for a password hint!)
- Under ‘Key expiry’, the Key should expire in five years
- Click the ‘Advanced’ tab, and select the maximum key size of 4096, and Key type ‘RSA’
- Click ‘Generate key’ and move your mouse around the screen whilst it generates your key (this aids the ‘randomness pool’ from which the key is configured). This may take a few minutes.
- A box will appear informing you that the key generation is completed. Click ‘Generate Certificate’ in this box (this creates a revocation certificate that you will need when you wish to invalidate your key, for example, if the key pair is lost or compromised). Save the revocation certificate somewhere safe. You will now be asked to enter your passphrase in order to complete this action.
Go back into Thunderbird to change some settings.
Basic > Passphrase settings: here you should select how long you want Thunderbird to remember your key pair passphrase for
Sending: Select ‘Manual encryption settings’ and tick
Key Selection: Tick ‘By Per-Recipient Rules’, ‘By Email Addresses according to Key Manager’, and ‘Manually if Keys are Missing’
Advanced: we recommended that you tick ‘Re-wrap signed HTML text before sending’ as HTML text does not work well with encrypted emails.
Saving folders locally
This is particularly useful for saving drafts – you don’t want your draft, unencrypted emails being saved on your online mail folders. Rather, you should save them locally on your hard disk to have more control over their security.
In the menu bar on the left hand side of the Thunderbird window, you will see all your email folders. At the bottom, are ‘Local Folders’ – right click and select ‘New Folder’. Creating ‘Sent’ and ‘Draft’ local folders may be helpful.
Click Edit (Linux) or Tools (Mac/Windows) > Account Settings > Copies & Folders. You can select where to store your messages here. For example, under ‘Drafts and Templates’, select ‘Local Folders’ as the location to keep your message drafts.
In the same window [Edit (Linux) or Tools (Mac/Windows) > Account Settings] click OpenPGP Security > tick ‘Encrypt draft messages on saving’.
Email in plain text
HTML does not encrypt well, so you will write messages in plain text instead.
Edit (Linux) or Tools (Mac/Windows) > Account Settings > Composition & Addressing. Untick ‘Compose messages in HTML format’
Share your PGP signature with contacts
You should always sign encrypted messages to help the recipient verify that you are the real sender. Sharing your PGP signature with the people you email, even when the email is not encrypted, also helps the recipient (if they also use Enigmail) verify that you are the real sender of the message (not an impersonator). If the recipient does not use PGP encryption, signing unencrypted mail indicates that you usually use PGP encryption – or to the uninformed, it may be mildly confusing!
Edit (Linux) or Tools (Mac/Windows) > Account Settings > OpenPGP Security
‘Enable OpenPGP support (Enigmail) for this identity’ should be ticked.
Tick ‘sign encrypted messages by default’. If you wish, you may select ‘Sign non-encrypted messages by default’ – when you sign a message, whether encrypted or not, it helps the recipient (if they also use Enigmail) verify that you are the real sender of the message (not an impersonator). Click ‘OK’.
Publicly list your public key
Uploading your public key to the keyserver is like listing your phone number in a phonebook. It allows people to search for your name/email address, and locate your public key in order to send you an encrypted email. This is very useful for journalists who invite encrypted mail and wish to protect source confidentiality. However, if you are setting up encryption for an anonymous email address that you will use only to communicate with specific, high risk individuals, of course there is little to gain from uploading your public key to the keyserver.
Enigmail > Key management.
Tick ‘Display All Keys by Default’. Right click your email address, and select ‘Upload Public Keys to Keyserver’ if you want people to be able to contact you. The default keyserver (pool.sks-keyservers.net) is fine.
To search for anyone’s public key
Search for a name/email address to see if a person has a public key listed, so you can send them encrypted mail (like searching for a number in a phonebook).
Enigmail > Key management > Keyserver (in the top toolbar) > Search for keys. Enter the person’s name or email address and browse the results. Tick the email address of anyone whose key you’d like to import and press ok.
Import a key
If you already have your contact’s key on a file or online, but need to import it to your key manager on Thunderbird.
Importing a key from file:
In Thunderbird, go to Enigmail > Key management. Now go back up to the top toolbar to click on File > Import keys from file.
Importing a key from email:
If your contact has attached their public key in an email, right-click on the .asc attachment and click ‘Import OpenPGP Key’. The attachment may look like:
Importing a key from a public key block:
Many people have their full public key ‘block’ (i.e. the full public key in text) on their website. This allows people to trust the website as the source of the key rather than the keyserver, and may help prevent man-in-the-middle attacks.
Simply copy the whole key block (the entire block, as shown below), then in Thunderbird go to Enigmail > Key management > (back up the top toolbar) Edit > Import keys from clipboard > click ‘Import’ in the confirmation box.
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.11 (GNU/Linux)
END PGP PUBLIC KEY BLOCK-----
Make sure that the person you think you are communicating with is certainly who they say they are
In Thunderbird, go to Enigmail > Key management > right-click a selected email address > Key Properties. Here you will see the person’s key ID and fingerprint. You can verify that the key does indeed belong to the person by exchanging fingerprints by another communication means (in person, on the phone, on their business card/website), and checking they match exactly. In the same window you can then click Select Action > Set Owner Trust > and select how much you trust that the key does in fact belong to the individual concerned.
Add a regular email signature
With your name, job title, website, email address/es, PGP fingerprint, etc…
Edit (Linux) or Tools (Mac/Windows) > Account Settings
Here you can enter signature text to attach to your emails.
Edit (Linux) or Tools (Mac/Windows) > Account Settings > Composition & Addressing
Select ‘Include signature for replies’
Receiving new mail
You can decide how frequently the mail client searches for new messages.
Edit (Linux) or Tools Tools (Mac/Windows) > Account Settings > Server settings
Send an encrypted email
When you have completed the set up, send a test email to someone else who has encrypted mail. Import their key or find it on the keyserver, and be sure to verify it and sign your trust of their key before you try to send an email (otherwise the email client might not actually let you send them encrypted mail – Thunderbird will encourage good InfoSec in this way!).
Choose a recipient whose key you have already imported, verified, and set owner trust for. Write your email, and before you click ‘Send’, either click on the padlock icon to close it and encrypt the message, or go to ‘Enigmail’ within the email compose window and click on ‘Encryption Off’ to turn the encryption on. Press ‘Send’, and the confirmation box should tell you that the email is both signed and encrypted (if not, go back and check you ticked to encrypt). Click ‘Send Message’, and your encrypted email will be sent!
Now that you have sent this person an encrypted email, a default setting should be created whereby all future emails to this contact will automatically encrypt.
Share your public key with an individual
The first time you send a contact an encrypted email, you should attach your public key so that they can respond by encrypting an email back to your key. In the email compose window, to the right of the encryption padlock and signing pencil icons, there is an option to ‘Attach My Public Key’. Select this to attach your public key to the email. Alternatively, click ‘Enigmail’ > ‘Attach My Public Key’.
You can encrypt and decrypt attachments to your emails with GPG too
When sending a file as an attachment to an encrypted email, you can choose whether or not to encrypt the attachment too. Write the email, attach a file as normal, and click ‘Send’. Before the email sends, you will be given four options. The first option is to just encrypt the message but not the attachments. The second is to encrypt the message, and to also individually encrypt attachments. Opt for the second choice (‘Encrypt and sign each attachment separately and send the message using inline PGP’), and click OK. Then your confirmation box will pop up as usual, telling you the message and attachments are signed and encrypted – click ‘Send Message’ to confirm, and the email and attachment will be sent.
When someone sends you an encrypted email attachment, right click the attachment and click ‘Decrypt and Save As’. Save it in your chosen location, and then go to that location to find/open the attachment.
Of course, if you are mailing an attachment that has already been encrypted by other means (e.g. VeraCrypt), you don’t need to encrypt it again using GPG.
Add a new account
You may wish to add another email account to Thunderbird, whether you intend on using encryption on that account or not.
In Thunderbird go to Tools (or ‘Edit’ on Linux) > Account Settings > Account Actions > Add mail account.