Encryption and Gmail

Last time we looked at how you can use GPG and Enigmail to digitally sign or encrypt messages in Thunderbird. But today many people use web-based mail, and one of the most popular is Google’s Gmail. Others include Outlook.com and Yahoo, but using any of them is pretty similar. So since I have a Gmail account handy, I will use that to demonstrate encryption in web mail accounts.

The important thing you must keep in mind is that this relies on you using your GPG keys to either sign or encrypt the message before it leaves your computer, what Steve Gibson calls Pre-Interent Encryption, or PIE. The flaw in what Lavabit did (discussed in previous lesson) was to use keys that the mail provider controlled, and these keys could be (and were) demanded by the the government.. If you use your own GPG keys that you control, no provider (Google, in this case) is even capable of giving anything to the government other than a blob of random nonsense.

To do this, I will use an extension for Google’s Chrome Browser called Mailvelope. This is also available for Firefox, but in my case I use Chrome to access my Gmail account., so using a Chrome extension makes sense for me. The first thing to do is go to the Chrome store, search for Mailvelope, and install it.

Once you have Mailvelope installed, you need to give it your keys. Go to the Options for Mailvelope in your Chrome extensions, and select Import keys. This will let you import your keys, but they have to be pure ASCII text files for this to work. And on your hard drive they are not pure ASCII. So you need to do an export. You can do this several ways:

  • To get your private key, used for decrypting messages to you, you can issue the command:    gpg –export-secret-key -a “User Name”. This will display your key as ASCII text in the terminal window, and you can paste it into Mailvelope.
  • To get your public key, used by others to encrypt messages to you, issue the command: gpg –armor –export “e-mail address”
  • Or, if you already set up Thunderbird with GPG and Enigmail, you can export both at once by opening the OpenPGP Menu, selecting Key Management, then click on your own key to select, then going to the File menu and selecting Export Keys to File. You will then be asked if you want to include the Secret Key. Say yes, and you will be asked to approve a file name and location for the exported file. You can then open this *.asc file in Mailvelope’s Import screen, and you should see two green lines that say “Success – Public Key…” and “Success – Private Key…” and that they have been added to your key ring.

NOTE: This process of exporting and importing keys is the best way to move your keys to other computers, particularly if you have a multi-platform environment where you want  to use Linux, Windows, and Mac computers.

Now, with Mailvelope installed, start to compose a message in Gmail. You will get the normal Compose window, but one thing will be different. There is now an “Edit” on the right side of the window:

New Compose window after installing Mailvelope

New Compose window after installing Mailvelope

This is the icon with a yellow pencil on top of a sheet of paper. If you click that another window opens for you to create your encrypted message. You just type your message here:

Composing an encrypted message in Gmail using Mailvelope

If you now click the Transfer button you will get a pop-up window warning you that you are trying to send unencrypted data online. So what you need to do is click the Lock icon. This opens a Window where you need to select a recipient for this email. Remember that you can only encrypt email to a person for whom you already have a public key! The public keys you have installed on your key ring will be available here, so click on the right one to select it, then click the Add button. Then click OK. This will generate the encrypted message. Then click Transfer to put it into the body of your Gmail message. This will now look like this:

Encrypted message in Gmail using Mailvelope

So, at this point you have a completely encrypted message, but nothing has left your computer. If you now click the Send button your message will be sent, but Google will have no idea what it says, and neither will anyone else who does not have the private key of the recipient.

Decrypting with Mailvelope

This is easy. If you receive an encrypted message in your Gmail account, you will have an overlay over the message with an icon of an envelope and lock:

Receiving an encrypted message with Mailvelope















Your cursor will turn into a key, and if you click on the icon yo will be asked to provide your passphrase. If you can do this successfully, the message will decrypt.

Digital signing with Mailvelope

As of the time I write this (February 2014) Mailevelope does not support digital signing, but they are working on it and I hope this will be added soon. Obviously they put the priority on ensuring that you could securely encrypt messages, which is not a bad priority.

Listen to the audio version of this post on Hacker Public Radio!

 Save as PDF