Our emails are now digitally signed

Why?

So you can be sure the email came from us and the content we sent is the content you received.

How?

Every email now carries a PGP signature. Many email clients detect this automatically and verify both the sender and the content. If yours does not, you can fetch our public key from a public key server such as https://keys.openpgp.org and verify the signature with it.

Do I have to?

No, you can ignore it and still read the email in plain text. At the end, some email clients may show the digital signature. It will look like this – which is shorter than many disclaimers!

-----BEGIN PGP SIGNATURE-----

wsD5BAABCAAjFiEE1ydEuYxMEiBwFgeqJ+eC9bQ181wFAmDkneIFAwAAAAAACgkQJ+eC9bQ181zL
zAv9FZoxG0DSys0VqOYFHIGs/FAZc7e4QIfXIsvlYSkUFPCifot6p9d0MkBYkFKUg3EU3LjK+DAy
uvteaF71Hr5JwYeWagsDpFxsVefWyxb4TDaAwCLzCNwR8YshFdCc9T6QOO6NmJj63jDJgzOHeQcV
MdrtJXrKvIt6JbAip2DP2O2dMqMtkF61FSiUuRiIEsHqHhtpBfvMDlvS/9qrZiPCPDFtxOOdEpvf
2mFOMnbwvoqe40fYC+bAUzKdZtzCx74xmL4IWzi4GMCVx9dYc9BzKUs1JAF0JnsqG2e/IfvqPjDl
DDRTj2zD6UhbZE6DBTZ7OIqV51Edb/xk85rslCw4SvC8vyOHBtQk82/pUaVP+hRi+wVk8UzWVLe5
hMBTTDPOoH1W3jIFh/1TltRNJkq5tSxyEHUk0d8KUNNt6fKxVSLjQkgRjbd1rHuoMau2z8dbGMGy
vqQt2ccHygNeAgWDbxqlwwLic4KPWTM8IllsSTwvFWqFrJZUVPpDc49Mdfg3
=knMy
-----END PGP SIGNATURE-----

But if it’s plain text it isn’t encrypted is it?

Correct. Anybody who intercepts it can read it. But they can’t change it without detection, because the signature is unique to each message and to the sender. If the content or the sender doesn’t match, signature verification will fail.

Can I have it encrypted?

Yes – all we need is your public PGP key. We encrypt with that and you decrypt with your own private key. That hides sensitive data such as passwords from prying eyes. Likewise, you can use our public key to encrypt what you send to us, so mail in both directions is encrypted.

What’s with all this public/private thing?

Your email client may have, either inbuilt or as an add-on, a PGP module to generate a public and private key pair for each email address. The public key enables others to encrypt the content they send to you, while your private key decrypts it. Only you can read the email sent to you.

With signatures – and that’s what we are doing today – it works the other way round: our private key creates the signature, and anyone can use our public key to verify the authenticity of the sender and contents.

It’s the same methodology used in any secure website (using https://). The stuff sent to you is encrypted with the website’s private key. Your browser decrypts it with the website’s public key. Stuff you send back using their public key can only be deciphered by the website using its private key. Eavesdroppers just see gobbledygook.
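As an added illustration of the mechanics described in the two sections above (not code from the original page or from the authors' mail setup), the following Go program uses RSA from Go's standard library in place of the OpenPGP message format. It signs a constructed sample message with a private key and verifies it with the matching public key, shows verification failing when the message is altered or the signature comes from a different key, and then seals the same message to a recipient's public key so that only the recipient's private key can open it. The key pairs, the sample message and the function names are all assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample email body (not from the page).
const sampleMail = "Subject: Invoice 42\n\nPlease find the invoice attached.\n"

// KeyPair holds one party's RSA private key and the matching public key.
type KeyPair struct {
	Priv *rsa.PrivateKey
	Pub  *rsa.PublicKey
}

// NewKeyPair generates a fresh 2048-bit RSA key pair (stand-in for a PGP key pair).
func NewKeyPair() (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Priv: priv, Pub: &priv.PublicKey}, nil
}

// Sign hashes the message and signs the digest with the sender's private key (RSA-PSS).
func Sign(sender *KeyPair, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, sender.Priv, crypto.SHA256, digest[:], nil)
}

// Verify checks a signature using nothing but the sender's public key; it returns false
// if the message or the signature was altered, or the signature came from another key.
func Verify(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Encrypt seals a short message to the recipient's public key (RSA-OAEP). PGP uses the
// public key to wrap a per-message symmetric key instead; the principle is the same.
func Encrypt(recipientPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
}

// Decrypt opens the sealed message with the recipient's private key.
func Decrypt(recipient *KeyPair, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.Priv, ciphertext, nil)
}

// Outcome records the verification result for each scenario the page describes.
type Outcome struct {
	Genuine     bool // untouched message, our signature
	Altered     bool // message changed in transit, our signature left as is
	WrongSender bool // same message, but signed by somebody else's key
}

// SignatureChecks runs the three scenarios with real keys: "us" is the signing sender,
// "impostor" is any other key holder.
func SignatureChecks(us, impostor *KeyPair) (Outcome, error) {
	msg := []byte(sampleMail)
	sig, err := Sign(us, msg)
	if err != nil {
		return Outcome{}, err
	}
	forged, err := Sign(impostor, msg)
	if err != nil {
		return Outcome{}, err
	}
	// One changed character is enough: the digest, and so the signature check, differs.
	altered := []byte("Subject: Invoice 43\n\nPlease find the invoice attached.\n")
	return Outcome{
		Genuine:     Verify(us.Pub, msg, sig),
		Altered:     Verify(us.Pub, altered, sig),
		WrongSender: Verify(us.Pub, msg, forged),
	}, nil
}

func main() {
	us, _ := NewKeyPair()
	impostor, _ := NewKeyPair()
	you, _ := NewKeyPair()
	out, err := SignatureChecks(us, impostor)
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v altered=%v wrongSender=%v\n", out.Genuine, out.Altered, out.WrongSender)

	// Encryption runs the other way: we seal to your public key, only your private key opens it.
	sealed, _ := Encrypt(you.Pub, []byte(sampleMail))
	plain, _ := Decrypt(you, sealed)
	fmt.Printf("round trip ok=%v; %d bytes of noise to an eavesdropper\n", string(plain) == sampleMail, len(sealed))
	_, err = Decrypt(us, sealed) // our own private key cannot open mail sealed to you
	fmt.Println("wrong key rejected:", err != nil)
}
```

Running it prints genuine=true with both failure cases false, a successful round trip, and a rejected decryption with the wrong private key. The public keys are the only values either side ever needs to hand out, which is why the authors can publish theirs on a key server.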

Is it difficult for me to set up this keyserver thing?

Moderate. You will have to do your own research into the software and setup pertinent to the email systems you use and all your devices. Suffice it to say we did it in a single day starting from zero. But then, we do manage all our own email systems. If you want to try, we are willing guinea pigs.

What are you using?

Our desktops and laptops use the Thunderbird email client with the Enigmail plugin. Our webmail system is based on Roundcube with the Enigma plugin. Our Android devices use the K-9 email client with OpenKeychain. Our preferred key server is https://keys.openpgp.org

Further reading …