Secure Your Email With a GPG Key Pair
Privacy-conscious email services have grown in popularity over the last couple of years, and while companies like Proton and Tutanota are leagues ahead of the mainstream, there's still a better way to do email for security-minded people.
What about the companies behind these services, though? Shouldn't they protect their users from any form of surveillance? The simple answer is no. They obviously have to obey laws and will log IP addresses and cooperate with the authorities without question.
Having understood their shortcomings, we know nothing's stopping them from using their own vulnerabilities to serve malicious code to a targeted individual (based on a specific IP address, for example) if they were compelled to do so. Proton itself writes:
“While we can offer more protection and security, we cannot guarantee your safety against a powerful adversary.”
So what can you do to fix this?
Manage your own keys
For the purpose of this exercise, we're going to step away from the usual suspects and register an account with Posteo for the price of 1 EUR per month.
Just follow along with Posteo's documentation until you feel ready to download Thunderbird and generate your first GPG key.
You ready? Alright! Fire up your Linux terminal and type the following command:
Select option 1 (RSA and RSA) and set the key size to 4096
To make things simpler, we will not set an expiration date
Leave the name blank and enter your new Posteo email address. Skip the comment
Follow the on-screen instructions (click things, type random words, etc.)
Well done! You've got your GPG key pair all set up. Now you'll need to export the public key and pair it up with Posteo. To export the pub key, you can use the following command:
gpg --armor --export firstname.lastname@example.org >example.asc
Linking it all together
Set up Posteo in Thunderbird following the instructions outlined here. This step enables us to use a trusted email client and eliminates the need to log into Posteo's webmail from this point on.
Now that we've got everything ready, our last task is to import the GPG key you generated into Thunderbird. To do this, right-click on your email address, click Settings, then head to End-To-End Encryption and prepare to add your key.
This is one of those rare occasions where you need to export your private key because Thunderbird needs it to decrypt any encrypted messages you receive.
To export the private key, enter this command into your Linux terminal:
gpg --export-secret-keys --armor >my-secret-key.asc
The file this command creates is the one you need to import. Because no key is named, it contains every secret key in your keyring, so keep it off shared storage and delete it once Thunderbird has imported it.
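The key-generation choices above and the two export commands, as one added shell script (not from the original post or from Posteo's or Thunderbird's documentation): it uses GnuPG's batch parameter-file mode instead of the interactive prompts, the address and passphrase are placeholders, and a throwaway GNUPGHOME keeps it off your real keyring.

```shell
#!/bin/sh
# Added example (not from the original post): the interactive choices above
# as a GnuPG batch parameter file, followed by the two exports. Everything
# happens in a throwaway GNUPGHOME so the real keyring is never touched.
set -eu

ADDR="firstname.lastname@example.org"   # placeholder: your Posteo address
PASS="change-me-before-use"             # placeholder passphrase

# Batch equivalent of: option 1 (RSA and RSA), 4096 bits, no expiry,
# blank name, email only, no comment.
write_params() {
  cat >"$1" <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Email: $2
Expire-Date: 0
Passphrase: $3
%commit
EOF
}

# Generate the pair in an isolated keyring, then export the public half
# for Posteo and the passphrase-protected secret half for Thunderbird.
gen_and_export() {
  home="$1"
  mkdir -p "$home" && chmod 700 "$home"
  write_params "$home/params" "$ADDR" "$PASS"
  gpg --homedir "$home" --batch --pinentry-mode loopback \
      --gen-key "$home/params" 2>/dev/null
  gpg --homedir "$home" --armor --export "$ADDR" >"$home/example.asc"
  gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase "$PASS" \
      --armor --export-secret-keys "$ADDR" >"$home/my-secret-key.asc"
  chmod 600 "$home/my-secret-key.asc"   # secret material: owner-only
}

# Checks worth running before importing: both files are armored blocks,
# and the primary key really is 4096-bit RSA (algo 1) with no expiry.
check_exports() {
  home="$1"
  grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$home/example.asc" &&
  grep -q 'BEGIN PGP PRIVATE KEY BLOCK' "$home/my-secret-key.asc" &&
  gpg --homedir "$home" --with-colons --list-keys "$ADDR" 2>/dev/null |
    grep -q '^pub:[^:]*:4096:1:[^:]*:[^:]*::'
}
# Usage: gen_and_export /tmp/gpg-demo && check_exports /tmp/gpg-demo
```

Import example.asc into Posteo and my-secret-key.asc into Thunderbird exactly as described above, then delete the secret file.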
And there you go! You've got a new email account with a trusted provider while retaining full control over your encryption keys and avoiding insecure web apps.
Ask your friends to exchange public keys with you so you can communicate, and rest easy knowing all your secrets will follow you to the grave.