Hi!

I've just listened to Steve Gibsons' Security Now. On the podcast, he mentioned about end to end encryption on emails. I am curious how am I going to implement it. On my previous company, we are using PGP and even though I don't know much about it they told me it is secured. Can someone briefly explain to me how this works and how I can implement it? For example on emails, do I need to configured it on top of the MTA? Or can I just install it on the application layer such as the mail browser (Mozilla Thunderbird, Outlook, KMail, Evolution)? Thanks.

I'm far from an expert on this, but my experience is that it is easy to administer at the application level, at least on Thunderbird. In Linux the "statndard" I'm aware of is and openPGP and GPG is a widely-used implementation. In Thunderbird, I've found the Enigmail extension to be an easy way of using encryption on emails.

So, how is it possible to decrypt from one client to another? I mean, for example if two email account users have different mail client. For instance, I am using Microsoft Outlook and I would want to encrypt my email using PGP and the receiver would have a Thunderbird mail client. Should it be implemented on the servers' end or the clients' end?

If both implementations follow the standard, it shouldn’t matter which you use on either end.

How PGP or openPGP (Pretty Good Protection) works is it creates a key from random data. It stores the key as your private key. To share your key, you make a public key which is different from your private key. You will have to provide your public key to people that you acknowledge as trustworthy. I suggest putting your public key on a disk instead sending it through emails. Though the government might spy on you and probably state you as a terrorist is one of the consequence of encrypting emails. I suggest using it to encrypt your valuable data on your system, so thieves can not retrieve your personal information even when they steal your disks.

If you want a secure connection to share your information, setup VPN.

I don't know what distribution your using or what mail client your using either but I'm using Gentoo and Evolution. Gentoo has a setup guide on how to create your key and such. And then setting up Evolution to use your key to sign and encrypt email is as simple as checking the boxes in your preferences.
http://www.gentoo.org/doc/en/gnupg-user.xml
Although that guide is specifically for Gentoo, other than the installing part, everything else should be the same.
Good luck!

How about the other end? How will they be able to decrypt the message? Do I have to send out my key to the receiver?

Well if they have a decent mail client like Thunderbird, Evolution, etc. it will check the key server automatically and decrypt for you. You don't send your key to receiver (though you can) you instead send it to the key server, the receiver looks for your key on the server, and then saves it to his keyring of trusted keys.

PGP, GPG uses a Public Key and a Private Key as stated earlier to encrypt and decrypt messages.

You PUBLISH your public key on a Key server. I use pgp.mit.edu to publish mine. the key is then replicated to other PGP key servers automatically.

When you encrypt an email you use your Private key to encrypt or sign the message, the other end would retrieve your public key from the key server in order to verify the signature or decrypt the message..

Wait a minute you say.. what good does it do to encrypt a message in that fashion if ANYONE can retrieve my public key from the servers ? You are absolutely correct.. This method is best used for just Signing a message to verify the content has not been changed. if you wish to Send an encrypted message securely to another party you should:

Retrieve the receiving parties Public key from the key server. Use their Public key to encrypt the message you are sending to them. Only their matching private key will be able to decrypt the message that has been encrypted using their public key.

Now on to other important matters when dealing with PGP/GPG
GPG Key Signing Party HOW-TO This document covers how to create your keys, Public/Private/REVOCATION CERTIFICATE. It then goes into detail on how to verify other peoples identities, and how to retrieve their keys from the key server and how to sign them and then how to send the signed key back to the server.. All of this is greatly simplified using the Enigmail plugin with Thunderbird..

NEVER under ANY Circumstances should you let anyone have access to your Private key. If you feel your private key has been compromised, it's time to put your revocation certificate to work to tell the key servers that the old key is invalid. Once you have done that you should generate a new set of keys and a new revocation certificate. Store the Revocation certificate in a safe place.. maybe several because without it you cannot revoke your old keys..

Thanks...Very well said.. I'll try to experiment on this one once I have the time.

Since this GPG post popped back up today I'll mention the Debian Package of the Day from Feb 18th.. it was called signing-party.

Signing-party provides a little application that will take your public key and format a Page creating a PostScript file you can print out with your email address and Public key signature to hand out at a key signing party.. very handy !!

apt-get install signing-party ghostscript

Now you have a nice PS or pdf file you can print that you can cut up little slips of paper for the Key signing party.. Each slip has your key information nicely formatted..

Really slick !!

Thanks man...This is very cool!