emailselfdefense.fsf.orgEmail Self-Defense - a guide to fighting surveillance with GnuPG encryption

Due to Enigmail’s PGP functionality being migrated into Icedove and Thunderbird, steps 2 and 3 of the guide are currently out of date. Thank you for your patience while we’re working on a new round of updates.Email Self-Defense English - v5.0 español - v5.0 français - v5.0 Türkçe - v5.0 čeština - v4.0 Deutsch - v4.0 ελληνικά - v3.0 فارسی - v4.0italiano - v5.0 日本語 - v4.0polski - v5.0 português do Brasil - v3.0 română - v3.0русский - v5.0 Shqip - v5.0 svenska - v4.0简体中文 - v5.0 Translate! Set up guide Mac OSWindowsTeach your friends This site’s tor onion service Share We fight for computer users’ rights, and promote the development of free (as in freedom) software. Resisting bulk surveillance is very important to us. Please donate to support Email Self-Defense. We need to keep improving it, and making more materials, for the benefit of people around the world taking the first step towards protecting their privacy. Sign up Enter your email address to receive our monthly newsletter, the Free Software Supporter Bulk surveillance violates our fundamental rights and makes free speech risky. This guide will teach you a basic surveillance self-defense skill: email encryption. Once you’ve finished, you’ll be able to send and receive emails that are scrambled to make sure a surveillance agent or thief intercepting your email can’t read them. All you need is a computer with an Internet connection, an email account, and about forty minutes. Even if you have nothing to hide, using encryption helps protect the privacy of people you communicate with, and makes life difficult for bulk surveillance systems. If you do have something important to hide, you’re in good company; these are the same tools that whistleblowers use to protect their identities while shining light on human rights abuses, corruption, and other crimes. In addition to using encryption, standing up to surveillance requires fighting politically for a reduction in the amount of data collected on us , but the essential first step is to protect yourself and make surveillance of your communication as difficult as possible. This guide helps you do that. It is designed for beginners, but if you already know the basics of GnuPG or are an experienced free software user, you’ll enjoy the advanced tips and the guide to teaching your friends . #1 Get the pieces This guide relies on software which is freely licensed ; it’s completely transparent and anyone can copy it or make their own version. This makes it safer from surveillance than proprietary software (like Windows or macOS). Learn more about free software at fsf.org . Most GNU/Linux operating systems come with GnuPG installed on them, so if you’re running one of these systems, you don’t have to download it. If you’re running macOS or Windows, steps to download GnuPG are below. Before configuring your encryption setup with this guide, though, you’ll need a desktop email program installed on your computer. Many GNU/Linux distributions have one installed already, such as Icedove, which may be under the alternate name "Thunderbird." Programs like these are another way to access the same email accounts you can access in a browser (like Gmail), but provide extra features. Step 1.a Set up your email program with your email account Open your email program and follow the wizard (step-by-step walkthrough) that sets it up with your email account. This usually starts from "Account Settings" → "Add Mail Account". You should get the email server settings from your systems administrator or the help section of your email account. Troubleshooting The wizard doesn’t launch You can launch the wizard yourself, but the menu option for doing so is named differently in each email program. The button to launch it will be in the program’s , under "New" or something similar, titled something like "Add account" or "New/Existing email account." The wizard can’t find my account or isn’t downloading my mail Before searching the Web, we recommend you start by asking other people who use your email system, to figure out the correct settings. I can’t find the menu In many new email programs, theis represented by an image of three stacked horizontal bars. Don’t see a solution to your problem? Please let us know on the feedback page . Step 1.b Install GnuPG If you are using a GNU/Linux machine, you should already have GnuPG installed, and you can(some GNU/Linux systems respond to the Ctrl + Alt + T shortcut). # Enter gpg full-generate-key to start the process. # To answer what kind of key you would like to create, select the default option: 1 RSA and RSA . # Enter the following keysize: 4096 for a strong key. # Choose the expiration date; we suggest 2y (2 years). Follow the prompts to continue setting up with your personal details. Depending on your version of GPG, you may need to use gen-key instead of full-generate-key . You can set further options by running gpg edit-key [your@email] in a terminal window. Set your passphrase On the screen titled "Passphrase," pick a strong passphrase! You can do it manually, or you can use the Diceware method. Doing it manually is faster but not as secure. Using Diceware takes longer and requires dice, but creates a passphrase that is much harder for attackers to figure out. To use it, read the section "Make a secure passphrase with Diceware" in this article by Micah Lee. If you’d like to pick a passphrase manually, come up with something you can remember which is at least twelve characters long, and includes at least one lower case and upper case letter and at least one number or punctuation symbol. Never pick a passphrase you’ve used elsewhere. Don’t use any recognizable patterns, such as birthdays, telephone numbers, pets’ names, song lyrics, quotes from books, and so on. Troubleshooting GnuPG is not installed You can check if this is the case with the command gpg version . If GnuPG is not installed, it will bring up the following result on most GNU/Linux operating systems, or something like it: Command ’gpg’ not found, but can be installed with: sudo apt install gnupg . Follow that command and install the program. gpg full-generate-key command not working Some distributions use a different version of GPG. When you receive an error code that is something along the lines of: gpg: Invalid option "full-generate-key" , you can try the following commands: sudo apt update sudo apt install gnupg2 gpg2 full-generate-key If this resolved the issue, you need to continue to use the gpg2 identifier instead of gpg throughout the following steps of the guide. Depending on your version of GPG, you may need to use gen-key instead of full-generate-key . I took too long to create my passphrase That’s okay. It’s important to think about your passphrase. When you’re ready, just follow the steps from the beginning again to create your key. How can I see my key? Use the following command to see all keys: gpg list-keys . Yours should be listed in there, and later, so will Edward’s ( Section 3 ). If you want to see only your key, you can use gpg list-key [your@email] . You can also use gpg list-secret-key to see your own private key. More resources For more information about this process, you can also refer to The GNU Privacy Handbook . Make sure you stick with "RSA and RSA" (the default), because it’s newer and more secure than the algorithms the documentation recommends. Also make sure your key is at least 4096 bits if you want to be secure. Don’t see a solution to your problem? Please let us know on the feedback page . Advanced Advanced key pairs When GnuPG creates a new keypair, it compartmentalizes the encryption function from the signing function through subkeys . If you use subkeys carefully, you can keep your GnuPG identity more secure and recover from a compromised key much more quickly. Alex Cabal and the Debian wiki provide good guides for setting up a secure subkey configuration. Step 2.b Some important steps following creation Upload your key to a...