emailselfdefense.fsf.orgEmail Self-Defense - a guide to fighting surveillance with GnuPG encryption

Email Self-Defense English - v4.0 čeÅ¡tina - v4.0 Deutsch - v4.0 ελληνικά - v3.0 español - v4.0 فارسی - v4.0 français - v4.0 italiano - v3.0 日本語 - v4.0 português do Brasil - v3.0 română - v3.0 русский - v4.0 Shqip - v4.0 svenska - v4.0 Türkçe - v4.0 简体中文 - v4.0 Translate! GNU/Linux Mac OS Windows Teach your friends Share We fight for computer users' rights, and promote the development of free (as in freedom) software. Resisting bulk surveillance is very important to us. Please donate to support Email Self-Defense. We need to keep improving it, and making more materials, for the benefit of people around the world taking the first step towards protecting their privacy. Bulk surveillance violates our fundamental rights and makes free speech risky. This guide will teach you a basic surveillance self-defense skill: email encryption. Once you've finished, you'll be able to send and receive emails that are scrambled to make sure a surveillance agent or thief intercepting your email can't read them. All you need is a computer with an Internet connection, an email account, and about forty minutes. Even if you have nothing to hide, using encryption helps protect the privacy of people you communicate with, and makes life difficult for bulk surveillance systems. If you do have something important to hide, you're in good company; these are the same tools that whistleblowers use to protect their identities while shining light on human rights abuses, corruption and other crimes. In addition to using encryption, standing up to surveillance requires fighting politically for a reduction in the amount of data collected on us , but the essential first step is to protect yourself and make surveillance of your communication as difficult as possible. This guide helps you do that. It is designed for beginners, but if you already know the basics of GnuPG or are an experienced free software user, you'll enjoy the advanced tips and the guide to teaching your friends . #1 Get the pieces This guide relies on software which is freely licensed ; it's completely transparent and anyone can copy it or make their own version. This makes it safer from surveillance than proprietary software (like Windows). Learn more about free software at fsf.org . Most GNU/Linux operating systems come with GnuPG installed on them, so you don't have to download it. Before configuring GnuPG though, you'll need the IceDove desktop email program installed on your computer. Most GNU/Linux distributions have IceDove installed already, though it may be under the alternate name "Thunderbird." Email programs are another way to access the same email accounts you can access in a browser (like Gmail), but provide extra features. If you already have an email program, you can skip to Step 1.b . Step 1.a Set up your email program with your email account Open your email program and follow the wizard (step-by-step walkthrough) that sets it up with your email account. Look for the letters SSL, TLS, or STARTTLS to the right of the servers when you're setting up your account. If you don't see them, you will still be able to use encryption, but this means that the people running your email system are running behind the industry standard in protecting your security and privacy. We recommend that you send them a friendly email asking them to enable SSL, TLS, or STARTTLS for your email server. They will know what you're talking about, so it's worth making the request even if you aren't an expert on these security systems. Troubleshooting The wizard doesn't launch You can launch the wizard yourself, but the menu option for doing so is named differently in each email program. The button to launch it will be in the program's main menu, under "New" or something similar, titled something like "Add account" or "New/Existing email account." The wizard can't find my account or isn't downloading my mail Before searching the Web, we recommend you start by asking other people who use your email system, to figure out the correct settings. Don't see a solution to your problem? Please let us know on the feedback page . Step 1.b Install the Enigmail plugin for your email program In your email program's menu, select Add-ons (it may be in the Tools section). Make sure Extensions is selected on the left. Do you see Enigmail? Make sure it's the latest version. If so, skip this step. If not, search "Enigmail" with the search bar in the upper right. You can take it from here. Restart your email program when you're done. There are major security flaws in versions of GnuPG prior to 2.2.8, and Enigmail prior to 2.0.7. Make sure you have GnuPG 2.2.8 and Enigmail 2.0.7, or later versions. Troubleshooting I can't find the menu. In many new email programs, the main menu is represented by an image of three stacked horizontal bars. My email looks weird Enigmail doesn't tend to play nice with HTML, which is used to format emails, so it may disable your HTML formatting automatically. To send an HTML-formatted email without encryption or a signature, hold down the Shift key when you select compose. You can then write an email as if Enigmail wasn't there. Don't see a solution to your problem? Please let us know on the feedback page . #2 Make your keys To use the GnuPG system, you'll need a public key and a private key (known together as a keypair). Each is a long string of randomly generated numbers and letters that are unique to you. Your public and private keys are linked together by a special mathematical function. Your public key isn't like a physical key, because it's stored in the open in an online directory called a keyserver. People download it and use it, along with GnuPG, to encrypt emails they send to you. You can think of the keyserver as a phonebook; people who want to send you encrypted email can look up your public key. Your private key is more like a physical key, because you keep it to yourself (on your computer). You use GnuPG and your private key together to descramble encrypted emails other people send to you. You should never share your private key with anyone, under any circumstances. In addition to encryption and decryption, you can also use these keys to sign messages and check the authenticity of other people's signatures. We'll discuss this more in the next section. Step 2.a Make a keypair The Enigmail Setup wizard may start automatically. If it doesn't, select Enigmail → Setup Wizard from your email program's menu. You don't need to read the text in the window that pops up unless you'd like to, but it's good to read the text on the later screens of the wizard. Click Next with the default options selected, except in these instances, which are listed in the order they appear: On the screen titled "Encryption," select "Encrypt all of my messages by default, because privacy is critical to me." On the screen titled "Signing," select "Don't sign my messages by default." On the screen titled "Key Selection," select "I want to create a new key pair for signing and encrypting my email." On the screen titled "Create Key," pick a strong password! You can do it manually, or you can use the Diceware method. Doing it manually is faster but not as secure. Using Diceware takes longer and requires dice, but creates a password that is much harder for attackers to figure out. To use it, read the section "Make a secure passphrase with Diceware" in this article by Micah Lee. If you'd like to pick a password manually, come up with something you can remember which is at least twelve characters long, and includes at least one lower case and upper case letter and at least one number or punctuation symbol. Never pick a password you've used elsewhere. Don't use any recognizable patterns, such as birthdays, telephone numbers, pets' names, song lyrics, quotes from books, and so on. The program will take a little while to finish the next step, the "Key Creation" screen. While you wait, do something else with your comp...