hckr.fyi // thoughts

How to Encrypt Emails Using PGP (GPG) in Outlook 2016

by Michael Szul on

Edward Snowden is a polarizing public figure, but regardless of how you feel about the man or what he did, the knowledge that the federal government had basically declared open season on all communications between citizens, and had begun gathering and storing all personal emails, phone call records, text messages, etc. was a sudden revelation. Furthermore, it was revealed that the U.S. government either had--or was asking for--a backdoor into every major Internet and technology provider, including Google, Microsoft, Yahoo, and Apple. The most recent public fight between Apple and the FBI, over the government wanting a backdoor to break into an iPhone, has sparked an intense debate over security versus the nanny state, and prompted the Facebook-owned WhatsApp to deploy end-to-end encryption of all messages on their service.

Paranoia aside, it's important to know that privacy violations can occur, as can the theft of intellectual property and research. With that in mind, it is just as important to know how to implement and use encrypted email. Unfortunately, that task often seems furthest outside the wheelhouse of Windows users (Linux people can always drop into a command line and use the powerful tools provided there).

Getting Around the Software

The first thing you need to do is install Gpg4win. This is a Windows distribution of several GPG tools. GPG itself is a GNU-licensed implementation of the Open PGP standard, which is the open specification derived from PGP--a data encryption and decryption program that is the gold standard for email.

With the alphabet soup out of the way (and Gpg4win installed), create your public and private keys using the Kleopatra app that was installed:

File => New Certificate

Choose the option to create a personal Open PGP key pair. Type in your name and your email, then continue. It will show your information back to you for review, and then you can create your key.

The key creation will ask for a passphrase, so be sure to use an actual passphrase you can remember, but not a password that you reuse for every Internet account you create. You will also be prompted for an expiration date, if you choose to set one.

Once that is created, you will have the option to export your keys locally. For the sake of getting around the program a little more, just finish the key creation and ignore this for now.

Kleopatra will show you your certificate in the open window. If you right click on it, you'll see several options, including "export certificates," "export secret keys," and "export certificates to server." Choosing the first option will allow you to download your public key, which is what others need in order to send you encrypted email. The second option will allow you to download your private key, which you should do, and store in a safe place--perhaps on a USB drive in a safe. Be sure to check the box for ASCII armor. The last option will upload your public key to an Open PGP compliant server. This will make it easier for people to send encrypted emails to you, as they should be able to pull your public key from the server instead of you sending it to them.

Microsoft Outlook

Gpg4win comes with a GpgOL Outlook plugin, but unfortunately, as of this writing, it does not seem to work with Outlook 2016. Instead, get the latest Outlook Privacy Plugin, and use that. Installation is straightforward, and when done, you'll have an "Add-ins" ribbon on your Outlook, and an Open PGP section on your email messages.

Receiving Email

Receiving email is easy. If someone sends you an encrypted email (and correctly uses your public key), when that message comes in and you double-click on it, you'll be prompted for the passphrase you used when you created your key. Once the passphrase unlocks your private key, the message is decrypted.

Sending Email

In order to send email, you will need the recipient's public key. You can get this in one of two ways: directly from the person, or from a key server. In the case of the latter, click "Lookup server certificates" in Kleopatra, enter the person's email address, and search for it. If it finds the person's certificate, you can click on it and hit "import." With the former, you'll need the person to send you their public key (some people also post it online). Save this data to disk, then click "Import certificates" and choose the file you just saved.

With the certificate installed, you can create a new email message, then before sending, click on the "Encrypt" toggle on the Open PGP section. When you go to send the message, it'll encrypt it first. If you do not have the person's certificate installed, it'll prompt you with a window from which to select recipients whose keys you do have.

Fingerprint verification

Sometimes you need to verify that the key you have installed is the actual key of the person to whom you wish to send a message. A lot of people use the key fingerprint for this. In Kleopatra, if you right click on a certificate and choose "Certificate Details," you'll see an entry for Key-ID and Fingerprint. Some people use either one as a short identifier for themselves, whether in email signatures or Twitter descriptions. You simply match the supplied one up with the one that Kleopatra is showing you, and if it matches, you have the correct pairing. This doesn't prove that the other person is who they claim to be, but it is an added layer of protection.
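As an added example (not code from the original post, nor from Gpg4win or Kleopatra), the following Python script shows what is inside the ASCII-armored file that "export certificates" writes, and where the Fingerprint and Key-ID shown under "Certificate Details" come from. It parses the armor, checks the CRC-24 line so a block mangled in transit is rejected, decodes the public-key packet header, and derives the v4 fingerprint and Key-ID as RFC 4880 specifies. The RSA modulus, exponent and creation time are constructed for the demo and are not a real key; the function and constant names are the example's own.

```python
# Added example (not the post's or Gpg4win's code): parse an ASCII-armored
# OpenPGP public key block and derive the v4 fingerprint / Key-ID shown by
# Kleopatra. Layout, CRC-24 and fingerprint rules follow RFC 4880; the key
# material below is constructed for the demo and is not a real RSA key.
import base64
import hashlib
import re
import struct

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """Armor checksum (RFC 4880 6.1): init 0xB704CE, polynomial 0x1864CFB."""
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def mpi(value: int) -> bytes:
    """Multi-precision integer: 2-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def build_v4_rsa_public_key_packet(n: int, e: int, created: int, old_format: bool = False) -> bytes:
    """Tag-6 packet: version 4, creation time, algorithm 1 (RSA), MPIs n and e."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    if old_format:  # 0x99 = old-style header, tag 6, two-octet length (what the fingerprint hash starts with)
        return b"\x99" + struct.pack(">H", len(body)) + body
    if len(body) < 192:
        return bytes([0xC6, len(body)]) + body
    rem = len(body) - 192  # new-format two-octet length covers 192..8383
    return bytes([0xC6, (rem >> 8) + 192, rem & 0xFF]) + body

def armor(packet: bytes) -> str:
    """Wrap a packet as an ASCII-armored export: base64 lines plus a '=' CRC-24 line."""
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "Comment: constructed example, not a real key", ""] + lines + [crc_line, END, ""])

def dearmor(text: str) -> bytes:
    """Strip the armor and verify the CRC-24, rejecting a block corrupted in transit."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PGP public key block")
    inner = lines[1:-1]
    blank = next((i for i, ln in enumerate(inner) if not ln.strip()), -1)  # armor headers end at the blank line
    data_lines = [ln.strip() for ln in inner[blank + 1:] if ln.strip()]
    if not data_lines or not data_lines[-1].startswith("="):
        raise ValueError("missing armor checksum line")
    crc_line = data_lines.pop()
    data = base64.b64decode("".join(data_lines), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor checksum mismatch: block corrupted or edited")
    return data

def parse_public_key_packet(data: bytes) -> dict:
    """Decode an old- or new-format packet header and derive fingerprint and Key-IDs."""
    tag_octet = data[0]
    if not tag_octet & 0x80:
        raise ValueError("invalid packet header")
    if tag_octet & 0x40:  # new format: tag in the low 6 bits, variable-width length
        tag, first = tag_octet & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old format: tag in bits 2-5, length type in bits 0-1
        tag, ltype = (tag_octet >> 2) & 0x0F, tag_octet & 0x03
        fmt, off = {0: (">B", 2), 1: (">H", 3), 2: (">I", 5)}.get(ltype, (None, 0))
        if fmt is None:
            raise ValueError("indeterminate length not supported")
        length = struct.unpack(fmt, data[1:off])[0]
    if tag != 6:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    body = data[off:off + length]
    if len(body) != length or body[0] != 4:
        raise ValueError("truncated packet or non-v4 key")
    # v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, two-byte body length, body.
    fp = hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()
    return {"created": struct.unpack(">I", body[1:5])[0], "algorithm": body[5],  # 1 = RSA
            "fingerprint": fp, "key_id": fp[-16:], "short_key_id": fp[-8:]}  # low 64 / 32 bits

def fingerprints_match(shown_by_kleopatra: str, supplied_out_of_band: str) -> bool:
    """Compare the spaced form from a signature or bio against Kleopatra's; require all 160 bits."""
    def norm(t: str) -> str:
        return re.sub(r"[^0-9A-Fa-f]", "", re.sub(r"^\s*0x", "", t, flags=re.I)).upper()
    a, b = norm(shown_by_kleopatra), norm(supplied_out_of_band)
    return len(a) == 40 and a == b  # a Key-ID prefix alone is too short to identify a key

# Constructed demo key: a 2048-bit odd integer used only to exercise the packet layout.
DEMO_N = int.from_bytes(hashlib.sha256(b"constructed demo modulus").digest() * 8, "big") | (1 << 2047) | 1
DEMO_E = 65537
DEMO_CREATED = 1460000000  # constructed creation timestamp

def demo() -> dict:
    """Export, re-import and inspect the constructed key, as the Kleopatra round trip would."""
    return parse_public_key_packet(dearmor(armor(build_v4_rsa_public_key_packet(DEMO_N, DEMO_E, DEMO_CREATED))))
```

Run it and `demo()` returns the fingerprint and Key-ID for the constructed key; feed `dearmor` a real exported `.asc` file instead to check that the file arrived intact, and compare the fingerprint it reports with the one the sender gave you out of band. The Key-ID is just the low 64 bits of the fingerprint (the short form only 32), which is why matching the full fingerprint is the check that counts.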

A good resource on email self-defense can be found at the Free Software Foundation's web site. It'll go through GPG installation and encrypted email sending for Linux, Windows, and Mac. For Windows, it walks you through using the Thunderbird mail client with the Enigmail plugin, which is another reason why this blog post deals with Outlook.