Mail Encryption with PGP

Web: Mailvelope

If you use the browser to read and send emails, you can also use PGP. But hold on a second and think about what that means.

A browser is a piece of software that downloads arbitrary software from the web and executes it.

That doesn't sound like a good environment to place your private key in. You cannot be sure whether the website contains JavaScript that sends your private key away or signs things in your name. Even if you trust the website owner, somebody could hack the website or modify it with a man-in-the-middle attack.

Long story short: I don't recommend loading your private key into a web application, even if it claims that it will keep it locally.

But there's a good option for you: Mailvelope. It's a browser extension for Chrome and Mozilla Firefox that enables you to use PGP encryption. The JavaScript of loaded websites cannot access things that are stored in browser extensions.

Installation

  • Install the browser plugin.
  • Export your key (including the private key) to a file.
  • Open Mailvelope in your browser, select "Import Keys" and then upload your key file.

  • Be sure to delete your key file (containing the private key) that is probably now lying around on your desktop.
  • Mailvelope is preconfigured to work with Yahoo, GMX, Google Mail and Live Mail. Check "Watch List" to add more sites if needed.
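
The cleanup step above can be checked with a script. This is an added example, not part of the original guide or of Mailvelope: it scans a folder for files that look like exported private keys (ASCII-armored or binary) and reports whether other users can read them. The function names and the sample files are assumptions constructed for illustration, and the binary check is a heuristic on the first byte only.

```python
import os
import stat
import tempfile

ARMOR_MARKER = b"-----BEGIN PGP PRIVATE KEY BLOCK-----"

def holds_private_key(head: bytes) -> bool:
    """True if the data looks like an exported OpenPGP secret key."""
    if ARMOR_MARKER in head:
        return True
    if not head or not head[0] & 0x80:  # bit 7 is set on every packet header
        return False
    first = head[0]
    # Packet tag 5 = Secret-Key packet (RFC 4880): the new header format
    # keeps the tag in bits 5-0, the old format keeps it in bits 5-2.
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return tag == 5

def find_key_files(root):
    """Walk root and return (path, readable_by_others) for leftover key files."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if not os.path.isfile(path):
                continue  # skip sockets, FIFOs and broken links
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
                mode = os.stat(path).st_mode
            except OSError:
                continue  # unreadable file: nothing to inspect
            if holds_private_key(head):
                hits.append((path, bool(mode & (stat.S_IRGRP | stat.S_IROTH))))
    return sorted(hits)

def demo():
    """Constructed sample folder: one armored export and one unrelated note."""
    with tempfile.TemporaryDirectory() as desktop:
        key = os.path.join(desktop, "mykey.asc")
        with open(key, "wb") as fh:
            fh.write(ARMOR_MARKER + b"\n\n(constructed placeholder, not a real key)\n")
        os.chmod(key, 0o644)
        with open(os.path.join(desktop, "notes.txt"), "w") as fh:
            fh.write("shopping list\n")
        return [(os.path.basename(p), exposed) for p, exposed in find_key_files(desktop)]

if __name__ == "__main__":
    print(demo())
```

Run find_key_files on your desktop or download folder after the import into Mailvelope; every file it lists still contains your private key and should be deleted.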

Extra Security

A malicious website might open dialogs/windows that look like Mailvelope, tricking you into providing sensitive data. To avoid this, you can define a so-called security token under "Security".

This token appears in all dialogs/windows that are genuinely from Mailvelope.

Encryption

When composing a message, a Mailvelope icon will appear. Click it to open Mailvelope's Compose Mail window.
Type your message and click the lock on the right to encrypt it. You have to select the keys you want your message encrypted for. "Transfer" will put the encrypted message into the input field of your webmail and you're good to go.

Mailvelope does not encrypt attachments and subject lines!

Decryption

When you open the encrypted mail, Mailvelope indicates that it can decrypt the message. Simply click on it (you may have to provide your private key password) and it will appear in clear text.

Possible Alternative

Google is working on a similar browser add-on for Chrome: http://googleonlinesecurity.blogspot.nl/2014/06/making-end-to-end-encryption-easier-to.html