Now I understand why almost no one encrypts their mail

Email encryption is a difficult and painful procedure. Recently, I myself realized how much. A friend of mine, very advanced in the field of information security, sent me her PGP public key and asked me to switch to encryption. No, she’s not from the NSA or the CIA, she’s just an ordinary person who cares about her privacy. I had never sent encrypted letters before, but I thought, “Why not?” For many years I wanted to learn this, but there was no one to exchange encrypted letters with.

I started by installing GnuPG on my Linux machine.

GnuPG is similar to PGP in that it uses public and private keys for encryption and decryption, but it comes open source and comes with many Linux distributions. Another open source version of PGP is OpenPGP.

GnuPG for Windows called Gpg4win can be downloaded from official site. I chose a general method for encrypting and decrypting messages, which is not tied to any email provider, because I did not want to limit myself to the possibility of encryption with only one provider. In addition, the only way to make sure that even the mail provider does not have access to your letters is to encrypt them yourself. The Most Complete GnuPG Guide I Found on the How-To Geek website.

I imported my friend’s public key using this command:

gpg --import her_public_key_file.key

In this team her_public_key_file.key replaced by the actual public key file. Then I checked that her key was imported successfully:

gpg --list-keys

A message like this appeared:

pub 2048R/FFE7947D 2019-10-11 [expires: 2021-10-10]
uid her_email@her_email_provider.com
sub 2048R/AB48FEC2 2019-10-11

This means that GnuPG recognizes its public key as valid and saves it for future use.

Then signed her public key:

gpg --sign-key her_email_address@email_provider.com

Signing the public key tells GnuPG that you trust this key, that is, it really came from this person. Each public key must be signed before messages from the owner of this public key can be decrypted. In my opinion, this step does not make any sense. Why would you import a key if you do not think it came from the right person?

Then I tried to generate my keys:

gpg --output ~/temp.key --armor --export My Name 

Well, after such a command, an error message popped up that the end of a new line was found. I thought that this could be due to spaces in my name and between the name and email address, so I tried various formats. After about an hour and many unsuccessful attempts, some of which looked like successful, but were not, I finally found the right command:

gpg --gen-key

The above command gives you a number of questions. At first I chose option “1”, then I chose the option of 2048-bit key length. Set an unlimited key validity period. I did not indicate the surname in the name field, but spaces are also supported there: you can specify both the name and surname. Then entered his email address. The comment field is left blank. And finally, he introduced a long passphrase. A passphrase is simply a synonym for a password. I wrote it down where it won’t get lost. In fact, I put it in a file encrypted using Truecrypt. A passphrase will be needed later in order to encrypt messages in case of reinstalling GnuPG on the hard disk and re-importing the keys. And do not forget to backup the keys themselves!

After creating the keys, we check the result:

gpg --list-keys

This command produces something like this:

pub 2048R/FFE7947D 2019-10-11 [expires: 2021-10-10]
uid her_email@her_email_provider.com
sub 2048R/AB48FEC2 2019-10-11


pub 2048R/3A785D3F 2020-02-22
uid My Name
sub 2048R/A7B384FE 2020-02-22

I ran the key generation twice because I was not sure if this result means there is a pair of public / private keys or only one key. Somehow, I eventually realized that I had created two key pairs, so I deleted the second pair.

Then I tried to export my public key to a file. The public key must be sent to everyone to whom you send the encrypted letter so that it can decrypt it. I’m not sure which command I used, but it produced a text file that starts with -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1. I sent this letter to my friend, and she answered me with an encrypted message.

I tried to decrypt the file message.asc with her letter:

gpg --decrypt message.asc > plain.txt

But GnuPG issued an error message that it could not find the secret key:

gpg: encrypted with RSA key, ID XXXXXXXX
gpg: decryption failed: secret key not available

But I saw my secret key. I could even export it. I knew he was! What can I say, sometimes programmers write really terrible error messages. At this point, I had already begun to experience some irritation.

I did not know what I did wrong. The only thing I could assume was that somehow I couldn’t create the keys correctly. Either that, or I exported the wrong public key. So I decided to start all over again. I deleted my key pair, generated a new key pair and exported my public key to a file using this command:

gpg --output ~/my_public_gpg_key.key --armor --export My Name my-email@my-email-povider.com

Then he sent a friend a new public key. Parameter --armor tells GnuPG to create a public key file in text form. File Name – my_public_gpg_key.key.

She again encrypted her message and sent it to me. When I tried to decrypt it, I again saw the same error message:

gpg: encrypted with RSA key, ID XXXXXXXX
gpg: decryption failed: secret key not available

This time, I noticed that the key identifier matches my old public key, not the new one. I decided that she was wrong, and asked her to try again with a new key. Then, to make sure that I was not mistaken, I decided to check that the key that I used was really my new key. The new key that I sent was not even one of my public keys! It was her public key, which began with -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1! Somehow I exported her key with the addition of Version: GnuPG v1! I know this, because I still had a file with her key, which she sent me, and it starts with -----BEGIN PGP PUBLIC KEY BLOCK-----. Not there Version: GnuPG v1! And her public key matches the one I sent her.

I re-exported my public key using the same command above. This time I checked that it was really my key before sending it to her by e-mail. From Internet GnuPG reference materials, I found out that a message about the lack of a secret key may appear if people use different versions of GnuPG. I mentioned this to her when I sent a new key by email.

A few weeks later I received a response letter. By this time, I had already decided that she had surrendered. Over the following weeks, I had some problems with the computer, which made it necessary to reformat the hard drive. So I had to reinstall GnuPG, re-import my keys and re-import its public key. Fortunately, I made backups! Then I answered her last letter with another letter that I encrypted with this command:

gpg --encrypt --sign --armor -r her-email@her-email-provider.com --passphrase my-pass-phrase my-msg.txt

Of course, this is not my real password, I replaced it with my-pass-phraseand unencrypted message on my-msg.txt. A ciphertext was generated, and its file was called my-msg.tx.gpg. I could not find any information on how to decrypt my own ciphertext myself, so I had to send it to her, not knowing if I had encrypted it correctly. I only knew that he seemed to be the right size. After a couple of weeks, I received from her a new encrypted letter on a different topic. Only then did the confidence appear that I had finally reached the point where we can successfully communicate via encrypted email. The whole process from start to finish took more than a month! I’m still trying to automate the GnuPG commands to use them without thinking too much about what I’m doing.

From this experience, I realized that encrypted email, although an interesting exercise, is not very practical. Unless you are the Edward Snowden monitored by the NSA, you are unlikely to be able to justify the effort to create and use encrypted mail. And if you are not Edward Snowden with important secrets, it is unlikely that anyone will want to spend energy on encrypting correspondence with you.

Encrypting and decrypting email, as I have with GnuPG, is just too tedious. Since I have already spent too much effort on this, I will continue to use it to communicate with my online friend. But I would not recommend that an ordinary person use GnuPG to encrypt email, if this can be avoided. I understand that there are simpler solutions on the market from specific mail providers, such as Protonmail, but most people will not want to change the provider to use them. We all need an easier way to send and receive encrypted mail without changing the mail provider. GnuPG is not a solution. If you know a simpler way to encrypt mail, please consider leaving a comment.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *