Heya, I found how you can digitally sign and encrypt emails! (It even gives them a cool icon for others to see!), and I haven't seen anything about it before so I thought I'd share how I did it!
Do you also want to send encrypted emails and sign them? Just follow these few steps!
But beforehand, let's define some terms:
- Signed email: an email carrying a valid digital signature. Anyone can read it and can check that it has not been modified since it was sent.
- Encrypted email: an email encrypted with the recipient's public key. Only they can decrypt it, with their private key.
- S/MIME certificate: a .p12 file containing your private key (so keep it for yourself and don't send it to anyone!!) and your public key.
Okay, now it's time to...
Start the setup (Obtain an S/MIME certificate)
- You'll need to ask an authority for a certificate. Personally I use Actalis because they give free certificates for multiple email addresses, valid for a year (you need to redo the setup every year). If you don't want to use Actalis, more info is available here.
- Don't forget to switch the website to English if you don't understand Italian.
- Go to the page to request an S/MIME certificate, create an account and follow the setup. The verification email can take a little while (~2 min).
- When the setup ends, you'll have a valid certificate in your dashboard (it can take a few minutes to appear if you just verified it) that you can download, and a password that Actalis emailed you to enable your certificate.
Install the certificate
- Download the .p12 file, then open it, type your password, and leave the default options to install the certificate on your device (Android or PC; on Android pick "For VPN and apps"). Don't delete your old one, so you can still decrypt old messages sent under the expired certificate.
- Use an S/MIME-compatible email client. On PC, there is Thunderbird; on Android, FairEmail.
- In your email client settings, import the S/MIME certificate for signing AND encrypting your messages. The exact steps depend on your client, so here they are for Thunderbird:
- In the top-right menu, go to Account settings, End-to-end encryption; under S/MIME click on Manage S/MIME certificates, then Import, and pick your .p12 file. Then click Select a certificate, and pick yours from the tab "Your certificates".
An image is worth a thousand words (Sorry for the French)
Don't forget to check the box to sign and/or encrypt every message, just below, if you want!
Communicate with someone
Once this is done, here is how you can communicate...
- ...While signing your messages:
It's easy, just click on "Sign" before sending. Usually, email clients show a small medal next to your name to show the email is signed.
- ...While encrypting your messages:
For that, you'll need your recipient's public key. They need to send you a signed message (not encrypted, since you don't have each other's key at this point); you can get their public key from their signature and add it to your email client, which will allow you to encrypt messages you send to them. Then, send them a signed email (you can encrypt it) so they can get your public key and add it to their client, and then you'll be able to exchange encrypted emails!
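To make the exchange above concrete, here is an added example (not from the original post, and not what Thunderbird does internally) that runs the same steps with the openssl command line. It builds two throwaway self-signed identities ("alice" and "bob", the password "demo" and the temporary directory are assumptions made for the demo; a real certificate comes from a CA such as Actalis), exports one as a .p12, signs a message, verifies it, pulls the signer's certificate out of the signature, and encrypts a reply back to that certificate. It also checks the two failure modes the definitions imply: a tampered signed message no longer verifies, and the wrong private key cannot decrypt.

```shell
#!/bin/sh
# Added demo (not part of the guide): S/MIME sign / verify / encrypt / decrypt
# with openssl. "alice", "bob", password "demo" and $WORK are demo assumptions.
set -e

WORK="$(mktemp -d)"

# make_identity NAME EMAIL
# Self-signed key + certificate, packaged as NAME.p12. In real use the
# certificate is issued by a CA (e.g. Actalis); here each user is their own CA.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1/emailAddress=$2" -addext "subjectAltName=email:$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    openssl pkcs12 -export -passout pass:demo \
        -inkey "$WORK/$1.key" -in "$WORK/$1.crt" -out "$WORK/$1.p12"
}

# p12_items FILE: prints how many PEM objects the .p12 holds (key + cert = 2).
# This is why the guide says never to hand the .p12 to anyone: it carries the
# private key, not just the public certificate.
p12_items() {
    openssl pkcs12 -in "$1" -passin pass:demo -nodes 2>/dev/null \
        | grep -c -E '^-----BEGIN (PRIVATE KEY|CERTIFICATE)-----'
}

# sign_mail SENDER INFILE OUTFILE: signed, unencrypted S/MIME message.
# The signer's certificate travels inside the signature; that is how the
# recipient obtains the sender's public key.
sign_mail() {
    openssl smime -sign -text -in "$2" -out "$3" \
        -signer "$WORK/$1.crt" -inkey "$WORK/$1.key"
}

# verify_mail TRUSTED_CERT INFILE OUTFILE SIGNER_OUT: checks the signature,
# writes the verified body to OUTFILE and the signer's certificate to
# SIGNER_OUT. TRUSTED_CERT stands in for the CA certificate a client trusts.
verify_mail() {
    openssl smime -verify -text -in "$2" -out "$3" -signer "$4" \
        -CAfile "$1" 2>/dev/null
}

# encrypt_mail RECIPIENT_CERT INFILE OUTFILE: encrypt to the recipient's public key.
encrypt_mail() {
    openssl smime -encrypt -aes256 -text -in "$2" -out "$3" "$1"
}

# decrypt_mail NAME INFILE OUTFILE: only NAME's private key can open it.
decrypt_mail() {
    openssl smime -decrypt -text -in "$2" -out "$3" \
        -inkey "$WORK/$1.key" -recip "$WORK/$1.crt" 2>/dev/null
}

# run_exchange: the bootstrap the guide describes. Prints "ok" on success.
run_exchange() {
    make_identity alice alice@example.com
    make_identity bob bob@example.com
    printf 'Hi Bob, here is my signed mail so you get my public key.\n' > "$WORK/m1.txt"
    # 1. Alice sends a signed (not encrypted) message.
    sign_mail alice "$WORK/m1.txt" "$WORK/m1.eml"
    # 2. Bob verifies it and keeps Alice's certificate from the signature.
    verify_mail "$WORK/alice.crt" "$WORK/m1.eml" "$WORK/m1.verified" "$WORK/alice-from-sig.crt"
    # 3. Bob encrypts to Alice with the certificate he pulled from her signature.
    printf 'Hi Alice, this one only you can read.\n' > "$WORK/m2.txt"
    encrypt_mail "$WORK/alice-from-sig.crt" "$WORK/m2.txt" "$WORK/m2.eml"
    decrypt_mail alice "$WORK/m2.eml" "$WORK/m2.dec"
    grep -q 'only you can read' "$WORK/m2.dec" && echo ok
}

# bob_cannot_read: Bob's key must not open mail encrypted to Alice.
# Returns 0 when decryption correctly fails.
bob_cannot_read() {
    if decrypt_mail bob "$WORK/m2.eml" "$WORK/m2.bob"; then return 1; fi
    return 0
}

# tamper_detected: alter one word of the signed message; the signature must
# then fail to verify. Returns 0 when the tampering is detected.
tamper_detected() {
    sed 's/Hi Bob/Hi Rob/' "$WORK/m1.eml" > "$WORK/m1-tampered.eml"
    if verify_mail "$WORK/alice.crt" "$WORK/m1-tampered.eml" /dev/null /dev/null; then return 1; fi
    return 0
}

RESULT="$(run_exchange)"
echo "exchange: $RESULT"
echo "alice.p12 holds $(p12_items "$WORK/alice.p12") objects (private key + certificate)"
bob_cannot_read && echo "bob cannot decrypt mail addressed to alice"
tamper_detected && echo "tampered signed mail fails verification"
```

Run it as a script on a machine with openssl installed. Two things worth keeping in mind from the output: S/MIME protects the message body only, so the Subject and the other headers travel in the clear even for encrypted mail; and the certificate a recipient pulls out of a signature is only as trustworthy as the CA chain the client validates it against (in the demo, alice.crt stands in for that CA).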
I'm not an expert and probably made a few mistakes, if you spot any please tell me in the comments and I'll try to fix the guide!
https://www.latacora.com/blog/2019/07/16/the-pgp-problem/ is a good summary about the issue
Good counter discussion about PGP security
https://www.reddit.com/r/cryptography/comments/10cfslk/exactly_how_strong_is_pgp/
I would argue that latacora could be an attempt to push users into the systems that provide 3rd party service, which by definition of 3rd party service is not secure: WhatsApp, Signal.
Only true P2P can be safe. PGP provides ability to send encrypted message using any means necessary: FTP, HTTP, anonymous services, USB sticks, anything.