Playlist
  • Mac user?

    Tips and tools to help you protect your data and communications.

    This playlist is designed to walk Mac users through a set of tips and tools that they can use to protect their online communications and help prevent snoopers from spying.

  • An Introduction to Threat Modeling

    There is no single solution for keeping yourself safe online. Digital security isn’t about which tools you use; rather, it’s about understanding the threats you face and how you can counter those threats. To become more secure, you must determine what you need to protect, and whom you need to protect it from. Threats can change depending on where you’re located, what you’re doing, and whom you’re working with. Therefore, in order to determine what solutions will be best for you, you should conduct a threat modeling assessment.

    When Conducting an Assessment, There are Five Main Questions you Should Ask Yourself:

    1. What do you want to protect?
    2. Who do you want to protect it from?
    3. How likely is it that you will need to protect it?
    4. How bad are the consequences if you fail?
    5. How much trouble are you willing to go through in order to try to prevent those?

    When we talk about the first question, we often refer to assets, or the things that you are trying to protect. An asset is something you value and want to protect. When we are talking about digital security, the assets in question are usually information. For example, your emails, contact lists, instant messages, and files are all assets. Your devices are also assets.

    Write down a list of data that you keep, where it’s kept, who has access to it, and what stops others from accessing it.

    In order to answer the second question, “Who do you want to protect it from,” it’s important to understand who might want to target you or your information, or who is your adversary. An adversary is any person or entity that poses a threat against an asset or assets. Examples of potential adversaries are your boss, your government, or a hacker on a public network.

    Make a list of who might want to get ahold of your data or communications. It might be an individual, a government agency, or a corporation.

    A threat is something bad that can happen to an asset. There are numerous ways that an adversary can threaten your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. An adversary could also disable your access to your own data.

    The motives of adversaries differ widely, as do their attacks. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video, whereas a political opponent may wish to gain access to secret content and publish it without you knowing.

    Write down what your adversary might want to do with your private data.

    The capability of your attacker is also an important thing to think about. For example, your mobile phone provider has access to all of your phone records and therefore has the capability to use that data against you. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.

    A final thing to consider is risk. Risk is the likelihood that a particular threat against a particular asset will actually occur, and goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.

    It is important to distinguish between threats and risks. While a threat is a bad thing that can happen, risk is the likelihood that the threat will occur. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).

    Conducting a risk analysis is both a personal and a subjective process; not everyone has the same priorities or views threats in the same way. Many people find certain threats unacceptable no matter what the risk, because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.

    In a military context, for example, it might be preferable for an asset to be destroyed than for it to fall into enemy hands. Conversely, in many civilian contexts, it's more important for an asset such as email service to be available than confidential.

    Now, Let’s Practice Threat Modeling

    If you want to keep your house and possessions safe, here are a few questions you might ask:

    • Should I lock my door?
    • What kind of lock or locks should I invest in?
    • Do I need a more advanced security system?
    • What are the assets in this scenario?
      • The privacy of my home
      • The items inside my home
    • What is the threat?
      • Someone could break in.
    • What is the actual risk of someone breaking in? Is it likely?

    Once you have asked yourself these questions, you are in a position to assess what measures to take. If your possessions are valuable, but the risk of a break-in is low, then you probably won’t want to invest too much money in a lock. On the other hand, if the risk is high, you’ll want to get the best locks on the market, and perhaps even add a security system.

    Last updated: 
    2015-01-12
  • Communicating with Others

    Telecommunication networks and the Internet have made communicating with people easier than ever, but have also made surveillance more prevalent than it has ever been in human history. Without taking extra steps to protect your privacy, every phone call, text message, email, instant message, voice over IP (VoIP) call, video chat, and social media message may be vulnerable to eavesdroppers.

    Often the safest way to communicate with others is in person, without computers or phones being involved at all. Because this isn’t always possible, the next best thing is to use end-to-end encryption while communicating over a network if you need to protect the content of your communications.

    How Does End-to-End Encryption Work?

    When two people want to communicate securely (for example, Akiko and Boris) they must each generate crypto keys. Before Akiko sends a message to Boris she encrypts it to Boris's key so that only Boris can decrypt it. Then she sends the already-encrypted message across the Internet. If anyone is eavesdropping on Akiko and Boris—even if they have access to the service that Akiko is using to send this message (such as her email account)—they will only see the encrypted data and will be unable read the message. When Boris receives it, he must use his key to decrypt it into a readable message.

    End-to-end encryption involves some effort, but it's the only way that users can verify the security of their communications without having to trust the platform that they're both using. Some services, such as Skype, have claimed to offer end-to-end encryption when it appears that they actually don't. For end-to-end encryption to be secure, users must be able to verify that the crypto key they're encrypting messages to belongs to the people they believe they do. If communications software doesn't have this ability built-in, then any encryption that it might be using can be intercepted by the service provider itself, for instance if a government compels it to.

    You can read Freedom of the Press Foundation's whitepaper, Encryption Works for detailed instructions on using end-to-end encryption to protect instant messages and email. Be sure to check out the following SSD modules as well:

    Voice Calls

    When you make a call from a landline or a mobile phone, your call is not end-to-end encrypted. If you're using a mobile phone, your call may be (weakly) encrypted between your handset and the cell phone towers. However as your conversation travels through the phone network, it's vulnerable to interception by your phone company and, by extension, any governments or organizations that have power over your phone company. The easiest way to ensure you have end-to-end encryption on voice conversations is to use VoIP instead.

    Beware! Most popular VoIP providers, such as Skype and Google Hangouts, offer transport encryption so that eavesdroppers cannot listen in, but the providers themselves are still potentially able to listen in. Depending on your threat model, this may or may not be a problem.

    Some services that offer end-to-end encrypted VoIP calls include:

    In order to have end-to-end encrypted VoIP conversations, both parties must be using the same (or compatible) software.

    Text Messages

    Standard text (SMS) messages do not offer end-to-end encryption. If you want to send encrypted messages on your phone, consider using encrypted instant messaging software instead of text messages.

    Some end-to-end encrypted instant messaging services use their own protocol. So, for instance, users of Signal on Android and iOS can chat securely with others who use those programs. ChatSecure is a mobile app that encrypts conversations with OTR on any network that uses XMPP, which means you can choose from a range of independent instant messaging services.

    Instant Messages

    Off-the-Record (OTR) is an end-to-end encryption protocol for real-time text conversations that can be used on top of a variety of services.

    Some tools that incorporate OTR with instant messaging include:

    Email

    Most email providers give you a way of accessing your email using a web browser, such as Firefox or Chrome. Of these providers, most of them provide support for HTTPS, or transport-layer encryption. You can tell that your email provider supports HTTPS if you log in to your webmail and the URL at the top of your browser begins with the letters HTTPS instead of HTTP (for example: https://mail.google.com).

    If your email provider supports HTTPS, but does not do so by default, try replacing HTTP with HTTPS in the URL and refresh the page. If you’d like to make sure that you are always using HTTPS on sites where it is available, download the HTTPS Everywhere browser add-on for Firefox or Chrome.

    Some webmail providers that use HTTPS by default include:

    • Gmail
    • Riseup
    • Yahoo

    Some webmail providers that give you the option of choosing to use HTTPS by default by selecting it in your settings. The most popular service that still does this is Hotmail.

    What does transport-layer encryption do and why might you need it? HTTPS, also referred to as SSL or TLS, encrypts your communications so that it cannot be read by other people on your network. This can include the other people using the same Wi-Fi in an airport or at a café, the other people at your office or school, the administrators at your ISP, malicious hackers, governments, or law enforcement officials. Communications sent over your web browser, including the web pages that you visit and the content of your emails, blog posts, and messages, using HTTP rather than HTTPS are trivial for an attacker to intercept and read.

    HTTPS is the most basic level of encryption for your web browsing that we recommend for everybody. It is as basic as putting on your seat belt when you drive.

    But there are some things that HTTPS does not do. When you send email using HTTPS, your email provider still gets an unencrypted copy of your communication. Governments and law enforcement may be able to access this data with a warrant. In the United States, most email providers have a policy that says they will tell you when you have received a government request for your user data as long as they are legally allowed to do so, but these policies are strictly voluntary, and in many cases providers are legally prevented from informing their users of requests for data. Some email providers, such as Google, Yahoo, and Microsoft, publish transparency reports, detailing the number of government requests for user data they receive, which countries make the requests, and how often the company has complied by turning over data.

    If your threat model includes a government or law enforcement, or you have some other reason for wanting to make sure that your email provider is not able to turn over the contents of your email communications to a third party, you may want to consider using end-to-end encryption for your email communications.

    PGP (or Pretty Good Privacy) is the standard for end-to-end encryption of your email. Used correctly, it offers very strong protections for your communications. For detailed instructions on how to install and use PGP encryption for your email, see:

    What End-To-End Encryption Does Not Do

    End-to-end encryption only protects the content of your communication, not the fact of the communication itself. It does not protect your metadata—which is everything else, including the subject line of your email, or who you are communicating with and when.

    Metadata can provide extremely revealing information about you even when the content of your communication remains secret.

    Metadata about your phone calls can give away some very intimate and sensitive information. For example:

    • They know you rang a phone sex service at 2:24 am and spoke for 18 minutes, but they don't know what you talked about.
    • They know you called the suicide prevention hotline from the Golden Gate Bridge, but the topic of the call remains a secret.
    • They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour, but they don't know what was discussed.
    • They know you received a call from the local NRA office while it was having a campaign against gun legislation, and then called your senators and congressional representatives immediately after, but the content of those calls remains safe from government intrusion.
    • They know you called a gynecologist, spoke for a half hour, and then called the local Planned Parenthood's number later that day, but nobody knows what you spoke about.

    If you are calling from a cell phone, information about your location is metadata. In 2009, Green Party politician Malte Spitz sued Deutsche Telekom to force them to hand over six months of Spitz’s phone data, which he made available to a German newspaper. The resulting visualization showed a detailed history of Spitz’s movements.

    Protecting your metadata will require you to use other tools, such as Tor, at the same time as end-to-end encryption.

    For an example of how Tor and HTTPS work together to protect the contents of your communications and your metadata from a variety of potential attackers, you may wish to take a look at this explanation.

    Last updated: 
    2015-11-19
  • Key Verification

    When encryption is used properly, your communications or information should only be readable by you and the person or people you’re communicating with. End-to-end encryption protects your data from surveillance by third parties, but if you’re unsure about the identity of the person you’re talking to, its usefulness is limited. That’s where key verification comes in. By verifying public keys, you and the person with whom you’re communicating add another layer of protection to your conversation by confirming each other’s identities, allowing you to be that much more certain that you’re talking to the right person.

    Key verification is a common feature of protocols that use end-to-end encryption, such as PGP and OTR. To verify keys without the risk of interference, it's advisable to use a secondary method of communicating other than the one you’re going to be encrypting; this is called out-of-band verification. For example, if you are verifying your OTR fingerprints, you might email your fingerprints to one another. In that example, email would be the secondary communications channel.

    Verifying Keys Out-of-band

    There are several ways to do this. If it can be arranged safely and is convenient, it is ideal to verify keys face-to-face. This is often done at key-signing parties or amongst colleagues.

    If you cannot meet face-to-face, you can contact your correspondent through a means of communication other than the one for which you’re trying to verify keys. For example, if you’re trying to verify PGP keys with someone, you could use the telephone or an OTR chat to do so.

    Regardless of the program that you use, you will always be able to locate both your key and the key of your communication partner.

    Although the method of locating your key varies by program, the method of verifying keys remains approximately the same. You can either read your key’s fingerprint aloud (if you are face-to-face or using the telephone) or you can copy and paste it into a communications program, but whichever you choose, it is imperative that you check every single letter and numeral.

    Tip: Try verifying keys with one of your friends. To learn how to verify keys in a specific program, visit that program’s how-to guide.

    Last updated: 
    2015-02-10
  • How to: Use OTR for Mac

    Adium is a free and open source instant messaging client for OS X that allows you to chat with individuals across multiple chat protocols, including Google Hangouts, Yahoo! Messenger, Facebook chat, Windows Live Messenger, AIM, ICQ, and XMPP.

    OTR (Off-the-record) is a protocol that allows people to have confidential conversations using the messaging tools they’re already familiar with. This should not be confused with Google's “Off the record,” which merely disables chat logging, and does not have encryption or verification capabilities. For Mac users, OTR comes built-in with the Adium client.

    OTR employs end-to-end encryption. This means that you can use it to have conversations over services like Google Hangouts or Facebook without those companies ever having access to the contents of the conversations.  However, the fact that you are having a conversation is visible to the provider.

    Why Should I Use Adium + OTR?

    When you have a chat conversation using Google Hangouts or Facebook chat on the Google or Facebook websites, that chat is encrypted using HTTPS, which means the content of your chat is protected from hackers and other third parties while it’s in transit. It is not, however, protected from Google or Facebook, which have the keys to your conversations and can hand them over to authorities or use them for marketing purposes.

    After you have installed Adium, you can sign in to it using multiple accounts at the same time. For example, you could use Google Hangouts, Facebook, and XMPP simultaneously. Adium also allows you to chat using these tools without OTR. Since OTR only works if both people are using it, this means that even if the other person does not have it installed, you can still chat with them using Adium.

    Adium also allows you to do out-of-band verification to make sure that you’re talking to the person you think you’re talking to and you are not being subject to a man-in-the-middle attack. For every conversation, there is an option that will show you the key fingerprints it has for you and the person with whom you are chatting. A "key fingerprint" is a string of characters like "342e 2309 bd20 0912 ff10 6c63 2192 1928,” that’s used to verify a longer public key. Exchange your fingerprints through another communications channel, such as Twitter DM or email, to make sure that no one is interfering with your conversation. If the keys don't match, you can't be sure you're talking to the right person. In practice, people often use multiple keys, or lose and have to recreate new keys, so don't be surprised if you have to re-check your keys with your friends occasionally.

    Limitations: When Should I Not Use Adium + OTR?

    Technologists have a term to describe when a program or technology might be vulnerable to external attack: they say it has a large “attack surface.” Adium has a large attack surface. It is a complex program, which has not been written with security as a top priority. It almost certainly has bugs, some of which might be used by governments or even big companies to break into computers that are using it. Using Adium to encrypt your conversations is a great defense against the kind of untargeted dragnet surveillance that is used to spy on everyone's Internet conversations, but if you think you will be personally targeted by a well-resourced attacker (like a nation-state), you should consider stronger precautions, such as PGP-encrypted email.

    Installing Adium + OTR On Your Mac

    Step 1: Install the program

    First, go to https://adium.im/ in your browser. Choose “Download Adium 1.5.9.” The file will download as a .dmg, or disk image, and will probably be saved to your “downloads” folder.

    Double-click on the file; that will open up a window that looks like this:

    Move the Adium icon into the “Applications” folder to install the program. Once the program is installed, look for it in your Applications folder and double-click to open it.

    Step 2: Set up your account(s)

    First, you will need to decide what chat tools or protocols you want to use with Adium. The setup process is similar, but not identical, for each type of tool. You will need to know your account name for each tool or protocol, as well as your password for each account.

    To set up an account, go to the Adium menu at the top of your screen and click “Adium” and then “Preferences.” This will open a window with another menu at the top. Select “Accounts,” then click the “+” sign at the bottom of the window. You will see a menu that looks like this:

    Select the program that you wish to sign in to. From here, you will be prompted either to enter your username and password, or to use Adium’s authorization tool to sign in to your account. Follow Adium’s instructions carefully.

    How to Initiate an OTR Chat

    Once you have signed in to one or more of your accounts, you can start using OTR.

    Remember: In order to have a conversation using OTR, both people need to be using a chat program that supports OTR.

    Step 1: Initiate an OTR Chat

    First, identify someone who is using OTR, and initiate a conversation with them in Adium by double-clicking on their name. Once you have opened the chat window, you will see a small, open lock in the upper left-hand corner of the chat window. Click on the lock and select “Initiate Encrypted OTR Chat.”

    Step 2: Verify Your Connection

    Once you have initiated the chat and the other person has accepted the invitation, you will see the lock icon close; this is how you know that your chat is now encrypted (congratulations!) – But wait, there’s still another step!

    At this time, you have initiated an unverified, encrypted chat. This means that while your communications are encrypted, you have not yet determined and verified the identity of the person you are chatting with. Unless you are in the same room and can see each other’s screens, it is important that you verify each other’s identities. For more information, read the module on Key Verification.

    To verify another user’s identity using Adium, click again on the lock, and select “Verify.” You will be shown a window that displays both your key and the key of the other user. Some versions of Adium only support manual fingerprint verification. This means that, using some method, you and the person with whom you’re chatting will need to check to make sure that the keys that you are being shown by Adium match precisely.

    The easiest way to do this is to read them aloud to one another in person, but that’s not always possible. There are different ways to accomplish this with varying degrees of trustworthiness. For example, you can read your keys aloud to one another on the phone if you recognize each other’s voices or send them using another verified method of communication such as PGP. Some people publicize their key on their website, Twitter account, or business card.

    The most important thing is that you verify that every single letter and digit matches perfectly.

    Step 3: Disable Logging

    Now that you have initiated an encrypted chat and verified your chat partner’s identity, there’s one more thing you need to do. Unfortunately, Adium logs your OTR-encrypted chats by default, saving them to your hard drive. This means that, despite the fact that they’re encrypted, they are being saved in plain text on your hard drive.

    To disable logging, click “Adium” in the menu at the top of your screen, then “Preferences.” In the new window, select “General” and then disable “Log messages” and “Log OTR-secured chats.” Remember, though, that you do not have control over the person with whom you are chatting—she could be logging or taking screenshots of your conversation, even if you yourself have disabled logging.

    Your settings should now look like this:

    Also, when Adium displays notifications of new messages, the contents of those messages may be logged by the OS X Notification Center. This means that while Adium leaves no trace of your communications on your own computer or your correspondent's, either your or their computer's version of OS X may preserve a record. To prevent this, you may want to disable notifications.

    To do this, select "Events" in the Preferences window, and look for any entries that say "Display a notification." For each entry, expand it by clicking the gray triangle, and then click the newly-exposed line that say "Display a notification," then click the minus icon ("-") at the lower left to remove that line." If you are worried about records left on your computer, you should also turn on full-disk encryption, which will help protect this data from being obtained by a third party without your password.

    Last updated: 
    2015-08-21
  • How to: Use PGP for Mac OS X

    To use PGP to exchange secure emails you have to bring together three programs: GnuPG, Mozilla Thunderbird and Enigmail. GnuPG is the program that actually encrypts and decrypts the content of your mail, Mozilla Thunderbird is an email client that allows you to read and write emails without using a browser, and Enigmail is an add-on to Mozilla Thunderbird that ties it all together.

    What this guide teaches is how to use PGP with Mozilla Thunderbird, an email client program that performs a similar function to Outlook. You may have your own favorite email software program (or use a web mail service like Gmail or Outlook.com). This guide won't tell you how to use PGP with these programs. You can choose either to install Thunderbird and experiment with PGP with a new email client, or you can investigate other solutions to use PGP with your customary software. We have still not found a satisfactory solution for these other programs.

    Using PGP doesn't completely encrypt your email so that the sender and receiver information is encrypted. Encrypting the sender and receiver information would break email. What using Mozilla Thunderbird with the Enigmail add-on gives you is an easy way to encrypt the content of your email.

    You will first download all the software needed, install it, and then end with configuration and how to use the result.

    Pretty Good Privacy (PGP) is a way to protect your email communications from being read by anyone except their intended recipients. It can protect against companies, governments, or criminals spying on your Internet connection, and, to a lesser extent, it can save your email from being read if the computer on which they are stored is stolen or broken into.

    It can also be used to prove that an email came from a particular person, instead of being a fake message sent by another sender (it is otherwise very easy for email to be fabricated). Both of these are important defenses if you're being targeted for surveillance or misinformation.

    To use PGP, you will need to install some extra software that will work with your current email program. You will also need to create a private key, which you will keep private. The private key is what you will use to decrypt emails sent to you, and to digitally sign emails that you send to show they truly came from you. Finally, you'll learn how to distribute your public key—a small chunk of information that others will need to know before they can send you encrypted mail, and that they can use to verify emails you send.

    Getting and Installing GnuPG

    You can get GnuPG (also known as GPG) on Mac OS X by downloading the small installer from the GnuPG download page

    Click on GnuPG for OS X next to “Simple installer for GnuPG modern” which will download the GPG installer.

    You’ll get redirected to the SourceForge download website.

    Getting Mozilla Thunderbird

    Go to the Mozilla Thunderbird website

    Click on the green button labeled “Free Download.” The Mozilla Thunderbird website will have detected your preferred language. If you want to use Thunderbird in another language click on the “Systems & Languages” link and make your selection from there.

    Installing GnuPG

    Click the Download icon in the Dock and then click the GnuPG-2.11-002.dmg file.

    A window will open, indicating your progress.

    A window will open, giving you an overview of the Installation file and some other files. Click the “Install.pkgicon.

    Next, a window will open starting the guided installation. Click the “Continue” button.

    GnuPG is installed as a system package and requires your username and password to install. Enter your password and click “Install Software.”

    You will see a window that will say “The installation was successful.” Click the “Close” button.

    Installing Mozilla Thunderbird

    Click the Download icon in the Dock and then click the Thunderbird 45.2.0.dmg file.

    A window will open indicating your progress.

    A window will open with the Thunderbird icon and a link to your Applications folder. Drag Thunderbird to the Applications folder.

    A window with a progress bar will open, when it is done, it will close.

    Make sure to eject the mounted DMG files.

    Preparation for Enigmail installation

    When Mozilla Thunderbird launches for the first time, Mac OS X will ask you if you are sure you want to open it. Mozilla Thunderbird was downloaded from mozilla.org and should be safe, click the “Open” button.

    Mozilla Thunderbird can integrate with the Mac OS X address book, we leave this choice to you.

    When Mozilla Thunderbird launches for the first time, you will see this small confirmation window asking about some default settings. We recommend clicking the “Set as Default” button.

    When Mozilla Thunderbird launches for the first time, you will be asked whether you would like a new email address. Click the “Skip this and use my existing email” button. Now you will configure Mozilla Thunderbird to be able to receive and send email. If you are used to only reading and sending email through gmail.com, outlook.com, or yahoo.com, Mozilla Thunderbird will be a new experience, but it isn't that different overall.

    Adding a mail account to Mozilla Thunderbird

    A new window will open:

    Enter your name, your email address, and the password to your email account. Mozilla doesn't have access to your password or your email account. Click the “Continue” button.

    In many cases Mozilla Thunderbird will automatically detect the necessary settings.

    In some cases Mozilla Thunderbird doesn't have complete information and you'll need to enter it yourself. Here is an example of the instructions Google provides for Gmail:

    • Incoming Mail (IMAP) Server - Requires SSL
      • imap.gmail.com
      • Port: 993
      • Requires SSL: Yes
    • Outgoing Mail (SMTP) Server - Requires TLS
      • smtp.gmail.com
      • Port: 465 or 587
      • Requires SSL: Yes
      • Requires authentication: Yes
      • Use same settings as incoming mail server
    •  Full Name or Display Name: [your name or pseudonym]  
    • Account Name or User Name: your full Gmail address (username@gmail.com). Google Apps users, please enter username@your_domain.com
    • Email address: your full Gmail address (username@gmail.com) Google Apps users, please enter username@your_domain.com
    • Password: your Gmail password

    If you use two-factor authentication with Google (and depending on your threat model you probably should!) you cannot use your standard Gmail password with Thunderbird. Instead, you will need to create a new application-specific password for Thunderbird to access your Gmail account. See Google's own guide for doing this.

    When all the information is entered correctly, click the “Done” button.

    Mozilla Thunderbird will start downloading copies of your email to your computer. Try sending a test email to your friends.

    Installing Enigmail

    Enigmail is installed in a different way from Mozilla Thunderbird and GnuPG. As mentioned before, Enigmail is an Add-on for Mozilla Thunderbird. Click the “Menu button,” also called the Hamburger button and select “Add Ons.”

    You'll be taken to an Add-ons Manager tab. Enter "Enigmail" into the Add-on search field to look for Enigmail on the Mozilla Add-on site.

    Enigmail will be the first option. Click the "Install" button.

    After the Enigmail add-on is installed Mozilla Thunderbird will ask to restart the browser to activate Enigmail. Click the “Restart Now” button and Mozilla Thunderbird will restart.

    When Mozilla Thunderbird restarts an additional window will open up that will start the process of setting up the Enigmail add-on. Keep the “Start setup now” button selected and click the “Continue” button.

    We believe Enigmail’s “standard configuration” option to be a good choice. Click the “Continue” button.

    Now you will start creating your private key and public key.

    Creating a Public Key and Private Key

    Unless you have already configured more than one email account, Enigmail will choose the email account you've already configured. The first thing you'll need to do is come up with a strong passphrase for your private key.

    Click the "Continue" button.

    Your key will expire at a certain time; when that happens, other people will stop using it entirely for new emails to you, though you might not get any warning or explanation about why. So, you may want to mark your calendar and pay attention to this issue a month or so before the expiration date.

    It's possible to extend the lifetime of an existing key by giving it a new, later expiration date, or it's possible to replace it with a new key by creating a fresh one from scratch. Both processes might require contacting people who email you and making sure that they get the updated key; current software isn't very good at automating this. So make a reminder for yourself; if you don't think you'll be able to manage it, you can consider setting the key so that it never expires, though in that case other people might try to use it when contacting you far in the future even if you no longer have the private key or no longer use PGP.

    Enigmail will generate the key and when it is complete, a small window will open asking you to generate a revocation certificate. This revocation certificate is important to have as it allows you to make the private key and public key invalid. It is important to note that merely deleting the private key does not invalidate the public key and may lead others to sending you encrypted mail that you can't decrypt. Click the “Generate Certificate” button.

    First you will be asked to provide the passphrase you used when you created the PGP key. Click the “OK” button.

    A window will open to provide you a place to save the revocation certificate. While you can save the file to your computer we recommend saving the file to a USB drive that you are using for nothing else and storing the drive in a safe space. We also recommend removing the revocation certificate from the computer with the keys, just to avoid unintentional revocation. Even better, save this file on an encrypted disk. Choose the location where you are saving this file and click the “Save” button.

    Now Enigmail will give you further information about saving the revocation certificate file again. Click the “OK” button.

    Finally, you are done with generating the private key and public key. Click the “Done” button.

    Optional configuration steps

    Display Fingerprints and Key Validity

    The next steps are completely optional but they can be helpful when using OpenPGP and Enigmail. Briefly, the Key ID is a small part of the fingerprint. When it comes to verifying that a public key belongs to a particular person the fingerprint is the best way. Changing the default display makes it easier to read the fingerprints of the certificates you know about. Click the configuration button, then the Enigmail option, then Key Management.

    A window will open showing two columns: Name and Key ID.

    On the far right there is a small button. Click that button to configure the columns. Unclick the Key ID option and click the Fingerprint option and the Key Validity option.

    Now there will be three columns: Name, Key Validity, and Fingerprint.

    Finding Other People Who Are Using PGP

    Getting a Public Key by Email

    You might get a public key sent to you as an email attachment. Click on the "Import Key" button.

    A small window will open asking you to confirm importing the PGP key. Click the "Yes" button.

    A new window will open with the results of the import. Click the “OK” button.

    If you reload the original email you’ll see that the bar over the email has changed.

    If you open up the Enigmail key management window again, you can check the result. Your PGP key is in bold because you have both the private key and the public key. The public key you just imported is not bold because it doesn't contain the private key.

    Getting a Public Key as a File

    It's possible that you get a public key by downloading it from a website or someone might have sent it through chat software. In a case like this, we will assume you downloaded the file to the Downloads folder.

    Open the Enigmail Key Manager.

    Click on the “File” menu. Select “Import Keys from File.”

    Select the public key, it might have very different file name endings such as .asc, .pgp, or .gpg. Click the “Open” button.

    A small window will open asking you to confirm importing the PGP key. Click the “Yes” button.

    A new window will open with the results of the import. Click the “OK” button.

    Getting a Public Key From a URL

    It's possible to get a public key by downloading it directly from a URL

    Open the Enigmail Key Manager and click on the “Edit” menu. Select “Import Keys from URL.”

    Enter the URL. The URL can have several forms. Most often it is likely a domain name ending in a file.

    Once you have the right URL, click the “OK” button.

    A small window will open asking you to confirm importing the PGP key. Click the "Yes" button.

    A new window will open with the results of the import. Click the "OK" button.

    If you look at https://www.eff.org/about/staff you will notice a “PGP Key” link under the staff pictures. Danny O'Brien's PGP key, for example, can be found at: https://www.eff.org/files/pubkeydanny.txt.

    Getting a public key from a key server

    Keyservers can be a very useful way of getting public key. Try looking for a public key.

    From the Key Management interface click the “Keyserver” menu and select “Search for Keys.”

    A small window will pop up with a search field. You can search by a complete email address, a partial email address, or a name. In this case, you will search for keys containing “samir@samirnassar.com”. Click the “OK” button.

    A larger window will pop up with many options. If you scroll down you'll notice some keys are italicized and grayed out. These are keys that have either been revoked or expired on their own.

    We have several PGP keys for Samir Nassar and we don’t yet know which one to choose. One key is in grey italics which means that it has been revoked. Because we don’t know which one we want yet, we will import them all. Select the keys by clicking the box on the left then press the “OK” button.

    A small notification window will pop up letting you know if you succeeded. Click the “OK” button.

    The Enigmail Key Manager will now show you the added keys:

    Note that of the three imported keys, one is expired, one is revoked, and one is currently a valid key.

    Letting others know you are using PGP

    Now that you have PGP, you want to let others know that you are using it so they can also send you encrypted messages using PGP.

    Using PGP doesn't completely encrypt your email so that the sender and received information is encrypted. Encrypting the sender and receiver information would break email. Using Thunderbird with the Enigmail add-on gives you an easy way to encrypt and decrypt the content of your email.

    Let's look at three different ways you can let people know you are using PGP.

    Let people know you are using PGP with an email

    You can easily email your public key to another person by sending them a copy as an attachment.

    Click the "Write" button in Mozilla Thunderbird.

    Fill in an address and a subject, perhaps something my “my public key,” click the “Attach My Public Key” button. If you have already imported a PGP key for the person you are sending the PGP key to, the Lock icon in the Enigmail bar will be highlighted. As an additional option, you can also click the Pencil icon to sign the email, giving the recipient a way to verify the authenticity of the email later.

    A window will pop open asking you if you forgot to add an attachment. This is a bug in the interaction between Enigmail and Mozilla Thunderbird, but don’t worry, your public key will be attached. Click the “No, Send Now” button.

    Let people know you are using PGP on your website

    In addition to letting people know via email, you can post your public key on your website. The easiest way is to upload the file and link to it. This guide won't go into how to do those things, but you should know how to export the key as a file to use in the future.

    Click the configuration button, then the Enigmail option, then Key Management.

    Highlight the key in bold, then right-click to bring up the menu and select Export keys to file.

    A small window will pop up with three buttons. Click the “Export Public Keys Only” button.

    Now a window will open so you can save the file. In order to make it easier to find in the future please save the file to the Documents folder. Now you can use this file as you wish.

    Make sure you don't click the “Export Secret Keys” button because exporting the secret key could allow others to impersonate you if they are able to guess your password.

    Uploading to a keyserver

    Keyservers make it easier to search for and download public keys of others. Most modern keyservers are synchronizing, meaning that a public key uploaded to one server will eventually reach all servers.

    Although uploading your public key to a keyserver might be a convenient way of letting people know that you have a public PGP certificate, you should know that due to the nature of how keyservers work there is no way to delete public keys once they are uploaded.

    Before uploading your public key to a keyserver, it is good to take a moment to consider whether you want the whole world to know that you have a public certificate without the ability to remove this information at a later time.

    If you choose to upload your public key to keyservers, you will go back to the Enigmail Key Management window.

    Right-click your PGP key and select the Upload Public Keys to Keyserver option.

    Sending PGP Encrypted Mail

    Now you will send your first encrypted email to a recipient.

    In the main Mozilla Thunderbird window click the “Write” button. A new window will open.

    Write your message, and enter a recipient. For this test, select a recipient whose public key you already have. Enigmail will detect this and automatically encrypt the email.

    The subject line won't be encrypted, so choose something innocuous, like "hello."

    The body of the email was encrypted and transformed. For example the text above will be transformed into something like this:

    Receiving PGP Encrypted Mail

    Let's go through what happens when you receive encrypted email.

    Notice that Mozilla Thunderbird is letting you know you have new mail. Click on the message.

    A small window opens asking you for the password to the PGP key. Remember: Don't enter your email password. Click the "OK" button.

    Now the message will show up decrypted.

    Revoking the PGP Key

    Revoking Your PGP Key Through the Enigmail Interface

    The PGP keys generated by Enigmail automatically expire after five years. So if you lose all your files, you can hope that people will know to ask you for another key once the key has expired.

    You might have a good reason to disable the PGP key before it expires. Perhaps you want to generate a new, stronger PGP key. The easiest way to revoke your own PGP key in Enigmail is through the Enigmail Key Manager.

    Right click on your PGP key, it's in bold, and select the "Revoke Key" option.

    A window will pop up letting you know what happens and asking for your confirmation. Click the “Revoke Key” button.

    The password window opens, enter your password for the PGP key and click to "OK" button.

    Now a new window will open up letting you know you succeeded. Click the “OK” button.

    When you go back to the Enigmail Key Management window you'll notice a change to your PGP key. It is now grayed out and italicized.

    Revoking a PGP Key with a Revocation Certificate

    Like we mentioned before, you might have a good reason to disable the PGP key before it expires. Similarly, others might have good reasons to revoke an existing key. In the previous section you might have noticed that Enigmail generates and imports a revocation certificate internally when you use the Enigmail Key Manager to revoke a key.

    You might get sent revocation certificates from friends as a notice that they want to revoke their key. Since you already have a revocation certificate, you will use the one you generated earlier to revoke your own key.

    Start with the Enigmail Key Manager and click the “File” menu and select “Import Keys from File.”

    A window will open up so you can select the revocation certificate. Click on the file, and click the “Open” button.

    You'll get a notification that the certificate was imported successfully and that a key was revoked. Click the “OK” button.

    When you go back to the Enigmail Key Management window you'll notice a change to your PGP key. It is now grayed out and italicized.

    Now that you have all the proper tools, try sending your own PGP-encrypted email.

    Last updated: 
    2016-08-12
  • How to: Use KeePassX

    KeePassX is a password safe—a program you can use to store all your passwords for various websites and services. A password safe is a great tool because it allows you to use different difficult-to-guess passwords for all your services, without needing to remember them. Instead, you only need to remember one master password that allows you to decrypt a database of all your passwords. Password safes are convenient and allow you to organize all of your passwords in one location.

    It should be noted that using a password safe creates a single point of failure and establishes an obvious target for bad actors or adversaries. Research has suggested that many commonly used passwords safes have vulnerabilities, so use caution when determining whether or not this is the right tool for you.

    How KeePassX works

    KeePassX works with files called password databases, which are exactly what they sound like—files that store a database of all your passwords. These databases are encrypted when they’re stored on your computer’s hard disk, so if your computer is off and someone steals it they won’t be able to read your passwords.

    Password databases can be encrypted via three methods: using a master password, using a keyfile, or both. Let’s look at the pros and cons of each.

    Using a Master Password

    A master password acts like a key—in order to open the password database, you need the correct master password. Without it, nobody can see what’s inside the password database. There are a few things to keep in mind when using a master password to secure your password database.

    • This password will decrypt all of your passwords, so it needs to be strong! That means it shouldn’t be something easy to guess, and it should also be long—the longer the better! Also, the longer it is, the less you need to worry about having special characters or capitals or numbers. A password that is only made up of six random words (in all lower case, with spaces in between) can be harder to break than a 12-character password made up of upper and lower case letters, numbers, and symbols.
    • You need to be able to remember this password! Since this one password will allow access to all your other passwords, you need to be able to make sure you can remember it without writing it down. This is another reason to use something like Diceware—you can use regular words that are easy to remember, instead of trying to remember unnatural combinations of symbols and capital letters.

    Using a Keyfile

    Alternatively, you can use a keyfile to encrypt your password database. A keyfile acts the same way a password would—every time you want to decrypt your password database you will need to provide that keyfile to KeePassX. A keyfile should be stored on a USB drive or some other portable media, and only inserted into your computer when you want to open your password database. The benefit of this is that even if somebody gets access to your computer’s hard disk (and thus your password database) they still won’t be able to decrypt it without the keyfile stored in the external media. (Additionally, a keyfile can be much harder for an adversary to guess than a normal password.) The downside is that any time you want to access your password database, you’ll need to have that external media handy (and if you lose it or it gets damaged, then you won’t be able to open your password database).

    Using a keyfile instead of a password is the closest thing to having an actual physical key to open your password database—all you need to do is insert your USB drive, select the keyfile, and presto! If you do choose to use a keyfile instead of a master password, though, make sure your USB drive is stored somewhere safe—anyone who finds it will be able to open your password database.

    Using Both

    The most secure method for encrypting your password database is to use both a master password and a keyfile. This way, your ability to decrypt your password database depends on what you know (your master password) and what you have (your keyfile)—and any malicious entity who wants to get access to your passwords will need both. (With that said, keep in mind your threat model—for most home users who just want to store their passwords, a strong master password should be sufficient. But if you’re worried about protecting against state-level actors with access to huge computational resources, then the more security the better.)

    Now that you understand how KeePassX works, let’s get started with actually using it!

    Getting Started with KeePassX

    Once you’ve installed KeePassX, go ahead and launch it. Once it’s started, select “New Database” from the File menu. A dialog will pop up which will ask you to enter a master password and/or use a keyfile. Select the appropriate checkbox(es) based on your choice. Note that if you want to see the password you’re typing in (instead of obscuring it with dots) you can click the button with the “eye” to the right. Also note that you can use any existing file as a keyfile—an image of your cat for example, could be used as a keyfile. You’ll just need to make sure the file you choose never gets modified, because if its contents are changed then it will no longer work for decrypting your password database. Also be aware that sometimes opening a file in another program can be enough to modify it; the best practice is to not open the file except to unlock KeePassX. (It is safe to move or rename the keyfile, though.)

    Once you’ve successfully initialized your password database, you should save it by choosing “Save Database” from the File menu. (Note that if you want, you can move the password database file later to wherever you like on your hard disk, or move it to other computers—you’ll still be able to open it using KeePassX and the password/keyfile you specified before.)

    Organizing Passwords

    KeePassX allows you to organize passwords into “Groups,” which are basically just folders. You can create, delete, or edit Groups or Subgroups by going to the “Groups” menu in the menubar, or by right-clicking on a Group in the left-hand pane of the KeePassX window. Grouping passwords doesn’t affect any of the functionality of KeePassX—it’s just a handy organizational tool.

    Storing/generating/editing Passwords

    To create a new password or store a password you already have, right-click on the Group in which you want to store the password, and choose “Add New Entry” (you can also choose “Entries > Add New Entry” from the menubar). For basic password usage, do the following:

    • Enter a descriptive title you can use to recognize this password entry in the “Title” field.
    • Enter the username associated with this password entry in the “Username” field. (This can be blank if there is no username.)
    • Enter your password in the “Password” field. If you’re creating a new password (i.e. if you’re signing up for a new website and you want to create a new, unique, random password) click the “Gen” button to the right. This will pop up a password generator dialog which you can use to generate a random password. There are several options in this dialog, including what sorts of characters to include and how long to make the password.
      • Note that if you generate a random password, it’s not necessary that you remember (or even know!) what that password is! KeePassX stores it for you, and any time you need it you’ll be able to copy/paste it into the appropriate program. This is the whole point of a password safe—you can use different long random passwords for each website/service, without even knowing what the passwords are!
      • Because of this, you should make the password as long as the service will allow and use as many different types of characters as possible.
      • Once you’re satisfied with the options, click “Generate” in the lower right to generate the password, and then click “OK.” The generated random password will automatically be entered in the “Password” and “Repeat” fields for you. (If you’re not generating a random password, then you’ll need to enter your chosen password again in the “Repeat” field.)
    • Finally, click OK. Your password is now stored in your password database. To make sure the changes are saved, be sure to save the edited password database by going to “File > Save Database.” (Alternatively, if you made a mistake, you can close and then re-open the database file and all changes will be lost.)

    If you ever need to change/edit the stored password, you can just choose the Group it’s in and then double-click on its title in the right-hand pane, and the “New Entry” dialog will pop up again.

    Normal Use

    In order to use an entry in your password database, simply right-click on the entry and choose “Copy Username to Clipboard” or “Copy Password to Clipboard,” and then go to the window/website where you want to enter your username/password, and simply paste in the appropriate field. (Instead of right-clicking on the entry, you can also double-click on the username or password of the entry you want, and the username or password will be automatically copied to your clipboard.)

    Advanced Use

    One of the most useful features of KeePassX is that it can automatically type in usernames and passwords for you into other programs when you press a special combination of keys on your keyboard. Note that although this feature is only available under Linux, other password safes like KeePass (on which KeePassX was based) support this feature on other operating systems, and it works similarly.

    To enable this feature, do the following.

    1. Choose your global hotkey. Choose “Settings” from the “Extras” menu, and then choose “Advanced” in the pane on the left. Click inside the “Global Auto-Type Shortcut” field, and then press the shortcut-key combination you wish to use. (For example, press and hold Ctrl, Alt, and Shift, and then hit “p.” You can use any key combination you like, but you’ll want to make sure that it doesn’t conflict with hotkeys other applications use, so try to stay away from things like Ctrl+X or Alt+F4.) Once you’re satisfied, click “OK.”

    2. Setup auto-type for a specific password. Make sure that you have the window open where you’ll want to enter the password. Then go to KeePassX, find the entry for which you want to enable auto-type, and double-click on the entry’s title to open up the “New Entry” dialog.

    3. Click the “Tools” button in the bottom left, and select “Auto-Type: Select target window.” In the dialog that pops up, expand the drop-down box and choose the title of the window in which you want the username and password to be entered. Click OK, and then click OK again.

    Test it out! Now in order to autotype your username and password, go to the window/website where you want KeePassX to autotype your username/password for you. Make sure your cursor is in the text box for your username, and then hit the combination of keys you chose above for the global hotkey. As long as KeePassX is open (even if it’s minimized or not focused) your username and password should automatically be entered.

    Note that depending on how the website/window is set up, this feature may not work 100% correctly right off the bat. (It might enter the username but not the password, for example.) You can troubleshoot and customize this feature, though—for more information we recommend looking at the KeePass documentation here. (Although there are some differences between KeePass and KeePassX, that page should be enough to guide you in the right direction.)

    It is recommended that you use a key combination that is difficult to hit accidentally. You don't want to accidentally paste your bank account password into a Facebook post!

    Other Features

    You can search your database by typing something in the search box (the text box in the toolbar of the main KeePassX window) and hitting enter.

    You can also sort your entries by clicking on the column header in the main window.

    You can also “lock” KeePassX by choosing “File > Lock Workspace,” so that you can leave KeePassX open, but have it ask for your master password (and/or keyfile) before you can access your password database again. You can also have KeePassX automatically lock itself after a certain period of inactivity. This can prevent someone from accessing your passwords if you step away from your computer. To enable this feature, choose “Extras > Settings” from the menu and click on the security options. Then check the box that says “Lock database after inactivity of {number} seconds.”

    KeePassX can also store more than just usernames and passwords. For example, you can create entries to store important things like account numbers, or product keys, or serial numbers, or anything else. There’s no requirement that the data you put in the “Password” field actually has to be a password. It can be anything you want—just input what you want to store in the “Password” field instead of an actual password (and leave the “Username” field blank if there’s no username) and KeePassX will safely and securely remember it for you.

    KeePassX is easy to use, robust software, and we recommend exploring the program to learn all of the useful things it can do.

    Last updated: 
    2015-11-23
JavaScript license information