Message Security
Message security is the practice of encrypting messages on your device so that they can be read only by the intended recipient. Although Network Security and Device Security are important, this kind of message encryption is necessary in many situations:
- Confidentiality: Message encryption is the only way to ensure that only the indented recipients are reading your messages.
- Authenticity: Message encryption is the only way to ensure the identity of the people you are communicating with.
Practicing message encryption, however, can be a challenge:
- You must own a device: The idea with message encryption is that you don’t trust another party to encrypt your communication for you. Therefore, all the encryption takes place on your machine, which means you need to own your own device.
- Steep learning curve: In order to use encryption software correctly, you will need to spend a significant amount of time learning important encryption concepts like public keys, private keys, keyrings, etc.
- Limited correspondents: With message encryption, you can only communicate securely with other people using the same software.
Obviously, these guarantees of security don’t apply if your device has been compromised.
About Message Encryption
What these help pages call “message encryption” is technically called “public-key cryptography”. Here is how it works:
- Private key: Everyone has their own private key. As the name implies, this key must be kept private. You use this private key in order to read the encrypted messages sent to you.
- Public key: Everyone also has a public key. This key is often distributed far and wide. When someone wants to send you a secure message, they use your public key to encrypt it. Only the person with the corresponding private key will be able to decrypt it.
Tips for Learning Message Encryption
Although it provides the highest level of security, public-key encryption is still an adventure to use. To make your journey less scary, we suggest you keep these things in mind:
- Be in it for the long haul: using public-key encryption takes a commitment to learning a lot of new skills and jargon. The widespread adoption of public-key encryption is a long way off, so it may seem like a lot of work for not much benefit. However, we need early adopters who can help build a critical mass of public-key encryption users.
- Develop encryption buddies: although most your traffic might not be encrypted, if you find someone else who uses public-key encryption try to make a practice of only communicating securely with that person.
- Look for advocates: people who use public-key encryption usually love to evangelize about it and help others to use it to. Find someone like this who can answer your questions and help you along.
Limitations of Message Encryption
Although you can hide the contents of email with public-key encryption, it does not hide who you are sending mail to and receiving mail from. This means that even with public key encryption there is a lot of personal information which is not secure.
Why? Imagine that someone knew nothing of the content of your mail correspondence, but they knew who you sent mail to and received mail from and they knew how often and what the subject line was. This information can provide a picture of your associations, habits, contacts, interests and activities.
The only way to keep your list of associations private is to to use a service provider which will establish a secure connection with other service providers. See our directory of radical servers for a list of such providers.
Use Message Encryption
Encrypted Email
- What is encrypted email?
- How do I use encrypted email?
- Can I send and receive encrypted email using riseup’s webmail?
- What are some limitations of encrypted communications?
- How can I verify a key owner’s identity?
- How can I sign a key and why would I want to?
- Do you have any other tips about encrypted email?
- How do I setup OpenPGP encrypted email on my computer?
OpenPGP Best Practices
- How to use this guide.
- Use free software, and keep it updated.
-
Selecting a keyserver and configuring your machine to refresh your keyring.
- Use the sks keyserver pool, instead of one specific server, with secure connections.
- Ensure that all keys are refreshed through the keyserver you have selected.
- Refresh your keys slowly and one at a time.
- Do not blindly trust keys from keyservers.
- Don’t rely on the Key ID.
- Check key fingerprints before importing.
-
Key configuration.
- Use a strong primary key.
- Use an expiration date less than two years.
- Set a calendar event to remind you about your expiration date
- Generate a revocation certificate.
- Only use your primary key for certification (and possibly signing). Have a separate subkey for encryption.
- Have a separate subkey for signing
- Keep your primary key entirely offline
-
OpenPGP key checks.
- Make sure your key is OpenPGPv4
- primary keys should be RSA, ideally 3072 bits.
- self-signatures should not use MD5 exclusively
- self-signatures should not use SHA1
- stated digest algorithm preferences must include at least one member of the SHA-2 family at a higher priority than both MD5 and SHA1
- primary keys should have a reasonable expiration date (no more than 2 years in the future)
- Putting it all together.
- Additional suggestions.