Episode: 1481
Title: HPR1481: Encryption and Gmail
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1481/hpr1481.mp3
Transcribed: 2025-10-18 03:53:35
---
Until next time, Pagan.
Hello, this is Ahuka and welcome to Hacker Public Radio and another in our ongoing series
on security and privacy.
And what I want to do this time is pick up from what we did last time.
Last time we took a look at how to do encryption with email in Thunderbird using an add-on called
Enigmail.
What I want to do this time is take on the task of showing how we can also use encryption
with web-based mail.
And for this one I'm going to select Gmail because I have to have a Gmail account so that
makes it easy.
I think that there are probably similar ways to do this with Yahoo or with Outlook.com or
what have you.
I'm going to use a particular example that I happen to be familiar with.
Now people use web-based mail a lot.
Gmail is certainly one of the more popular ones.
The thing that you have to keep in mind is that this is all about encrypting the message
with your keys that you control before it leaves the computer.
Steve Gibson calls this pre-internet encryption or PIE.
Now last time we mentioned Lavabit, Ladar Levison and all of that.
And the flaw in what they did was that they had keys that the mail provider controlled.
And these keys could be and were demanded by the government.
So if you use your own GPG keys that you control, no provider, in this case Google, is
even capable of giving anything to the government other than a blob of random nonsense.
Now, I'm not going to get into metadata, that's another discussion and Lord knows
we will probably get to that one too at some point.
But what I want to do here is talk about an extension that you can install.
It's available for both Chrome and Firefox.
And I'm going to do it with Chrome because that's what I use to access my Gmail account.
And the extension is called Mailvelope, M-A-I-L-V-E-L-O-P-E.
So it's mail and envelope kind of mashed together.
And as a Chrome extension, basically you just do what you do with any other Chrome extension.
You go to the Chrome store, you do a search for Mailvelope and you install it.
Now once you have Mailvelope installed, you need to give it your keys.
We talked about creating keys over a couple of different episodes, how to do it with
a command line, how to do it with a GUI client.
Then last time we talked about using your keys with Enigmail in Thunderbird.
Now one of the things about Enigmail that was really nice was that Enigmail knew where
to look and would just go grab your keys.
Mailvelope is not quite as user friendly in this respect.
But it's going to give us a chance to learn something that we're going to need to know.
And that's all about exporting keys.
So when you have Mailvelope installed, you then in the extensions window in Google Chrome,
you will see that there's something there that says options.
It's a link that you click and that opens up the options window for Mailvelope.
And when you take a look at that, you're going to see you've got a number of things you
can do and one of them sits down a couple on the left.
You're going to see something that says import keys.
Now you can import your keys or other people's keys depending on what you have available
to you.
But the thing is that it has to be pure ASCII text files.
Now chances are when GPG created all of this on your hard drive, it was not pure ASCII.
It was probably a binary file.
So what you need to do is you need to do an export.
You can do this in several ways.
You could do it at the command line, for instance.
And there's two different commands, one for the private key and one for the public key.
So for the private key, the command would be GPGspace-export-secret-key-space-a-space-space-a-space.
And then your username.
This would be your username, in this case I'm on a Linux box.
So it would be my Linux username, the name of my home directory, in other words.
Now this will display your key as ASCII text in the terminal window.
You can paste it into Mailvelope and away you go.
Now to get your public key, the public key is the one that's used by other people to
encrypt messages to you.
So the command is slightly different, GPGspace-armor, ARMOR, space-export-space, and then the
email address.
Remember that when you created your GPG key that the email address was a part of that
and it's linked to your email address.
So that's going to get your public key exported.
And again, this will show up in the window and you can copy and paste what have you.
Now if you've already set up Thunderbird, we can make this even a little bit simpler.
Because you can export them both at once.
In Thunderbird, go to that OpenPGP menu that we talked about last time and this time
select key management.
And click on your own key to select it and then go to the file menu and select export
keys to file.
You'll then be asked if you wish to include the secret key.
Say yes and you'll be asked to approve a file name and a location for the exported file.
Now this will be a dot ASC file.
In other words, ASCII text.
And then in Mailvelope on the import screen, you can click the import from file, find
that file.
So put it in your home directory somewhere where you know how to find it.
And if all goes well, you're going to see two green lines.
The first one says success, public key was imported blah, blah, blah and the second one
to be success private key was imported blah, blah, blah.
And you know in each case saying that's been added to your key ring.
And then you can take a look at your key ring in Mailvelope and you should see your name
and the ID of your key and you'll actually see two keys, two keys in the icon on the left
because that's going to indicate that it got both the public and the private.
Now if you then later on import the public key of some other people, people that you might
want to correspond with, when you look, you would see their name and their key identifier,
but you'd only see a single key on the left because you obviously would not have their
private key.
Now I said it was worth learning this import export business with keys because it's really
the best way to move your keys to other computers.
Now I've seen stuff that says, oh just copy your .gpg directory and if you're going to
another Linux machine, that'll probably work, but what if you're a cross-platform person?
What if you're like our friend Knightwise who makes a whole big fetish out of being cross-platform?
And let's just face it, a lot of people, there are times they want to use Linux, other times
I have to use Windows when I'm at work, some people may have a Macintosh around that they
want to use.
So understanding how you can export your key files and then in any other computer you just
use the import like we just did with Mailvelope and that's going to be a good way to get your
keys moved around.
Now that you've imported this, let's say you wanted to send a message in Gmail, if the
only key you have is your own you have to send something to yourself, you can actually
do that.
But what you're going to see now because of Mailvelope is that when you click the compose and in
Gmail, I'm going to assume you all know how this works.
When you click the compose button, a window opens up in the lower right and it's got a black
bar across the top and you start typing your message.
What you're going to see now is something has changed and what has changed is that there
is an additional icon that is on that window and the icon is an edit icon and it's got the
yellow pencil on top of a sheet of paper.
And if you click that, another window opens for you to create your encrypted message.
So you just type your message in that window.
So it's going to say at the very top Chrome extension and a bunch of blah, blah, blah,
yes, because the extension is Mailvelope that you installed that's taking over this process.
And then you compose your mail and now what?
If you simply click the transfer button, you get a pop-up warning you, you're trying
to send unencrypted data, right?
So just because you've composed it in this window, you haven't finished the process yet.
But if you take a look, there's an icon of a padlock, ah, the lock icon.
So you click that and what happens.
Now another window is going to open, remember that when you send encrypted mail, you encrypt
it using the public key of the recipient.
Now right now you may only have your own public key in there because we just imported it
a moment ago.
But at some point you're going to start accumulating public keys of other people.
And so what you need to do is select the recipient for whom you have a public key.
Now I think I mentioned last time, I'm setting up something with Tony Bemus from the Sunday
Morning Linux review that I think the two of us are going to do a little program talking
about how you do all of the obtaining keys of other people and things like that.
So you know, that should be fun.
We're going to get there.
It's like everything else you got to take it one step at a time.
So anyway, at this point, you know, you click that maybe the only name you see up there
is your own.
So highlight that and click the add button.
And when you do that, everything gets encrypted.
Then when you click the transfer, what's going to get transferred is an encrypted message.
And so in your Gmail window, your compose window now, it's just going to say begin PGP message
and then all sorts of gobbledygook and then at the end, it's going to say end PGP message.
So you have a completely encrypted message, but so far not a thing has left your computer.
And that's the important part.
So if you now click the send button, your message will be sent, but Google will have no idea
what it says and neither will anyone else if they do not have the private key of the recipient.
Ideally, they wouldn't.
Now, suppose you receive a message that has been encrypted and that means that you have a correspondent
out there who has your public key and they use that to encrypt a message to send to you.
Well, when that comes in, Mailvelope is going to notice, oh, wait a minute, this is encrypted.
Isn't it?
I'm supposed to do something.
So it'll throw an overlay on top of the message with the icon of an envelope and lock.
Your cursor will turn into a key and if you click on the icon, you will be asked to provide your passphrase.
And assuming you can do this successfully, the message will decrypt.
Let's hope you know your passphrase.
Now, the last thing, digital signing.
And I'd have to tell you at this point, now I'm recording this now in towards the end of February of 2014,
but I'm recording it ahead of time and it's going to go out later on this year.
At the time I'm recording this, Mailvelope does not support digital signing,
but it's clear that they're working on it and I hope it will be added soon.
Obviously, they put the priority on ensuring that you could securely encrypt messages
and that's not really a terribly bad priority to have when you think about it.
So with that, this is Ahuka signing off for Hacker Public Radio
and reminding everyone, please support free software.
Bye.
You have been listening to Hacker Public Radio at HackerPublicRadio.org.
We are a community podcast network that releases shows every weekday Monday through Friday.
Today's show, like all our shows, was contributed by an HPR listener like yourself.
If you ever consider recording a podcast, then visit our website to find out how easy it really is.
Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club.
HPR is funded by the Binary Revolution at binrev.com.
All binrev projects are proudly sponsored by Lunarpages.
From shared hosting to custom private clouds, go to Lunarpages.com for all your hosting needs.
Unless otherwise stated, today's show is released under a Creative Commons
Attribution-ShareAlike 3.0 license.