, , , , , , , , , , , , , , ,

Here’s a problem in need of a practical solution: I’ve recently been assigned an account by an organisation that uses a very untrustworthy firm to host its emails, and I’m insisting (or at least strongly encouraging) that nothing sensitive is uploaded to the servers without being properly encrypted.

Normally email encryption is handled by some part of a client application, or a PGP/OpenPGP extension like Enigmail (for Thunderbird). The problem I’m addressing here is that most people have at least one email/webmail account that isn’t compatible with email clients, and there’s no obvious way of using PGP/OpenPGP without that.

Overview of the Solution
The solution I attempted to find here was:
1. Compose message on local machine
2. Encrypt the message with recipient’s public key
3. Copy and paste the encrypted email in the browser.
4. Send email to recipient

The recipient should then get the encrypted email, and with a bit of luck the encryption can be reversed with his/her private key. If we are the recipient, we simply do the reverse: copy and paste the encrypted email into a text editor and decrypt the message offline.

The Command Line Method
While this method won’t appeal to the average person at first, it’s what we’re stuck with in the absence of a simple GUI application. The good news is it’s pretty quick once we’ve done it a couple of times.
This method assumes that the user has created key pairs for each email/webmail account, and has the public key of the recipient. These can be created/added using a key management application such as Seahorse or Kleopatra.

The following command will list the public and private keys stored on the local system:
$gpg --list-keys

To prepare an email, I opened a standard text editor and typed a message, saving it as TestMessage.txt:

Dear Recipient

Can I request a meeting for Thursday afternoon?


The content of TestMessage.txt (the message) can be encrypted with a single command:
$gpg --armor -e [file name]

In this case:
$gpg --armour -e TestMessage.txt


GPG will then prompt the user for the recipient(s) email address and check whether a public key is available for that address. The ‘–armor‘ option produces ASCII ciphertext, as opposed to a pure encrypted file.
Having encrypted the message, GPG will create a file called [filename].asc that will contain the ciphertext. The content of that file should appear something like:


This block of ciphertext can now be pasted into a webmail message and sent to the recipient. Job done.

Decrypting the Message
A recipient receiving the message simply does the reverse. Here, the ciphertext is copied from the browser into a text editor, and saved locally as [filename].asc. I’ve tested this by deleting the plaintext file I created earlier and using the following command to decrypt the ciphertext in TestMessage.txt.asc:
$gpg -d TestMessage.txt.asc

If we’re the recipient and we have the relevant private key, GPG will then prompt for the password before displaying the plaintext in the command line:


So there we have it. Problem solved. All that remains is to develop the software to make the solution more accessible.