Anonymous Email Encryption: Theory and Practice Guide

There’s an interesting concept called the secrecy of correspondence. However, it’s only well-known in very narrow circles of privacy enthusiasts. Governments and intelligence agencies seem to have never heard of it, and some businesses love to poke their curious noses into your inbox—hoping to learn your preferences and send you even more useless ads. Today, let’s talk about how to protect your email from unwanted attention.

About This Guide

Articles in this series are published for free and available to everyone. We believe everyone has the right to basic knowledge about protecting their data.

If you find these materials basic—great! But you’ll do a good deed by sharing them with friends, acquaintances, and relatives who are less tech-savvy.

Protecting Your Email

There are plenty of websites and services that solemnly promise to protect your privacy from any intrusion. Often these are just words. ProtonMail, for example, a service marketed as secure email, has repeatedly been accused of cooperating with law enforcement and handing over user data (first in 2018, and again more recently; the best-known case is a user's IP address, logged and disclosed under a Swiss court order). The company always has an explanation, but as the saying goes, where there's smoke, there's fire. The lesson is not that one particular provider is evil: any provider can be compelled, and whatever it holds in cleartext it can be made to hand over. So take care of your own privacy and anonymity rather than relying on others. What do you need for that? Let's break it down.

As always, this article will cover the necessary theory, and then I’ll talk about some applications, what they’re for, and how to use them. Ready?

(Not So) Boring Theory

Even a small child knows that Windows, in terms of securely storing personal data, is like a sieve. If you can’t get rid of it (otherwise, how would we play our favorite games?), you need to configure it properly to stop it from sending data where it shouldn’t. Proper Windows setup is a separate topic, but for now, let’s focus on something else.

Once you have an OS that doesn't report your every move, you need to think about communicating with the outside world. The oldest and most common way, after carrier pigeons, is email. It's hard to do without: it would be nice if every website sent its registration confirmations to your messenger of choice instead, but they still prefer email, as if we were in the Stone Age.

Understand this: unless the mail server is yours personally, sits on your own shelf next to grandma's galoshes and grandpa's pills, and runs open-source software, there is no guarantee your correspondence isn't being read by a government agent or filtered by a keyword-matching bot. Your mail is stored on that server in cleartext, and the company's claims of honesty and transparency are not something you can verify.

Even if the service encrypts your data in the browser, the JavaScript that does the encrypting is fetched from the server on every visit. The operator (or anyone who compromises or compels it) can serve a modified copy to you alone, and you have no practical way to check its integrity each time you send a message. The conclusion: no matter who owns the email service, you can't fully trust it with your messages. That means the responsibility for encrypting your emails is yours, with keys that never leave your own machine.

INFO: Any app that handles or protects your data must have open source code. This is the minimum requirement for defending against backdoors and undocumented features; it is a necessary condition, not a guarantee, since what matters in the end is that the build you run matches source someone has actually reviewed. All apps and plugins mentioned here are open source.

You can send and receive email through a web interface, but then you miss out on using trusted third-party open-source plugins for privacy. That’s why we recommend using an email client.

I suggest installing Thunderbird. First, no government agent can pronounce it right the first time, and second, it's community-supported and allows extensions. For encrypting correspondence, the classic tool is the Enigmail plugin, a front end to GnuPG. Caveat: since Thunderbird 78, OpenPGP support is built into Thunderbird itself and Enigmail is no longer maintained as an add-on for current versions. The steps below are described for Enigmail; the built-in OpenPGP key manager does the same things under slightly different menu names.

You'll also need the encryption engine itself: GnuPG on *nix, or on Windows the Gpg4win package, which bundles GnuPG with the Kleopatra key manager. Then you create a key pair (a private key you keep, a public key you give out) and sign every email you send, so that a recipient who has your public key, and has checked its fingerprint, can verify the message really came from you. Sounds complicated? It's easier than it seems.

INFO: Even with encryption, the mail server still knows where you connected from, when, what you did (deleting, creating, forwarding emails), and who you wrote to; the ciphertext itself carries the key ID of the recipient's encryption key. Only the recipient can read the message body and attachments. The subject line and the other headers (From, To, Date) are not encrypted by default, so choose your subject carefully.

Installing and Setting Up the Tools

Installing Thunderbird is easy; rumor has it even a chimpanzee from the Ryazan Zoo managed it once. Next, install Gpg4win, and make sure to select all the necessary components during installation.

  • First, install Gpg4win (it brings GnuPG itself; without it Enigmail has nothing to drive)
  • Don't forget to select all components during installation

After that, launch Thunderbird and set up access to your email account (there’s plenty of documentation online). Next, install the Enigmail plugin.

  • Install Enigmail

Once that's done, create a key pair (public and private key) and a revocation certificate. The certificate is a signed statement that your key is no longer valid; you need it if you ever lose your private key (or forget its passphrase, or suspect the key is compromised) and have to revoke the public key you uploaded to the server, so that correspondents stop encrypting to it.

To create a key pair, go to “Enigmail → Key Management.” Then select “New Key Pair” in the “Generate” menu. In the window that opens, you'll see the settings for the key pair, a field for your passphrase, and the encryption algorithm options under “Advanced.” The program offers two families of cryptographic algorithms: ECC and RSA.

  • RSA (named after its creators Rivest, Shamir, and Adleman) is an asymmetric algorithm whose security rests on the difficulty of factoring large integers. It's old but well understood and supported by practically every OpenPGP implementation ever written.
  • ECC (Elliptic Curve Cryptography) is a newer asymmetric approach based on the discrete logarithm problem on elliptic curves over finite fields. For the same security level its keys are far shorter: a 256-bit curve (in GnuPG, Curve25519 by default) is rated roughly equivalent to RSA-3072, a 384-bit curve to RSA-7680, and a 521-bit curve to RSA-15360.

So ECC is faster, produces smaller keys and signatures, and uses less power, which is great for mobile devices. RSA, on the other hand, is time-tested and works with older clients that don't understand ECC keys. Neither is quantum-resistant: Shor's algorithm breaks both, and while larger RSA keys raise the number of qubits an attack needs, that is a difference of degree, not a defense. Against today's adversaries either choice is fine: RSA at 3072 bits or more, or a 256-bit curve.

Password Matters!

No matter how strong the algorithms, you need a good passphrase. It does not encrypt your emails directly; it encrypts the private key stored on your disk. But that is exactly what an attacker goes after: copy the key file (from a stolen laptop, a backup, a compromised machine) and then guess passphrases offline, at full speed, with no account to lock. A weak passphrase turns a 3072-bit key into a short job.

  • Your passphrase should be at least 12–15 characters long (or four to six words chosen at random from a long list).
  • It shouldn't be a dictionary word, and should include numbers, uppercase and lowercase letters, an introduction, a conclusion, a dramatic plot, and a bibliography at the end.

The rule of thumb: what counts is how much randomness went into the passphrase, not how clever it looks. A word with a few predictable substitutions is easy to guess; a string of random characters, or several words picked at random, is not, and the second kind is something you can actually remember. So you might want to bang your head on the keyboard a few times and memorize the resulting random string. Just never create or change passwords after a wild party; you'll understand why if you break this rule once.

After creating your key pair, the program will offer to create a revocation certificate. Do it. (GnuPG 2.1 and later also writes one automatically into the openpgp-revocs.d folder of your GnuPG home directory.) Then move the certificate off the machine, to a USB stick or a printout, and keep it where nobody else can get at it: anyone holding it can revoke your key.

If someone wants to encrypt emails to you, they'll need your public key. You can share it any way you like; if it's intercepted, it can't be used to decrypt your messages. What an interceptor can do is substitute their own key for yours, so a correspondent should confirm your key's fingerprint with you over another channel (phone, in person) before trusting it. Still, I recommend uploading your public key to a key server, where anyone can find it by searching for your email address; prefer a verifying key server such as keys.openpgp.org, since the old SKS pool accepts anything, including junk signatures that have been used to make keys unusable. To upload your key, go to “Key Management” and select “Upload Public Keys to Key Server.”

Practical Email Encryption

Let’s see how asymmetric encryption works in practice. We’ll create and send ourselves an encrypted message and see how it looks with and without the Enigmail plugin—as if we intercepted someone else’s message. With everything set up, just create an email as usual, but don’t forget to click “Encrypt” and “Sign.”

The received message will be decrypted and its signature verified by Enigmail. Intercepted without the secret key, the same message is just a -----BEGIN PGP MESSAGE----- block of base64 ciphertext: the recipient's key ID is visible in it, the content is not.
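The whole procedure above, from creating the key pair and revocation certificate through exporting the public key, encrypting and signing a message, looking at it the way an interceptor would (the key ID leak from the INFO box earlier), and decrypting it with signature verification, done on the GnuPG command line instead of through Enigmail's menus. This is an added example written for this edit, not code from the original article or from the Enigmail or GnuPG projects. It assumes gpg 2.1 or later is on PATH; the identity, passphrase and message text are made up, and everything happens in a throwaway keyring.

```shell
#!/bin/sh
# Added example, not from the original article: the Enigmail workflow done on
# the GnuPG command line. Assumes gpg 2.1+ on PATH; identity, passphrase and
# message text are made up for the demonstration.
set -eu

ALICE="Alice Example <alice@example.invalid>"    # constructed user ID
PASS="correct-horse-battery-staple-but-longer"   # constructed passphrase
MSG="meet at the usual place, bring the container key"

# Wrapper: batch mode, passphrase from the script instead of a GUI pinentry.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" "$@"; }

# Create a throwaway keyring (the real ~/.gnupg is never touched) and a key pair.
# Sets FPR, SUB_KEYID, PUB_FILE, REVOKE_CERT.
pgp_setup() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    # "default default": primary key plus encryption subkey with GnuPG's
    # current defaults (rsa3072 in 2.2, ed25519/cv25519 in 2.3+); 0 = no expiry.
    g --quick-generate-key "$ALICE" default default 0
    FPR=$(gpg --batch --with-colons --list-keys "$ALICE" | awk -F: '/^fpr/ {print $10; exit}')
    # Key ID of the encryption subkey: this is what ends up in every ciphertext.
    SUB_KEYID=$(gpg --batch --with-colons --list-keys "$FPR" | awk -F: '/^sub/ {print $5; exit}')
    # The public key you would upload to a key server or hand to a correspondent.
    PUB_FILE="$GNUPGHOME/alice.pub.asc"
    gpg --batch --armor --export "$FPR" > "$PUB_FILE"
    # GnuPG 2.1+ writes a revocation certificate when the key is created.
    REVOKE_CERT="$GNUPGHOME/openpgp-revocs.d/$FPR.rev"
}

# Encrypt stdin for recipient $1 and sign with our own key; armored output.
# Pass "hidden" as $2 to omit the recipient key ID from the ciphertext.
pgp_encrypt_sign() {
    if [ "${2:-}" = hidden ]; then
        g --armor --sign --encrypt --hidden-recipient "$1"
    else
        g --armor --sign --encrypt --recipient "$1"
    fi
}

# What an interceptor without the secret key gets from message file $1:
# the packet layout and the recipient key ID (all zeros if hidden), no content.
# Uses an empty keyring so gpg cannot quietly decrypt with our own key.
pgp_peek_keyid() {
    GNUPGHOME=$(mktemp -d) gpg --batch --list-packets "$1" 2>/dev/null \
        | sed -n 's/.*keyid \([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# Decrypt message file $1 and insist on a good signature; prints the plaintext.
# Fails (non-zero) if decryption fails or the signature does not verify.
pgp_decrypt_verify() {
    status_file=$(mktemp)
    g --status-fd 3 --decrypt "$1" 3>"$status_file" || return 1
    grep -q '^\[GNUPG:\] GOODSIG ' "$status_file" || return 1
    rm -f "$status_file"
}

pgp_setup
MSG_FILE="$GNUPGHOME/msg.asc"
HIDDEN_FILE="$GNUPGHOME/msg_hidden.asc"
printf '%s\n' "$MSG" | pgp_encrypt_sign "$FPR"        > "$MSG_FILE"
printf '%s\n' "$MSG" | pgp_encrypt_sign "$FPR" hidden > "$HIDDEN_FILE"

LEAKED_KEYID=$(pgp_peek_keyid "$MSG_FILE")       # equals $SUB_KEYID
HIDDEN_KEYID=$(pgp_peek_keyid "$HIDDEN_FILE")    # 0000000000000000
PLAIN=$(pgp_decrypt_verify "$MSG_FILE")          # equals $MSG
PLAIN_HIDDEN=$(pgp_decrypt_verify "$HIDDEN_FILE")

echo "fingerprint:          $FPR"
echo "revocation cert:      $REVOKE_CERT"
echo "public key exported:  $PUB_FILE"
echo "key ID in ciphertext: $LEAKED_KEYID (encryption subkey $SUB_KEYID)"
echo "key ID when hidden:   $HIDDEN_KEYID"
echo "decrypted + verified: $PLAIN"
gpgconf --kill gpg-agent   # stop the agent that served the throwaway keyring
```

Run it as a plain sh script. The `--hidden-recipient` variant shows the one knob OpenPGP gives you against the key ID leak: the recipient field becomes all zeros, at the cost of the receiver having to try every secret key they own. Delete the temporary directory when you are done, and treat the real revocation certificate the way the text says: offline, and out of reach of anyone who might use it against you.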

Mailvelope Plugin

If you don't want to install an email client but still want to protect your correspondence, try the Mailvelope browser extension. It's open source, available for Chrome, Firefox and Edge, and doesn't require extra apps. If you have Gpg4win installed, you can choose between two back ends: GnuPG and OpenPGP.js (an OpenPGP implementation in JavaScript). Bear in mind the earlier point about code that runs in the browser: an extension you installed once is a better home for the crypto than a script the webmail server sends you on every visit, but it still lives in the same browser as the webmail page.

To use Mailvelope, generate a key pair and upload your public key to a key server (there’s a checkbox for this in the settings). You can also import/export key pairs, encrypt attachments and files, and add digital signatures. When you write an email in your webmail interface, a new button will appear to launch Mailvelope. Click it, write your message, and click “Encrypt.” The encrypted message will be inserted into your email. If the extension is active, messages are decrypted and signatures verified automatically—just enter your password.

Email Encryption on Android

If you have an Android smartphone, check out OpenKeychain for managing keys and encrypting on your phone. For an email client, use K-9 Mail, a popular open-source app that integrates with OpenKeychain (it has since been adopted by Mozilla and rebranded as Thunderbird for Android). Key pair generation works the same as on the desktop.

Conclusion

Now you know how to transmit confidential information over an untrusted network, the internet, where your email sits in cleartext on servers you don't control and can be read by their administrators or by whoever compels them. With asymmetric cryptography you can safely send, for example, the decryption keys for encrypted containers you've uploaded somewhere, or any other private data, and the recipient can check that it really came from you.
