I’m proud to report that I am now able to send encrypted emails. Woo!
It was not quite as simple as I thought it would be.
I went back to the step-by-step guide at Email Self-Defense. I can follow a tutorial, I thought. How hard can it be?
As I wrote about before, I had already set up Thunderbird and cleaned up my Gmail account so that I could reasonably use it. I have even started to open my email in Thunderbird instead of in a browser window. Progress!
So now I’m ready to install the plugin and create some keys and get rolling.
But first: I realized that my Gmail account was pretty insecure to start with. I have recently changed my password (I think mainly due to not being able to remember it on a new device), and so now I decided to set up two-step authentication as well.
Two-step authentication means that you will basically need to enter two passwords when accessing your account from a new machine. The first is the regular password you set up on your account. The second is generally a code sent by text message to your phone. I had never set up this feature because I live in an area where cell service is not a given in all locations. For example, I don’t have cell service in my office. I do, however, now have reliable cell service in my house.
But when I go back to work in the new year, I will have to go through the two-step authentication to access my Gmail there. Luckily, Google gives you the option to save a few static codes, each of which can be used once to access your account. I saved those to a flash drive that I can bring with me.
While I was at it, I did this with my Facebook account as well.
Phew. Much more secure.
But, oh no, now Thunderbird can’t access my Gmail account. Now I have to create an app password for Thunderbird that acts in place of the two-step authentication. Okay, I got that, no big deal.
Here’s where I made my first misstep: When you create the app password, Google tells you that you will not need to keep this password anywhere, you only need it the one time, never fear. So after I entered the password, I closed the window and forgot about it.
Except, when Thunderbird asked me if I wanted to remember the password with a password manager, I said no.
I’ve tried to make it clear from the beginning of this journey that I really know almost nothing about security and encryption and all that, and that I am documenting my experience so that others who know almost nothing can get encrypted as well. Here’s where that lack of knowledge shows itself.
There is such a thing as a password manager. A password manager is a separate software program that keeps track of your passwords. You create a strong password for the app, and then you have access to all your passwords for all the various websites and accounts you need to log into on a regular basis. Instead of having to remember 13 different strong passwords (or, much worse, using one password for all of your accounts), you only have to remember the one to get you into the password manager. Most of these apps also have the ability to generate random strong passwords for you to secure each of your individual accounts.
So when Thunderbird asked me about saving the password in a password manager, this is what I thought it meant. I don’t currently use a password manager, so I said no.
Whoops. Really, Thunderbird wanted to know if Thunderbird should remember the password. I should have said yes. If you’re following along at home, say YES to remembering the password in Thunderbird.
Now that I had my two-step authentication all cleared up (I thought), I started following the steps to set up Enigmail in Thunderbird. The steps in the Email Self-Defense tutorial are pretty straightforward and easy to follow.
Except I had to keep generating new app passwords for Thunderbird, which was really annoying.
And then I got to the end of the tutorial and tried to send an encrypted test email to the bot, and it failed.
It took me about two hours at night, after the children were in bed, to get this far. At this point, I threw my hands in the air and gave up.
“Don’t give up!” James said.
Fine, I won’t give up, but I’m not looking at this any more tonight.
Well, it was more like a week before I got back to it. My brother was in town for the holidays, and I asked him to help me troubleshoot. We found that I had chosen to send to “only trusted keys” instead of “all available.” We changed that, and everything magically worked.
Okay, fine, it’s not magic. But it worked! Billy and I sent a couple of test emails back and forth. He showed me the gibberish of the unencrypted message on his phone. Cool.
But, here’s the rub: You can only send encrypted messages to someone who is also enabled to send and receive encrypted messages. Well, I guess you could send them to everyone, but only people who have set up encryption will be able to read them.
Which means, at this point, that I can talk to my brother and a bot named Edward.
There is an option in Thunderbird, when you send an email, to attach your public key. Billy said this is how people will know that you can send and receive encrypted emails. Possibly this is also a way to raise awareness about encryption as an option.
But, hooray! Encrypted!