I just installed OpenPGP. I have a few questions that I hope someone can answer. If I send an encrypted email using OpenPGP, will the e-mail still be encrypted while it is travelling through the Internet, especially if the recipient does not have OpenPGP installed? When I created the passphrase/key via OpenPGP, the key containing the passphrase for the e-mail address is uploaded to a user-defined public server. Aside from other OpenPGP users, does anyone else have access to the key?
GnuPG is a complete and free implementation of the OpenPGP standard as defined. And an Outlook plugin to send and receive standard PGP/MIME mails. Now, of course, your recipients have to go through the same procedure, or use other compatible PGP software. Symantec still makes PGP, although it works on the Mac only with Microsoft Outlook.
And if so, can it be misused in any way?
Re: #2 - EVERYONE has access to the key. That's the point. PGP is based on a public/private key pair system. It only works when people have your public key - with it they can a) encrypt a message so that only you (with your private key) can decrypt it, and b) verify that a message 'signed' by you (with your private key) is really from you. (Assuming they have reason to trust your public key is actually yours.) So this answers #1 - an encrypted message sent via Mail will remain encrypted endpoint to endpoint, and can only be decrypted by someone with the proper private key.
The practical upshot of this is that both parties need to have some form of PGP installed (assuming the various flavors are interoperable) and they need to have exchanged public keys at some point for the system to really work. To some extent, I'm kind of surprised that, especially with the recent emphasis on security and surveillance, some form of this isn't being built into major email clients directly, at least as an opt-in approach. That is, imagine this being built directly into OS X/iOS Mail applications. You could generate a public/private keypair, likely through a process tied to your Apple ID, which would then allow anyone to look up your public key (signed by Apple) by your registered email address(es) and ensure end-to-end encryption automatically. Hopefully, you would also be able to upload public keys to contacts without Apple IDs, and then whenever you compose a Mail message, encryption would automatically kick in if the contact(s) on the email have associated public keys, with the message automatically signed with your private key.
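The exchange described in the reply above, as an added example that is not part of the original thread: Alice signs and encrypts to Bob, while Eve holds only the two public keys, as anyone reading a key server would. It assumes GnuPG 2.1 or later is on the PATH as `gpg`; the names, example.org addresses and passphrase-less throwaway keys are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not from the thread. Names, addresses and keys are constructed.
# g HOMEDIR ARGS... : run gpg non-interactively against one party's keyring.
g() { h=$1; shift; gpg --homedir "$h" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' --trust-model always "$@"; }

pgp_demo() {
    w=$(mktemp -d) || return 1
    for who in alice bob eve; do mkdir -m 700 "$w/$who"; done

    # Alice and Bob each generate a throwaway keypair (empty passphrase: demo only).
    g "$w/alice" --quick-generate-key 'Alice <alice@example.org>' default default never
    g "$w/bob"   --quick-generate-key 'Bob <bob@example.org>' default default never

    # Only the public halves leave each keyring; this is what a key server stores.
    g "$w/alice" --armor --export alice@example.org > "$w/alice.pub"
    g "$w/bob"   --armor --export bob@example.org   > "$w/bob.pub"
    g "$w/alice" --import "$w/bob.pub"
    g "$w/bob"   --import "$w/alice.pub"
    g "$w/eve"   --import "$w/alice.pub" "$w/bob.pub"

    # Alice signs with her private key and encrypts to Bob's public key.
    printf 'meet at noon\n' |
        g "$w/alice" --armor --local-user alice@example.org \
          --recipient bob@example.org --sign --encrypt > "$w/msg.asc"

    # Bob's private key decrypts; Alice's public key verifies the signature.
    BOB_PLAIN=$(g "$w/bob" --status-fd 3 --decrypt "$w/msg.asc" \
                  3>"$w/bob.status" 2>/dev/null)
    grep -q '^\[GNUPG:\] GOODSIG' "$w/bob.status" && BOB_SIG=good || BOB_SIG=bad

    # Eve has both public keys and the ciphertext, but no private key.
    if g "$w/eve" --decrypt "$w/msg.asc" >/dev/null 2>&1
    then EVE_READ=yes; else EVE_READ=no; fi

    # What travels between the two is armored ciphertext, not the plaintext.
    grep -q 'meet at noon' "$w/msg.asc" && WIRE=plaintext || WIRE=ciphertext

    # Stop the per-keyring agents and discard the throwaway keys.
    for who in alice bob eve; do
        gpgconf --homedir "$w/$who" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$w"
}

pgp_demo
echo "bob reads: $BOB_PLAIN (signature $BOB_SIG); eve reads: $EVE_READ; wire: $WIRE"
```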
I just don't see why it isn't a stock part of the 'standard' mail apps like OS X/iOS Mail, Outlook, etc. With the current scrutiny of privacy and security, you'd think big companies like Apple, Microsoft, and Google would at least announce the features would be forthcoming in an effort to placate users. Apple, for example, could fairly easily incorporate something like this into their Mail clients, possibly even as part of the whole iCloud sign-up process, making it easy to set up a keypair and uploading to/reading from the public key servers. That type of easy access from the mainline computer and smartphone operating systems would lead to the critical mass of adopters needed to make encryption and digitally signing so commonplace that it becomes the default way of exchanging data.
Something I've frankly been advocating for roughly 20 years, but I've honestly stopped using PGP/GPG in the last decade or so because my contacts, as a whole, don't use it, so it's just extra overhead for no benefit. (And so we get back to the 'critical mass' point.)
Maybe, maybe not. It's possible that many serious criminal types don't use e-mail, regardless of encryption. They might be using something like a secure connection-based method like a chat room, rather than a connectionless method like e-mail. There's always the chance of the time-honored dead drop.
E-mail is much less reliable than many other online communication methods, and you really don't know how the message is going to get routed. E-mail also has a pretty high profile as an online communications method, so the various servers on this planet are probably heavily monitored by all sorts of folks. Because of its evolution, e-mail is inherently insecure. Sure, things like OpenPGP, S/MIME are attempts to minimize that insecurity, but as a connectionless communication method, you really don't know if the message made it until you get a response, and you don't really know if the intended recipient is really the person with their eyes to the screen.
Supporting something and making it the default are two very different things. Technically, Apple Mail 'supports' PGP/GPG because it will send the encrypted messages you can generate from external programs. If Apple, again as an example, wants to follow up on its recent privacy and security pushes, they could add creating (or linking to existing) keypairs, certificates, whatever technology they wanted to use as part of the device setup process, just like putting a passcode lock on an iOS device - a step that is recommended and the default, but can be bypassed if you choose otherwise. (And, of course, with iCloud, once you've set that up on one device, all of the devices linked to the same iCloud account would be likewise set up.) That is, making it opt-out instead of opt-in would likely increase the user base of secure communications, which in turn increases the usability of the security mechanism.
For this I'm limiting any solution to ones that don't require the person receiving the email to have something special set up (like having generated their own digital cert). ZixCorp makes a product, but it only works for Windows. LeapFile also has a web-based portal that would work, but it'd be better if it could integrate right in with Outlook, or at least have a client for Mac.
Symantec PGP looked like it could be nice from their website, but if it doesn't work with Exchange then that wouldn't be an option.