Licking The Envelope (An easy guide on how to use PGP ENCRYPTED E-MAIL)

–A collaborative tutorial by freedom feens Link Porterfield, Adam Witthauer and Michael W. Dean. Tech checked and improved by Randall Perry and Randy Jasky. This is PART ONE in an ongoing series on the Freedom Feens Blog on easy computer security for honest people who just don’t like gubmint idiots hired off an ad on a pizza box reading their love letters and chats about the weather.

Many people would rather spend hours a day complaining on the Internet about how the government is constantly deleting our rights (like PRIVACY) than spend an hour or two learning to actually PROTECT their privacy. Learn to keep your e-mail PRIVATE while doing so is still legal:

The so-called “Patriot Act” has shredded the US Bill of Rights. The US Government is building a giant data center in Utah to spy on every electronic communication every American makes all day, every day. (We call it, and the ideology behind it, “The Central Scrutinizer.”) Cops are demanding e-mails and text messages be kept longer and longer, “just in case.” Police in Michigan and California are even doing traffic stops and copying the contents of people’s handheld internet devices and phones WITHOUT A WARRANT. If state and federal mucking around with your Internets isn’t enough, The United Nations is trying to take over the Internet, right NOW, and doesn’t want you to know they’re doing it.

All of this has caused some who don’t normally question the Central Scrutinizer’s legitimacy to reflect on the privacy and security of their own emails. Most freedom feens like us are already likely to question why it takes little more than a subpoena, or sometimes just a friendly (or not so friendly) phone call to an email service provider, for law enforcement (at any level) to obtain all of your email. After all, it is potentially the digital equivalent of making off with all the letters and parcels you’ve received in your lifetime, and such action would at least require an all too readily issued warrant from a judge for any paper mail seized from your house to be admissible in court proceedings.

The good news is you can do something easy RIGHT NOW to make sure that the Central Scrutinizer winds up with nothing but gibberish when it snacks on your email.

You don’t have to be a “criminal” (i.e. “actual violent bad guy”) to need to hide your tracks. It’s getting to the point where completely moral, normal things seem suspect to the Central Scrutinizer. LEARN TO USE PGP, AND USE IT! DO IT NOW!

Today we’re going to teach you how to “lick the envelope” on your email. You may not think of it as such, but your email is like a postcard. OpenPGP encrypted email seals your message in an “envelope” to keep the contents shielded from prying eyes. OpenPGP is not some lightweight airmail envelope. It is one of those Tyvek envelopes that resists being opened even at knife point, if you cased a Tyvek envelope in diamond-hard steel.

While sending a “digital postcard” may initially seem just as innocuous as sending a regular postcard, there are some special considerations in the digital world. After all, your postman could likely care less about the mundane stuff you would be willing to put on a postcard. But in the digital world, you don’t have to worry about just a few “probably too busy and don’t care” postmen handling your postcard. Your “digital postcard” contains data that can be effortlessly collected and stored indefinitely, and easily mined by search algorithms for certain key words. This is not paranoia, this is something Gmail and Facebook already do with targeted marketing. They already mine data from your emails and profile to determine what ads you would be most interested in. Ever send an e-mail by Gmail and talk to your friend about fishing, then get ads for fishing gear on the next site you view from a Google search? That’s how they do it. Ever send a private message to a friend on Facebook about some band, then get ads on Facebook trying to sell you tickets to that band’s next tour? That’s how they do it. Facebook isn’t even a mere postcard, it’s more like standing in the town square with a bullhorn talking to a friend across a crowd of people.

“But isn’t email encryption just for hackers and conspiracy freaks?” “What if I have nothing to hide?” There’s a military term that has come into the mainstream since the beginning of the global war on terror: PATTERN OF LIFE ANALYSIS. The easiest way to describe pattern of life analysis would be to ask and answer the questions “What is normal day-to-day behavior for this person or group of people? Are they behaving normally today?” If email encryption is left just to hackers and conspiracy freaks, then email encryption practically becomes a crime in itself, if not probable cause for suspicion. If you wait until you “have something to hide” to begin using email encryption, you have just established that your pattern of life does not include email encryption, and therefore beginning the use of email encryption would establish a change in pattern of life…which warrants a closer look.

Occasionally someone will also make the claim that “It doesn’t matter, the government has supercomputers that can crack any encryption.” Most computer scientists, mathematicians, and cryptographers will claim that OpenPGP is, for all practical purposes, unfeasibly computationally difficult to crack; they will also generally tell you by how many orders of magnitude. But let’s humor the worrier here: What if the government does have a cluster of supercomputers that could crack a OpenPGP message, with current levels of encryption, in say 1 hour? If there are only a handful of encrypted messages out there, their super-cluster could (and probably would for aforementioned purposes) catalog all OpenPGP messages they could find. But if a lot of people are using OpenPGP to talk about things like their cats and the weather, the problem becomes much more computationally unfeasible…a needle on a clean tiled floor has now become a needle in a warehouse of haystacks. That is why it’s important to make OpenPGP a “normal thing.” The good news is that once you have set up OpenPGP, using it for encryption is as simple as sending a message. While OpenPGP is a powerful tool that runs on a variety of computing platforms and email clients, we will be using Thunderbird with Enigmail on Windows for this lesson, though it will work equally well on Linux or Mac. (Note, on Linux, you can usually skip the step about adding GPG4Win, because most Linux installations come with PGP installed by default.)

Don’t wait “until things get bad” to get up and running with this. That’s like saying “I’ll get a gun when the poop hits the fan.” When the poop hits the fan, you won’t be ABLE to get a gun, let alone learn to use it. And with electronic surveillance, things already ARE bad, and getting worse every day. Get used to using this stuff now, and use it even if you’re just talking about fishing (which is actually becoming more and more regulated every day anyway, and once something is heavily regulated, the activity itself approaches being illegal, Mr. “I have nothing to hide.”) The more people using encryption, for everything, the less attention individuals using it will attract. And learn to use it combined with a good VPN (we recommend Boleh VPN), for added security and untraceability.

“But what about Hushmail?” Hushmail is web-based encrypted e-mail. It’s easier to set up than PGP, but it has security flaws. Hushmail is kindergarten encryption. And moreover, the owners will comply with law enforcement requests to turn stuff over. Why have your encryption handled badly by someone else when you can do it yourself and have total control of it? It’s my opinion that the same can be said of some “grandma-ware” encryption being sold as Apps for the iPhone. Partly because that encryption program isn’t open source, which means that pro-freedom white-hat hackers can’t look inside of it for backdoors. (PGP is open source and has been fully vetted and proven as backdoor-free for over two decades.) Also because an iPhone, by design, is NOT a secure computing environment. It’s a closed system, no one can see how it works, you can’t use non-Apple approved software on it, (without jailbreaking it, and once you do that, you’ve broken the law AND it’s not really an iPhone anymore) and Apple is MORE than happy to hand over all sorts of stuff about you to any law enforcement person who asks. Richard Stallman, co-inventor of GNU/Linux, said “Steve Jobs made jail cool.” He meant that Apple is a closed “jail” that tries to lock you into their services only. But that could also be re-envisioned by some as meaning “Apple doesn’t care if using their products puts you in jail.”

VERY IMPORTANT TIP!!!!!!: Using BAD encryption is WORSE than using NO encryption, because it only gives you an illusion of security. The way the world is headed, that’s like going into a war zone with a “magic” protection amulet instead of bullet-resistant body armor. Screw web-based encryption. Do it all on your end. No one should have your private keys and passwords but you.

So let’s do it, and do it RIGHT:


You will need to download and install Mozilla Thunderbird to get started.

Run the Thunderbird installer file, run through and if you don’t know the answer to the question, the default will be fine. The real “meat and potatoes” is when you open Thunderbird for the first time.

Default settings are OK here too. One nice feature Windows users will appreciate is now you will have a default email client; in other words no more harassment from MS Outlook when you accidentally click an email link!

Assuming you already have an email account that you want to use with Thunderbird, just click “Skip this…”

I’m going to include one with my actual Gmail address, since the wizard does some nice things when it identifies your email domain:

Enter the address for your existing email account, as well as its password. Thunderbird will use this to log into your email. You may want to un-check the “Remember password” block, unless you feel comfortable saving your password on your computer. Then just click Continue.

Thunderbird is fairly smart in knowing what mail settings you need for Gmail, Hotmail, and other common web mail providers. Unless you know what you’re doing, or unless you’re using an email provider that Thunderbird doesn’t automatically provide settings for, you’re best off just hitting “Done.”

At this point your email account is all set up, and you can read or write emails from Thunderbird! Your email account is on the tree on the far left pane. After you first set it up it will take a while to sync up everything and download your email, so grab a beer or other suitable beverage.

Note: If you want to have two different e-mail addresses, one for normal mail and one for encrypted only (like Michael Dean does), or if for some other reason you do NOT want Thunderbird to be your default e-mail program and can’t change it from within Thunderbird (sometimes it grays out the option to uncheck that), the Windows tutorial on how to set the default e-mail program is HERE.

One last thing you’ll want to do is set Thunderbird up so you can see the menu bar. With version 17.0 the menu is hidden by default, but it’s much easier to get around in Enigmail with the menu bar. To turn on the menu bar, just right-click in the menu area and select “menu bar,” or to get the menu bar to display one time only hit the “Alt” key next to the spacebar.

Next download and install GPG4Win. There are several downloads available. While any of the four should work, I suggest the current (not beta) light version. The light version contains everything we need. It does lack the instruction manual, but that is available for both online reading and as a standalone download on the Documentation section of the GPG4Win site. Don’t panic when you reach the screen marked Define trustable root certificates. Just check the box and click next. (See following screenshot.)

Open the Add-ons Manger in Thunderbird (Tools/Add-ons) and search for Enigmail. Install it.

From here just type in “enigmail”. That’s what you want. It’s the first result that comes up. Now click “Install.”

Click the handy “Restart now” link to start Thunderbird with the Enigmail add-on.


Start by opening Thunderbird and opening OpenPGP/Setup Wizard leave the first choice set to Yes and click Next.

You can leave the next setting at Yes, since signing your emails won’t pose problems for any recipients.

Up next you will set whether to encrypt all of your emails by default. Since you are likely just getting started with OpenPGP, most of your email recipients are unlikely to have public keys yet. Leave that selection at the default of No. (Be sure to send this blog post to as many people as possible. Not only is more people using PGP more useful to YOU, it’s more useful to all good people of the WORLD.)

“Yes” here will make things easier if you let the Setup Wizard change some of Thunderbird’s default settings. If you want to know what settings are being changed, click Details.

Once you have everyone you regularly email using PGP, you can adjust your Message Composition Defaults to Encrypt messages by default:  Edit/Account Settings/OpenPGP Security

then click “Encrypt messages by default, and hit “OK.” (No screenshot needed.)

There is an unlikely chance that the Next button may now trigger a message that the Wizard cannot find the GnuPG executable. Skip to the next step if you did not encounter the warning pictured in the screenshot below. Otherwise browse for the GPG program on your computer at C:\Program Files\GNU\GnuPG\pub\gpg.exe

Now generate a key pair.

Pick a good password during this step. It shouldn’t be easy for someone to guess, or a machine to crack, but it is important that you don’t forget it either. There is a wealth of information online covering passphrase selection and we haven’t time to cover it all here, so I recommend this quick read on picking good passphrases.

Unlike with most other memory-intensive computing operations, while your key “cooks”, it will go FASTER not SLOWER if you do something else, like surf the web. Computers are an interesting mix of science and voodoo…..

It’s a good idea to generate and save a revocation certificate now, too. You will use that let the world know your key should not be used in the event it is lost, stolen, has had the password compromised, etc.

With the Setup Wizard finished you now need to add at least one public key to your key ring. There are a few different ways to do this. All will start in the OpenPGP/Key Management window where you just made your new key pair. I suggest one of the first three methods to keep things simple for now.

There are several ways to manage your keys from various screens, but all key management functions are available from the key manager. This is found under the OpenPGP menu.

With the key management menu open, make sure to click “Display all keys by default” so all of your keys show up automatically.

If you already have a saved public key file choose File/Import Keys From File.

You can copy a public key in plain text format then use Edit/Import Keys From Clipboard. (Include the


and the version info at the beginning, then the key block (random numbers), all the way through the

at the end.)


If you were sent an email with an attached public key, right click the message and pick OpenPGP/Sender’s Key/Import Public Key

You can also search for keys online with Keyserver/Search For Keys (use a Key ID in hexadecimal, for example: 0xABCDEF12)

Assign trust to the key you just imported. You will want to do this because deliberate (or inadvertent) impersonation is trivial to accomplish, and Enigmail won’t let you encrypt to an untrusted key. This can be done quickly by enabling OpenPGP/Preferences/Sending/Always Trust People’s Keys, but it will leave you able to readily encrypt email to a forged key. (You will need to Display Expert Settings to see that option.) A more deliberate use of key trust mechanisms will better protect you from impostors. I recommend confirming the key fingerprint with the key’s owner via another channel like the telephone, or an alternate email account, a text message, or encrypted Instant Message. Then you can sign the key which will make it trusted. (OpenPGP/Key Management: right-click the key & select Sign Key) When you sign the key you are essentially vouching for its authenticity. You will be presented with the choice of creating a local or an exportable signature. This setting just defines whether anyone else may rely on your signature to assign key trust on their keyring. (Suppose Michael Dean and I have already exchanged and verified keys, and I want to send Neema some OpenPGP email. When I import Neema’s key, I can view signatures and see that it has been signed by Michael’s key, and know that the key is authentic. Personally viewing Michael’s signature on Neema’s key isn’t required for the key to be trusted. OpenPGP will already be aware of it.)


You can manually encrypt individual messages by selecting OpenPGP/Encrypt Message (or clicking the picture of a key in the bottom corner of the message). The OpenPGP/Sign Message option (or the picture of the pen in the bottom corner of the message) will sign your message, so the recipient knows it is authentic. You can attach your public key public key so the recipient can easily encrypt his reply or verify your signature. (OpenPGP/Attach My Public Key) Alternatively you can generate per-recipient rules (OpenPGP/Edit Per-Recipient Rules) to always sign, encrypt, or both. You will need to Display Expert Settings in the OpenPGP Preferences to get the Edit Per-Recipient Rules to appear on the OpenPGP menu.

NOTE: PGP encrypts the body of the e-mail, and any attachments, but it does NOT encrypt the subject line. So we recommend you use vague subject lines. We like “Yo”, “What up?” and “Hey man.” lol.


If you copy and paste your key into an HTML or text document, then upload to the web, it may malform, and scroll, looking like this:

That will probably not work. What you want it to do is look like a block, like this:

You can do that in any HTML editor by adding the HTML tag <pre> before the block and </pre> after the block. Those tags should not show up in the browser. You can even do that without a HTML editor, in Notepad. When you save, just use the drop-down menu in Notepad to change the file type from “Text” to “All files”, and change the extension from “.txt” to “.htm” (without the quote marks.) Then upload to your web server and give people the link.

You can also just post it into a WordPress page, as I did at the very end of this post to show what they look like in WordPress. That should format fine, unless you use a template with wide margins, then the key block may scroll. As long it doesn’t add extra line breaks, it will be a useable key.

NOTE: Do not keep your passphrase unencrypted on any computer. Memorize it.

Please also see our related article, How to Do Encrypted, Off-The-Record Instant Messenger With Pidgin.

Further reading:

GPG4Win instruction manual

GNU Privacy Guard How To at Ubuntu

PGP article at Wikipedia

Gnu Privacy Guard article at Wikipedia

Pro-Liberty Information About PGP & Encryption


PGP Attack FAQ

Diceware random strong passphrase generation technique

GRC’s Interactive Brute Force Password “Search Space” Calculator

ADVANCED INTO ON CHANGING THE PASSPHRASE REQUIREMENTS: By default, Thunderbird will ask you to type in your passphrase for EVERY encrypted e-mail you read. You can change this. In Thunderbird, go to Tools/Add-ons/Enigmail/Options/ and change the option. 600 minutes didn’t work. But 120 minutes did seem to work for me (On Linux. It may not work on Windows, see below if it doesn’t). You still have to type your passphrase once in a while in less than 120 minutes, but you won’t have to type it EVERY time for every e-mail. Keep in mind though that the longer you have to go without typing it, the less secure your e-mail will be. But that is mostly only an issue if you walk away from your computer and other people have access to it and could just sit down and read what’s on the screen. Also keep in mind that if someone manages to put a keylogger on your computer, they can get your passphrase.

If you want to TOTALLY eliminate having to type your passphrase more than once per session (remembering that it makes you less secure if anyone has physical access to your computer), you can adjust the timeouts in GPG agent. You should be able to re-run the GPG4Win installer and select only the GPA component to add it to your system. You can then adjust your GPG Agent settings by running GPA from your Start menu. This mailing list message has some brief, but useful information on that setting.


Link Porterfield is a networking and systems consultant with QPG. His current PGP key can be found at that same link.

Adam Witthauer is a graduate student at Iowa State University. His current PGP key can be found at

Randall Perry started writing code in 1986 and started his first tech company in 1995. He’s held adjunct Professor positions at several colleges and universities.

Michael W. Dean is a tech writer and filmmaker and does the Freedom Feens Podcast with Neema Vedadi. If you don’t know Michael, his public key is none of yo’ damn business! (While the nature of public key cryptography is such that a public key can safely be made available to anyone, Michael just likes to be left alone.)


List of RADIO STATIONS that syndicate the Freedom Feens.

Read Lysander Spooner’s “No Treason.”

Freedom Feens Buttons are now ALWAYS on Sale – 10 for price of 5.

Freedom Feens NameCoin (we REALLY like NameCoin!):

Freedom Feens BitCoin:

Freedom Feens LiteCoin:

Or donate cash to the Feens:

Bookmark the permalink. Follow any comments here with the RSS feed for this post.
Post a comment or leave a trackback: Trackback URL.

27 Responses to Licking The Envelope (An easy guide on how to use PGP ENCRYPTED E-MAIL)

  1. Rico

    Nice tutorial! Question: Any email provider you would recommend? I know you said Google and Hushman where bad options, but which company would be good? Paid or free I don’t care it’s important stuff.

    • admin

      I’d say any good Host, I used webhost. It doesn’t matter as long as your PGP is solid.

      Use the HostGator link on the Feens site. They have free e-mail with web hosting, like 160 bucks a year.

      • Rico

        Thanks man! Worms

  2. JHaynes

    I just read this from a Snowden interview and it seemed relevant to the topic here.

    Question: Is encrypting my email any good at defeating the NSA survelielance(sik)? Id my data protected by standard encryption?


    Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

    Damned if you do, damned if you don’t.

  3. JHaynes

    An after thought and follow up on the glitch between PGP and e-mail clients.I spoke with a contact of mine about PGP. He suggested, since there is known problem in PGP where the body of the e-mail(s) can become unencrypted due to a glitch between PGP and the e-mail server, that a .text file be used to contain the message and that that .text file be attached and encrypted. He has always sent messages this way and has never encountered the problem of the glitch. Good idea.

  4. jed

    Yeah, bad place to put this, but a web search for “Thunderbird Enigmail content type wrong” or similar yields a big google-pile of links for pages with those terms, but no useful data. Anyways, a friend of mine using Thunderbird/Enigmail sent me encrypted mail, with a wrong (AFAIK) content-type header.
    Content-Type: text/plain; charset=ISO-8859-1
    instead of
    Content-Type: multipart/encrypted; protocol=”application/pgp-encrypted”;

    Can’t find anything useful using Mozilla’s bugzilla either. Anyways, my MUA (Sylpheed) just shows me the ASCII-Armored block, and doesn’t know to invoke GPG. I’ve not had this problem with encrypted mail from other sources.

    If this trips anyone’s memory trigger, a tip would be appreciated.

  5. JHaynes

    As a heads up.

    I’ve followed this guide and another. I had many emails go out encrypted, but some, though I chose total encryption, came out on the other end as NOT being encrypted within the body of the email. Attachments were encrypted. The text of the emails were not encrypted.

    I used my gmail for the set up in Thunderbird. When I later went in to see why my emails were not encrypted I found this in the release notes for OpenPGP

    “* Encrypted E-Mails occuring un-encrypted on the email server: It
    can happen that parts of encrypted emails are copied to your email
    server (IMAP or MAPI) in un-encrypted/decrypted form when creating
    or viewing them. Affected is the content of the email view
    window, thus usually the so-called email body. Attachments are
    not affected. Switching off the Outlook preview will lower the
    probability of this to happen, but not eliminate the issue.
    A solution is being worked on.”

    I am working on a solution to this for myself by searching for a more secure and different email client part from Gmail.

    I have revoked the previous public/private key that I used.

    • MWD

      Good to know.

      Let us know what you find.

      What about using a non-Gmail address? I don’t like using gMail for secure mail anyway, since it means Google has your data, and they will turn it over when asked. Even if it’s encrypted, I don’t like that about them.


      • JHaynes

        I used a different email client this time around. I’ve tested this set up and so far the emails are staying encrypted. Waiting for responses to my test emails (from outside sources) to kindly confirm the same.

  6. simbin

    This is a really good guide that helped me a lot! I always wanted to setup PGP and now I have, thanks to the Feens. When you have the time, will you please make a guide on how to setup PGP with Pidgin? Thanks and keep on fighting the good fight, worms!

    • MWD


      The Pidgin guide is on my list of things to do.


  7. Jeff

    I got as far as searching for Enigmail, but it is not available for Thunderbird 10.0.11 :-(

  8. Mark

    As a non-computer savvy guy, thank you for this tutorial. I was never particularly interested in technology, and stopped trying to keep up years ago. (I still remember a bit of DOS stuff.. Right before I killed the last dinosaur..)

    With my liberty awakening, I find I have to get more into computers again, beyond the ’email dirty jokes to my friends’ level. Wow, imagine my surprise to find more to the internet than 14 year olds putting obnoxious posts on YouTube from mommy’s basement!

    Thank you, Michael and company, for dragging this techno-caveman along with the rest of the human race.

    • MWD

      Awesome. Lemme know when you get this working, and if you have any issues with it.


  9. JHaynes

    Disregard my last query here. I believe I am good to go now. I just needed to re-read the last part of the how-to several times. I guess I’m not as deft as I thought I was. o_0

    My public key to be added and verified by others within the Freedom Feens libpar. Feel free to contact me in regards to anarchy/liberty related anything and torrenting.

    Version: GnuPG v2.0.17 (MingW32)


  10. pierreghz

    Oops, my brain inverted -c and -e, -c is for symmetric encryption, -e is for encrypting a message with a private key, so it’s -c that uses CAST5 by default. My mistake, sorry.

  11. pierreghz

    Nice post, I wondered if you guys used PGP, now I know.

    Unlike with most other memory-intensive computing operations, while your key “cooks”, it will go FASTER not SLOWER if you do something else, like surf the web. Computers are an interesting mix of science and voodoo…..

    This is because of the required entropy and it should be noted that random I/O should be performed to ensure that the key is as random as possible (bashing your head on your keyboard won’t help that much, opening a big file will). Generating GPG keypairs isn’t that computationally intensive, AFAIK, it just requires quite a lot of entropy to ensure it’s random.

    Signing your email with
    KeyID: ********
    is always a good idea, too, it saves others time to do gpg --recv-keys [ID] rather than searching on a server (although modern Mail User Agents like mutt & Thunderbird are rather automatized and can find public keys rather easily).

    About the revocation certificate: it should be kept extremely safe (well, as safe as your private key), for instance, you could encrypt it using gpg itself with the -e command line option, it uses CAST5 by default so it’s rather strong.

    Printing encrypted material isn’t a really good idea but it’s still better than having a file sitting unencrypted in your laptop, just waiting to be stolen.

Leave a Reply

Your email address will not be published. Required fields are marked *