Secure Email and PGP Basics
Protecting email communication through encryption, verification, and informed practices.
Overview
Email remains a key communication tool for activists, organizers, and researchers — but it is not secure by default. Standard email protocols expose content, metadata, and sender identity to intermediaries and surveillance systems. Tools like PGP (Pretty Good Privacy) can help secure email by encrypting messages and verifying authenticity.
However, it's critical to understand that **no system is completely invulnerable**. While encryption makes interception difficult, metadata remains visible, provider logs can be subpoenaed, and PGP can be misused or misunderstood.
What is PGP?
- PGP (and GPG, its free implementation) is a tool for public-key encryption.
- Each user generates a public key (shared with others) and a private key (kept secret).
- Messages are encrypted using the recipient’s public key and can only be decrypted with their private key.
- Messages can also be signed to prove authenticity and integrity.
Secure Email Providers
- ProtonMail:
* Based in Switzerland, supports built-in end-to-end encryption
* Can also integrate with PGP for advanced users
- Tutanota:
* Based in Germany, uses its own open encryption standard
* Encrypted calendar and contact management included
- Mailbox.org / Posteo:
* Strong privacy policies, full-featured webmail, optional PGP
Tools to Use PGP
- Thunderbird + OpenPGP (native)
- GPG4Win (Windows) / GPG Suite (macOS)
- Mailvelope (browser extension for Gmail, Yahoo, etc.)
Use Cases in Activism
- Sharing sensitive documents or legal strategies
- Verifying that emails come from trusted sources
- Accepting encrypted submissions or whistleblower tips
- Coordinating between regions where surveillance is high
Disclaimers and Risks
- **PGP only encrypts message content, not subject lines or metadata**
- **Email providers may log login times, IP addresses, and device data**
- **Legal pressure can compel providers to hand over user data**
- **Private keys can be stolen if devices are compromised**
- **PGP has a steep learning curve — small mistakes can break security**
It is important to recognize that while encryption strengthens security, it does not guarantee privacy. Learn what each tool does and doesn't protect, and layer your digital hygiene accordingly.
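To see what the first risk above means in practice, the following added example (not part of the original page) parses a constructed PGP/MIME message with Python's standard email module and lists what a mail provider or relay can still read. The addresses, subject line, placeholder body, and the exposure_report function name are assumptions made for illustration.

```python
from email import message_from_string

# Constructed sample: a PGP/MIME (RFC 3156) message as a mail relay would see it.
# Addresses, subject and the armored body are placeholders, not real ciphertext.
SAMPLE = """\
Received: from laptop.example.org (203.0.113.7) by mx.example.net; Tue, 02 Jan 2024 10:15:00 +0000
From: organizer@example.org
To: lawyer@example.net
Subject: Draft legal strategy for Friday
Date: Tue, 02 Jan 2024 10:14:58 +0000
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

PLACEHOLDER
-----END PGP MESSAGE-----
--b1--
"""

# Headers that travel outside the encrypted part and stay readable in transit.
EXPOSED = ("Received", "From", "To", "Cc", "Subject", "Date", "Message-ID")

def exposure_report(raw):
    """Return what stays readable in transit and whether the body is PGP-encrypted."""
    msg = message_from_string(raw)
    cleartext = {h: msg.get_all(h) for h in EXPOSED if msg.get_all(h)}
    # PGP/MIME marks the whole body; inline PGP puts the armor in a text part.
    pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                and msg.get_param("protocol") == "application/pgp-encrypted")
    inline = any("-----BEGIN PGP MESSAGE-----" in (p.get_payload() or "")
                 for p in msg.walk() if not p.is_multipart())
    return {"cleartext_headers": cleartext, "body_encrypted": pgp_mime or inline}

if __name__ == "__main__":
    report = exposure_report(SAMPLE)
    print("body encrypted:", report["body_encrypted"])
    for name, values in report["cleartext_headers"].items():
        for value in values:
            print(f"visible  {name}: {value}")
```

Even with the body encrypted, the subject line, both addresses, the timestamp, and the sending IP address in the Received header are all reported as visible.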
Safer Practices
- Store your private key encrypted and offline where possible
- Use strong, unique passphrases and two-factor authentication
- Share public keys through trusted or verified channels
- Use disposable accounts or aliases when appropriate
- Don’t use email for real-time, high-risk communication; use secure messaging instead
Limitations
- Email content can still be copied, forwarded, or screenshotted
- Encrypted attachments may still reveal sensitive file metadata
- Key management (revocation, rotation) can be complicated
Resources and Further Reading
- https://emailselfdefense.fsf.org – PGP beginner’s guide by FSF
- https://proton.me – Secure email provider with encryption
- https://ssd.eff.org – EFF Surveillance Self-Defense: Email
- https://keys.openpgp.org – Search and verify public keys
Legal Disclaimer
This page is for educational use only. Encryption improves communication security, but cannot eliminate all risks. Use these tools responsibly, stay updated on threats, and pair digital security with strong community practices.