There are 2 common ways to encrypt your mail:
- OpenPGP: asymmetric, decentralized key management (Web of Trust), RFC 4880, open source tools
- S/MIME: asymmetric, hierarchic key management (CA), X.509 certificates, available in most commercial mail products
Since Snowden it is often said that the central key management of S/MIME (the CAs) could very well be undercut by the NSA or others: a CA that is compromised or coerced can issue a certificate in your name, and whoever holds that certificate can sign mail as you, or receive mail that senders encrypt for "you". And it cannot be ruled out that closed-source S/MIME products contain backdoors.
So, if you decide to go with PGP, you need an easy way of sharing and trusting the needed keys:
Facts about PGP:
- messages are encrypted with a random one-time symmetric session key
- the session key is encrypted to the recipient's public key (asymmetric encryption) and sent along with the message
- use a 2048 bit key (the 2013 source rates it safe until ~2019) or a 4096 bit key
- keys can carry an expiration date, which can also be set or changed after creation
- a (changeable) passphrase protects the private key file and thus every use of the key
- every participant gets a public key (share it) and a private key (never give it to anyone; keep it at home, in a safe place)
- revocation is possible by self-issuing a revocation certificate; generate it right after creating the key and store it offline, because making it requires the private key, which you may have lost by the time you need to revoke
- fingerprint: a 40 character hex number that identifies your key; it is the SHA-1 hash of the public key material itself (version, creation time, algorithm, the key numbers), not of your name or e-mail. The key ID is just the last 16 hex digits (long ID) or last 8 (short ID) of the fingerprint; short IDs are cheap to collide, so always compare the full fingerprint
- your public key should be certified, i.e. signed by other PGP participants who have checked your identity and the fingerprint (WoT, Web of Trust)
- after certification, publish your public key; republish it whenever it collects new signatures
share keys:
- on a keyserver (SKS based): http://pgp.mit.edu/; http://sks-keyservers.net (note: the sks-keyservers.net pool has since been shut down; keys.openpgp.org is the usual replacement today)
- in your e-mail footer (the fingerprint, or a link to the key)
- on your website
trust keys:
- a function of your PGP software: verify the fingerprint out of band (in person, by phone), then sign the key locally or publicly
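What the fingerprint above actually is, and how to check one before trusting a key, as an added worked example (not code from the original notes, and not GnuPG's own code). It builds a version 4 RSA public-key packet per RFC 4880 section 5.5.2, hashes it the way section 12.2 prescribes (SHA-1 over 0x99, a 2-byte length, then the packet body), and derives the long and short key IDs from the result. The modulus SAMPLE_N, exponent SAMPLE_E and timestamp SAMPLE_CREATED are constructed test values, not a real key pair; fingerprint_matches is a helper name chosen here, not a gpg command.

```python
import hashlib
import hmac
import struct

# Constructed sample key material: a 2048-bit number that is NOT a product of
# two primes, so this is not a usable RSA key, only input for the hash.
SAMPLE_N = (1 << 2047) | 0x1234567
SAMPLE_E = 65537
SAMPLE_CREATED = 1381104000  # constructed creation timestamp (seconds since epoch)


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880
    section 3.2): 2-byte big-endian bit count, then the minimal big-endian
    magnitude."""
    if value < 0:
        raise ValueError("MPI must be non-negative")
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack(">H", value.bit_length()) + body


def public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2):
    version 4, 4-byte creation time, algorithm id 1 (RSA), MPI n, MPI e.
    Note what is NOT in here: no name, no e-mail address, no comment.
    Those live in separate User ID packets and do not affect the fingerprint."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length, and the
    body itself. Returns the 40 hex characters gpg shows as the fingerprint."""
    if len(body) > 0xFFFF:
        raise ValueError("v4 fingerprint uses a 2-byte length field")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """Long key ID: the low-order 64 bits, i.e. the last 16 hex digits."""
    return fingerprint[-16:]


def short_key_id(fingerprint: str) -> str:
    """Short key ID: last 32 bits. Collisions are cheap to compute, so never
    use it to decide which key is the right one."""
    return fingerprint[-8:]


def pretty(fingerprint: str) -> str:
    """Group into ten 4-character blocks, roughly as gpg --fingerprint prints it."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, 40, 4))


def fingerprint_matches(expected_text: str, fingerprint: str) -> bool:
    """Compare a fingerprint received out of band (phone call, business card,
    web page) with the one computed from a downloaded key. Whitespace and
    case are normalised; anything that is not a full 40-hex-digit fingerprint
    is rejected instead of being partially matched; the comparison is
    constant-time."""
    normalised = "".join(expected_text.split()).upper()
    if len(normalised) != 40 or any(c not in "0123456789ABCDEF" for c in normalised):
        return False
    return hmac.compare_digest(normalised, fingerprint)


def demo() -> dict:
    """Compute fingerprint and IDs for the constructed sample key."""
    body = public_key_packet_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
    fp = v4_fingerprint(body)
    return {
        "fingerprint": fp,
        "pretty": pretty(fp),
        "key_id": key_id(fp),
        "short_key_id": short_key_id(fp),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13} {value}")
```

Because only the key material is hashed, renaming a user ID or adding an e-mail address never changes the fingerprint, while changing a single bit of the key or its creation time does; that is why the fingerprint, and not the name on the key, is what you read out over the phone.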
get keys of others:
- search: http://sks-keyservers.net, http://www.rubin.ch/pgp/searchkey.html
- send mail with subject "get name@server.com" to pgp-public-keys@keys.pgp.net
sources: c't 22/2013 (7 Oct 2013), lifehacker, and the web