In the summer of 2013, the U.S. woke up one morning to learn that NSA contractor Edward Snowden had handed some of the federal government’s biggest secrets to journalists, who put them on the front pages of newspapers worldwide. As we would later learn, the story got out at all because Snowden had been able to reach those journalists over encrypted channels, writing under the now-famous pseudonym “Citizenfour.”
For many people, these cloak-and-dagger stories are the only context in which encryption ever comes up. Taking the proper steps to secure your email can seem intimidating, but it really isn’t that hard. Here is some background on the free cryptographic tool PGP, and how to get the software up and running.
But first, some basics:
In 1991, programmer Phil Zimmermann released the encryption software PGP, or Pretty Good Privacy. Before the dot-com boom, the early-’90s online world was preoccupied with cryptography, presciently fearful of corporate and government intrusion in the emerging digital age. In a since-updated essay explaining why he wrote it, Zimmermann laid out the case for using PGP by invoking the Bill of Rights, invasive government legislation, COINTELPRO and a good deal more historical precedent. The Justice Department investigated Zimmermann for export-control violations before dropping its case in 1996.
Zimmermann’s cryptography work has made him a celebrated figure in the tech industry (he’s an Internet Hall of Fame inductee), and his expertise has kept him relevant; Silent Circle, the encrypted communications company he co-founded in 2012, has raised $80 million since it launched.
Back to PGP.
The encryption itself is public-key cryptography, and it works like this: every user has a pair of keys, a public key that anyone may have and a private key that only its owner holds. To send your friend Mary a secure message (provided you’ve installed the necessary tools, which we’ll get to in a minute), you fetch Mary’s public key and encrypt the message with it. Only the matching private key, which only Mary should have, can decrypt it. (Under the hood, PGP encrypts the message with a fresh random symmetric key and uses Mary’s public key only to lock that key, but the effect is the same: without her private key, nobody can read it.) The pair also works the other way round for signing: Mary signs a message with her private key, and anyone holding her public key can verify that it came from her and was not altered in transit.
But how do you verify that Mary’s key is really Mary’s? Couldn’t someone publish a key under her name, then tell you that Mary urgently needs you to wire $5,000 to Nigeria? This is where cryptography’s “web of trust” idea comes into play.
The “web of trust” works like this: if I have confirmed that a public key really belongs to Mary (by checking its fingerprint with her in person, say), I sign her key with my own, an endorsement that this key is Mary’s. Signatures travel with the key and can be uploaded, along with it, to a public key server (like the one at MIT). When you later download Mary’s key, the signatures on it tell you who has vouched for it; if one of those signers is someone whose key you have verified and whose judgment you trust, you can treat Mary’s key as genuine without ever having met her. The more independent, trusted people have signed a key, the more confident you can be that Mary is Mary. One caveat: the key server itself verifies nothing. Anyone can upload a key labeled “Mary,” so the assurance comes from the signatures, checked against keys you have verified yourself, never from the server.
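The round trip described above (encrypt with Mary’s public key, decrypt with her private key) and the web-of-trust mechanics, as one added example that is not from the original article and not part of GnuPG itself. It plays three parties: you, Mary (the recipient) and Alice, a friend whose key fingerprint you have checked in person and who also knows Mary. All names, e-mail addresses and the message are made up for the demo; it needs gpg 2.1 or later on the PATH and builds three throwaway keyrings under a temp directory, so your own ~/.gnupg is never touched.

```shell
#!/bin/sh
# Added example: PGP round trip plus web of trust with GnuPG (gpg >= 2.1).
# Three throwaway keyrings stand in for three people; identities and the
# message are constructed for the demo. The empty passphrase is for the
# demo only; a real key gets a real passphrase.
set -eu

WORK="$(mktemp -d)"
YOU="$WORK/you"; MARY="$WORK/mary"; ALICE="$WORK/alice"
mkdir -m 700 "$YOU" "$MARY" "$ALICE"
trap 'for d in "$YOU" "$MARY" "$ALICE"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

# gpg_as DIR ARGS...: run gpg unattended against one party's keyring.
gpg_as() {
    _dir="$1"; shift
    gpg --homedir "$_dir" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"
}

# gen_key DIR "Name <email>": primary certify/sign key plus encryption subkey.
gen_key() { gpg_as "$1" --quick-generate-key "$2" default default never 2>/dev/null; }

# fpr_of DIR USERID: primary-key fingerprint of USERID as stored in DIR.
fpr_of() { gpg_as "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'; }

# validity_of DIR USERID: the validity gpg computes for a key from the
# signatures on it and your ownertrust settings: "-" unknown, "m" marginal,
# "f" full, "u" ultimate (your own keys).
validity_of() { gpg_as "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "pub" { print $2; exit }'; }

# encrypt_to DIR RECIPIENT / decrypt_in DIR: stdin to stdout, ASCII-armored.
encrypt_to() { gpg_as "$1" --armor --encrypt --recipient "$2"; }
decrypt_in() { gpg_as "$1" --decrypt 2>/dev/null; }

gen_key "$YOU"   "You <you@example.com>"
gen_key "$MARY"  "Mary <mary@example.com>"
gen_key "$ALICE" "Alice <alice@example.com>"

# 1. Mary publishes her public key (an exported file here, a key server in real life).
gpg_as "$MARY" --armor --export mary@example.com > "$WORK/mary.asc"
gpg_as "$YOU" --import "$WORK/mary.asc" 2>/dev/null

# 2. You now hold a key labeled "Mary", but nothing ties it to her: validity unknown.
MARY_VALIDITY_BEFORE="$(validity_of "$YOU" mary@example.com)"
echo "Mary's key before any signatures: validity '$MARY_VALIDITY_BEFORE'"

# 3. In batch mode gpg refuses to encrypt to a key it cannot vouch for
#    (interactively it would ask "Use this key anyway?").
if printf 'x' | encrypt_to "$YOU" mary@example.com >/dev/null 2>&1; then
    echo "gpg encrypted to the unverified key anyway"
else
    echo "gpg refused to encrypt to Mary's unverified key"
fi

# 4. Alice knows Mary, checks her fingerprint and signs her key; the signature
#    travels with Mary's public key when Alice exports it.
gpg_as "$ALICE" --import "$WORK/mary.asc" 2>/dev/null
gpg_as "$ALICE" --quick-sign-key "$(fpr_of "$MARY" mary@example.com)" 2>/dev/null
gpg_as "$ALICE" --armor --export alice@example.com > "$WORK/alice.asc"
gpg_as "$ALICE" --armor --export mary@example.com  > "$WORK/mary-signed-by-alice.asc"

# 5. Your side of the web of trust: import both keys, certify Alice's key
#    (you verified her fingerprint in person; your own key is ultimately
#    trusted), then set ownertrust 5 = "full" so one signature from Alice
#    is enough. gpg's defaults: 1 fully trusted signer or 3 marginal ones.
gpg_as "$YOU" --import "$WORK/alice.asc" "$WORK/mary-signed-by-alice.asc" 2>/dev/null
ALICE_FPR="$(fpr_of "$YOU" alice@example.com)"
gpg_as "$YOU" --quick-sign-key "$ALICE_FPR" 2>/dev/null
printf '%s:5:\n' "$ALICE_FPR" | gpg_as "$YOU" --import-ownertrust 2>/dev/null
gpg_as "$YOU" --check-trustdb 2>/dev/null

MARY_VALIDITY_AFTER="$(validity_of "$YOU" mary@example.com)"
echo "Mary's key after Alice's signature and your trust in Alice: validity '$MARY_VALIDITY_AFTER'"

# 6. The round trip: lock with Mary's public key, open with her private key.
MESSAGE="Meet at the usual place at 9."   # constructed
CIPHERTEXT="$(printf '%s' "$MESSAGE" | encrypt_to "$YOU" mary@example.com)"
DECRYPTED="$(printf '%s' "$CIPHERTEXT" | decrypt_in "$MARY")"
echo "Mary reads: $DECRYPTED"
```

Two things worth noticing when you run it. First, you never signed Mary’s key yourself; her key became usable because Alice, whose key you did verify, vouched for it. Second, scripts that get stuck at step 3 are often “fixed” with `--trust-model always`, which simply switches this check off; in that configuration a bogus “Mary” key from a key server is accepted just as readily as the real one.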
First, a note on names. The commercial PGP product is now owned by Symantec, but the message and key formats PGP defined became an open standard, OpenPGP, and the free implementation most people use today is the GNU Privacy Guard (GPG or GnuPG). Keys and messages from either work with the other.
Second, there are many ways to download and use encryption, with varying degrees of complexity and usefulness. For example, GPG-based encryption in Mozilla’s Thunderbird mail client is the easiest to configure and probably your best bet. The EFF has a great Windows Thunderbird/GPG installation guide and one for Mac OS X as well.
If you don’t want to go the Thunderbird route …
Keybase.io is another straightforward service; it ties your key to identities you prove on other services (GitHub, Twitter, Reddit, etc.), but you’ll have to sign up for the waiting list to join the program’s alpha launch. There’s also a Google Chrome extension for folks who prefer to go that route.
Mac users: The best guide/tutorial I’ve found is this one, from a guy on the Internet named Jerzy Gangi. It’s pretty straightforward. Thanks Jerzy!
Windows users: This archived post on Reddit has simple instructions, and it doesn’t take that long to finish.
This article originally appeared on Recode.net.