Friday, June 12, 2015

Email encryption on Windows Phone 8.1

I found the app Open PGP für Windows Phone, which lets me encrypt and decrypt email on the device.

This post covers how to get started with only the app, assuming the reader has no pre-existing keys.

PGP (OpenPGP) is a widely used encryption standard. It can provide end-to-end encryption of messages: the message is encrypted on the sender's device and only the intended recipient can decrypt it, so the mail servers in between only ever see ciphertext.

PGP uses key pairs. Each key pair consists of a public key and a private key.
The public key can be shared with the world; it is what other people use to encrypt messages to you and to verify your signatures.
The private key is what proves that you signed something and what decrypts data encrypted to you, so it must never be shared with anyone. Anyone who holds your private key can impersonate you (sign as you) and can decrypt anything that was encrypted to your public key.

How PGP encryption works in a nutshell:
Scenario: Bob sends an email to John, but he wants it encrypted so that only John can read it.
  1. Bob retrieves John's public key (John could send it to him, or he could find it on a public key server).
  2. Bob imports John's public key into his PGP key ring. Before relying on it, he confirms the key's fingerprint with John over another channel, since anyone can publish a key carrying John's name and email address.
  3. Bob writes the email and uses a PGP tool to encrypt the message with John's public key.
    1. The encryption process turns the message into ciphertext that can only be decrypted with John's private key.
  4. The email is sent to John.
  5. John's PGP tool decrypts the message using John's private key.
    1. The decryption process turns the ciphertext back into the original message.

In the OpenPGP app, you first need your own key pair.
Go to the "Settings" page to create a key pair. Fill in the form and create the key.


*NOTES*
  1. This app only allows one key pair (one identity) to be installed.
  2. Keys are not tied to a name or email address: you can have several keys with the same name and address, so if you already have a key elsewhere, generating a new one here does not invalidate the old one. Your correspondents do, however, have to encrypt to the key that lives on the device you will read the mail on.
  3. Each key is unique, and the name and email address you enter become the identity attached to it, visible to everyone you share the public key with, so use values you are willing to make public.

Creating a key may take a couple of minutes depending on the processor speed of your device.
Once the key is created, it has an identity (the name and address you entered) and a fingerprint, a short hash of the public key that others can use to confirm they hold the right key. With the key pair in the app, you're ready to send encrypted messages.

Sending messages:
1. Create a contact for each recipient.
For a recipient to decrypt a message, the message has to be encrypted to the recipient's public key. This app cannot search for keys on a keyserver, so you will need the recipient to send you their public key as an .asc (ASCII-armored) file. Once you have the public key in your email or OneDrive, open the file and the OpenPGP app will import it as a contact, which then shows up on the Contacts page. As with any key that arrives by email, confirm its fingerprint with the recipient over another channel before you trust it; anyone who can email you can email you a key.

Once a contact exists it is possible to send an encrypted email.

2. Send a message

  1. On the encrypt page, add one or more contacts using the "+" button.
  2. Then add the text of the message.
  3. Then tap the "encrypt" button at the bottom.

The "Message Encrypted" page will appear with the encrypted data displayed.
Tap "Send" to share the data in .asc format.

Once you've chosen an email profile, a new email will appear with an attachment called "message.txt.asc". This is your encrypted data, ASCII-armored so that it survives transport as plain text.

You can send that email to any address you like, but the encrypted data can only be decrypted by the contacts you chose on the OpenPGP "encrypt" page (and by you, if "Always encrypt for me" is on, as described below).


By default, in Settings - General, "Always encrypt for me" is checked. This adds your own public key as a recipient of every message you encrypt, so that you can decrypt your own sent messages with your private key. If it were unchecked and you did not add yourself as a contact, the copy you sent would be unreadable to you: a message can only be decrypted with the private key matching one of the public keys it was encrypted to.


Settings - Actions
Some tools expect the encrypted data inline in the message body rather than as an attachment, or expect a different file extension on the attachment, such as .pgp or .gpg.

Take a look at the Settings > Actions screen to adjust these options.
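To see what is actually inside an .asc file, whether it is a contact's public key you were sent or the message.txt.asc attachment the app produces, here is an added example in Python. It is not code from the app or from the original post; it is added here as an illustration. It checks the armor's CRC-24 line, walks the OpenPGP packets in the file and, for an encrypted message, reads the key IDs out of the Public-Key Encrypted Session Key packets; that list is how you can tell whether "Always encrypt for me" really added your own key as a recipient. The sample message, the two key IDs and the session-key bytes are constructed placeholders, not real ciphertext, and nothing in it encrypts or decrypts.

```python
"""OpenPGP ASCII armor and packet headers (RFC 4880 sections 6, 4.2 and 5.1).
Added example, not the app's code: reads a ".asc" block without a PGP tool,
checks its CRC-24 line, walks its packets and, for an encrypted message, lists
the key IDs it was encrypted to. The sample data below is constructed."""
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB    # RFC 4880 section 6.1

def crc24(data: bytes) -> int:
    """CRC-24 of the binary data; the armor's trailing '=XXXX' line carries it."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PGP MESSAGE") -> str:
    """Wrap binary OpenPGP data in armor: 76-column base64 plus the CRC line."""
    b64 = base64.b64encode(data).decode("ascii")
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {kind}-----", ""]
                     + [b64[i:i + 76] for i in range(0, len(b64), 76)]
                     + ["=" + check, f"-----END {kind}-----", ""])

def dearmor(text: str) -> tuple:
    """Return (armor type, binary data); raise ValueError on bad framing or CRC."""
    m = re.search(r"-----BEGIN (PGP [A-Z ]+)-----\r?\n(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no armored block found")
    body, check = [], None
    for line in m.group(2).splitlines():
        line = line.strip()
        if not line or re.match(r"[A-Za-z-]+: ", line):   # blank line or armor header
            continue
        if line.startswith("="):                          # the checksum line
            check = line[1:]
        else:
            body.append(line)
    data = base64.b64decode("".join(body), validate=True)
    if check is None or crc24(data) != int.from_bytes(base64.b64decode(check), "big"):
        raise ValueError("CRC-24 mismatch: armored text altered or truncated")
    return m.group(1), data

def packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header byte {ctb:#x} at offset {pos}")
        if ctb & 0x40:                                    # new format: tag in low 6 bits
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                             # old format: tag in bits 5..2
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 0x03]   # 0 = indeterminate
            length = int.from_bytes(data[pos + 1:pos + 1 + n], "big") if n else len(data) - pos - 1
            pos += 1 + n
        yield tag, data[pos:pos + length]
        pos += length

def recipient_key_ids(data: bytes) -> list:
    """Key IDs from the v3 PKESK packets (tag 1) that open an encrypted message;
    if your own key ID is missing, your private key cannot decrypt the message."""
    ids = []
    for tag, body in packets(data):
        if tag != 1:
            break                                         # PKESK packets all come first
        if body[0] != 3:
            raise ValueError(f"unsupported PKESK version {body[0]}")
        ids.append(body[1:9].hex().upper())
    return ids

def pkesk(key_id: str) -> bytes:
    """Constructed v3 PKESK: old-format header (tag 1, 2-octet length), version 3,
    8-byte key ID, algorithm 1 (RSA) and one 16-bit MPI standing in for the real
    encrypted session key. A placeholder, not a usable ciphertext."""
    body = b"\x03" + bytes.fromhex(key_id) + b"\x01" + b"\x00\x10\xab\xcd"
    return b"\x85" + len(body).to_bytes(2, "big") + body

# Constructed sample: encrypted to John and, via "Always encrypt for me", to the
# sender's own key, then a dummy encrypted-data packet (tag 18, new-format header).
JOHN_KEY_ID, MY_KEY_ID = "0123456789ABCDEF", "FEDCBA9876543210"   # made-up IDs
SAMPLE_MESSAGE = pkesk(JOHN_KEY_ID) + pkesk(MY_KEY_ID) + b"\xd2\x03\x01\x00\x00"
SAMPLE_ASC = armor(SAMPLE_MESSAGE)

if __name__ == "__main__":
    print(SAMPLE_ASC + "encrypted to key IDs: " + ", ".join(recipient_key_ids(SAMPLE_MESSAGE)))
```

Run it as a script to print the armored sample and the key IDs it names; to inspect a real file, read its text and pass it to dearmor(), then hand the bytes to packets() or recipient_key_ids(). It stops at the first non-PKESK packet and does not handle the partial body lengths that streaming implementations emit for large messages, so it is meant for the small email payloads discussed here.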

UPDATE: 1/20/2016
After emailing the developer and trying everything, I could never get my primary private key imported into the phone. Without this, I'd need a separate contact with the phone key. So this ended up being a failure for me. On the other hand, the developer was responsive, but not really helpful in any meaningful sense.