Incognify Email Services User Manual - End-to-End Encryption

Your Incognify Email Account utilizes SSL encryption that automatically protects your email data during transport. You can enhance the protection of your email by enabling End-to-End encryption so that the actual contents of your message are encrypted as well. This is helpful as there have been cases where a server has been compromised, thereby defeating SSL encryption and exposing all incoming and outgoing emails to the attacker. End-to-End encryption prevents this.

Your Incognify Email Account supports the two most popular End-to-End encryption protocols: PGP (via GnuPG) and S/MIME. We highly suggest using End-to-End encryption whenever possible.

To enable End-to-End Encryption on your Incognify account follow these steps:

  • 1 - Log in to your Incognify email account.
  • 2 - If this is your first time logging in, click the 'Set As Default' link.
  • 3 - Click the Tools icon. It looks like a gear and is located on the top menu bar.
  • 4 - Select 'Preferences >' then 'Mail'.

PGP Encryption

Setup PGP on Your Incognify Webmail Account

Make sure 'Enable PGP functionality' is checked.

If you plan on using PGP whenever possible, you should check the box to Attach your PGP Public Keys to messages. This will enable anyone who wishes to communicate with you via PGP to do so. In order for you to reply, and have your message protected, they will also need to provide you with their Public Key. This is typically done through a return email message. Public Keys are safe to exchange through email, as the Public Key alone cannot decrypt a message. Both the Public Key and Private Key are needed in order to decrypt. Once you have exchanged Public Keys you will be able to utilize End-to-End encryption.

If you would like PGP messages to be automatically verified check the box. This is recommended.

If you would like to check that the PGP Keys of your intended recipient are valid check this box. This is recommended.


PGP Public Keyring

When you receive a Public Key from an associate, click the 'Import Public Key' button. Doing so will open a popup window where you can either paste the Public Key or upload it from your computer. You can exchange End-to-End encrypted messages only with people whose Public Key appears in your Keyring.


How To Generate Your Own PGP Public and Private Keys

Your PGP key is what enables you to encrypt your email messages. Follow these steps to generate your own PGP Key Pair.

This information is newly updated to take advantage of a fantastic browser plugin that greatly simplifies the creation of PGP keys.

  • 1 - Install Mailvelope. Browser extensions are available for both Firefox and Chrome. Installation is automatic and takes just a few seconds.
  • 2 - Once installed click the Mailvelope icon (a lock) on your browser's toolbar (when you hover your mouse over the lock the tooltip will show "Mailvelope").
  • 3 - Click 'Options' then 'Generate Key'.
  • 4 - Enter your name (or any name) and your Incognify email address. Click 'Advanced' and make sure the key size is set to 4096 and the box is checked so the key never expires.
  • 5 - Enter a strong but easy to remember password. You may want to consider using a Password Manager to securely store your passwords.
  • 6 - Check the box to upload your new key to the Mailvelope Public Keyserver and click the 'Generate' button.
  • 7 - Once the key is finished generating click 'Display Keys' and click on the key you just created from the list that appears.
  • 8 - Click 'Export', click 'Public' and 'Save'. This will save a copy of your newly generated Public Key to a file on your computer.
  • 9 - Now click 'Export', click 'Private' and 'Save'. This will save a copy of your newly generated Private Key to a file on your computer. You will want to securely delete this file once you have confirmed operation of your PGP encryption.

It may take from a few seconds to a minute or two to generate your key. Look for the highlighted message at the bottom of the page telling you that key generation has completed.
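Before importing or emailing the files saved in steps 8 and 9, you can confirm which file holds the Public Key and which holds the Private Key. The following Python script is an added example, not part of Incognify or Mailvelope: it reads the ASCII armor, verifies the optional checksum, and checks that the first OpenPGP packet matches the armor label. The function names and the two sample blocks are assumptions made for illustration; the samples are constructed placeholders, not real keys.

```python
import base64
import re

PUBLIC_TAG, SECRET_TAG = 6, 5  # OpenPGP packet tags (RFC 4880, section 4.3)

def crc24(data: bytes) -> int:
    """CRC-24 checksum used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(label: str, packet: bytes) -> str:
    """Wrap bytes in ASCII armor; used here only to construct the samples."""
    body = base64.b64encode(packet).decode()
    check = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return (f"-----BEGIN PGP {label} KEY BLOCK-----\n\n{body}\n={check}\n"
            f"-----END PGP {label} KEY BLOCK-----\n")

def classify_key_file(text: str) -> str:
    """Return 'public' or 'private'; raise ValueError on a bad or mislabelled block."""
    m = re.search(r"-----BEGIN PGP (PUBLIC|PRIVATE) KEY BLOCK-----(.*?)"
                  r"-----END PGP \1 KEY BLOCK-----", text, re.S)
    if not m:
        raise ValueError("no armored PGP key block found")
    # Optional armor headers (Version:, Comment:) end at the first blank line.
    _, _, payload = m.group(2).replace("\r", "").partition("\n\n")
    lines = [ln.strip() for ln in payload.splitlines() if ln.strip()]
    # The trailing "=XXXX" checksum line is optional; verify it when present.
    checksum = lines.pop()[1:] if lines and lines[-1].startswith("=") else None
    data = base64.b64decode("".join(lines), validate=True)
    if checksum and crc24(data) != int.from_bytes(base64.b64decode(checksum), "big"):
        raise ValueError("armor checksum mismatch: file is damaged or truncated")
    if not data or not data[0] & 0x80:
        raise ValueError("payload is not an OpenPGP packet")
    # New-format headers keep the tag in bits 0-5, old-format in bits 2-5.
    tag = data[0] & 0x3F if data[0] & 0x40 else (data[0] >> 2) & 0x0F
    kind = {PUBLIC_TAG: "public", SECRET_TAG: "private"}.get(tag)
    if kind is None or kind.upper() != m.group(1):
        raise ValueError("armor label does not match the key packet inside")
    return kind

# Constructed samples: placeholder packet bodies, not real key material.
SAMPLE_PUBLIC = armor("PUBLIC", bytes([0x99, 0x00, 0x04]) + b"demo")
SAMPLE_PRIVATE = armor("PRIVATE", bytes([0x95, 0x00, 0x04]) + b"demo")
```

To check your own export, pass the contents of the saved file to classify_key_file(); only a file reported as 'public' should be attached to email or pasted into a key server.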

Now let's add your newly created PGP key to Incognify.

  • 1 - Log in to your Incognify email account and click the Tool icon (gear) > Preferences > Mail.
  • 2 - Tick the box to Enable PGP Functionality and click Save.
  • 3 - Tick the boxes to automatically attach your Public key, automatically Verify messages, and to check for Valid Recipients.
  • 4 - Under 'PGP Public Keyring' click the 'Import Public Key' button and navigate to your saved file from step #8 above.
  • 5 - Click 'Import'. Your name and your Incognify email address will appear under the 'PGP Public Keyring' heading.
  • 6 - Under 'Your PGP Public/Private Keys' click 'Import Key' and navigate to the Private Key file you saved in step #9 above. Click 'Import'. Your key is now installed and ready to use.
  • 7 - When you are done click 'Save'.

Check your Incognify email. You will receive a message asking you to Verify your PGP keys. The password you used to secure your PGP Key will be requested. Enter the password and click the link that appears to verify your key.


A Second Method of Generating Your PGP Public/Private Keys - for those who do not wish to install a browser extension

  • 1 - To begin, log in to your Incognify email account and click the Tool icon (gear) > Preferences > Mail. Then tick the box to enable PGP functionality and click Save.
  • 2 - The fields presented are pretty self-explanatory. Do not change the email address. The passphrase is required, as is the second entry for verification. As with all passwords, you should make this password as long and as complicated as you possibly can without increasing the likelihood of forgetting it.
  • 3 - Leave the 'No Expiration' box checked.
  • 4 - Generate your PGP Key pair here: https://pgpkeygen.com/.
  • 5 - Once the key is generated download both your Public and Private keys to your computer.
  • 6 - In Incognify, under 'PGP Public Keyring' click the 'Import Public Key' button and navigate to your saved Public Key file from the step above.
  • 7 - Click 'Import'. Your name and your Incognify email address will appear under the 'PGP Public Keyring' heading.
  • 8 - Next, under 'Your PGP Public/Private Keys' click 'Import' and select the Private Key file you downloaded. Once imported your key is now installed and ready to use.
  • 9 - When you are done click 'Save'.

Important - Some users may be presented with a 'Generate Keys' option from within their Incognify dashboard. The process to create a PGP Key is processor intensive and can take several minutes to complete. At times it may even cause the server to hang, forcing you to log out and log back in. For this reason we highly recommend that you create your PGP key externally, then simply import your key by using one of the methods outlined above.

If you followed the Mailvelope browser extension instructions above your key will have been automatically submitted to the Mailvelope Keyserver. Otherwise you can manually submit your key to a Public Keyserver if you wish to do so. Submitting your Public Key is entirely optional, but may help if someone receives an encrypted message from you and does not have your key.

Note that the 'Send Key to Public Keyserver' button in Incognify is currently disabled; however, you can still copy and paste your Public Key into a Public Key Server if you wish to do so. Two of the most popular Public Key Servers are the MIT PGP Public Key Server and the SKS OpenPGP Key server. Once added to a Key Server it may take several days for a Public Key to propagate across the Internet and be usable. Additional information about Public Key Servers can be found here.

When you are done click 'Save'.


S/MIME Encryption

S/MIME

S/MIME operates very similarly to PGP encryption above.

Although it is not easy or beginner friendly, you can generate your own S/MIME Certificate by following one of many online tutorials, such as the one available at howtoforge.com. Be aware though that some DIY tutorials are actually designed to draw you into paying an annual fee at a service with hiked-up rates. Additionally, it is becoming more common for applications not to recognize "self-signed" certificates; that is, a certificate that was not issued by one of the top "official" certificate issuers.

The good news is that currently you can get a truly free S/MIME Personal Certificate from Comodo and simply import it into your Incognify Email account. Right now this is the easiest and fastest way to begin using S/MIME encrypted email communications.

Once you have your certificate you need to import it into Incognify. To do this click the 'Import Personal Certificate' button and click 'Save'.


Sending Encrypted Email

The following instructions assume you have followed the steps above for setting up your Public Key. This is necessary before you can send encrypted email.

PGP & S/MIME

Initial Setup

Click the Tools (gear) icon and choose 'Preferences' then 'Mail'.

Find 'Compose' and click 'Composition'.

Choose your preferred message format, either text or HTML. Then choose your Default Encryption Method for Sending Messages. We recommend PGP Sign/Encrypt Message.

Send an Email

To send encrypted email you must first have the Public Key of the recipient. This Key can be obtained either by querying a Public Key Server or by having the intended recipient send you their key, usually by email. The second option is preferable as the first option, querying a Public Key Server, often fails. It is entirely safe to send a Public Key by email. These keys, by their very nature and name, are meant to be divulged to the public.

Once you have the recipient's Public Key, you will need to add that key to the contact in your Incognify account. You need only do this once for each contact.

To add the recipient's Public Key, from within your Incognify account, click on 'Address Book' then choose 'New Contact'.

Here you can enter whatever information you want about your new contact. When you are finished entering the desired identifying information, click the 'Other' tab. It is within this tab that you can enter the contact's PGP Public Key or S/MIME Public Certificate. Enter the Key or Certificate and click 'Add'.

You will likely want to send an encrypted test email to be certain things are working as they should. To do this:

Click 'Webmail' at the top of the page to return to the main window.

Click 'New Message' and enter the email address of the recipient you just entered the Key or Certificate for. Autocomplete should pop up, allowing you to complete the entry of the email address quickly.

Look to the right hand side of the new email window and you should see a drop down titled 'Encryption'. The current state is probably 'None'. Change this to 'PGP Encrypt Message'. Now just enter some text into the body of the message and click 'Send'.

When the recipient receives your message, they will be prompted to enter their own Password for their Private Key. Once they have done so, the message will be decrypted and the contents will be viewable.


Using Encryption with Thunderbird

Incognify provides you with a powerful and easy to use Webmail based interface for all of your email needs. But Incognify can also optionally be configured to work with your standard email client, including the ability to send and receive encrypted email.

Enigmail

To use encryption with Thunderbird you will need to add the Enigmail extension. To do so, from within Thunderbird, click 'Tools' then choose 'Add Ons'. In the search box type 'Enigmail' and install.

Enigmail will need to restart Thunderbird. Once restarted you will see a new Enigmail link at the top of the page.

Click 'Enigmail' and choose 'Key Management'.

Click 'Generate' and choose 'New Key Pair'.

Click on 'Account/User ID' to select the account you wish to generate a Key for.

Choose whether to require a Passphrase to unlock the Public Key and click the 'Generate Key' button.

The Key will be generated. Once the Key has been created you will be given the option to generate a Revocation Certificate. This is needed in case you ever need to revoke this key for any reason. It is highly recommended that you create this certificate. Once you have created the certificate you will be asked for a location to save it. Choose your hard drive, thumb drive, etc. It is important to keep this file safe and not to lose it.

When done you will be returned to the Enigmail Key Management window, and you will see the new Key that you just created.

Now click 'Tools' then 'Account Settings' and find the account you just enabled PGP encryption on and click 'OpenPGP Security' for that account.

Click 'Select Key' and a list of all available Keys will be displayed. Select the Key that matches this account and click 'Select Key'.

Select the options you wish to enable, such as Encrypt Messages by Default and Sign Messages by Default.

When you are finished click 'OK'.

To share this Public Key with others, click 'Enigmail' then click 'Key Management'.

Right-click the Key you wish to share and choose 'Copy Public Keys to Clipboard'.

Paste the Public Key into an email message and send it to the desired recipient. Once received, the other party will choose either 'Import Public Keys' or 'Add Public Keys', depending upon the software they are using, where they will be able to copy and paste your Public Key.

Once Public Keys have been exchanged by both parties you will be capable of sending End-to-End encrypted email.

To send an encrypted email from within Thunderbird just compose the mail as usual. Before you click Send, find the Enigmail menu at the top of the composer page. Click the Lock icon to turn on Encryption (if it is not already on), then click 'Attach My Public Key'. This ensures the recipient will have your Public Key and be able to decrypt your message.

Additional information regarding sending and receiving encrypted email is available from Mozilla.

Using Encryption with Outlook

Gpg4win

There is a free version of PGP available for users of Windows and in particular Microsoft Outlook. You simply download and install the Gpg4win core and add your PGP keys into Outlook, much as with Thunderbird above.

To download Gpg4win visit https://www.gpg4win.org/download.html

For detailed installation and usage instructions see https://www.gpg4win.org/doc/en/gpg4win-compendium.html


Mobile Phone Encrypted Email

K9 APG for Android

There is a free version of PGP available for users running the Android OS, and it is suitable for Android-based phones. It will allow you to send and receive PGP End-to-End encrypted email. Make sure to install APG first and then install K9 for full functionality. APG is the core code that OpenKeychain is based upon.

For installation instructions and more information see https://securityinabox.org/en/guide/k9/android/


PGP Apps for iPhone

ProtonMail is an email encryption app for iPhone users built around the PGP encryption protocol. As of this writing it has high user review ratings and was even reviewed by The Wall Street Journal according to the publishers.

Another app for iPhone users is KryptoMail. It appears to be a reliable PGP encryption app, but comes with a steep price. At the time of this writing it is $49.99.

Still another PGP encryption app for iPhone users is iPGMail, which allows you to send and receive OpenPGP encrypted emails. For the price-conscious it is far more reasonable; $1.99 shouldn't be much of an issue.


Keep in mind that because of app control limitations on Apple devices you may experience some delay in new email notifications. This is by design by Apple for security reasons and is beyond any developer's control without causing security issues. You can find out more on the kryptomail FAQ page.



Disclaimer - Incognify is not associated with or endorsed in any way by any of the companies whose links are posted above. Should you use any of these products or services we will receive no commission. Information presented here is for informational purposes only. We do not endorse or recommend any particular product or service. We recommend you conduct your own research into what product or service is right for you.