Understanding Encryption


The topic of encrypting is wide and deep, so I’ll narrow this discussion to the basics of what you need to understand about E-Mail encryption and I’ll be as concise as possible.  This also begins a series of articles on encryption I’ll be writing over the next week or two explaining everything you need for end-to-end encryption for everything in your digital life from files on your mobile device to phone calls to everything on your PC.  All software in my series will be free and open source.

Encryption and Decryption

When you send an encrypted message to someone else, you must have that person’s public key.  This is an encryption key that they publish on public key servers for anyone and everyone to have access to.  These public keys can only encrypt messages.  They cannot decrypt messages.  If you encrypt a message with a friend’s public key, there is NO WAY you can decrypt it, not even with the public key you just used to encrypt it.

Why?  Because the public key was created with a complex mathematical formula that actually created TWO keys that work together.    Anything encrypted with ONE key can ONLY be decrypted with its pair key.  When you use your friend’s public key to encrypt a message before sending it to them, ONLY your friend can decrypt that message and they must do it with their private key.

Conversely, when someone sends YOU an encrypted message, they MUST encrypt it with YOUR public key.  ALL encrypted messages YOU receive MUST have been encrypted with YOUR public key.

YOU create a public/private key pair with a key generator.  There are many apps that can generate key pairs.  OpenPGP is a popular standard for keys.  That simply means that software designed to encrypt or decrypt has been written for standardized encrypting algorithms.  OpenPGP is a very popular algorithm.

When your friend sends you an encrypted message, encrypted with YOUR public key, only YOU can decrypt that message and ONLY with your private key that was created along with your public key.

Your public key is meant to be shared.  That’s how people encrypt messages intended for you.  Your private key is exactly that:  Private.  You MUST protect is and never, EVER give anyone access to it.  This means do NOT store it on a cloud drive.  Do NOT EVER e-mail it to anyone, not even yourself, because as soon as you hit “send”, it’s now passing through the internet, unencrypted.  If you ever make the mistake of e-mailing your private key or storing it on a cloud drive, you should consider that key compromised.  You’ll have to revoke the key and create a new pair.  It’s now well known that the NSA intercepts all e-mail traffic.  If you EVER e-mail your private key, there’s a nearly 100% chance that the government now has your private key and has the ability to decrypt any and all content encrypted for you with your public key.

Digitally Signing content.

A neat side effect of having public/private key pairs is that you can reverse how you use them.  For example, instead of encrypting a message with people’s public keys, you could encrypt a message with your PRIVATE key.  Under normal circumstances, you’d NEVER do this because 100% of the population has access to your PUBLIC key and ANYTHING encrypted with your PRIVATE key can be decrypted with your PUBLIC key.

So, why would you do this?

Simple, if you want to PROVE that a document was actually created or sent by YOU.  Encrypting data with your PRIVATE key (instead of your public key) is called “Digitally signing” the content.  Even though, mathematically, it’s the same thing as encrypting, in practice, that encryption is useless for secrets because the decryption key (your public key) is well known.  But, just like data encrypted with your public key can only be decrypted with your private key, data encrypted with your private key can ONLY be decrypted with your public key.

So, if you ever want to prove you’re the sender of an e-mail message, you will digitally sign it before sending it (or encrypt it with your private key).  The receiver can get your public key from any number of public key rings and decrypt your message, proving that it had to have been encrypted (or “signed”) with ONLY your private key.

Let me reinforce that “encrypting” with your private key is NOT considered “encrypting” since anyone can decrypt it.  It’s considered “digitally signing”.

Got it?  Good!  Now, go encrypt all the things!

See these images?


You’ll find actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.

Check back later for updates too!

Next, be sure to read the next article in this encryption series: