Why I PGP Sign All My Emails

January 21st, 2010 | Posted in Encryption, Misc Assorted General Stuff, Opinion, Security | 2 Comments

I’ve been making it a point to PGP sign all of my emails for several years now, and I still get the occasional question asking why I bother.  The answer is simple, really: I’m using it as a form of identity theft protection.

You see, about five or six years ago I and people I know suddenly started getting spam that had my email address in the From line.  I had known for a long time that it was actually a trivial matter to spoof the From line in an email, but this is when it really hit home.  Just by faking the origin of the email, somebody could, if they wanted to, send literally anything they wanted to my friends & family, and there wouldn’t be any real way for me to convince anyone that I didn’t send it.

Granted, family members are most likely to believe me if I tell them I didn’t send that nasty email with my address in its header, but most people don’t tend to be as forgiving if they’re not family.

I had been using PGP occasionally to encrypt private messages, but I hadn’t used it much otherwise.  This is when I instituted a policy of always signing emails that I send.  That way, if there’s ever a question of “did you send such-and-such?”, I can ask them “Does it have a valid PGP signature created with my personal key?”  If the answer is no, then I didn’t send it.

After deciding on this I let everyone know that if there was ever a question about the validity of an email appearing to be from me, all they have to do is look for and check the signature.

It ensures that nobody can send something claiming to be me, because they can’t duplicate my signature without my private key and the passphrase.

And no, you can’t just copy the signature block from one email and paste it into another.  It doesn’t work that way.  Any PGP signature is totally unique to the message it appears in.
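A small demonstration of that last point, added here and not part of the original post: it uses a throwaway GnuPG key (gpg 2.x on PATH is assumed; the key, the message and the tampered copy are all constructed in the script) to show that a clearsigned message verifies, while the same signature block pasted over different text does not.

```shell
#!/bin/sh
# Added demo: a PGP signature only verifies for the exact text it was made over.
# Assumes GnuPG 2.x is installed as `gpg`; everything else is created here.
set -eu

# Work in a throwaway keyring so nothing touches the user's real keys.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Generate a demo key with an empty passphrase so the script runs unattended.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Signer <demo@example.invalid>' default default never 2>/dev/null

# Clear-sign a constructed message, the way a mail client would.
printf 'Meet at 10 for lunch.\n' > "$GNUPGHOME/original.txt"
gpg --batch --quiet --clearsign \
    --output "$GNUPGHOME/original.asc" "$GNUPGHOME/original.txt"

# verify FILE: echo "valid" or "invalid" based on gpg's exit status.
verify() {
    if gpg --batch --quiet --verify "$1" 2>/dev/null; then
        echo valid
    else
        echo invalid
    fi
}

# "Paste the signature block into another email": keep the signature block
# untouched but swap the signed text for something else.
awk -v new='Send me your password.' '
    /^-----BEGIN PGP SIGNATURE-----/ { insig = 1 }
    !insig && $0 == "Meet at 10 for lunch." { print new; next }
    { print }
' "$GNUPGHOME/original.asc" > "$GNUPGHOME/tampered.asc"

verify "$GNUPGHOME/original.asc"   # valid
verify "$GNUPGHOME/tampered.asc"   # invalid
```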



2 Responses to “Why I PGP Sign All My Emails”

  1. What client and server are you using for this? If this is something that can be done in any old webmail client I’ll be starting myself, but if it requires a pop3 client it will have to wait until I get a sendmail server set up.

    Thanks for the convincing. :-)

  2. Since all of my email is pop3, I use GnuPG with Thunderbird and the Enigmail plugin.  However *if* I were to use Webmail I would use GnuPG and GPGShell’s “current window | clearsign” function.  (or the PGPtray “Current window | Sign” function)