Back to Guides

The basics of encryption

In this guide, you'll learn the basics of encryption as well as how to encrypt and decrypt messages.

The key to encryption

A key, when talking about encryption, is an extremely long string of random characters. Keys are used to encrypt (or lock) and decrypt (or unlock) information to keep it safe.

As an example, a message with sensitive information needs to be sent securely from one person to another. The sender will encrypt the message with one key, and the receiver will decrypt it with another.

Symmetric and asymmetric keys

Let's introduce two types of encryption: symmetric and asymmetric.

A symmetric key uses the same string for both encryption and decryption which means that both the sender and receiver need the same key. This type of encryption is not very safe because sharing the one key in a secure and secretive manner is very difficult to do.

With asymmetric encryption, the key is split in half to create a key pair consisting of a private key and a public key. A message is then encrypted with the public key, but it can only be decrypted with the corresponding private key.

If you are on the receiving end, you would first create an asymmetric key for yourself. You would then give out the public key to anyone you'd like to receive a message from, but you would keep the matching private key entirely to yourself.

Proving your identity

Asymmetric encryption comes with the added benefit of being able to prove that the two parties involved in communication are both who they claim to be.

If Sarah wants to send a message to John, she would use John's public key to first encrypt the message before sending it to him. John would then use his private key to decrypt the message.

In this manner, Sarah can be sure that only John can read the message. Likewise, John knows that the message was intended for him.

In addition, Sarah can go a step further and sign the message with her private key. John can then use Sarah's public key to ensure that the message was sent by her, as only the combination of Sarah's true public and private keys would give a valid result.

Both parties can be sure that Sarah is Sarah and that John is John. Mission accomplished!

Create your own asymmetric key

Now we'll walk you through the steps to create your own asymmetric key. To do so, you will be using GnuPG, a free software program that allows users to encrypt and sign data, and even to manage keys.

Install GnuPG

Follow the instructions below on how to install GnuPG on your operating system.

Linux – Open a terminal window and run the following command.

sudo apt-get install gnupg2

Windows – Download latest version of GnuPG from the GNU Privacy Guard for Windows website and install it.

OS/X – Open a terminal window and run the following command. (If the command doesn't work, you probably need to first install Homebrew.)

brew install gpg2

Create a public-private key pair

Now you will create your asymmetric key pair.

For all operating systems mentioned above, run the following command in the terminal.

gpg2 --gen-key

On some versions of GnuPG, you will first need to answer a few questions:

  • What kind of key you want? Choose RSA and RSA (default).
  • What keysize you want? Choose 2048. (If you have a need for extreme security, you can choose 4096.)
  • For how long should the key be valid? Choose 0 = key does not expire.

For all operating systems mentioned, continue by answering some general information like your name and email address. If you are creating a key to be used when sending email, then it makes sense to use the information that corresponds with that email account.

After you've supplied this information, you will need to enter a password to protect where your private key is stored on your computer.

The program will then spend up to one minute generating a random key for you, but usually it will take only a few seconds.

Share your public key

In order to allow people to send encrypted information to you, you need to first share your public key with them. To do this, you need to export the key as a file.

Run the following command in your terminal. Replace the email address with the one you entered when you created the key. Replace "sarah" with your own choice of filename.

gpg2 --armor --export sarah@mullvad.net > sarah.asc

A file will be created on your computer and placed in the folder that you are currently located in within the terminal.

If you open the file in a text editor, this is what you will see:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
mQENBFjPvdIBCACpWkWtev2RZnrYfm6vP9C/dt9cMvlwn2Wk2b45FKSOo5y14WOR
kH6L36h7dNnwvWsSupPMLcuAS6LrUcR3w5staihu0EPDWkEnwuxF0Ljk6UTMjlme
MD+s2wCBN6P9w1R0emWkAFjFD+9MeCAJzRPZP0xuXkroKOPboAvCNx3BYAkHHzBJ
.
.
.
OGmJsDSCsSfgp/QtkDK3qKuMLFSO8MwYs4cI7ArTsDU6pNyEjoZmDdYhNZwYdGdh
2l6op4q2FIle1hXMMHohNckgIAjO3pExKbsa
=C4dt
-----END PGP PUBLIC KEY BLOCK-----

You can now send this file to your contacts.

Import someone else's public key

After someone sends you their public key, you can import it to your computer by running the following command in the terminal. Be sure to replace "john.asc" with the name of the file you received.

gpg2 --import john.asc

View your list of keys

To see a list of contacts whose public keys you have imported, as well as any keys that you have created for yourself, run the following command.

gpg2 -k

To see a list of your own private keys, run the following command.

gpg2 -K

Using a public key's fingerprints

You will want to make sure that the public keys you have belong to the people you think they do. Checking the validity of your public keys can be tricky. The easiest way is to import the key in question and then verify it by talking to its owner face-to-face or by phone.

Of course, reading aloud the many lines of random characters that a key is composed of would take a lot of time and leave room for making errors. Instead, you can verify the fingerprint which is a much shorter representation of a public key.

To see a list of fingerprints for all public keys that you have imported, run the following command.

gpg2 --fingerprint

Encrypt a message and send it

Create a text file with your preferred text editor and save it. Back in the terminal, navigate to where you saved the file. Run the following command, replacing "john@mullvad.net" with that of your recipient and "message.txt" with the name of the file you created.

gpg2 --armor --encrypt --recipient john@mullvad.net message.txt

The message is now saved in a new file called message.txt.asc, encrypted, and addressed to your recipient using his or her public key.

All you have to do now is attach the file to an email addressed to the recipient.

Decrypt a message from a friend

Once you have received an encrypted message, save it to your computer. In the terminal, navigate to where you saved the file.

Run the following command, replacing "message.txt.asc" with the name of the encrypted file you received and "message.txt" with a filename ending in .txt that you want the decrypted file to be called.

gpg2 --decrypt message.txt.asc > message.txt

Since your private key will be used to decrypt the message and because your private key is password protected, you will be prompted to enter the password.

Encrypt a message for Mullvad

Download and import Mullvad's public key (available at the bottom of our website). Follow the steps above for encrypting a message and sending it, but use support@mullvad.net as the recipient. No one other than our support team will be able to decrypt the message.

If you would like us to reply with an encrypted message, you will need to send your public key to us.

The importance of key management

Key management is 99% of the entire process. How well you protect your private key and manage your list of public keys – making sure they belong to the people you think they do – determines the level of security you obtain.