Main Section
Bookmarker · Google Search Ratings · GMail Encryptor
Key Generation

Gmail Encrypt

Important Update

As of Firefox 3.6.4 I appear to have this working again although it isn't 100% in terms of looks. However, in terms of functionality it is back in operation again!

Right click here if you know Greasemonkey and are in a hurry. Otherwise, read on a bit more...

So, you like using Gmail, but don't want other people to be able to read your email? You are probably not alone and that is where the Gmail Encryption extension enters the picture.

This is a Greasemonkey script. If you don't have it or don't know what it is, then head over to the Greasemonkey site and install that first. If you are not using Firefox, then I believe there are methods out there to help you use these scripts with other browsers, but I don't know what they are.

First time Greasemonkey users: After you have installed Greasemonkey, then come back to this page and right click on the script. The first menu option allows you to install the script.

There is now an Encrypt This! Firefox extension of this script where you can encrypt and decrypt any text.

There is now a standalone version of this script where you can encrypt and decrypt any text without the use of Greasemonkey.

Some History
Generating Keys
My Public Key
Known Issues
Version control
Contact me

Some History

More info
Solitaire Encryption

Originally I planned on using the Solitaire encryption algorithm devised by Bruce Schneier for the book, Cryptonomicon, written by Neal Stephenson. (As an aside, I heartily recommend this book.) However, this method has a couple of drawbacks when used to exchange regular emails rather than keeping spies safe in hostile territory.

RSA Info
Simple explanation and demo of public key encryption
More detailed RSA explanation - Great hand examples
More explanations
RSA Security
AES Info
AES Encryption
AES Example
Source of my AES Code
Hex to Decimal conversion
Javascript Info
RSA scheme in Javascript
Example of the encryption in action
Big Integers in Javascript

With this in mind, I decided to go with public key encryption. I have implemented an RSA type scheme in Javascript. Naturally this is somewhat more cumbersome in GreaseMonkey as the entire scheme needs to live together inside one large file. This, however, solved a number of issues I had with the Solitaire idea.

Public key encryption has one major problem and it is especially noticeable in a scripting language like Javascript. It needs a lot of horsepower - especially on the decryption side! So to prevent your machine grinding to a halt if you want to send emails longer than one character, for example, the actual message is encrypted using AES. The keys to AES are then encrypted using RSA. That gives the receiver a small amount of RSA descryption to work through and the bulk of the decryption then takes place using AES which is much less processor intensive.


Text about to be encrypted:

After the encryption:

Generating Keys

Before sending or receiving encrypted emails, you will need to create public and private keys. Key Generation is available here as well. Note that when using the script you will need to use the full key generated. E.g. paste or type pub:101:11 or priv:123:9 into the appropriate input boxes.

My public key

pub:2219717:17 (See notes above on entering the keys in the input boxes.)


Due to the fact that Javascript can not handle stupendously large numbers in a timeous fashion, even with the BigInt functionality, this encryption is not bulletproof. This routine will conveniently encrypt your emails well enough to prevent your coworker and probably your employer from reading your emails. However, if you decide to annoy somebody working for the NSA then DO NOT be surprised if some bulky guys pull up at your front door in a black SUV. On the other hand if everybody encrypted the bulk of their emails on a regular basis then they would probably have a hard time keeping up with the cryptography as well. (If you want to be more secure then encrypt your text using something like PGP and then copy and paste it in the email.)

The subject of the email is not encrypted so it is probably not a good idea to put vital information in there.

As far as performance is concerned; I tested this with an email of 1000 characters and it took slightly less than 1 second to encrypt. Decryption took approximately 1.5 seconds. (I didn't bother writing in any timing events - this was a pure wristwatch event.)

It would be polite to decrypt an email before typing your reply and then encrypting everything again. That way the recipient will be able to read the email fully. However, this approach might have security implications that I am not aware of.

If you want to, then it is possible to use only the AES encryption by uncommenting the appropriate sections inside the script.

There is theoretically nothing preventing this script from being adapted for use with any webmail system. All that would be needed are the ID's of the various DOM elements contained within your webmail page. If somebody is interested in tackling this, then please feel free to do so. I would like a note so that I could link to your modified script from this page.

Known Issues

Known issues at this time: You must hit the reply button to decrypt the emails you receive.
Unfortunately the Decrypt / Encrypt buttons appear in the reading pane where they have no effect.
This script does not appear to work with versions of Firefox below 1.5.

Version control

Current-Latest Version
1.102010/06/25Restored functionality again under Firefox. Chrome is not working at this point.
1.042006/12/14AES Encryption needed more variables initialised for Firefox 2.0.
1.032006/06/04Formatted text was losing the first line during decryption.
1.022006/06/01Bug fix in RSA decryption routine. This prevented some emails from being decrypted after a change to the Gmail site layout.
1.012006/04/03Minor Bug fix in AES decryption routine. This prevented some emails from being decrypted.
1.02006/03/19Initial Version


Suggestions? Improvements?
mailencrypt at