Communicating securely with me

Any communication over the internet, including e-mail, is insecure by default. Without encryption, anyone with access to a network or device in between sender and receiver can eavesdrop on any messages sent back and forth. This could be anyone on the same (public) Wi-Fi or wired network as you are, your ISP, or even governmental agencies. Encryption alone, however, is worthless without authentication: the ability to ensure that you’re actually communicating with me rather than someone else. As with regular mail, anyone can write any sender address on an e-mail envelope.

If you want to send me messages or files that are secret, you therefore need to secure your communications by (1) encrypting your message so that only I can read the data, and (2) ensuring that I am actually the one and only person holding the key for decryption (authentication).

How to send me confidential messages and data

To make secure communication easy, I publish a so-called ‘public key’ that allows you to encrypt any data in such a way that only I can decrypt it. I decrypt it using a private key that only I have access to. The public key is available in two flavors. You should either:

  • Encrypt e-mail messages or files using my GPG/PGP key (fingerprint: 1E34 4B8C 5441 6D99 2278  A524 8D35 BAC2 D110 A721). Verify that the key is actually mine by contacting me (preferably face-to-face) so I can verify the key (you only need to do this once).
  • If you don’t want or don’t know how to use GPG/PGP, you can alternatively encrypt any files or messages you want to send me with a strong password and a trustworthy encryption tool. Then e-mail me the encrypted file without the password, and give me the password in a secure way (e.g. in person). Use only a proper encryption tool and a randomly generated, strong one-time password.
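
The fingerprint check from the first option can be scripted so that a substituted key is rejected before anything is encrypted. This is an added example, not the author's own tooling; it assumes a GnuPG 2.2 release that provides `--show-keys`, the function names and the key file name are hypothetical, and `SAMPLE_LISTING` is constructed for illustration.

```shell
#!/bin/sh
# Added example. Fingerprint copied from this page; confirm it with the author.
EXPECTED_FPR="1E34 4B8C 5441 6D99 2278  A524 8D35 BAC2 D110 A721"

# Constructed sample of `gpg --with-colons` output: one primary key carrying
# the published fingerprint plus one subkey with a made-up fingerprint.
SAMPLE_LISTING='pub:-:4096:1:8D35BAC2D110A721:1400000000:::-:::scESC:
fpr:::::::::1E344B8C54416D992278A5248D35BAC2D110A721:
uid:-::::1400000000::0000::Example User <user@example.org>:
sub:-:4096:1:AAAAAAAAAAAAAAAA:1400000000::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:'

# Strip whitespace and upper-case, so spaced and unspaced forms compare equal.
normalize() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# Read a colon listing on stdin and print primary-key fingerprints only:
# the fpr record that follows a pub record, never the one that follows a sub.
primary_fprs() {
    awk -F: '$1=="pub"{p=1; next} $1=="sub"{p=0; next}
             $1=="fpr" && p {print $10; p=0}'
}

# Succeed only if the listing on stdin holds exactly one primary key and its
# fingerprint equals EXPECTED_FPR. Two keys concatenate to 80 hex digits after
# normalize(), and no key gives an empty string, so both cases fail.
listing_matches() {
    got=$(primary_fprs)
    [ "$(normalize "$got")" = "$(normalize "$EXPECTED_FPR")" ]
}

# $1 = downloaded key file (hypothetical name, e.g. author.asc), $2 = file.
# --show-keys inspects the key file without adding it to the keyring.
encrypt_for_author() {
    gpg --show-keys --with-colons "$1" | listing_matches || {
        echo "fingerprint mismatch: not importing, not encrypting" >&2
        return 1
    }
    # gpg may still ask for confirmation, because the local keyring has not
    # yet been told to trust this key.
    gpg --import "$1" &&
    gpg --encrypt --recipient "$(normalize "$EXPECTED_FPR")" \
        --output "$2.gpg" "$2"
}
```

Run `encrypt_for_author author.asc report.pdf` and e-mail the resulting `report.pdf.gpg`. The script only compares against the fingerprint printed on this page, so it complements the one-time verification with the author and does not replace it.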

How to verify messages and data you receive from me

The private key I use to decrypt messages encrypted with my public key can also be used by me to sign messages. Using my public key (which of course you verified with me), you can then verify that any message I send you was signed with my private key. Because I am the only one who has access to my private key (and assuming I am not coerced to reveal it), you can be sure I signed the message. Upon request I will sign messages and files using my GPG key, which provides the authenticity guarantee.

This website is secured using a certificate obtained from StartCom. You should always see the green ‘lock’ in the address bar when navigating this site. The certificate details should verify this claim.

Software (iOS and Mac applications in particular) I publish is usually signed with a certificate obtained from Apple. You can verify the authenticity of the certificate through Apple (OS X and iOS generally won’t allow you to run software with an invalid or unauthentic certificate).

I sometimes use the following certificates to sign things other than e-mail and this website; use only when required:

Closing thoughts

I cannot take responsibility for confidentiality breaches resulting from improper encryption of data sent to me. However, if you use the proper encryption and authentication methods, you can securely communicate with me over any medium that may be insecure (this includes e-mail, SMS and file transfer services like WeTransfer and Dropbox). Using the methods described on this page allows me to also securely store your data on my devices.