Late Friday, last week, Google announced a new tool for security-minded users, called E2EMail, a Chrome extension that simplifies the installation of PGP encryption for Gmail.

Initially created by Google engineers, E2EMail has now been open-sourced on GitHub, so other security experts can contribute and improve its effectiveness.

E2EMail is not yet available via the Chrome Web Store, and if you want to install it, you'll have to go through a series of complicated steps to build the extension and then load it in Chrome. Instructions are included in the GitHub repo.

E2EMail Chrome extension (via Google)

The idea behind E2EMail is to let Gmail users easily encrypt outgoing emails with PGP and open PGP-encrypted emails without having to search for the sender's PGP key online.

E2EMail simplifies working with PGP

All PGP-related tasks are handled via the E2EMail Chrome extension, which generates an OpenPGP ECC encryption key, creates a local public keyserver, and uploads the key's "public" half to it.

The PGP "private" key is stored locally, and users can "regenerate" it on other devices via a special recovery code.

E2EMail uses the official Gmail API and a secure JavaScript cryptographic library to interact with Gmail in order to send and read encrypted messages. Further, the extension is also integrated with the Gmail Contacts API to allow auto-completing email addresses.

When the user receives an encrypted email from another user, the Chrome extension will automatically import the sender's PGP key by searching for it on a list of public PGP keyservers.

E2EMail is not perfect

Currently, E2EMail's only limitation is that it supports only text-based email messages. This means no email formatting or file attachments.

The development team plans to encrypt more than the email's body in future releases, hoping to support encrypted email headers to boost security and anonymity further.

Users should be aware that, just like PGP, E2EMail does not encrypt email subject lines. Also, just like PGP, E2EMail is not bulletproof and encrypted communications can be exposed if attackers get physical or remote access to the user's device(s).

The only benefit of using E2EMail over a classic OpenPGP client is simplicity and ease of installation. PGP is notoriously difficult to install correctly for first-time users if they don't follow tutorials or step-by-step guides.

Google open-sourced the project but does not plan to support it as an official product.