Encrypting email with GnuPG

Going for It

After signing and integrating the recipient's keys in your keyring, the next step is to configure the email client. In both Thunderbird and KMail, all you need to do is associate an identity with a secret key (Figure 4) that matches its email address. If Thunderbird finds just one matching private key in your keyring, it automatically selects it.

Figure 4: After GnuPG configuration, in both KMail (top) and Thunderbird (bottom), you can simply select a private key for each identity.

After this preparation, sending an encrypted email is a mouse-click away. In Thunderbird, select OpenPGP | Encrypt message; in KMail, select Options | Encrypt message. The email client then asks whether the public key selected based on the email address is the correct one. To unlock the keyring, enter the password of the private key associated with the particular identity.

Upon receiving an encrypted message, KMail decrypts it by default when you click Decrypt message. Thunderbird either decrypts the email unprompted or displays the raw text of the OpenPGP-encrypted message.

Clicking Decrypt shows the plaintext message after you enter the private key password. Obviously, the private key password is local to your computer only and is not sent to the mail server. Thus, you need to decrypt all emails again after restarting the program.

Thunderbird behaves differently depending on the message because GnuPG has two methods of embedding the encrypted text in a message. The older approach writes the encrypted message text directly into the mail body ("Inline OpenPGP").

The newer one, OpenPGP/MIME, uses the MIME attachment method and creates the encrypted text as an attachment of type application/pgp-encrypted. Newer email programs don't offer such pgp-encrypted attachments as downloads; instead, they decrypt the included text and display it in the message window.

The benefit of MIME embedding is that the encryption also covers message attachments and that mail programs can recognize the encrypted parts more easily. However, older or simpler programs may not be able to handle these MIME types.

In KMail, Options | Message encryption format lets you choose between Inline OpenPGP and OpenPGP/MIME. The corresponding Thunderbird option is OpenPGP | Use PGP/MIME.
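Because the two formats look so different on the wire, it helps to see exactly what a mail client inspects when it decides whether a message is Inline OpenPGP or OpenPGP/MIME. The following Python script is an added example, not code from the article or from either mail client: it builds a message in each format using only the standard library (the multipart/encrypted layout follows RFC 3156), classifies incoming mail as inline, PGP/MIME or plain, and pulls the armored block out of either form. The armored "ciphertext", the addresses and the part name are constructed placeholders.

```python
"""Build and classify the two OpenPGP mail formats: Inline OpenPGP and
OpenPGP/MIME (RFC 3156). Added example; the ciphertext is a placeholder."""
from __future__ import annotations

from email import encoders, message_from_string
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Constructed stand-in for an armored OpenPGP message; not real GnuPG output.
SAMPLE_ARMOR = (
    "-----BEGIN PGP MESSAGE-----\n"
    "\n"
    "hQEMA0NvbnN0cnVjdGVkU2FtcGxlS2V5AQf9EXAMPLEONLYNOTREAL\n"
    "=abcd\n"
    "-----END PGP MESSAGE-----\n"
)
SENDER = "alice@example.org"   # assumed addresses, not from the article
RECIPIENT = "bob@example.org"


def build_inline(armored: str) -> str:
    """Inline OpenPGP: the armored block simply *is* the text/plain body."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    msg["Subject"] = "inline openpgp sample"
    msg.set_content(armored)          # ASCII, short lines -> 7bit body
    return msg.as_string()


def build_pgp_mime(armored: str) -> str:
    """OpenPGP/MIME: multipart/encrypted with a control part and the ciphertext part."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"] = SENDER
    outer["To"] = RECIPIENT
    outer["Subject"] = "openpgp/mime sample"
    # Part 1 (control information) must be application/pgp-encrypted, body "Version: 1".
    control = MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    # Part 2 carries the armored ciphertext as application/octet-stream.
    body = MIMEApplication(armored.encode("ascii"), "octet-stream",
                           _encoder=encoders.encode_7or8bit, name="encrypted.asc")
    outer.attach(control)
    outer.attach(body)
    return outer.as_string()


def classify(raw: str) -> str:
    """Return 'pgp-mime', 'malformed-pgp-mime', 'unknown-encrypted', 'inline' or 'plain'."""
    msg = message_from_string(raw)
    if msg.get_content_type() == "multipart/encrypted":
        if msg.get_param("protocol") != "application/pgp-encrypted":
            return "unknown-encrypted"
        parts = msg.get_payload()
        if (len(parts) == 2
                and parts[0].get_content_type() == "application/pgp-encrypted"
                and parts[1].get_content_type() == "application/octet-stream"):
            return "pgp-mime"
        return "malformed-pgp-mime"   # right container, wrong part layout
    if not msg.is_multipart():
        body = msg.get_payload(decode=True) or b""
        if b"-----BEGIN PGP MESSAGE-----" in body:
            return "inline"
    return "plain"


def extract_armor(raw: str) -> str | None:
    """Return the armored OpenPGP block from either format, or None if there is none."""
    kind = classify(raw)
    msg = message_from_string(raw)
    if kind == "pgp-mime":
        return msg.get_payload()[1].get_payload(decode=True).decode("ascii")
    if kind == "inline":
        body = msg.get_payload(decode=True).decode("ascii", "replace")
        start = body.index("-----BEGIN PGP MESSAGE-----")
        end = body.index("-----END PGP MESSAGE-----") + len("-----END PGP MESSAGE-----")
        return body[start:end] + "\n"
    return None


if __name__ == "__main__":
    for raw in (build_inline(SAMPLE_ARMOR), build_pgp_mime(SAMPLE_ARMOR)):
        print(classify(raw), "->", extract_armor(raw).splitlines()[0])
```

The classifier checks the `protocol` parameter and the exact two-part layout rather than just the outer content type, because an older or simpler client that merely sees "multipart/encrypted" and hands the second part to the user as a download is precisely the interoperability problem the text describes.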

Preventing Key Loss

Losing a private key prevents access to any previously encrypted messages. Therefore, a secure key backup on external media is essential.

The easiest way is to copy the secring.gpg file from the ~/.gnupg directory. Copying the file into the same directory on any Linux installation keeps the private keys accessible. Alternatively, export the private keys with the following command:

$ gpg --export-secret-keys -a > <MySecretKeys.sec>

To import the keys, use the command gpg --import MySecretKeys.sec. Conversely, to remove compromised or no longer sufficiently secure keys from your keyring, you can create a so-called revocation certificate, as follows:

$ gpg --gen-revoke <id> > revoke.asc

Next, import the revocation certificate into your keyring with gpg --import revoke.asc, and then upload the now-revoked key to the key server with the following command:

$ gpg --keyserver hkp://keys.gnupg.net --send-keys <id>

Because a published key can be compromised at any time, the revocation certificate should be generated in advance, and it must never fall into the wrong hands.
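A backup only prevents key loss if it is actually intact when you need it. The following Python script is an added example, not part of the article: it reads an ASCII-armored file such as the output of gpg --export-secret-keys -a, verifies the radix-64 CRC24 checksum defined in RFC 4880 (section 6.1), and checks that the first OpenPGP packet is a secret-key packet (tag 5), so a truncated or bit-rotted backup is noticed while the original keyring still exists. The sample block is constructed inside the script and is not a real key. One caveat worth knowing: GnuPG 2.1 and later no longer store secret keys in secring.gpg (they live under ~/.gnupg/private-keys-v1.d/), which is a good reason to prefer the export command over copying the file.

```python
"""Sanity-check an ASCII-armored GnuPG backup: parse the armor, verify the
RFC 4880 CRC24, and identify the first packet. Added example; sample bytes
are constructed and do not form a usable key."""
from __future__ import annotations

import base64
import binascii
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# OpenPGP packet tags of interest (RFC 4880, section 4.3).
SECRET_KEY_TAG = 5
PUBLIC_KEY_TAG = 6


def crc24(data: bytes) -> int:
    """Radix-64 checksum exactly as specified in RFC 4880, section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def packet_tag(first_octet: int) -> int:
    """Decode the packet tag from the first octet of an OpenPGP packet header."""
    if not first_octet & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first_octet & 0x40:                # new-format header: tag in low 6 bits
        return first_octet & 0x3F
    return (first_octet >> 2) & 0x0F      # old-format header: tag in bits 5..2


def armor(block_type: str, payload: bytes, headers: dict | None = None) -> str:
    """Produce an armored block (used here only to build the constructed sample)."""
    lines = [f"-----BEGIN PGP {block_type}-----"]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    lines.append("")
    b64 = base64.b64encode(payload).decode("ascii")
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii"))
    lines.append(f"-----END PGP {block_type}-----")
    return "\n".join(lines) + "\n"


_BLOCK = re.compile(r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END PGP \1-----", re.S)


def dearmor(text: str) -> tuple[str, dict, bytes]:
    """Return (block type, armor headers, raw packets); raise ValueError if damaged."""
    m = _BLOCK.search(text)
    if not m:
        raise ValueError("no armored block found")
    block_type, body = m.group(1), m.group(2).replace("\r\n", "\n")
    lines = body.split("\n")
    try:
        blank = lines.index("")           # blank line separates headers from data
    except ValueError:
        raise ValueError("missing blank line between armor headers and data") from None
    headers = dict(h.split(": ", 1) for h in lines[:blank] if ": " in h)
    data_lines = [line for line in lines[blank + 1:] if line]
    checksum_line = data_lines.pop() if data_lines and data_lines[-1].startswith("=") else None
    try:
        payload = base64.b64decode("".join(data_lines), validate=True)
        expected = None
        if checksum_line is not None:
            expected = int.from_bytes(base64.b64decode(checksum_line[1:], validate=True), "big")
    except binascii.Error as exc:
        raise ValueError(f"bad radix-64 data: {exc}") from None
    if expected is not None and expected != crc24(payload):
        raise ValueError("CRC24 mismatch: backup is corrupted or truncated")
    return block_type, headers, payload


def is_intact(text: str) -> bool:
    """True if the armor parses and its checksum verifies."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


def check_secret_key_backup(text: str) -> dict:
    """Report what a backup file contains; raises ValueError if it is damaged."""
    block_type, headers, payload = dearmor(text)
    tag = packet_tag(payload[0])
    names = {SECRET_KEY_TAG: "secret-key", PUBLIC_KEY_TAG: "public-key"}
    return {
        "block_type": block_type,
        "first_packet": names.get(tag, f"tag {tag}"),
        "is_secret_key_backup": block_type == "PRIVATE KEY BLOCK" and tag == SECRET_KEY_TAG,
        "headers": headers,
        "size": len(payload),
    }


# Constructed sample: old-format header for a tag-5 (secret-key) packet with a
# two-octet length, followed by filler; it is not a usable key.
SAMPLE_PAYLOAD = b"\x95\x00\x10" + bytes(range(0x10, 0x20))
SAMPLE_BACKUP = armor("PRIVATE KEY BLOCK", SAMPLE_PAYLOAD, {"Comment": "constructed sample"})

if __name__ == "__main__":
    print(check_secret_key_backup(SAMPLE_BACKUP))
```

Running it against a real export (read the file and pass its text to check_secret_key_backup) tells you whether the armor is whole and whether it really holds a secret key rather than, say, the public key block that gpg --export would produce. The CRC24 only detects accidental damage; it is not a signature, so it says nothing about whether the file was altered on purpose.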