Roy and Niels

Tuesday, October 5, 2010

Pretty Good Privacy and Evolution

This year, the Danish government forced all its internet users to use the "NemID" solution for digital communication with the various public institutions, banks etc. The NemID concept is based on regular asymmetric encryption with a public and secret key pair. The developers of NemID realized very wisely that a significant number of users (if not the majority) won't be capable of storing their secret key safely on their respective computers running Windows.

The solution is that a private company, "DanID", contracted by the Danish government, stores the secret key for the user (imagine this happening in Germany!), and any interaction is realized with a Java-based login portal and a TAN list.

Without commenting on the trustworthiness of "DanID", this solution obviously does not integrate with typical Linux mailers such as Evolution.

Therefore, my colleague Bjarne Thomsen recently urged me (multiple times, thanks) to encrypt / sign my emails using gpg. Last time I did this was in 2004, but I must admit I cannot remember where I stored my old secret key (it is probably lost), and the revocation file is probably also gone. So, I had to start again from scratch. Here is the recipe:

First generate a new key pair. I was very paranoid, and closed down any closed-source processes which I do not trust (Skype, Flash, Google Earth ...) while generating this key.

$ gpg --gen-key

Let it be valid for 2 years: you will probably lose your secret key, forget your pass phrase and/or lose your revocation file sooner or later, and there is no way you can delete keys from the key server.
You can also choose between RSA and DSA/ElGamal for signing/encryption. I chose RSA, for no specific reason. For the bit length the default is 2048, but I chose 4096 bit, which should be safe until year 2030.

You will get a response akin to:

pub 4096R/xxxxxxxx 2010-10-04 [expires: 2012-10-03]

where the xxxxxxxx value is your public key identifier.

Next, you submit your public key to the key server:

$ gpg --keyserver pgp.mit.edu --send-keys xxxxxxxx

And finally I recommend you generate the aforementioned revocation file.

$ gpg --output revoke.asc --gen-revoke xxxxxxxx

Anyone who has this file can revoke your key. You can print the file on paper and store it in a safe place, if you wish.

So, now you are ready to go. Fire up Evolution and go to your mail account setup. There is a tab which says "Security". In this tab there is a place where you can enter your secret key ID. Don't worry, your key identifier is not secret in that sense; the actual key is protected with your pass phrase.


Now you are able to send signed emails. Evolution will ask for a pass phrase when accessing your key.

But you probably also want to send encrypted emails. In order to do so, you need to import the public key of the recipient. Evolution does not do this automatically, this is a very old bug in evolution which still has not been fixed, see #259665.


Instead, you must manually import the recipient's public key. I look up the recipient's key ID on a key server, such as this one: http://pgp.mit.edu/

$ gpg --keyserver pgp.mit.edu --recv-keys xxxxxxxx

If you are sure you got the right key, sign it:
$ gpg --sign-key xxxxxxxx

Ideally, you meet the person and exchange the key in person (e.g. at a key-signing party).

If you need to sign against a specific secret key, use:
$ gpg --default-key xx(yoursecretkeyID)xx --sign-key xx(keyIDtobesigned)xx

List your keys with:
$ gpg --list-keys


Tadaaa, now you can encrypt the mails in Evolution. Note that the email address on the recipient's public key (its user ID) must match the address you send the mail to.
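As an added example (not code from the original post), here is a small Python script that applies two of the rules above to your keyring: the advice to give keys a two-year lifetime, and the requirement that the recipient's address appears on the public key's user ID. It parses the machine-readable output of `gpg --list-keys --with-colons` (field positions as documented in GnuPG's doc/DETAILS). The listing embedded in the script is constructed for the example; the key IDs, names and addresses are placeholders, and the 731-day limit is an assumption chosen to match the post's "2 years" with one day of slack.

```python
"""Audit a GnuPG public-key listing against the advice in this post.

Checks per key: an expiry date is set, the key is not expired or revoked,
the lifetime is at most two years, and (optionally) the recipient address
appears on one of the key's user IDs.

Input format: `gpg --list-keys --with-colons`.  Relevant fields
(0-based after splitting on ':'):
  pub records: 1 validity, 2 key length, 3 algorithm, 4 key ID,
               5 creation (epoch seconds), 6 expiry (epoch seconds, may be empty)
  uid records: 9 user ID string, e.g. "Name <address>"
"""
import re
import sys
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumption: the post's "valid for 2 years", with one day of slack.
MAX_LIFETIME = timedelta(days=731)

# Constructed sample listing (placeholder key IDs and addresses):
#   key 1: 4096-bit RSA, created 2010-10-04, expires 2012-10-03 (as in the post)
#   key 2: old 2048-bit DSA key, expired 2006-10-04
#   key 3: RSA key with no expiry date at all
SAMPLE_LISTING = """\
tru::1:1286150400:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1286150400:1349222400::u:::scESC::::::::
uid:u::::1286150400::HASH1::Roy Example <roy@example.org>::::::::::
uid:u::::1286150400::HASH2::Roy Example <roy@example.net>::::::::::
sub:u:4096:1:FEDCBA9876543210:1286150400:1349222400:::::e::::::
pub:e:2048:17:1122334455667788:1100000000:1159920000::-:::scESC::::::::
uid:e::::1100000000::HASH3::Old Key <old@example.org>::::::::::
pub:-:2048:1:AABBCCDD00112233:1286150400:::-:::scESC::::::::
uid:-::::1286150400::HASH4::Never Expires <forever@example.org>::::::::::
"""


@dataclass
class Key:
    keyid: str
    length: int
    algo: int            # GnuPG numbering: 1 = RSA, 16 = ElGamal, 17 = DSA
    validity: str        # 'u' ultimate, 'e' expired, 'r' revoked, '-' unknown, ...
    created: datetime
    expires: Optional[datetime]
    uids: List[str] = field(default_factory=list)


def _epoch(s: str) -> Optional[datetime]:
    """Convert an epoch-seconds field to an aware UTC datetime ('' -> None)."""
    return datetime.fromtimestamp(int(s), tz=timezone.utc) if s else None


def parse_listing(text: str) -> List[Key]:
    """Turn --with-colons output into Key objects (pub + following uid records)."""
    keys: List[Key] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 6:
            keys.append(Key(f[4], int(f[2]), int(f[3]), f[1], _epoch(f[5]), _epoch(f[6])))
        elif f[0] == "uid" and keys and len(f) > 9:
            keys[-1].uids.append(f[9])
        # tru, sub, fpr and other record types are not needed for these checks
    return keys


_ADDR = re.compile(r"<([^>]+)>")


def uid_addresses(key: Key) -> List[str]:
    """Lower-cased e-mail addresses taken from the key's user IDs."""
    out = []
    for uid in key.uids:
        m = _ADDR.search(uid)
        out.append((m.group(1) if m else uid).strip().lower())
    return out


def check_key(key: Key, recipient: Optional[str] = None,
              now: Optional[datetime] = None) -> List[str]:
    """Return the list of problems found; an empty list means the key passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if key.validity == "r":
        problems.append("key is revoked")
    if key.expires is None:
        problems.append("no expiry date set")
    else:
        if key.expires <= now:
            problems.append("key expired on %s" % key.expires.date())
        if key.expires - key.created > MAX_LIFETIME:
            problems.append("lifetime longer than two years")
    if recipient is not None and recipient.strip().lower() not in uid_addresses(key):
        problems.append("no UID for %s" % recipient)
    return problems


def audit_listing(text: str, recipient: Optional[str] = None,
                  now_epoch: Optional[int] = None) -> Dict[str, List[str]]:
    """Map every public key ID in the listing to its list of problems."""
    now = _epoch(str(now_epoch)) if now_epoch is not None else None
    return {k.keyid: check_key(k, recipient, now) for k in parse_listing(text)}


if __name__ == "__main__":
    # Real use: gpg --list-keys --with-colons | python audit_keys.py recipient@example.org
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    recipient = sys.argv[1] if len(sys.argv) > 1 else None
    for keyid, problems in audit_listing(text, recipient).items():
        print(keyid, "OK" if not problems else "; ".join(problems))
```

Run it on the sample and the 2010 key passes, the 2004 key is reported as expired, and the third key is flagged for having no expiry at all; pass a recipient address to see which keys would actually be usable for encrypting to that person.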

If you ever need to revoke your key, do:
$ gpg --output revoke.asc --gen-revoke xxxxxxxx
$ gpg --import revoke.asc
$ gpg --keyserver pgp.mit.edu --send-keys xxxxxxxx



Oh yes, and here is my ASCII armored public key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.0
[key material not reproduced in this copy]
-----END PGP PUBLIC KEY BLOCK-----
