Secure email in Evolution
GnuPG
GnuPG is available in two versions in Debian: gnupg and gnupg2. Both support the OpenPGP standard, but neither is compatible with PGP2, because PGP2 uses the IDEA algorithm, which is patented in some countries. Only gnupg2 includes support for S/MIME; on the other hand, it has more dependencies, and gnupg is pre-installed in Debian Wheezy.
seahorse is a user interface for Gnome to handle encryption keys.
Nevertheless, the next steps use gnupg. They are a brief summary of the instructions at http://www.gnupg.org/gph/en/manual.html, which you are recommended to read alongside these steps.
- Create a new primary key pair:
gpg --gen-key
Follow the instructions. The default values are sufficient in most cases. The pass phrase is used to encrypt your private key. While it is important to choose a strong pass phrase, remember that it has to be re-entered every time you encrypt, decrypt or want to modify your key.
- It is best practice to also generate a revocation certificate right away, in case you ever have to revoke your key:
gpg --output revoke.asc --gen-revoke <identifier>
<identifier> is any unique identifier for your key, e.g. the e-mail address you provided in the previous step. Store the file revoke.asc in a safe place.
- If you have more than one e-mail address you want to use for encryption, you can add them to the certificate:
gpg --edit-key <identifier>
gpg> adduid
Follow the instructions as before, then
gpg> save
to save and quit.
- Check the key with
gpg --list-keys
- Export the public key in readable (ASCII-armored) format to send with your mail to your contacts, so that they can encrypt mails to you:
gpg --armor --output MyPublicKey.gpg --export <identifier>
You can now test your key by using the mail robot from the GNU Privacy Project. Send a mail with your public key as an attachment to adele-en@gnupp.de.
You will receive a mail with the public key of adele. Copy the key block, from
-----BEGIN PGP PUBLIC KEY BLOCK-----
to
-----END PGP PUBLIC KEY BLOCK-----
inclusive, to a text file.
- Import that key into your gpg keyring:
gpg --import <Public key from adele>
- Before using that key, it has to be signed, so first list your keys again:
gpg --list-keys
Check for the identifier of adele and sign that key:
gpg --sign-key <identifier of adele>
Send an encrypted mail to adele; in Evolution, simply check the option to encrypt the mail. adele will return your mail in readable form.
The same process used for adele applies to any counterpart you want to exchange encrypted mails with. Before signing a key, make sure you have verified that it really came from the person you trust it to belong to.
Copying the key
If you are using more than one computer and want to use the same encryption key on all of them, you can simply copy the whole content of ~/.gnupg, which includes all of your keys, every key you have collected from others, and your entire trust database. This is ideal for backups or for moving to a new computer.
Alternatively, you may want to copy just your own keys.
First export the private and the public key:
gpg --export-secret-keys --armor <identifier> > my_private_key.asc
gpg --export --armor <identifier> > my_public_key.asc
Securely copy them to the new machine. On the new machine:
gpg --import my_private_key.asc
gpg --import my_public_key.asc
Ensure that the key ID printed is the correct one, and if so, go ahead and add ultimate trust for it:
gpg --edit-key <identifier>
gpg> trust
gpg> quit
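The following script is an added example and not part of the wiki page or of GnuPG's documentation. It runs the whole GnuPG workflow above (key generation, exchanging and signing public keys, sending a signed and encrypted message, and the "Copying the key" steps of exporting a key pair, importing it on a second machine and granting it ultimate trust) non-interactively inside throwaway keyrings, so ~/.gnupg is never touched. It assumes GnuPG 2.1 or later (for --pinentry-mode loopback, --import-ownertrust and gpgconf); the names, addresses, message and pass phrase are constructed sample values. Where the page shows an interactive command (gpg --gen-key, gpg --edit-key ... trust), the script uses the batch equivalent and says so in a comment.

```shell
#!/bin/sh
# Added example, not from the wiki page: the gpg workflow above, run end to end
# inside throwaway keyrings so ~/.gnupg is never touched. Assumes GnuPG 2.1 or
# later. Names, addresses, the message and the pass phrase are constructed.
set -eu

PASS='correct-horse-battery'          # constructed sample; choose a strong one for real
WORK=''                               # temp dir holding the three keyrings

cleanup() {                           # stop per-keyring agents and remove the temp dir
  [ -n "$WORK" ] || return 0
  for h in "$WORK/alice" "$WORK/bob" "$WORK/alice-new-pc"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"; WORK=''
}
trap cleanup EXIT

# g  <homedir> <gpg args...>  non-interactive gpg against one keyring
# gp <homedir> <gpg args...>  same, supplying the private key's pass phrase
g()  { h=$1; shift; gpg --homedir "$h" --batch --quiet --no-tty --pinentry-mode loopback "$@"; }
gp() { h=$1; shift; g "$h" --passphrase "$PASS" "$@"; }

# Batch form of `gpg --gen-key`: RSA primary key (sign/certify) plus an RSA
# encryption subkey, with the private key protected by $PASS.
gen_key() {            # gen_key <homedir> <real name> <email>
  g "$1" --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
Passphrase: $PASS
%commit
EOF
}

fingerprint() {        # fingerprint <homedir> <identifier>  -> primary key fingerprint
  g "$1" --with-colons --fingerprint "$2" | awk -F: '$1=="fpr"{print $10; exit}'
}

demo_roundtrip() {
  WORK=$(mktemp -d)
  ALICE="$WORK/alice"; BOB="$WORK/bob"; NEWPC="$WORK/alice-new-pc"
  mkdir -m 700 "$ALICE" "$BOB" "$NEWPC"
  msg='hello alice, this is bob'

  gen_key "$ALICE" 'Alice Example' alice@example.org
  gen_key "$BOB"   'Bob Example'   bob@example.org

  # Export public keys in armored form, as you would attach them to a mail.
  g "$ALICE" --armor --output "$WORK/alice_pub.asc" --export alice@example.org
  g "$BOB"   --armor --output "$WORK/bob_pub.asc"   --export bob@example.org

  # Each side imports the other's key and, after verifying it out of band
  # (fingerprint compared by phone or in person), signs it; --yes answers the
  # confirmation that --sign-key would ask interactively.
  gp "$BOB"   --import "$WORK/alice_pub.asc"
  gp "$BOB"   --yes --sign-key alice@example.org
  gp "$ALICE" --import "$WORK/bob_pub.asc"
  gp "$ALICE" --yes --sign-key bob@example.org

  # Bob signs and encrypts a message to Alice (what Evolution does when both
  # security options are ticked); Alice decrypts it and verifies the signature.
  printf '%s\n' "$msg" > "$WORK/msg.txt"
  gp "$BOB" --output "$WORK/to_alice.gpg" --recipient alice@example.org \
     --sign --encrypt "$WORK/msg.txt"
  got_on_first_pc=$(gp "$ALICE" --decrypt "$WORK/to_alice.gpg")

  # "Copying the key": move only Alice's own key pair to a second machine, then
  # grant it ultimate owner trust (6) -- the batch form of `gpg --edit-key ... trust`.
  gp "$ALICE" --armor --output "$WORK/my_private_key.asc" --export-secret-keys alice@example.org
  gp "$NEWPC" --import "$WORK/my_private_key.asc"
  gp "$NEWPC" --import "$WORK/alice_pub.asc"
  printf '%s:6:\n' "$(fingerprint "$NEWPC" alice@example.org)" | g "$NEWPC" --import-ownertrust
  g "$NEWPC" --check-trustdb
  g "$NEWPC" --import "$WORK/bob_pub.asc"      # needed to check Bob's signature
  got_on_new_pc=$(gp "$NEWPC" --decrypt "$WORK/to_alice.gpg")

  # Both keyrings must recover the original text, and the copied key must show
  # validity "u" (ultimate) on its user ID; report a short status word.
  [ "$got_on_first_pc" = "$msg" ] || { echo first-pc-failed; return 1; }
  [ "$got_on_new_pc"   = "$msg" ] || { echo new-pc-failed;   return 1; }
  g "$NEWPC" --with-colons --list-keys alice@example.org | grep -q '^uid:u:' \
    || { echo trust-failed; return 1; }
  cleanup
  echo roundtrip-ok
}

demo_roundtrip
```

Run it with `sh script.sh`; it prints `roundtrip-ok` when both the original and the "new machine" keyring decrypt Bob's message and the copied key carries ultimate trust. Note that Bob can encrypt to Alice without any extra trust options only because he signed her key first, which is exactly why the page insists on signing a key before use.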
S/MIME
First, make sure you have an S/MIME (X.509) certificate. Some free alternatives are:
- Thawte freemail is widely used; follow the instructions there
- CAcert, the community-driven alternative
Create a PKCS#12 file, for example by exporting from Firefox (Preferences->Advanced->View Certificates->Backup). Import the certificate into Evolution (Settings->Certificates->Import). For each account you want to use it with, go to Account settings->Security and choose the certificate you want to use for signing and encryption. When you compose a new e-mail, check 'sign with S/MIME' and/or 'encrypt with S/MIME' in the 'Security' menu.
See also
- Homepage of gnupg: www.gnupg.org
- Very good tutorials and instructions for using gnupg: