Secure email in Evolution

GnuPG

GnuPG is available in two versions in Debian: gnupg and gnupg2. Both support the OpenPGP standard, but neither is compatible with PGP 2, because PGP 2 uses the IDEA algorithm, which is patented in some countries. Only gnupg2 includes support for S/MIME; on the other hand, it has more dependencies, and gnupg is the version pre-installed in DebianWheezy.

seahorse is a graphical user interface for GNOME to manage encryption keys.

Nevertheless, the following steps use gnupg on the command line instead. They are a brief summary of the instructions at http://www.gnupg.org/gph/en/manual.html, which you are advised to read alongside these steps.

  1. Create a new primary key pair:
     gpg --gen-key
     Follow the instructions. The default values are sufficient in most cases. The passphrase is used to encrypt your private key. Choose a strong one, but bear in mind that it has to be re-entered every time you encrypt, decrypt or modify your key.
  2. It is best practice to generate a revocation certificate right away, in case you ever have to revoke your key:
     gpg --output revoke.asc --gen-revoke <identifier>
     <identifier> is any unique identifier of your key, e.g. the e-mail address you provided in the previous step. Store the file revoke.asc in a safe place.
  3. If you have more than one e-mail address you want to use for encryption, you can add them to the key:
     gpg --edit-key <identifier>
     gpg> adduid
     Follow the instructions as before, then
     gpg> save
     to save and quit.
  4. Check the key with
     gpg --list-keys
  5. Export the public key in ASCII-armored (readable) format to send with your mail to your contacts, so that they can encrypt mails to you:
     gpg --armor --output MyPublicKey.gpg --export <identifier>
  6. You can now check your key by using the mail robot from the Gnu Privacy Project. Send a mail with your public key as attachment to adele-en@gnupp.de.
  7. You will receive a mail with the public key of adele. Copy the key block, including the lines
     -----BEGIN PGP PUBLIC KEY BLOCK-----
     :
     -----END PGP PUBLIC KEY BLOCK-----
     to a text file.
  8. Import that key into gpg:
     gpg --import <file containing the public key of adele>
  9. Before using that key, it has to be signed, so first list your keys again
     gpg --list-keys
     look up the identifier of adele and sign that key:
     gpg --sign-key <identifier of adele>
  10. Send an encrypted mail to adele; in Evolution, simply check the option to encrypt the mail. adele will return your mail in readable form.

The same process used with adele applies to any counterpart you want to exchange encrypted mails with. Before signing a key, make sure you have verified that it really came from the person you expect.

Copying the key

If you are using more than one computer and want to use that encryption key on all of them, you can simply copy the content of ~/.gnupg. This copies all of your keys, every key you have imported from others, and your entire trust database. It is ideal for a backup or for moving to a new computer.

Alternatively, you may want to copy just your keys.

First export the private and the public key:

gpg --export-secret-keys --armor <identifier> > my_private_key.asc
gpg --export --armor <identifier> > my_public_key.asc

Securely copy them to the new machine. On the new machine:

gpg --import my_private_key.asc
gpg --import my_public_key.asc

Ensure that the key ID printed is the correct one, and if so, go ahead and assign ultimate trust to it:

gpg --edit-key <identifier>
gpg> trust
gpg> quit
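Both the advice above to verify a contact's key before signing it and the check that the imported key ID is the correct one come down to comparing the fingerprint gpg reports with one obtained out of band (for instance read aloud by the owner). The following POSIX shell snippet is an added example, not part of the original page: it parses the machine-readable output of gpg --with-colons --fingerprint --list-keys and compares the primary-key fingerprint with an expected value. The listing, the key IDs, the fingerprints and the user ID in it are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --fingerprint --list-keys <identifier>`
# (key IDs, fingerprints, dates and the user ID are made up for this example).
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:2048:1:89ABCDEF01234567:1700000000:::u:::scESC::::::23::0:
fpr:::::::::FEDCBA98765432100123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sub:u:2048:1:7777888899990000:1700000000::::::e::::::23:
fpr:::::::::1111222233334444555566667777888899990000:'

# Print the fingerprint of the primary key: field 10 of the first "fpr" record
# that follows the "pub" record (subkeys have their own fpr records after "sub").
primary_fingerprint() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" { in_pub = 1; next }
        $1 == "sub" { in_pub = 0 }
        $1 == "fpr" && in_pub { print $10; exit }'
}

# Print the user ID (field 10 of the "uid" record) so the caller can show
# whom the listed key claims to belong to.
primary_uid() {
    printf '%s\n' "$1" | awk -F: '$1 == "uid" { print $10; exit }'
}

# Normalise a fingerprint as read from a business card or a key-signing sheet:
# drop the groups-of-four spacing and uppercase the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Compare the listed primary-key fingerprint with the one obtained out of band.
# Returns 0 when they match (OK to sign or trust), 1 otherwise.
verify_fingerprint() {
    actual=$(primary_fingerprint "$1")
    expected=$(normalize_fpr "$2")
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Usage: compare against the fingerprint Alice read out over the phone.
if verify_fingerprint "$SAMPLE_LISTING" "fedc ba98 7654 3210 0123 4567 89ab cdef 0123 4567"; then
    echo "Fingerprint matches for $(primary_uid "$SAMPLE_LISTING"); OK to sign."
else
    echo "Fingerprint MISMATCH; do not sign or trust this key." >&2
fi
```

In practice, replace SAMPLE_LISTING with `$(gpg --with-colons --fingerprint --list-keys <identifier>)` and only run gpg --sign-key or assign trust when the function returns 0.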

S/MIME

First, make sure you have a personal certificate (exported as a PKCS#12 file). Some free alternatives are:

Create a PKCS#12 file, for example by exporting it from Firefox (Preferences->Advanced->View Certificates->Backup). Import the certificate into Evolution (Settings->Certificates->Import). For each account you want to use it with, go to Account Settings->Security and choose the certificate you want to use for signing and encryption. When you compose a new email, check 'Sign with S/MIME' and/or 'Encrypt with S/MIME' in the 'Security' menu.

see also