Cryptography setup
From Smith family
Cryptography is important to protect email and other files. Here I'll talk about using cryptography for signing and encrypting email.
- Check GnuPG is installed (it should be anyway):
root@desktop:~# apt-get install gnupg gnupg-agent gpgsm
- and install a certificate revocation checker and a graphical front end:
root@desktop:~# apt-get install dirmngr kgpg
GnuPG for Email
(Note: these instructions may be a bit inaccurate as I wrote this up some time after doing it. Some details may be wrong.)
When KGpg starts, it appears as a small padlock icon in the system tray. Don't expect a full window and get disappointed when KGpg apparently doesn't work!
Create a key
KGpg is also not reliable when it comes to creating keys. Do key creation from the command line.
Creating a key is simple:
user@desktop:~$ gpg --gen-key
Accept the defaults and use a strong passphrase.
Import a secret/public key pair from another source
Add another identity to a key
Publish a public key
Keys should be exported to and imported from the EU PGP key server.
Sign someone else's public key
Integration into KMail
- Open the KMail settings dialog: KMail | Settings | Configure KMail
- Select the 'Identities' tab and select the one you want.
- Press the 'Modify...' button and select the 'Cryptography' tab
- Add the key for both Signing and Encryption
You should now be able to sign and encrypt messages with the key.
x509 certificates for Email
The Thawte Web of Trust (WoT) is a free service for asserting your identity. First, you register for a free email signing certificate from Thawte. You then have your identity verified by various Thawte WoT notaries (all volunteers). That allows you to include your name in your certificate. Once that is done, you can sign and encrypt emails with that certificate.
Get a certificate
- Register with Thawte to receive your email signing certificate. Don't create one yet.
- Find WoT notaries in your area and have them corroborate your identity. Each corroboration will give you some trust points.
- Once you have 50 trust points, you can create a certificate that includes your name. Do so now and import it into Firefox.
Import the certificate into GnuPG SM
- In Firefox, export the certificate to somewhere on your local disk (Edit | Preferences | Advanced | Your Certificates | Backup). Let's call the saved file thawte-wot-certificate.p12. You will need to provide a password for access to this saved certificate file.
Now you have to get the certificate's keys into GpgSM's keyrings.
- Convert the p12 file to a PEM file:
user@desktop:crypto$ openssl pkcs12 -in thawte-wot-certificate.p12 -out thawte-wot-certificate.pem -nodes
- (give the password you specified when you exported the certificate)
- Extract your private key:
user@desktop:crypto$ openssl pkcs12 -in thawte-wot-certificate.pem -export -out my-key.p12 -nocerts -nodes
- (give the password you specified when you exported the certificate and specify a password to protect your private key file)
- Import your private key into your private keyring:
user@desktop:crypto$ gpg-agent --daemon gpgsm --call-protect-tool --p12-import --store my-key.p12
- (give the password you specified when you exported the key and specify a password to protect your private key in GpgSM's keyring)
- Extract your public key from the certificate file:
user@desktop:crypto$ openssl pkcs12 -in thawte-wot-certificate.p12 -out certs.pem -nokeys
- (give the password you specified when you exported the certificate)
- Import the certificates into your public keyring.
user@desktop:crypto$ gpgsm --import certs.pem
- Tell GnuPG that you trust Thawte. Get the list of keys and note which have Subjects that relate to Thawte:
user@desktop:crypto$ gpgsm -kv
/home/user/.gnupg/pubring.kbx
-----------------------------
ID: 0x1839990F
S/N: 0D
Issuer: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail@thawte.com
Subject: /CN=Thawte Personal Freemail Issuing CA/O=Thawte Consulting (Pty) Ltd./C=ZA
validity: 2003-07-17 00:00:00 through 2013-07-16 23:59:59
key type: 1024 bit RSA
key usage: certSign crlSign
chain length: 0
fingerprint: BC:F0:3A:B1:BD:9A:08:9B:EB:46:8D:AF:99:47:5E:83:18:39:99:0F
ID: 0xA4EB0085
S/N: 00
Issuer: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail@thawte.com
Subject: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail@thawte.com
validity: 1996-01-01 00:00:00 through 2020-12-31 23:59:59
key type: 1024 bit RSA
chain length: unlimited
fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
- Copy the fingerprints into ~/.gnupg/trustlist.txt, with " S relax" appended to each of them (S marks the certificate as a trusted root for S/MIME; relax tells gpgsm to relax some of its checks on the root certificate):
BC:F0:3A:B1:BD:9A:08:9B:EB:46:8D:AF:99:47:5E:83:18:39:99:0F S relax
20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85 S relax
- There is a problem with Thawte certificates and their certificate revocation lists, so you need to stop gpgsm from looking for revocation information. Bear in mind that with CRL checks disabled gpgsm will no longer notice a revoked certificate, so this is a workaround rather than a fix. Create
~/.gnupg/gpgsm.conf, containing the line
disable-crl-checks
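The openssl pkcs12 splitting steps above can be rehearsed on a throwaway certificate before they are run on the real Thawte export. The script below is an added example and is not part of the original page, nor of OpenSSL or GnuPG; the subject name, the export password and the file names are made up. It builds a self-signed key and certificate, bundles them into a password-protected .p12 as a browser backup would, splits that into a key-only and a certificate-only PEM file with the same -nocerts / -nokeys options used above (it extracts the key to PEM for checking only, rather than re-packaging it as a second .p12 for gpgsm), and then confirms that the two halves carry the same public key before printing the certificate's SHA-1 fingerprint in the colon-separated form that gpgsm lists and trustlist.txt expects:

```shell
#!/bin/sh
# Added example: rehearse the PKCS#12 -> PEM splitting steps on a throwaway
# self-signed certificate before running them on a real browser export.
# The subject, password and file names below are made up for this example.
set -e

# Build a throwaway RSA key and self-signed certificate and bundle them into a
# password-protected .p12, which is what a browser "Backup" export produces.
make_test_p12() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Test User/emailAddress=test@example.invalid" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
    -out "$dir/export.p12" -passout pass:exportpw
}

# Split the .p12 the way the procedure does: once with -nocerts for the private
# key (unencrypted because of -nodes, so keep the file in a private directory),
# once with -nokeys for the certificate chain that gpgsm --import will read.
split_p12() {
  dir=$1
  openssl pkcs12 -in "$dir/export.p12" -passin pass:exportpw \
    -nodes -nocerts -out "$dir/my-key.pem"
  openssl pkcs12 -in "$dir/export.p12" -passin pass:exportpw \
    -nokeys -out "$dir/certs.pem"
}

# Before importing anything: the extracted key and certificate must carry the
# same public key. On success print the certificate's SHA-1 fingerprint in the
# colon-separated form that gpgsm lists and trustlist.txt expects.
check_split() {
  dir=$1
  keypub=$(openssl pkey -in "$dir/my-key.pem" -pubout 2>/dev/null)
  certpub=$(openssl x509 -in "$dir/certs.pem" -pubkey -noout)
  [ -n "$keypub" ] && [ "$keypub" = "$certpub" ] || return 1
  openssl x509 -in "$dir/certs.pem" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Run the whole rehearsal in a scratch directory: sh rehearse.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_test_p12 "$d" && split_p12 "$d" && check_split "$d"
  rm -rf "$d"
fi
```

The public-key comparison is the check worth keeping: a .p12 that was exported with the wrong certificate selected, or a key file that was mixed up with one from an earlier export, fails it before anything reaches the GpgSM keyrings.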
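Rather than copying the fingerprints out of the gpgsm -kv listing by hand, the added example below (not from the original page or from GnuPG) reads such a listing, picks out every certificate whose Subject names Thawte, and prints the matching trustlist.txt lines. The listing embedded in sample_listing is the one shown above; the function names and the line check are inventions for this example. Only the Subject line is tested, because the Issuer line of a personal certificate issued by Thawte also mentions Thawte, and a personal certificate must not end up marked as a trusted root:

```shell
#!/bin/sh
# Added example: generate ~/.gnupg/trustlist.txt lines from a `gpgsm -kv`
# listing. Function names and the trustlist-line check are inventions here.

# The listing shown on the page, embedded so that the script runs offline.
sample_listing() {
  cat <<'EOF'
/home/user/.gnupg/pubring.kbx
-----------------------------
ID: 0x1839990F
S/N: 0D
Issuer: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail@thawte.com
Subject: /CN=Thawte Personal Freemail Issuing CA/O=Thawte Consulting (Pty) Ltd./C=ZA
validity: 2003-07-17 00:00:00 through 2013-07-16 23:59:59
key type: 1024 bit RSA
key usage: certSign crlSign
chain length: 0
fingerprint: BC:F0:3A:B1:BD:9A:08:9B:EB:46:8D:AF:99:47:5E:83:18:39:99:0F
ID: 0xA4EB0085
S/N: 00
Issuer: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail@thawte.com
Subject: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail@thawte.com
validity: 1996-01-01 00:00:00 through 2020-12-31 23:59:59
key type: 1024 bit RSA
chain length: unlimited
fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
EOF
}

# Read a gpgsm -kv listing on stdin and print one "FINGERPRINT S relax" line
# for every certificate whose Subject names Thawte. The flag is reset on each
# new ID: line so a match never leaks into the next certificate.
thawte_trustlist() {
  awk '
    /^ *ID:/          { thawte = 0 }
    /^ *Subject:/     { thawte = ($0 ~ /Thawte/) }
    /^ *fingerprint:/ { if (thawte) print $2, "S", "relax" }
  '
}

# Check one trustlist line: a 20-byte colon-separated SHA-1 fingerprint, then
# the scope flag (S for S/MIME, P for OpenPGP, * for both) and optionally relax.
check_trustlist_line() {
  printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2} [SP*]( relax)?$'
}

# Produce the lines for the sample listing, refusing to emit anything if one of
# them does not look like a trustlist entry (a mangled fingerprint, say).
build_trustlist() {
  sample_listing | thawte_trustlist | while IFS= read -r line; do
    check_trustlist_line "$line" || { echo "bad line: $line" >&2; exit 1; }
    printf '%s\n' "$line"
  done
}

# Usage on a real keyring: gpgsm -kv | thawte_trustlist >> ~/.gnupg/trustlist.txt
```

On a live system the sample_listing function is simply replaced by the output of gpgsm -kv; appending to trustlist.txt rather than overwriting it keeps any roots that were already trusted.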
Testing
- Create a test file, then sign it:
user@desktop:~$ gpgsm --detach-sign test-file > test-file.sig
- Check the signature:
user@desktop:~$ gpgsm --verify test-file.sig test-file
Integration into KMail
- Open the KMail settings dialog: KMail | Settings | Configure KMail
- Select the 'Identities' tab and select the one you want.
- Press the 'Modify...' button and select the 'Cryptography' tab
- Add the key for both Signing and Encryption
You should now be able to sign and encrypt messages with the WoT certificate.
Allowing GnuPG signing in Squirrelmail
There is a plugin for this, but it hasn't been updated in a long time and no longer works.
Getting trusted keys
Insert descriptions and links to CAcert and GSWoT
