Cryptography setup
Cryptography is important to protect email and other files. Here I'll talk about using cryptography for signing and encrypting email.
- Check GnuPG is installed (it should be anyway):
root@desktop:~# apt-get install gnupg gnupg-agent gpgsm
- and install a certificate revocation checker and a graphical front end:
root@desktop:~# apt-get install dirmngr kgpg
GnuPG for Email
(Note: these instructions may be a bit inaccurate as I wrote this up some time after doing it. Some details may be wrong.)
When KGpg starts, it appears as a small padlock icon in the system tray. Don't expect a full window and get disappointed when KGpg apparently doesn't work!
Create a key
KGpg is also not reliable when it comes to creating keys. Do key creation from the command line.
Creating a key is simple:
user@desktop:~$ gpg --gen-key
Accept the defaults and use a strong passphrase.
Publish a public key
I generally use the PGP Public Directory for keys.
Integration into KMail
- Open the KMail settings dialog: KMail | Settings | Configure KMail
- Select the 'Identities' tab and select the one you want.
- Press the 'Modify...' button and select the 'Cryptography' tab
- Add the key for both Signing and Encryption
You should now be able to sign and encrypt messages with the key.
Integration into Thunderbird
Use the Enigmail plugin.
root@desktop:~# aptitude install enigmail
Follow the instructions when you restart Thunderbird.
Integration in Android
- Install APG.
- Copy pubring.gpg and secring.gpg onto the device.
- Import the secret and public keys. Note that you should only import a few at a time: the app seems to baulk at importing more than about eight keys at a time.
- In K9 Mail, save any account settings you may already have, remove it, and reinstall. K9 Mail should now provide "Sign" and "Encrypt" checkboxes when composing new messages, and will verify signed messages you receive. (It doesn't seem to decrypt encrypted messages.)
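Because the Android app only accepts a handful of keys per import, it is easier to split the keyring into batches before copying it to the device. The script below is an added example, not code from the page or from APG; it assumes the classic keyring layout (pubring.gpg, secring.gpg, or the output of gpg --export: a plain concatenation of OpenPGP packets, where each key begins with a Public-Key or Secret-Key packet), and the ten-key sample keyring it works on is constructed with dummy packet bodies, not real key material. GnuPG 2.1 and later keep public keys in pubring.kbx, which is a different container; export with gpg --export first.

```python
"""Split a classic GnuPG keyring into batches of at most N keys.

Added example, not part of the original page. Assumes the keyring is a
plain concatenation of OpenPGP packets (RFC 4880) in which every key starts
with a Public-Key (tag 6) or Secret-Key (tag 5) packet; user IDs, subkeys,
signatures and gpg's own trust packets that follow belong to that key.
"""
import sys

PUBLIC_KEY, SECRET_KEY = 6, 5


def read_packet(data, pos):
    """Parse the OpenPGP packet header at data[pos]; return (tag, end_offset)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError(f"not an OpenPGP packet at offset {pos}")
    if first & 0x40:                          # new-format header
        tag = first & 0x3F
        b1 = data[pos + 1]
        if b1 < 192:
            length, hdr = b1, 2
        elif b1 < 224:
            length, hdr = ((b1 - 192) << 8) + data[pos + 2] + 192, 3
        elif b1 == 255:
            length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
        else:
            raise NotImplementedError("partial body lengths do not occur in keyrings")
    else:                                     # old-format header
        tag = (first >> 2) & 0x0F
        lentype = first & 0x03
        if lentype == 3:
            raise NotImplementedError("indeterminate-length packet")
        nbytes = 1 << lentype                 # 1, 2 or 4 length octets
        length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
        hdr = 1 + nbytes
    end = pos + hdr + length
    if end > len(data):
        raise ValueError(f"truncated packet at offset {pos}")
    return tag, end


def split_keys(data):
    """Return the keyring as a list of byte strings, one complete key each."""
    keys, pos, start = [], 0, None
    while pos < len(data):
        tag, end = read_packet(data, pos)
        if tag in (PUBLIC_KEY, SECRET_KEY):   # a key packet opens a new key
            if start is not None:
                keys.append(data[start:pos])
            start = pos
        elif start is None:
            raise ValueError("keyring does not begin with a key packet")
        pos = end
    if start is not None:
        keys.append(data[start:])
    return keys


def batches(data, per_batch=8):
    """Group whole keys into chunks of at most per_batch keys."""
    keys = split_keys(data)
    return [b"".join(keys[i:i + per_batch]) for i in range(0, len(keys), per_batch)]


def write_batches(path, per_batch=8):
    """Write <path>.part1, <path>.part2, ... and return their names."""
    with open(path, "rb") as f:
        data = f.read()
    names = []
    for n, chunk in enumerate(batches(data, per_batch), 1):
        name = f"{path}.part{n}"
        with open(name, "wb") as f:
            f.write(chunk)
        names.append(name)
    return names


def packet(tag, body):
    """Constructed helper: wrap body in an old-format header with a 2-byte length."""
    return bytes([0x80 | (tag << 2) | 0x01]) + len(body).to_bytes(2, "big") + body


# Constructed sample keyring: ten fake keys with dummy bodies (not real key
# material), each made of a public-key, a user-ID and a signature packet.
SAMPLE_KEYRING = b"".join(
    packet(6, b"\x04" + bytes([n]) * 20)
    + packet(13, b"user%d@example.org" % n)
    + packet(2, b"\x04" * 16)
    for n in range(10)
)

if __name__ == "__main__":
    # usage: python split_keyring.py pubring.gpg
    print(write_batches(sys.argv[1]))
```

Each part file is itself a valid keyring, so it can be imported on the device in the order written; the concatenation of all parts is byte-for-byte the original file.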
X.509 certificates for Email
The Thawte Web of Trust (WoT) is a free service for asserting your identity. First, you register for a free email signing certificate from Thawte. You then have your identity verified by various Thawte WoT notaries (all volunteers). That allows you to include your name in your certificate. Once that is done, you can sign and encrypt emails with that certificate.
Get a certificate
- Register with Thawte to receive your email signing certificate. Don't create one yet.
- Find WoT notaries in your area and have them corroborate your identity. Each corroboration will give you some trust points.
- Once you have 50 trust points, you can create a certificate that includes your name. Do so now and import it into Firefox.
Import the certificate into GpgSM
- In Firefox, export the certificate to somewhere on your local disk (Edit | Preferences | Advanced | Your Certificates | Backup). Let's call the saved file thawte-wot-certificate.p12. You will need to provide a password for access to this saved certificate file.
Now you have to get the certificate's keys into GpgSM's keyrings.
- Convert the p12 file to a PEM file:
user@desktop:crypto$ openssl pkcs12 -in thawte-wot-certificate.p12 -out thawte-wot-certificate.pem -nodes
- (give the password you specified when you exported the certificate)
- Extract your private key:
user@desktop:crypto$ openssl pkcs12 -in thawte-wot-certificate.pem -export -out my-key.p12 -nocerts -nodes
- (the PEM file was written with -nodes, so it has no passphrase; you will only be asked for a new export password to protect my-key.p12)
- Import your private key into your private keyring:
user@desktop:crypto$ gpg-agent --daemon gpgsm --call-protect-tool --p12-import --store my-key.p12
- (give the password you specified when you exported the key and specify a password to protect your private key in GpgSM's keyring)
- Extract your public key from the certificate file:
user@desktop:crypto$ openssl pkcs12 -in thawte-wot-certificate.p12 -out certs.pem -nokeys
- (give the password you specified when you exported the certificate)
- Import the certificates into your public keyring.
user@desktop:crypto$ gpgsm --import certs.pem
- Tell GpgSM that you trust the Thawte CAs. List the certificates and note which have Subjects that relate to Thawte:
user@desktop:crypto$ gpgsm -kv
/home/user/.gnupg/pubring.kbx
-----------------------------
          ID: 0x1839990F
         S/N: 0D
      Issuer: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail@thawte.com
     Subject: /CN=Thawte Personal Freemail Issuing CA/O=Thawte Consulting (Pty) Ltd./C=ZA
    validity: 2003-07-17 00:00:00 through 2013-07-16 23:59:59
    key type: 1024 bit RSA
   key usage: certSign crlSign
chain length: 0
 fingerprint: BC:F0:3A:B1:BD:9A:08:9B:EB:46:8D:AF:99:47:5E:83:18:39:99:0F

          ID: 0xA4EB0085
         S/N: 00
      Issuer: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail@thawte.com
     Subject: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail@thawte.com
    validity: 1996-01-01 00:00:00 through 2020-12-31 23:59:59
    key type: 1024 bit RSA
chain length: unlimited
 fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
- Copy the fingerprints into ~/.gnupg/trustlist.txt, with S relax appended to each of them:
BC:F0:3A:B1:BD:9A:08:9B:EB:46:8D:AF:99:47:5E:83:18:39:99:0F S relax
20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85 S relax
- There is a problem with Thawte certificates and their certificate revocation lists, so you need to stop gpgsm looking for revocations. Create ~/.gnupg/gpgsm.conf containing the line disable-crl-checks. Be aware that with this option a revoked certificate will still verify as good, so only use it if you cannot get CRL checking to work at all.
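Copying fingerprints into trustlist.txt by hand is error-prone, and a pasted listing can be mangled. The script below is an added example, not code from the page or from GnuPG: it parses the gpgsm -kv listing format shown above (the two Thawte entries are embedded as a constructed sample copied from that listing), checks that each entry's short ID really is the last four bytes of its fingerprint (as both entries above show), reports which certificates have expired on a given date, and builds the trustlist.txt lines. The "S" flag marks the certificate as trusted for S/MIME; "relax" lets gpgsm accept root certificates that lack the basicConstraints extension.

```python
"""Generate ~/.gnupg/trustlist.txt entries from a `gpgsm -k` listing.

Added example, not part of the original page. Parses the listing format
gpgsm prints, cross-checks ID against fingerprint, flags expired entries,
and emits "fingerprint S relax" lines for the CAs you choose to trust.
"""
import re
from datetime import datetime

# Constructed sample: the two Thawte CA entries from the listing above.
SAMPLE_LISTING = """\
/home/user/.gnupg/pubring.kbx
-----------------------------
          ID: 0x1839990F
         S/N: 0D
      Issuer: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail@thawte.com
     Subject: /CN=Thawte Personal Freemail Issuing CA/O=Thawte Consulting (Pty) Ltd./C=ZA
    validity: 2003-07-17 00:00:00 through 2013-07-16 23:59:59
    key type: 1024 bit RSA
   key usage: certSign crlSign
chain length: 0
 fingerprint: BC:F0:3A:B1:BD:9A:08:9B:EB:46:8D:AF:99:47:5E:83:18:39:99:0F

          ID: 0xA4EB0085
         S/N: 00
      Issuer: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail@thawte.com
     Subject: /CN=Thawte Personal Freemail CA/OU=Certification Services Division/O=Thawte Consulting/L=Cape Town/ST=Western Cape/C=ZA/EMail=personal-freemail@thawte.com
    validity: 1996-01-01 00:00:00 through 2020-12-31 23:59:59
    key type: 1024 bit RSA
chain length: unlimited
 fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
"""

# "<label>: <value>"; the label is matched non-greedily so colons inside the
# value (fingerprints, timestamps) are left alone.
FIELD_RE = re.compile(r"^\s*([A-Za-z/ ]+?):\s*(.*)$")


def parse_listing(text):
    """Return one dict per certificate, keyed by the field labels gpgsm prints."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:                        # keybox path, separator, blank lines
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "ID" and current:      # every entry begins with its ID line
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def id_matches_fingerprint(rec):
    """gpgsm's short ID is the last four bytes of the SHA-1 fingerprint."""
    fpr = rec["fingerprint"].replace(":", "").upper()
    return rec["ID"].upper() == "0X" + fpr[-8:]


def is_expired(rec, on_date):
    """True if the validity period ends before on_date (a "YYYY-MM-DD" string)."""
    end = rec["validity"].split(" through ")[1]
    return datetime.strptime(end, "%Y-%m-%d %H:%M:%S") < datetime.strptime(on_date, "%Y-%m-%d")


def trustlist_lines(records, subject_pattern, flags="S relax"):
    """trustlist.txt lines for entries whose Subject matches subject_pattern.

    Refuses an entry whose ID and fingerprint disagree: that means the
    listing was pasted or edited incorrectly and must not be trusted.
    """
    lines = []
    for rec in records:
        if not re.search(subject_pattern, rec.get("Subject", "")):
            continue
        if not id_matches_fingerprint(rec):
            raise ValueError("ID and fingerprint disagree for " + rec["Subject"])
        lines.append(f"{rec['fingerprint']} {flags}")
    return lines


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for r in recs:
        if is_expired(r, datetime.now().strftime("%Y-%m-%d")):
            print("# expired:", r["Subject"])
    print("\n".join(trustlist_lines(recs, r"Thawte")))
```

Run it against the real listing with `gpgsm -kv | python trustlist.py` after swapping the sample for sys.stdin.read(); both Thawte CAs shown above expired long ago, which the expiry check will point out.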
Testing
- Create a test file, then sign it:
user@desktop:~$ gpgsm --detach-sign test-file > test-file.sig
- Check the signature:
user@desktop:~$ gpgsm --verify test-file.sig test-file
Integration into KMail
- Open the KMail settings dialog: KMail | Settings | Configure KMail
- Select the 'Identities' tab and select the one you want.
- Press the 'Modify...' button and select the 'Cryptography' tab
- Add the S/MIME certificate for both Signing and Encryption
You should now be able to sign and encrypt messages with the WoT certificate.
Allowing GnuPG signing in Squirrelmail
There is a plugin for this, but it hasn't been updated in a long time and no longer works.
Getting trusted keys
Insert descriptions and links to CAcert and GSWoT