Encrypting and signing e-mails matters because an ordinary e-mail is passed from server to server as readable text: anybody who can read the traffic on one of the hops, or the mailboxes at either end, can read your private messages or alter their contents, with no envelope to open. This tutorial is therefore about encrypting your e-mail with PGP (Pretty Good Privacy). Used properly, with a strong key and a passphrase that stays secret, PGP encryption cannot be broken in practice by somebody who only has the ciphertext; the weak points are key handling and the computer the private key lives on, not the cipher. The tutorial works with any popular e-mail account (Yahoo! Mail, Gmail, GMX, Web.de, etc.) and costs you nothing. The same key pair also lets you create digital signatures for e-mails, files, etc., so that recipients can verify that a message really came from you and was not changed on the way.
(The screenshots below are from the German version of this tutorial; they will be updated. You are welcome to submit suitable English screenshots by e-mail.)
Time required: 20 - 40 minutes
Software used:
- GnuPG
- Thunderbird (or KMail)
- Enigmail, installed through the package manager of your Linux distribution
For most distributions there are up-to-date packages.

Debian / Ubuntu:
apt-get install thunderbird
apt-get install enigmail

Gentoo (Thunderbird is built with Enigmail support only if the crypt USE flag is enabled, either locally in /etc/portage/package.use or globally in /etc/portage/make.conf), or, with the crypt USE flag set manually for this one emerge:
USE="crypt" emerge --ask --verbose thunderbird

Fedora / RHEL / CentOS:
yum install thunderbird
yum install thunderbird-enigmail
Sources and binaries are also available from the Mozilla FTP server.
1.2 KDE users should give KMail a try (the package is called kmail):
apt-get install kmail
yum install kmail
Install GnuPG itself:
apt-get install gnupg
yum install gnupg

Then type gpg --gen-key; the following dialogue shows up:

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?

Keep the default (1), RSA and RSA: one key for signing and one for encryption.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

I recommend 4096 bits; the default is 2048 bits.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

Choose one year: 1y. An expiry date limits the damage if you ever lose the private key or the passphrase and cannot revoke the key. It does not force you to create a new key later: as long as you still have the private key, the date can be extended with the expire command in gpg --edit-key.

Real name:

Give your name as it appears with your e-mail address. It is important to enter the correct e-mail address, because mail clients look up the key by it. The comment is optional and can be skipped.

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Type O and press Enter. You are then asked for a passphrase that protects the private key on disk; you will need it every time you sign or decrypt, so choose a strong one you can remember.
You should create a revocation certificate right away, so that you can revoke your key if the private key is ever compromised or lost, or if you forget the passphrase.

To list all keys in your keyring (gpg --list-secret-keys shows only the pairs you hold the private key for):
gpg --list-keys

To create the revocation certificate, give the following command and save the file on some external storage to keep it safe (the file name, here revoke.asc, is up to you):
gpg --gen-revoke youremail@address > revoke.asc

Keep the certificate as carefully as the private key: anybody who gets hold of it can revoke your key. GnuPG 2.1 and later additionally store a revocation certificate automatically under openpgp-revocs.d in your GnuPG home directory when the key is created.
You should also back up your key pair together with the revocation certificate, in case you have to reinstall your system or want to use the key on another machine.

Export all private keys:
gpg --export-secret-keys --armor > secret.keys

The exported private key is still protected by your passphrase, but treat the file like the key itself. NEVER SHARE YOUR PRIVATE KEY! If it happens by accident, revoke the key with the revocation certificate and generate a new key pair.

Export all public keys:
gpg --export --armor > public.keys

Export a single public key:
gpg --export --armor youremail@address > public-key.asc
To send encrypted e-mails to a friend you have to import their public key and mark it as valid. Before you do, compare the key's fingerprint with your friend over a second channel (phone, in person, printed on a business card); gpg --fingerprint, or the fpr command inside gpg --edit-key, shows it. Otherwise you might be encrypting to a key somebody else slipped into the exchange.

The following example uses the public key of geeBee UG (haftungsbeschränkt), key ID 9CF1F408, downloaded to a local file (use whatever file name you saved it under):

gpg --import publickey.asc
gpg --edit-key 9CF1F408

pub  4096R/9CF1F408  created: 2013-11-15  expires: 2014-11-15  usage: SC
                     trust:               validity:
[ultimate] (1). geeBee UG (haftungsbeschränkt) <firstname.lastname@example.org>

gpg> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  4096R/9CF1F408  created: 2013-11-15  expires: 2014-11-15  usage: SC
                     trust: ultimate      validity: ultimate

Type save to write the change and leave the editor.

Note what this dialogue actually sets: owner trust, i.e. how much you rely on the key's owner to verify other people's keys, not whether the key itself is genuine. Ultimate trust (5) is meant for your own keys; giving it to a correspondent's key, as in the transcript above, makes every key that person signs fully valid in your keyring. The usual procedure for a friend's key is to verify the fingerprint and then sign the key (the sign command, or lsign for a signature that never leaves your keyring), which makes the key valid for encryption, and to assign owner trust 3 or 4 only if you know how carefully they check other people's keys.
You can use this key pair with any mail client that supports PGP encryption, such as KMail, Thunderbird, Sylpheed, Claws Mail or Balsa.
2.1.1 Setting up a Thunderbird e-mail account:
First we click on E-Mail to create a new account.
The same dialog also opens when Thunderbird is started for the first time.
Since we do not want a new e-mail address we have to pay for, but our already existing free account at Yahoo! Mail, Gmail, GMX, Web.de, etc., we click on the button whose label means: Skip this and use my existing e-mail address.
Now enter your name, your e-mail address and the password for your e-mail provider and click Next.
Thunderbird will now determine the correct server settings for us.
A few words about IMAP and POP:
IMAP (Internet Message Access Protocol): a message is downloaded when you open it; the message list is kept in sync by downloading only the headers. The advantage: messages and folders (Inbox, Trash, Sent, etc.) stay on the server, so you see the same state from every computer you use. Thunderbird can also synchronize complete folders and subfolders so that you can work on your messages offline.
POP (Post Office Protocol): all folders and messages live on the computer you downloaded them to. You can configure Thunderbird to leave a copy on the server, but by default messages are deleted from the server once they have been fetched. The disadvantage: you cannot get at your mail from another computer, for instance from a public terminal.
Neither choice affects PGP: an encrypted message stays encrypted on the server and in transit regardless of how your client fetches it, and you need your private key on every machine you want to read it on. What IMAP or POP over TLS protects is only the link between you and your own provider.
2.2 Install the Enigmail add-on (not needed if you already installed it through your package manager):
Click the menu button (upper right corner) => Add-ons. Type enigmail into the search box and run the search. Clicking Install installs Enigmail.
2.3 Configure Thunderbird:
If you already generated the key on the command line you can skip the following step.
2.3.1. Generate a PGP key with Thunderbird.
First click the menu button (upper right corner), then OpenPGP => Key Management. In the Generate menu choose New Key Pair.
Now enter and confirm the passphrase you will be asked for whenever you sign, encrypt or decrypt a message. The validity period defaults to 1 year.
By default the key strength is 2048 bits; I recommend setting it to 4096 bits.
Clicking Generate Key starts the key generation.
After creating the key pair we should create a revocation certificate, so that we can revoke the key if it is ever lost or otherwise compromised. Save it in a safe place (external hard disk, flash card, etc.), not only on the computer that holds the key.
To keep access to your keyring secure you will be asked for your passphrase from time to time.
2.3.2 Checking the existing key pair: menu button => OpenPGP => Key Management
If you can find your e-mail address in the list, nothing has gone wrong.
2.3.3. Setting up PGP for your e-mail account:
Under Account Settings => OpenPGP Security we configure PGP.
Activate OpenPGP by ticking Enable OpenPGP support for this identity. You can let Enigmail pick the key matching your e-mail address, or select it manually.
If you enable signing by default for both encrypted and unencrypted messages, every message you send is signed, so your friends can verify that it really came from you and was not altered in transit.
Then click Advanced... in the lower right corner.
This opens the following dialog:
Tick Attach my public key to messages, so that your newly generated public key travels with your messages and your recipients are able to send encrypted messages back to your address. Your contact has to import that public key to be able to send you encrypted mail.
2.3.4. Sending e-mails with Thunderbird
If we followed all the steps we can test whether encryption works: open a new message, enter your own e-mail address as recipient, enter a subject, select encryption and signing, type some text and click Send. You will be asked for your passphrase to sign and encrypt the message.
The e-mail you just received can now be decrypted by entering your passphrase.
Keep in mind that only the message body and attachments are encrypted; the subject line and the sender and recipient addresses travel in the clear, so do not put anything secret into the subject.
Typically your e-mail scenarios look like this:
A wants to send B an encrypted message: A first has to import B's public key.
B wants to send A an encrypted message: B first has to import A's public key.
So you have to exchange public keys before you can talk safely via PGP-encrypted e-mail. Signing and encrypting are separate steps: A can already send B a signed message before B's key is known, but cannot encrypt to B until then.
Since we configured Thunderbird to attach our public key to every message, all we have to do is send an e-mail to our contacts.
All they need to do is import the public key, via the Key Management menu or the command-line tools described above, and check its fingerprint with you before relying on it.
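The key exchange just described (A and B each importing the other's public key, then encrypting and signing), run end to end with the command-line tools from the first part of this tutorial: unattended key generation with the same choices as the gpg --gen-key dialogue, saving the revocation certificate, exporting and importing public keys, comparing fingerprints before certifying a key, and decrypting with a signature check. This is an added example and not code from the original tutorial. Alice, Bob and the example.org addresses are constructed identities, the keyrings are temporary directories, PGP_KEYLEN is a made-up variable name for the key size, and the script assumes GnuPG 2.1 or later (for %no-protection, --quick-lsign-key and the automatically generated revocation certificate).

```shell
# Added example, not code from the original tutorial: the A <-> B key
# exchange run end to end with GnuPG in two throw-away keyrings. Alice,
# Bob and example.org are constructed identities; assumes GnuPG >= 2.1.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; exit 0; }

WORK="$(mktemp -d)"
ALICE="$WORK/alice"          # each party gets its own GNUPGHOME (keyring)
BOB="$WORK/bob"
KEYLEN="${PGP_KEYLEN:-2048}" # the tutorial recommends 4096; 2048 keeps this demo fast
MESSAGE="constructed test message: the meeting is at 10:00"

# gpg --gen-key answered unattended through a parameter file. %no-protection
# skips the passphrase so no terminal is needed; a real key must have one.
gen_key() {   # gen_key <home> <real name> <email>
  mkdir -p "$1" && chmod 700 "$1"
  gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: $KEYLEN
Subkey-Type: RSA
Subkey-Length: $KEYLEN
Name-Real: $2
Name-Email: $3
Expire-Date: 1y
%commit
EOF
}

# Primary-key fingerprint: the value both sides compare over a second channel.
fingerprint() {   # fingerprint <home> <email or key id>
  gpg --homedir "$1" --batch --with-colons --fingerprint "$2" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Revocation certificate to copy to external storage. GnuPG 2.1+ writes one at key
# creation; otherwise answer gpg --gen-revoke's prompts (y, reason 0, no text, y).
save_revocation_cert() {   # save_revocation_cert <home> <fingerprint> <destination>
  if [ -f "$1/openpgp-revocs.d/$2.rev" ]; then
    cp "$1/openpgp-revocs.d/$2.rev" "$3"
  else
    printf 'y\n0\n\ny\n' | gpg --homedir "$1" --command-fd 0 --status-fd 2 \
      --output "$3" --gen-revoke "$2" 2>/dev/null
  fi
}
export_public_key() {   # export_public_key <home> <email> <file>
  gpg --homedir "$1" --batch --armor --export "$2" > "$3"
}

# Import a correspondent's key, check that the key found under their address has the
# fingerprint obtained out of band, then certify it locally (lsign). That is what makes
# the key valid for encryption; owner trust (the trust command) is a separate setting.
import_and_certify() {   # import_and_certify <home> <pubkey file> <email> <expected fpr>
  gpg --homedir "$1" --batch --quiet --import "$2" 2>/dev/null
  [ "$(fingerprint "$1" "$3")" = "$4" ] || { echo "fingerprint mismatch for $3" >&2; return 1; }
  gpg --homedir "$1" --batch --yes --quiet --quick-lsign-key "$4" 2>/dev/null
}
sign_and_encrypt() {   # sign_and_encrypt <home> <sender> <recipient> <outfile>; plaintext on stdin
  gpg --homedir "$1" --batch --yes --quiet --armor --local-user "$2" --recipient "$3" \
    --sign --encrypt --output "$4"
}
encrypt_only() {   # encrypt_only <home> <recipient> <outfile>; plaintext on stdin
  gpg --homedir "$1" --batch --yes --quiet --armor --recipient "$2" --encrypt --output "$3"
}

# Decrypt and insist on a good signature: prints the plaintext and returns 0 only if
# gpg reported GOODSIG; 1 if decryption failed, 2 if the sender cannot be authenticated.
decrypt_and_verify() {   # decrypt_and_verify <home> <file>
  _st="$(mktemp)"
  _pt="$(gpg --homedir "$1" --batch --quiet --status-file "$_st" --decrypt "$2" 2>/dev/null)" \
    || { rm -f "$_st"; return 1; }
  if grep -q '^\[GNUPG:\] GOODSIG ' "$_st"; then rm -f "$_st"; printf '%s\n' "$_pt"; return 0; fi
  rm -f "$_st"; return 2
}

run_exchange() {
  gen_key "$ALICE" "Alice Example" alice@example.org
  gen_key "$BOB"   "Bob Example"   bob@example.org
  ALICE_FPR="$(fingerprint "$ALICE" alice@example.org)"
  BOB_FPR="$(fingerprint "$BOB" bob@example.org)"
  save_revocation_cert "$ALICE" "$ALICE_FPR" "$WORK/alice-revoke.asc"
  export_public_key "$ALICE" alice@example.org "$WORK/alice.pub.asc"   # public keys travel in the clear
  export_public_key "$BOB"   bob@example.org   "$WORK/bob.pub.asc"
  import_and_certify "$BOB"   "$WORK/alice.pub.asc" alice@example.org "$ALICE_FPR"  # after comparing fingerprints
  import_and_certify "$ALICE" "$WORK/bob.pub.asc"   bob@example.org   "$BOB_FPR"
  printf '%s\n' "$MESSAGE" | sign_and_encrypt "$ALICE" alice@example.org bob@example.org "$WORK/signed.asc"
  printf '%s\n' "$MESSAGE" | encrypt_only "$ALICE" bob@example.org "$WORK/unsigned.asc"
  DECRYPTED="$(decrypt_and_verify "$BOB" "$WORK/signed.asc")"
}
cleanup() {   # stop the per-keyring agents and delete the temporary keyrings
  for h in "$ALICE" "$BOB"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$WORK"
}

run_exchange
echo "Alice's fingerprint (compare this by phone): $ALICE_FPR"
echo "Bob decrypted and verified: $DECRYPTED"
decrypt_and_verify "$BOB" "$WORK/unsigned.asc" >/dev/null \
  || echo "the unsigned copy decrypts too, but cannot be attributed to Alice (exit $?)"
```

Run it with sh. The script leaves the temporary keyrings in place so you can inspect them (gpg --homedir ... --list-keys); call cleanup when you are done. The unsigned copy is there to show why the tutorial turns signing on by default: it decrypts without complaint, but Bob has no way of telling that it came from Alice rather than from anybody else holding his public key.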
[--will be updated--]
Never share your private key!
For KMail users: by selecting Settings => Configure KMail... you can configure your identities:
choose your generated key for signing and encryption.
When composing a new e-mail you now have the options Sign and Encrypt. Encrypt works once you have imported your friend's public key and marked it as valid.
Have fun with your pretty good privacy! ;)
Posted at 2014-04-30 21:31:16 (updated at 2018-09-17 22:26:53)