[HOW TO] Encrypt your e-Mails

Discussion in 'all things UNIX' started by amarildojr, Sep 30, 2015.

  1. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    In this thread, I'll be demonstrating how to create your GPG Keys, how to upload them to a server, and how to encrypt your e-Mails with it.

    For the purposes of this thread, I'll be using KDE 5, along with KMail. At some point in the future I'll also include Thunderbird. If you desperately need Thunderbird to be included then send me a personal message.

    First, let's begin with the following question: Why should you encrypt your e-Mail?

    To answer that, you could look at normal aspects of your daily life. When you have important things, you usually put them into a safe place that people can't easily get access to, like that teddy-bear your grandmother gave you when you were a little kid. When dealing with electronic messages some e-Mails are to be considered important too, yet most people don't encrypt them. Some people don't encrypt their e-Mails because they assume nobody can get to these e-Mails, and because they think nobody else knows the password. Is that the case?

    "Hell no".

    These days most e-Mail providers (like Google) have a secure connection with you, via https. This ensures that nobody except you and Google can see those communications (assuming your operating system isn't tampered with). Other e-Mail providers don't use this type of secure connection.

    In both cases, your e-Mail can be read. Let's see why.

    Http connections are not encrypted. If an attacker, who is in between you and your e-Mail server, has bad intentions, he/she can eavesdrop on your communications with that server or even act as if they were you or the server, known as a man in the middle attack, "in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection"¹.

    On https connections, your communication with the server is encrypted, either via SSL or TLS. However, Google still "reads" all of your e-Mails so that they can gather data from you (mostly used for advertising).

    So how can you communicate securely with a friend in a way that only you and your friend can talk to each other? By encrypting your messages so that not even Google (or other such company like Yahoo, Microsoft, etc) can read your e-Mails.

    So, let's get started!

    First, open your terminal. Here we'll type all the commands needed to create your GPG (GnuPrivacyGuard) Key.

    If you're new to this and want an out-of-the-box Key that doesn't require any configuration, use the following command:
    Code:
    gpg --gen-key
    Just issue your name (if you want), your e-Mail address, then your passphrase.

    Remember: This default key will NEVER expire, so you might edit that later (with gpg --edit-key), or you may choose to create the keys in a more in-depth mode as shown below.

    NOTE: "gpg --gen-key" is the older command that also creates custom keys on GnuPG versions of 2.0.26 and older (might vary). Newer versions of GnuPG will create the out-of-the-box key mentioned above, and require "gpg --full-gen-key" for a custom key generation.

    I'll guide the more advanced users through the advanced method, which is to create a custom GPG Key.

    Let's begin.

    The first command is, obviously, to create our Key. To make this tutorial as real as possible, I'll be using an e-Mail alias that will be deleted after the completion of this tutorial.
    Code:
    $ gpg --full-gen-key
    My result:
    Code:
    [amarildo@amarildo ~]$ gpg --full-gen-key
    gpg (GnuPG) 2.1.7; Copyright (C) 2015 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Please select what kind of key you want:
      (1) RSA and RSA (default)
      (2) DSA and Elgamal
      (3) DSA (sign only)
      (4) RSA (sign only)
    Your selection? 
    If you want to create a key for encrypting AND signing e-Mails/files, choose 1. If you want to create a Key just to encrypt your e-Mails, type 4. I'll use my Key to encrypt both files and e-Mails:
    Code:
    Your selection? 1
    Next:
    Code:
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048)
    I always choose 4096 bits of size. You can choose 1024, 2048 or 4096.
    Code:
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 4096
    Requested keysize is 4096 bits
    Next:
    Code:
    Please specify how long the key should be valid.
      0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
    Key is valid for? (0)
    This is where you choose for how long your key will stay valid. Personally I think something between 2-5 years is a good period for personal use.

    To specify other expiration values:
    "500" (or any number) will specify the validity period in days.
    "2w" would specify an expiration time of 2 weeks.
    "3m" would specify an expiration time of 3 months.
    "5y" would specify an expiration time of 5 years.

    Here's my choice:
    Code:
    Please specify how long the key should be valid.
      0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
    Key is valid for? (0) 5y
    Key expires at Ter 01 Set 2020 22:44:35 UTC
    Is this correct? (y/N) y
    Next, this comes up:
    Code:
    GnuPG needs to construct a user ID to identify your key.
    
    Real name: Amarildo
    Email address: amarildo-wilders@riseup.net
    Comment:
    You selected this USER-ID:
      "Amarildo <amarildo-wilders@riseup.net>"
    
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
    Review your Name, e-Mail address, and comments. If everything is OK, then press "O" and hit Enter.

    Next comes the most important part: the passphrase.

    I have a pretty good memory, so it's easy for me to remember a good passphrase. If you want to test my method then follow along this really short tutorial on how I create passphrases.

    Now a dialog box will appear. Type your passphrase twice, then click OK. GPG will now generate entropy for your Key; let it do its thing. Usually I just start playing a game and wait till the generation process is finished. On older versions of GnuPG entropy generation is really quick, while on newer GnuPG versions it can take a few minutes.

    When it ends, you should see something like this:
    Code:
    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:  1  signed:  0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    gpg: next trustdb check due at 2020-09-28
    pub  4096R/19EE1346 2015-09-30 [expires: 2020-09-28]
      Key fingerprint = D657 88E4 77EC 7639 F561  74EF 8F08 A13B 19EE 1346
    uid  [ultimate] Amarildo <amarildo-wilders@riseup.net>
    sub  4096R/DC3F9091 2015-09-30 [expires: 2020-09-28]
    Key creation is done. Pretty easy, right? :)

    Before we can encrypt/sign our stuff we need to make sure our recipient can decrypt our stuff. In order to do that, note the "pub" section above, right after our key length (4096):
    Code:
    19EE1346
    This is our public key. We need to upload this key to a key-server so that other people can receive (the key) and decrypt what has been encrypted. To upload your key to gnu.org's server:
    Code:
    gpg --send-keys 19EE1346
    Here's my result:
    Code:
    amarildo@amarildo:~> gpg --send-keys 19EE1346
    gpg: sending key 19EE1346 to hkp server keys.gnupg.net
    amarildo@amarildo:~> 
    Note: on newer GnuPG versions you'll probably have a lot more verbosity after the keys have been successfully uploaded.

    In order for your friend to receive your key, he/she needs to issue this command:
    Code:
    gpg --recv-keys KEYNUMBER
    This will allow your friend to use your key for decryption. In my case, if I wanted to make sure my friend got my key, I'd tell him/her to issue the following command:
    Code:
    gpg --recv-keys 19EE1346
    Now let's use KMail so that we can encrypt our e-Mails. This part of the tutorial will have pictures so that it's easier for everyone to follow.

    The first thing that will pop up when you open KMail is the account assistant. With this tool you'll be able to create and configure your e-Mail account.
    This is the first screen you'll see:
    https://i.imgur.com/MWfCgR9.png


    Next, you'll have to choose between IMAP or POP3. Personally I chose IMAP because it doesn't clog my /home folder, and I can easily configure KMail to download all my e-Mails for offline usage.
    https://i.imgur.com/UZrIguE.png

    On this same page, click "Create account".

    Now KWallet will appear. If you don't want KWallet to manage your passphrases, click "Basic Setup" and uncheck the box that says "Yes, I wish to use KDE wallet to store my personal information".

    I will use KWallet for this, so I'll still click on Basic Setup:
    https://i.imgur.com/shEnJOz.png

    Then I'll select "Use GPG Encryption, for better protection":
    https://i.imgur.com/7vOGjba.png

    Next, my GPG Key automatically appeared. If yours didn't, just click on the drop-down menu and select it.
    https://i.imgur.com/YstP32u.png

    A dialog will appear. Type the passphrase you entered when creating your Key.

    Everything should be configured by this point. If not, please send me a personal message and I'll see why you're having problems. If I think I can fix your problem then I'll add the solution to this thread.

    Now, click on the "New" button so that we can create our first encrypted message.
    https://i.imgur.com/TkZ7fEx.png

    Create your message, and don't forget to mark "Sign" or "Encrypt" (or both).
    https://i.imgur.com/SHs1TmS.png

    Next, click "Send". You will be required to type your passphrase every time you send a new encrypted/signed e-Mail.

    DONE! :)

    Happy encrypting.
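An added check, not part of amarildojr's post: after your friend runs `gpg --recv-keys`, the key that came back should be checked against the full 40-digit fingerprint you gave them over another channel (phone, in person), since the 8-digit short ID alone is not enough to tell two keys apart. The listing below is constructed from the fingerprint shown earlier in this thread (the subkey fingerprint is a placeholder); `verify_received_key` is the hypothetical helper name and assumes a working `gpg` and a reachable keyserver.

```shell
#!/bin/sh
# Added example: confirm a fetched key's primary fingerprint before using it.

# Fingerprint from the key-creation output in the post (copied with its spacing).
EXPECTED_FPR="D657 88E4 77EC 7639 F561  74EF 8F08 A13B 19EE 1346"

# Constructed sample of `gpg --with-colons --fingerprint 19EE1346` output.
# Only the primary fingerprint is real; the subkey fingerprint is a placeholder.
CONSTRUCTED_LISTING='pub:u:4096:1:8F08A13B19EE1346:1443650675:1601160275::u:::scESC:
fpr:::::::::D65788E477EC7639F56174EF8F08A13B19EE1346:
uid:u::::::::Amarildo <amarildo-wilders@riseup.net>:
sub:u:4096:1:00000000DC3F9091:1443650675:1601160275:::::e:
fpr:::::::::00000000000000000000000000000000DC3F9091:'

# Normalise a hand-typed fingerprint: drop spaces, force upper case.
norm_fpr() { printf '%s' "$1" | tr -d ' \t' | tr 'abcdef' 'ABCDEF'; }

# Read a colon-format listing on stdin and print the primary key's fingerprint
# (the first "fpr" record; later fpr records belong to subkeys).
primary_fpr() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# listing_matches EXPECTED  (listing on stdin): succeed only on an exact match.
listing_matches() {
  [ "$(primary_fpr)" = "$(norm_fpr "$1")" ]
}

# verify_received_key KEYID EXPECTED: fetch the key, then compare fingerprints.
# Hypothetical helper; needs gpg and network access. Returns 2 if the fetch fails.
verify_received_key() {
  gpg --batch --recv-keys "$1" >/dev/null 2>&1 || return 2
  gpg --batch --with-colons --fingerprint "$1" 2>/dev/null | listing_matches "$2"
}

# Offline demonstration on the constructed listing.
if printf '%s\n' "$CONSTRUCTED_LISTING" | listing_matches "$EXPECTED_FPR"; then
  echo "fingerprint matches: the fetched key is the one you were given"
else
  echo "fingerprint MISMATCH: do not encrypt to this key" >&2
fi
```

Run `verify_received_key 19EE1346 "$EXPECTED_FPR"` on the recipient's machine to do the real check; a non-zero exit means either the keyserver fetch failed or the fingerprint did not match.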
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Cool :thumb:

    There's also https://keybase.io for publishing keys, and linking them to your online places. See the link in my sig.
     
  3. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    Thanks :) I'll check it out.
     