How to Encrypt emails in Debian Etch 64 bit, PCLinuxOS and Ubuntu Hardy Heron.
Why use email encryption?
It's common knowledge that email is not a secure medium to use for communication, but almost everyone has turned a blind eye to that and many millions of messages are sent each day, that are wide open to interception. More recently, the UK government has published plans to create a massive database of every email sent through the UK Internet system and this has raised very serious questions about personal privacy.
Although in truth I have nothing to hide, I personally find this latest trend a step too far and for me, it has now become a question of principle. I would not expect a letter I have sent to be opened and read (except by the recipient) and equally, I expect my emails to have the same level of protection.
In my view, businesses really shouldn't be sending emails in an unprotected form, particularly internally within the business. IT departments should be well able to set up encryption for their users. We have witnessed in recent times massive losses of data by government departments and large companies, including financial institutions. There really is no excuse for this and IT professionals ought to know better.
As you will see, communicating with individuals via encrypted email is rather a different story, and one where I feel education will be ongoing for many years to come.
Having said all that, it is not my intention to attempt to impose my views on you. But it is food for thought!
Later on in this wiki page, I'll deal with installing the necessary applications, configuring them and showing you how to use encrypted email on a Debian Etch 64 bit system. This method has also been demonstrated to work on PCLinuxOS 2007 and Ubuntu Hardy Heron. I'll try to note any differences or gotchas along the way.
In order to use encryption, you need a pair of keys. One is your Private key, to be kept absolutely secure and known only to you; it is stored protected by a passphrase, which you must enter whenever the key is used. The other is your Public key, which others need in order to send encrypted email to you. Just how you distribute this Public key will be discussed later on.
Loss of your Private key (or of its passphrase) WILL RESULT in NO EXISTING encrypted emails being readable, ever. This is part of the security that encryption provides and there is NO WAY around it; BE WARNED! It is possible to back up your key pair and I would highly recommend you do, but the backup MUST reside in a secure place.
Of course, you can generate a new pair of keys, but they will not decipher emails that were encrypted to the old one.
At the time of writing, the version of Enigmail (see - What do I need?) available in the Debian repositories was 0.94.2 and the version on the Enigmail web site was 0.95.7. It is clear then, since neither has reached 1.0, that the Enigmail developers still consider the application to be in beta (pre-production). Although to date, I have had absolutely no problems whatsoever with Enigmail, if you are at all worried about beta software, you should consider whether you want to pursue this option.
The developers recommend that if a pre-compiled version is available for your system, you should use it. Apparently, compiling this application from source is no mean feat! Hence my use of an older version.
GnuPG (see - What do I need?) with Enigmail offers two options once installed. You can choose just to Digitally Sign your email. This confirms to the recipient that it was signed with your Private key and has not been altered since; it does not hide the contents, which anyone can still read. Or, you can Encrypt it, in which case it cannot be read by anyone other than the holders of the Private keys it was encrypted to. Of course, you can also use both options together; Sign and Encrypt.
Both GnuPG and Enigmail have good documentation on their respective web sites.
The key pair generated as part of this process does two distinct jobs, and it is worth keeping them straight.
The Private key is the key you use to decrypt emails you receive and to sign emails you send out. Emails you send are encrypted with the recipient's Public key, not your own; your Private key cannot decrypt a message you have encrypted to someone else.
The Public key, is the key you give to your friends and colleagues, in order that they may send encrypted emails to you.
If your friends do not have your public key, they cannot send encrypted emails to you, even if they have installed encryption software. Therefore, it is vitally important you give the Public key to those you want to use this medium of communication.
If this seems a bit of a muddle right now, bear with me, as after installation and when we get to use encryption for real, hopefully, it will become a lot clearer.
What do I need?
In Debian, PCLinuxOS and Ubuntu, the component parts are either installed, or available via the repositories. So there should be no problem in installing the applications.
The first is a compatible email client; see the section: How do I install encryption software?
The second is GNU Privacy Guard or gnupg. In all cases tested, this was installed by default and in two out of three cases, no further action was required (more about the third later). This is the GNU project's complete and free implementation of the OpenPGP standard.
The third is Enigmail, a graphical front end that lets Thunderbird use GnuPG for OpenPGP mail. It takes all the command line hassle away from setting up encrypted email and offers a comparatively simple tool to configure gnupg.
Warning: according to the Enigmail documentation, it requires GnuPG 1.4.9 or later to work. But although I would not wish to argue with the developers (who clearly have infinitely better knowledge than me), I found that it worked just fine with version 1.4.5 on PCLinuxOS and version 1.4.6 on Ubuntu. However, in Debian, I needed to install GnuPG2, which upgraded the version from 1.4.6-2 to 2.0.0-5.2. This actually required a ''minor adjustment within Enigmail, in order for the executable to be found;'' more about that during the installation phase. Debian was the odd one out that needed the upgrade. Both the others worked "out of the box". It may be that the developers of the other two systems have tweaked GnuPG to work with Enigmail, but whatever the reason, it did!
In order to find which version of gpg you have installed, open a Terminal and use the command:
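The check itself, as an added example that is not from the original page: it wraps the gpg version lookup in a few POSIX sh functions and compares the result with the 1.4.9 minimum quoted above, so the same test can go straight into an install script. It assumes only that gpg and awk are on the PATH; the threshold is the figure the page quotes, not something the script knows by itself.

```shell
#!/bin/sh
# Added example (not from the original page): report the installed gpg
# version and compare it with a minimum, using only POSIX sh and awk.

gpg_version() {    # prints e.g. "2.2.27"; fails if gpg is not on PATH
    command -v gpg >/dev/null 2>&1 || return 1
    # first line of "gpg --version" reads: gpg (GnuPG) 2.2.27
    gpg --version | awk 'NR == 1 { print $3 }'
}

vernum() {         # "1.4.9" -> 1004009 so versions compare as integers;
                   # trailing tags such as "-beta" on a component are dropped
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    major=${1%%[!0-9]*}; minor=${2%%[!0-9]*}; patch=${3%%[!0-9]*}
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

version_ge() {     # version_ge A B  -> true when A >= B
    [ "$(vernum "$1")" -ge "$(vernum "$2")" ]
}

check_gpg() {      # $1 = minimum version required
    v=$(gpg_version) || { echo "gpg: not found on PATH"; return 1; }
    if version_ge "$v" "$1"; then
        echo "gpg $v: OK (>= $1)"
    else
        echo "gpg $v: older than $1, consider installing gnupg2"
        return 1
    fi
}

check_gpg 1.4.9 || true
```

On a Debian Etch box with gnupg2 installed alongside gnupg, `gpg` still names the old 1.4 binary; run the same check against `gpg2` to see the version Enigmail will actually use once you point it at /usr/bin/gpg2.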
How do I install encryption software?
The obvious starting point is the Thunderbird email client (or SeaMonkey, or Eudora 8.0 beta, also known as Penelope), as Enigmail is effectively a plug-in for these clients. If Thunderbird is not the default client in your system, it is highly likely to be available via your package manager. Simply select it for installation by highlighting it and choosing Mark for Installation, then click Apply. IceDove (the Thunderbird derivative in Debian) works just fine.
Next, you need to install GnuPG or GnuPG2 in your system. All three tested systems had GnuPG installed by default and as already mentioned, PCLinuxOS and Ubuntu needed no further action. In Debian I needed to install GnuPG2, via the Synaptic Package Manager. Again, it's a simple click to highlight the package, Mark for Installation and then click Apply at the top of the page. Synaptic will then work its magic!
Note: Once gnupg2 was installed, I was tempted to remove gnupg. However, when attempting to remove it, I noted that a lot of dependencies I knew were needed elsewhere were going to be removed as well. So I opted to have both applications on the system. This has not proven to date to be a problem.
Finally, you need to install Enigmail. All three systems provided Enigmail via their respective package managers. Follow the same course of action to install: select, Mark for Installation and Apply.
Prior to carrying out this installation process, your Thunderbird client probably looked something similar to this:
Note: the above image is taken from another machine not yet installed with encryption software and is a Thunderbird client. Subsequent images will be of the IceDove derivative. You will also notice on some screen-shots, some personal information edited out. This should not have any material effect on your understanding of the methods involved.
After installation, note the additional menu item at the top of the page.
The one we are interested in, is marked: OpenPGP.
Note: when testing the encryption capabilities to make sure it all worked as planned, the S/MIME button was tried on one occasion. You will find this when you open up a new email to write. This caused some unexpected configuration problems. It is outside the scope of this page to explain why, but suffice to say, DO NOT use S/MIME for signing, encryption or set-up. ALWAYS use OpenPGP. (S/MIME is a separate standard that works with X.509 certificates issued by a certificate authority; it knows nothing about the OpenPGP key pair you are about to create, so it cannot use it.)
Note: all references to Thunderbird should be taken to mean IceDove in Debian.
It may be worth mentioning, that before you can configure Enigmail, you need to have an operational email account(s). If you don't have one, start Thunderbird and set it up now. Make sure you can send and receive emails normally, before you try and continue. If you're setting up a fresh email account, a quick way to make sure it's working, is to send an email to yourself.
So now you have an email account, you can continue.
In Thunderbird, click on the OpenPGP menu item and select Key Management.
Note: at this point, the first time you run this tool, a Wizard will appear to help you through setting up a key pair. This is a once-only offer; you'll never see the Wizard again. So, in the interests of showing you the fundamentals, I'm going to ignore the Wizard and explain how to do it manually. This will help if you can't understand what information the Wizard wants, and give you a greater insight into how to use the tool to make changes in the future. All the Wizard does is automate what I'm about to explain.
This will open up the Key Management window. Move to Generate >> New Key Pair.
This will lead you to the main window for dealing with key management and crucially, the ability to create a key pair for your email account.
The very top option, is to select the email account you want to be able to encrypt. If you only have one email account, it will appear here automatically. If you have multiple accounts, click on the one showing and a drop down box will appear, showing all the other accounts. Simply select the one you want to use.
The little box to the left: Use generated key for the selected identity should have a tick in it. The generated key pair will then be associated with this address.
As this is all about security, please, please, please DO NOT place a tick in the box marked: No passphrase. The passphrase you are about to choose is your passport to secure communication: it is what stands between your Private key and anyone who gets hold of your hard drive or your key backup. It should be a phrase you can remember, but long and hard to guess; a mixture of upper and lower case letters, numbers and other characters helps, but length matters most. In order for the system to make sure you have not made an error, you need to repeat it precisely in the box beside the first box. Note: as is usual in Linux, this passphrase is case sensitive.
The rest of the boxes can be left at default values.
However, if you wish to change the key expiry date, you can change that down to one day.
Under the Advanced tab, you can change the key size and key type if you have a specific reason for doing so.
Now click: Generate Key and you will be given a confirmation screen where you need to select Yes.
You will be warned this can take a little while. A progress bar moves across the bottom of the screen, but strangely on my system didn't complete. Perhaps that is one of the final bugs the developers are addressing before upgrading the release to 1.0. You do however get a confirmation screen on completion, so there is no guessing involved as to whether the process is complete or not. DO NOT be tempted to close the screen while the key generation is in progress. It is recommended however, you use other applications, as this speeds the generation process up.
In PCLinuxOS and Ubuntu it took around a minute; in Debian, it didn't happen at all. The reason was, if you recall, I changed from gnupg to gnupg2 and Enigmail did not find the executable file. This is easily overcome by clicking on the OpenPGP menu item in Thunderbird and selecting Preferences.
This will open up a window which will show the path to the executable. It had defaulted to:
All I had to do was select Browse and make sure gpg2 was in /usr/bin. It was, so I selected the new path;
clicked OK and all was well.
The new key pair generated and I was in business!
Your key will be shown as a series of hexadecimal digits preceded by 0x (zero). It is always eight digits long. This could be an example key ID:
0xABCD1234 Write your own down somewhere and keep it safe. In actual fact, this is only the short Key ID: the last eight digits of the full 40-digit fingerprint of your Public key. The short ID is all Enigmail needs for practical purposes, but it is not unique (a key with any chosen short ID can be generated), so when you want somebody to check that a key is really yours, give them the full fingerprint rather than the short ID.
Note: as already mentioned, make absolutely sure you KNOW YOUR PASSPHRASE. It IS case sensitive and if you lose it, NO ONE can help you. Your emails are locked, encrypted forever. Your passphrase is your passport to your Private key; the one you will use to read encrypted mail and to sign what you send.
You will next be asked if you want to generate a Revocation Certificate. The purpose of this is if you had a laptop stolen for example, or a hard drive crash, you may wish to stop using the key pair in use at that time. The certificate is an authority provided by you to send to others to say; please stop using this key pair now. It can be generated now or at a later time. I would recommend you do it now, so it doesn't get consigned to "things to do" and get forgotten. Keep the certificate somewhere safe and separate from the key pair: anyone who has it can revoke your key.
If you really insist on doing it later, you can click on OpenPGP >> Key Management and highlight the key you want the certificate for. Now go to Generate >> Revocation Certificate. Either way, you will be asked where to store the certificate.
Before we go any further, there was a hiccup in Ubuntu. The installation failed to install an OpenPGP button in Thunderbird, when you open up a new email window. Strangely enough, it was happily sitting in the Customise toolbar options, so a simple drag and drop cured that. Remember what I said; DO NOT attempt to use S/MIME instead. It won't work.
I mentioned early on, you can back up your key pair. To do this, go to OpenPGP >> Key Management and highlight your key. Now select File >> Export Keys to File. It will now ask you if you want to include your Private key. Select Yes and then where you want to export them to. When completed, you have your backup. The Private key in the exported file is still protected by your passphrase, but treat the file as secret all the same. A USB stick may be ideal, providing it is stored in a secure place.
After all that, how do I use it?
Note: the pen and key symbols discussed here and appearing in Icedove will probably be a sealed letter and lock in Thunderbird. The icons may differ between email clients, but the principle remains constant. These symbols should not be broken or open.
The key is, don't run before you can walk.
If you recall, I said you can either digitally sign an email or encrypt it, or both. So lets start with digitally signing an email.
Write your email in the normal way. When you've finished, in the email you've just written, you can digitally sign it in two ways. You can click on OpenPGP and tick the box Sign Message. Or, down in the bottom right hand corner are two symbols, one of which looks like a pen. Click on the pen and it will turn green in colour.
Now click send. A box will pop up asking for your passphrase.
Type it in carefully and click OK. Your message should now send. Remember, for the purposes of testing, you can send it to yourself. When you get it back, you will be able to read the message as you didn't encrypt it. But you should see a nice solid pen (as against broken) with a message telling you who digitally signed it.
Providing that was successful, try the same again, this time signing and encrypting the message. Just tick the two boxes or click on both icons (the key and the pen).
Again you will be asked for your passphrase. Fill in as required and send.
When you get it back, try and open it. You will again be asked for your passphrase, but this time, select Cancel. Your email will open, but all you will see is a jumble of characters, like so:
Click on the message again and this time give your passphrase and the message will be decrypted for you to read. You will also see a pen and a key (both solid), indicating the message was signed and encrypted.
From the above, you can see you can digitally sign your emails to anyone, whether or not they have encryption installed. Those without it will see the signature as a block of text attached to the message (not the nice little pen), but will still be able to read the contents.
So far, I have only discussed how to send an encrypted email to yourself; not much use! How do you extend this, to send to your friends?
Well first, they need encryption set-up on their computers and they need to send you their Public key. You also need to send them yours, so how does this exchange of keys work?
Essentially, there are three major ways this can happen.
There are Public key servers that you can upload your key to for anyone else to find. There are arguments for and against this method, mainly the possibility of getting encrypted spam messages. Some say it's a price worth paying; others not. It's your choice. Enigmail provides a method for doing this. Bear in mind that anyone can upload a key bearing any name and email address, so a key found on a server is no proof that it belongs to the person named; the fingerprint still has to be checked with them.
Click on OpenPGP >> Key Management and highlight your key. Now select Keyserver >> Upload Public Key and Enigmail will send it to its default public server. You are in fact given a choice of four public servers and could, if you wish, upload to each one. You can add or delete a server by going to OpenPGP >> Preferences, where you will find them in a box that you can edit; each server address is separated with a comma. You can also search for a Public key from these servers by writing an email as usual and then selecting encryption. When you try to send it, Enigmail will tell you it can't find a key, but give you the option to search for it on the public servers. Or, you can simply go to OpenPGP >> Key Management >> Keyserver >> Search for Keys and pop in the email address you're searching for. If the key for that address is on a public server, it will be found and you will get another window showing you the key(s) found and offering to import them.
Or, you can send your Public key to each of your friends or contacts separately, by adding your key to an email. You do this by writing an email in the normal way and in the top OpenPGP (on the toolbar), select Attach My Public Key.
Send this in the normal manner and digitally sign it if you wish. When you receive a key in this manner from a friend, Right Click the file and select Import OpenPGP Key.
The key will automatically be associated with the email address it came from and you will be able to encrypt emails to that person from that point in time. Because an attachment can be substituted on the way, it is worth confirming the fingerprint of the imported key with your friend over another channel, such as the telephone, before relying on it.
Some people that have their own web sites choose to publish their Public key on their site. A small number of IT professionals, particularly those involved with security will simply not accept non-encrypted emails. So if you want to write to them, you have no choice but to download their Public key, import it on to your keyring and use it.
Whichever method you use, you will need to assign a level of Key Trust to the received key.
The default level is: I don't know.
There are five levels of trust and you can set a level as follows:
Click on OpenPGP in Thunderbird and then select Key Management.
Now highlight the key you want to assign a level of trust to, and select Edit >> Set Key Trust
This will open up another window, where you can select, one of the five levels of trust.
If you select any level other than "I trust ultimately", you will receive a header message saying the key is UNTRUSTED. However, you should only select that level of trust for your own key(s). The trust level describes how far you rely on the key's owner to vouch for other people's keys; it is not the same as confirming that the key itself is genuine. The proper way to make a friend's key valid (and the header green) is to check the fingerprint with them and then sign the key (Enigmail has a Sign Key option in Key Management), which is something only your own, ultimately trusted, key can do. I will expand on this important subject, as soon as time allows.
In IceDove, the header also changes colour; Blue for UNTRUSTED and Green for ''trusted'' messages.
When you've selected your level of trust, click OK and you're done.
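The whole procedure above (generating a key pair with a passphrase, the short Key ID versus the fingerprint, exporting and importing Public keys, what "UNTRUSTED" means for an imported key, signing the key after checking its fingerprint, Sign + Encrypt, decrypting, the backup and the revocation certificate) as an added example done with plain GnuPG at the command line, not code from the original page or from the Enigmail project. Enigmail is only a front end for these same gpg calls, so this shows what each button does. It assumes GnuPG 2.2 or later (it relies on --pinentry-mode loopback, --quick-lsign-key and the revocation certificate that GnuPG 2.1+ writes automatically at key creation), and the two people, their addresses and passphrases are invented for the demo; everything happens in throw-away keyrings under a temporary directory that is removed at the end.

```shell
#!/bin/sh
# Added example (not from the original page): the Enigmail steps done with
# plain GnuPG for two invented users, "Alice" and "Bob", each with their own
# throw-away GNUPGHOME. Assumes GnuPG 2.2 or newer.
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed"; exit 0; }
set -eu

WORK=$(mktemp -d)
ALICE_HOME="$WORK/alice"; BOB_HOME="$WORK/bob"
ALICE_PASS='long memorable phrase, Alice 1'; BOB_PASS='long memorable phrase, Bob 2'

cleanup() {   # stop the agents started for the temporary homes, then wipe them
    for h in "$ALICE_HOME" "$BOB_HOME"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gpg as each party: own keyring, no prompts, passphrase fed via loopback.
alice() { GNUPGHOME="$ALICE_HOME" gpg --batch --yes --pinentry-mode loopback --passphrase "$ALICE_PASS" "$@"; }
bob()   { GNUPGHOME="$BOB_HOME"   gpg --batch --yes --pinentry-mode loopback --passphrase "$BOB_PASS"   "$@"; }

# OpenPGP >> Key Management >> Generate >> New Key Pair, WITH a passphrase.
gen_key() {   # $1 home  $2 passphrase  $3 real name  $4 e-mail address
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME="$1" gpg --batch --pinentry-mode loopback --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $3
Name-Email: $4
Expire-Date: 1y
Passphrase: $2
EOF
}

# Full 40-hex-digit fingerprint of the primary key for an address.
fingerprint() { GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'; }

gen_key "$ALICE_HOME" "$ALICE_PASS" "Alice Example" alice@example.org
gen_key "$BOB_HOME"   "$BOB_PASS"   "Bob Example"   bob@example.org
ALICE_FPR=$(fingerprint "$ALICE_HOME" alice@example.org)
BOB_FPR=$(fingerprint "$BOB_HOME" bob@example.org)

# The 0xABCD1234-style ID Enigmail shows is just the last 8 hex digits of the
# fingerprint; gpg accepts it as a selector, but it is not unique.
BOB_SHORT=$(printf '%s' "$BOB_FPR" | tail -c 8)
SHORT_ID_FOUND=0; bob --list-keys "0x$BOB_SHORT" >/dev/null 2>&1 && SHORT_ID_FOUND=1

# Key exchange: "Attach My Public Key" on one side, "Import OpenPGP Key" on the other.
alice --armor --export "$ALICE_FPR" > "$WORK/alice.pub.asc"
bob   --armor --export "$BOB_FPR"   > "$WORK/bob.pub.asc"
alice --import "$WORK/bob.pub.asc"
bob   --import "$WORK/alice.pub.asc"

printf 'Meet at noon.\n' > "$WORK/msg.txt"

# A freshly imported key has unknown validity (Enigmail's UNTRUSTED header);
# in batch mode gpg refuses to encrypt to it until that changes.
UNTRUSTED_REFUSED=0
alice --encrypt --recipient bob@example.org --output "$WORK/refused.gpg" "$WORK/msg.txt" 2>/dev/null || UNTRUSTED_REFUSED=1

# The fix is not "ultimate" trust but certification: after checking Bob's
# fingerprint over another channel, Alice locally signs his key (and he hers).
alice --quick-lsign-key "$BOB_FPR"
bob   --quick-lsign-key "$ALICE_FPR"

# Sign + Encrypt (both icons on), ASCII armoured so it survives e-mail.
alice --local-user "$ALICE_FPR" --recipient bob@example.org --armor \
      --sign --encrypt --output "$WORK/msg.asc" "$WORK/msg.txt"
ARMOR_HEAD=$(head -n 1 "$WORK/msg.asc")   # the "jumble" a recipient without the key sees

# Bob decrypts with his passphrase; --status-fd reports the signature check.
bob --status-fd 3 --output "$WORK/msg.dec" --decrypt "$WORK/msg.asc" 3>"$WORK/status.txt"
DECRYPTED=$(cat "$WORK/msg.dec")
SIG_OK=0; grep -q '^\[GNUPG:\] GOODSIG ' "$WORK/status.txt" && SIG_OK=1

# Backup (Export Keys to File, Private key included, still passphrase-protected)
# and the revocation certificate GnuPG 2.1+ writes at key creation.
alice --armor --export-secret-keys "$ALICE_FPR" > "$WORK/alice-backup.asc"
chmod 600 "$WORK/alice-backup.asc"
BACKUP_HEAD=$(head -n 1 "$WORK/alice-backup.asc")
REVOKE_CERT_EXISTS=0; [ -f "$ALICE_HOME/openpgp-revocs.d/$ALICE_FPR.rev" ] && REVOKE_CERT_EXISTS=1

echo "short id found: $SHORT_ID_FOUND, untrusted key refused: $UNTRUSTED_REFUSED, good signature: $SIG_OK"
echo "decrypted: '$DECRYPTED'; message starts: $ARMOR_HEAD"
echo "backup starts: $BACKUP_HEAD; revocation certificate present: $REVOKE_CERT_EXISTS"
```

The refused first attempt is the command-line face of the UNTRUSTED header: the key is on the keyring, but nothing yet says it belongs to Bob. Local signing (`--quick-lsign-key`) records that you checked the fingerprint without publishing a certification to the world; it makes the key valid while leaving Bob's ownertrust alone, which is exactly why "I trust ultimately" is the wrong tool for other people's keys. The exported backup and the `.rev` certificate both belong off the laptop, on separate media.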
As at the moment, encrypted email is in its infancy, I have chosen to send my Public key to those that need it, but you must choose your own option.
With a little bit of effort, encrypted email works very well in Debian and the other two distros tried.
In truth, it is more about the initial learning curve, than being hard to use, as once installed, it's available at the click of a button and submitting your passphrase.
I would encourage everyone to take a look at this and never more so, if you use a laptop on the road and on public networks. If your company does not provide an encrypted option, I would suggest you encourage them to do so.
The staggering amount of public data loss must stop and encryption is a first step in the right direction.