In this article I am going to show you how to take your encryption key and add it to your outgoing mail with Evolution. I will show you how to set up both signing and encrypting of email.

Your key

If you do not already have a key, I highly recommend you use Seahorse to create one. For more information on Seahorse you can read my article “Create, sign, and publish your PGP key with Seahorse“. When you create that key you will do so with a name associated with it. You will use that name for Evolution. If you don’t remember the name you used you can see it by opening up Seahorse, clicking on the My Personal Keys tab, and see the name as listed.

Once you have that key you are ready to set up Evolution.

Evolution

Figure 1

Once in Evolution click on Edit > Preferences. From the Preferences window select the account you want to associate the key with and click Edit.

In this tab you will see a section where you can enter your PGP/GPG ID. This is where you enter your name from you key (see Figure 1). Once you’ve done this, you have a few options to choose:

• Always sign outgoing messages: This means all outgoing messages (new messages, replies, forwards) will have your PGP/GPG signature attached.
• Do not sign meeting requests: Probably a good idea if you are going to using Evolution inside a company where others use Outlook – otherwise Outlook will see this as an attachment and add it to the invitation.
• Always encrypt to myself when sending encrypted messages: This will send an encrypted copy of the email to yourself when.
• Always trust keys in my keyring when encrypting: If you know your keys in your keyring are valid you can select this which will allow Evolution to skip the keyring check of those keys.

Once you have all of this set up, you are ready to go.

Sending signed and/or encrypted mail

When you create an email in evolution you will notice a Security menu in the menu bar. When you click that you will see four entries, of which only the top two (PGP Sign and PGP Encrypt) are of interest to you now. Say you want to sign that outgoing email with your key. To do this check the check box associated with PGP Sign in the Security menu. Say you want to encrypt that email. To do that check the check box associated with PGP Encrypt in the Security menu.

You must know, however, that when attempting to send out an encrypted email, Evolution will query key servers to see if there is an associated public key with the email address. If no public key is found on a key server then you will not be able to encrypt that email. You can, however, sign all outgoing email.

Final thoughts

If you are seriously concerned about your privacy, and you use Evolution, I highly recommend using this feature. Even if you are only signing your emails, those receiving your email will be far more secure in knowing that email definitely came from you.

Once such tool is Seahorse. Seahorse is the default keyring manager for the GNOME desktop and it makes the task of key management quite simple. In this article you will see how easily Seahorse handles creation, signing, and publishing of your PGP key to a PGP keyserver. Of course this does assume you want to publish your key on a public keyserver. There are benefits to publishing your PGP key. For instance it makes for easy access to your key so that those who need it, can get it. In some cases you would want to publish these keys to a non-public keyserver. For the simplicty of this article we will be publishing to the Ubuntu keyserver.

Features

Seahorse contains a number of outstanding features:

• Create/manage both PGP and ssh keys.
• Publish/retrieve keys from keyserver.
• Key backup.
• Passphrase caching.

But the feature that makes Seahorse stand out the most is it’s user-friendly interface. A task which other applications can make new users shy away from, Seahorse makes simple. You can create, sign, and publish your own keys to a keyserver quickly and easily.

Installing Seahorse

More than likely Seahorse is already installed on your machine. If you are using the GNOME desktop, chances are it is there. To check to see if Seahorse is installed go to the GNOME Applications menu and look in the Accessories sub-menu. If it’s there you’re good to go. If not, you don’t have much to do.

To install Seahorse all you need to do is follow these steps:

1. Fire up your Add/Remove Software tool.
2. Search for “Seahorse” (no quotes).
3. Mark the entry for installation.
4. Click Apply.

That’s it. Once Seahorse is installed you are ready to create, sign, and publish.

Creating your PGP key

Figure 1

When the main Seahorse window opens (see Figure 1) the first thing you need to do is click the File menu and then select the New entry. This will open up another window where you can select from one of three keys to create:

• Password Keyring
• Secure Shell Key
• PGP Key

Since we are creating a PGP key, the choice should be obvious. Select PGP and then click the Continue button. The next window is where you fill out your information for your PGP key. All you need to fill out is:

• Full Name
• Email Address
• Comment

You also have the option of configuring some advanced options such as:

• Encryption type
• Key strength
• Expiration date

I recommend sticking with the defaults unless you have reason to alter one of the above options. You can up the strength of the Key to 4096 bits if you need. Naturally the higher the key strength the longer the creation time as well as the larger the file size. But if strength is important, take it to the max.

Once you have filled out this information, click the Create button. The next window will ask you to set a passphrase for this key. Remember, this key is going on a keyserver so make sure the passphrase is strong. And if you are creating a key with strength in mind, that passphrase should reflect this.

When the key is created it will be listed in your main window. In order to sign this key you simply have to select the key and click the Sign button.  If you are going to distribute this key you should certainly sign the key. Why? When you sign (even self-sign) your key, if someone tries to tamper with your key PGP will notify you of the tampering. If you do not sign the key, someone could fairly easily modify your key without you being the wiser. Now with that said, all you need to do to self-sign your key is select the key you want to sign and click the Sign Key button.

Figure 2

Once the key is signed you can then publish your key. To do this click the Remote menu and then selec the “Sync and Publish Keys” entry. A new window will open asking what you want to do. The button you want to click is the “Key Server” button. When you click this a new window will open (see Figure 2) where you can select the keyserver you want to use for publishing your keys.

If you are using an internal keyserver (or one that is not listed) click the Add button and enter the appropriate information. Once you select your keyserver click the Close button and you will be back at the window where you selected “Key Servers”. Now you want to click the Sync button which will sync your new key.

You can check to make sure your key was uploaded by clicking the Find Remote Keys button, enter the name you used for the key, and click search. If your sync was successful your key will be listed. Now when users need your key you can tell them to grab it from the specific keyserver.

Final thoughts

I hope you can see that using PGP doesn’t have to be difficult. In fact, Seahorse makes PGP so simple there is little to no reason not to take advantage of this security tool.

If you do not have a key pair generated, Enigmail can even do this for you. So with this extension you can encrypt/decrypt email without having to touch the command line. Pretty sweet. Let’s take a walk through this system.

I am going to assume you know how to install an extension in Thunderbird (I am also going to assume gpg is installed). Knowing that, install the Enigmail extension. Once this extension is installed (and you have restarted Thunderbird), you will notice a new menu entry called OpenPGP. This is where you take care of the setup of Enigmail.

Generate your key pair

Keymanager

The first step is to generate your key pair. This can be done either from command line or from Enigmail itself. From within Thunderbird click the OpenPGP menu and click the Key Management entry to open the key manager window (shown in the image to the left.)

Click on the Generate menu and select New Key Pair to open the key generation window (shown below to the right.)

Keygen Window

From within this new window you have a number of options to consider (which are all fairly self explanatory.)For most instances the defaults will work. The only change you might make is if you do not want the key to expire click the Key Does Not Expire checkbox.

As the window says, during the generation process you will want to go about the business of using your PC in order to help randomize the process of key generation. This even holds true when you are generating keys via the command line in Linux.

If you already have a key on your machine (generated from the command line or some other tool) you can import that key from the same key manager tool shown above. Just click on the File menu and select Import Key from File.

Once your key has been imported into (or generated by) Enigmail you are ready to use Enigmail to encrypt your messages.

Encrypt and Sign a Message

Start composing a new email and you will notice the OpenPGP menu entry has been added. Once you have completed composing your email click on the OpenPGP menu and select Encrypt Message and/or Sign Message to encrypt and/or sign your outgoing messages with your key.

Default Encryption Options

This brings up an issue. If you do not configure Enigmail to not encrypt/sign by default all of your outgoing messages are going to be encrypted and signed. This is a problem when the recipient doesn’t have your key. I highly recommend configuring Enigmail to not encrypt/sign by default. To set this click on the OpenPGP menu entry in the MESSAGE COMPOSITION WINDOW (not the main Thunderbird window). From there click on the Default Composition Options sub menu and then select Signing/Encryption Options. A new window will appear (shown to the left.) Make sure you de-select all of the options in the Message Composition section. Now you have to manually choose to sign and encrypt each message. It’s one extra step but your non-geek friends and family will thank you for it.

Decrypting

Like send mail, you have two options for receiving mail. You can have encrypted mail automatically encrypted or you can do it manually. Of course for either options you have to have the senders’ key imported into the system.

If you click on the OpenPGP menu (in the main Thunderbird menu) you will see an entry for Automatically Decrypt/Verify Messages. If this is checked all incoming encrypted/signed mail will be decrypted/verified. If it is not checked you will have to do this manually by selecting the encrypted/signed email and then clicking the Decrypt/Verifyentry in the OpenPGP menu.

Final Thoughts

And that’s it! Simple email encryption in Linux with Thunderbird and Enigmail. You can, of course, do this manually from the command line, but why make things difficult? If you have needs to encrypt/sign outgoing or incoming email, Enigmail is the perfect solution for every Linux and Thunderbird user. And for those BSD, Solaris, OS/2, Mac, or Windows users there is an Enigmail for you as well.

GnuPG, in technical terms, utilises a mixture of symmetric-key cryptography and public-key cryptography. This basically means a person generates a pair of keys; one of which is publicly shared and one is not. The publicly shared key is used to people can encrypt data for a specific person whilst the private key is used to decrypt, encrypt and sign data.

If you encrypt data to only be decrypted only by your private key and you carry your private key on another medium of storage, the data you encrypted will be effectively impossible to decipher.

To get started with GnuPG, you must download GnuPG which is free and open-source.

GnuPG is available for effectively all operating systems. After you have downloaded and installed GnuPG, it might be wise to download a graphical interface because it is command line based.

Some GUIs focus on the management of keys, such as the generation of them and storing other people’s public keys, whilst others focus on the encrypting/decrypting.

WinPT is a popular Windows option. As for encrypting and decrypting, there are many choices including Enigmail for Thunderbird, FireGPG for Firefox and WinPT also provides facilities to do this.

With a GUI, it is fairly easy to get to grips with GnuPG. Most key managers provide wizards for the generation of keys.

To obtain someone’s public key, so you can send data to them securely, you could either ask them or go onto a keyserver such as pgp.mit.edu, copy their key into Notepad and then import it into your key manager.

It is essential to send your keys to keyservers, I would suggest pgp.mit.edu, and this can be done either through the GUI or through exporting your public key and uploading it to these sites. Once you have someone’s public key, and you are sure it belongs to them and is not a hoax, you can sign the key inside your key manager and then submit it, so people know that key is authentic.

Key software to get started with GPG

1. GnuPG is absolutely necessary. There is a Windows binary available.
   
2. A GUI is also necessary. For Windows users, WinPT is a safe bet.
3. If you use Thunderbird, install Enigmail. If you use Firefox, install FireGPG.

If you have installed GPG and would like to try it out, feel free to send me an encrypted email. My email is computerjoe (at) gmail.com and my key is on this page.

After that he explains why cryptography is essential for today’s internet communication: “cryptography is necessary when communicating over any untrusted medium, which includes just about any network, particularly the Internet.”

“Cryptography, then, not only protects data from theft or alteration, but can also be used for user authentication. There are, in general, three types of cryptographic schemes typically used to accomplish these goals: secret key (or symmetric) cryptography, public-key (or asymmetric) cryptography, and hash functions, each of which is described below. In all cases, the initial unencrypted data is referred to as plaintext. It is encrypted into ciphertext, which will in turn (usually) be decrypted into usable plaintext.”

After that interesting history lecture he starts with types of cryptographic algorithms over trust models to cryptographic algorithms in action. All supported by lots of figures that makes it easier to understand the concepts.

Take a look at gary kesslers site for the article.

Update: The developer is constantly adding new information to the website. You can now for instance find information about the Open Source encryption software True Crypt on the site, as well as match notes which may be interesting for programmers and math students alike.

Cryptographic algorithms in action furthermore look at the SSL “Family” of secure transaction protocols, IPsec protocol and RSA public key cryptography.

It is a long read that gets technical at times. You will also find lots of outgoing links for additional information about a concept or subject. The introduction nevertheless is one of the best that you will find about cryptography on today’s Internet.