James Stanley

Encrypted email is still a pain in 2017

Mon 13 February 2017

Tagged: cryptography

Today I sent an email to somebody who specified that he "prefers GPG mail". I didn't have any GPG set up, so I just sent a normal email, which worked perfectly well. But it made me look in to GPG, and this is what I learnt...

Act I: Try to set it up on my own

I DuckDuckGo'd for keywords like GPG, Thunderbird, Linux, and found that the tool I need to install is Enigmail. It is a Thundebird add-on that handles GPG (or PGP? or OpenPGP? are they all the same?).

I installed it and restarted Thunderbird. An Enigmail setup wizard appeared. "Excellent," I thought, "this must be just what I need". I selected the recommended configuration for new users, and Enigmail started generating a key (or so I thought!). It said it may take "several minutes" to generate the key. No problem.

10 minutes later I checked back and found that the progress bar had not advanced at all. I DuckDuckGo'd a bit and found that Enigmail has a bug where it doesn't drive gpg correctly and therefore hangs forever instead of generating keys. What a shitfest.

Act II: Enlist the help of an expert

Charlie recommended using the gpg command-line tool directly, which I tried next.

$ gpg --gen-key

After entering my name and email address, and opting for the recommended key length and expiration, I was told "You need a Passphrase to protect your secret key". But it didn't ask me to input a passphrase, and when I tried to, it was echoed back; unusual for a passphrase. I hit enter and nothing happened for about 20 seconds. What a shitfest.

To cut a long story short, gpg eventually popped up a GUI box, but I accidentally skipped it because I was hammering the enter key trying to get it to do something...

So I tried again. This time I was prepared for the GUI, which this time loaded substantially faster. I entered a passphrase and gpg started generating my key, and eventually it was done. Golden.

I was informed that gpg had checked the trustdb and it needed 3 marginals and 1 complete, and that my trust was 0 each for - , q , n , m , and f , and 1 for u . There might also have been something about a +4 defence bonus against melee attacks.

I went back into Enigmail and this time selected the Advanced option in the setup wizard. It asked me for the path to my public key file and my private key file. Unfortunately, despite the wealth of obscure stats I'd been given, gpg had not told me the paths to the key files, so I had to go hunting. What a shitfest.

The Enigmail file selection dialogue was looking for .gpg files, which was a helpful clue. I found 3 under ~/.gnupg : pubring.gpg , secring.gpg , and trustdb.gpg . I guessed that pubring.gpg was the public key file and secring.gpg was the private key file, which turned out to be correct but wasn't as obvious as it could have been.

Act III: Put it to use

From here it worked pretty flawlessly. I tried to email Charlie by typing his email address in the box. Enigmail told me it didn't know of a key for him, but I could look him up in a key server (?) which it had a GUI for. I did this, found him quickly, and sent an email. It arrived, and he was even able to send an encrypted email back to me.

So I now have an encrypted email setup. Although at 2 hours, it took me about 1 hour and 55 minutes more than I expected. I still need to participate in a key-signing party of some sort, which I am looking forward to.

In the absence of having my key signed in a key server (?), I think you can retrieve my key by copying and pasting the text at the bottom of this post. I generated it with gpg --export -a "James Stanley" . I think you can import it into your client by saving it to a file (e.g. jes.key ) and running gpg --import jes.key .

If that doesn't do the trick, how you are supposed to import it is anyone's guess.

Conclusion

Encrypted email is nothing new (PGP was initially released in 1991 - 26 years ago!), but it still has a huge barrier to entry for anyone who isn't already familiar with how to use it.

I think my experience would have been better if Enigmail had generated keys out-of-the-box, or if gpg (a.) agreed with Enigmail on nomenclature (is it a secring or a private key?) and (b.) output the paths of the files it had generated. My experience would have been a lot worse had I not been able to call on the help of somebody who already knows how to use it.

Please send me an encrypted email if you can work out how to do it. And if I can work out how to do it, I'll send you an encrypted reply.

I am "James Stanley" and "james@incoherency.co.uk", and this is my key:

Update: The key below was initially wrong. I had some <h2> tags which I changed to <h3> with search and replace. This replaced the "h2" in the third line of the key with "h3" and therefore broke it. My bad.

-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 mQENBFihmuQBCACzmsZ8DTjmcsoAoeFwrFVGn35kalJGFuIW5q7yIB3EzaTso48j xOcFLSXl25BmonT3wDj5RdnA0ONgo9Gtrq34dweAHXyfHwkLdy1Nz/lkLMakZ8xw ng3toh2d7Ri/8o6tTaCum/cKDjeDRWxADz5a/rtM8DBt+8OJyhd9rhObxJKW5L8m LdO5CWrGb8Fr1yIb9LYUiCMfzuirPqYVGfYiIG/OI4V/wGFvHt7fq1ybBCMTEiVT UGXDedyNLOsAjTqx9bN/i2CGPMMKqsqFSkPfAa3BfXQrqnubnTCFTV696U41GxtI guN0II3mhNc2s20Z8Bq7/H3X6dc3fspma4gLABEBAAG0J0phbWVzIFN0YW5sZXkg PGphbWVzQGluY29oZXJlbmN5LmNvLnVrPokBOAQTAQIAIgUCWKGa5AIbAwYLCQgH AwIGFQgCCQoLBBYCAwECHgECF4AACgkQWKuFKgoswTcNhAf9HfiZnEa7Dlz9iriH MlqDzmgk0pQf3Ja9PZOw9wJhUxlFsjjxvkbdV7dcBprd+ukOby01k0A57e89/Wb5 Xn/Kq7efkWJwXCb1UAj7DHYYfIdlvPslMSLp1WAqFH6GC6JSBTTsPdDmvyqhu0pP XNzvURPtOQzMMjfR/r3jQNoU9P+l0LFZpq3Cfn41/oR396S+wiwk2TXC5On9Bg7d SiGAOBA8kwaYDFdX3TmGzSgQ4EkNgfewi/S6UImdPVetGfT4xzNkpmG/Nw4y2LHm L4yn9LqIZOqrrWyRU1eU/41E5+OXEDkQrkTPdD7VodwnNqDZ5M9BSuCHY0bPP6bq rRSPdbkBDQRYoZrkAQgAmLl0AAd5zH/pzGM/ZfNKWkO3aKmSCkw/kdslZJm2werq fI7NEK2PyXZPn5hGv9LjQaSi/wC+S4iAtHMvYUb2LEY8Jrtf55sI9mTSWbCKEji4 JpOmpSzB6ynydn/RyrvinWyVPNiVzai9cJTyh5rBrnZNIA9eYkWuk4RVCZwfCQzj vtv+tl5qS2V05S0TfYkdGqJ5TiyIguNz22TpxmwhIdEJBQVGFIT6OW+DWqME/ufT av6uonpXF2pW2QaSao5m1R9znJUbT+3HHnc8Y4nwOQjVjriD/Tzw4V6LFRgki7zN +ySSJmvVbBvlYqpjQgjzORLlm6RPPBZICkKu2LN4OwARAQABiQEfBBgBAgAJBQJY oZrkAhsMAAoJEFirhSoKLME3AIgH/1MSecs1CQDbDU561CKZczmPWpyqQ8B/D6JL WJsYsROuu+KPYbqs12pmlu/69H24DWt2stlAA6kek3t4KiaaZrtX8or6zm16hd4n 04Oi+oE2bn7AYjvMql6FJv5RwQnHzazhNX79DPA6b16dPotEtmo9MALp5ZV9bcL7 SnnW+60H0Dh6cSzFdlBW3UGXxNzRjQGZ5GkTtLKn7rSqB5qw3PlDsRSezT6R7E28 21ozqazzoo4RVEkHfQpwXslPJuWOfOKnKYLr+CuCkaUDlbj2SLhPkAHFthCFFXqU 7AaSswbvNrtQyUv2W2zps9FO2dTrLMmj81K4XT24GDzqmpWGqhs= =KTV8 -----END PGP PUBLIC KEY BLOCK-----