Archive for April 27th, 2011
In part 1, I explained how to generate and manage your encryption keys in GNOME. Now I’ll explain how to use your keys to easily encrypt your email. I’m going to only address doing this in Evolution (the default email manager in GNOME). You can access the Evolution email account settings by going to System > Preferences > Email settings [Natty/Unity: System Settings > Email], and I’ll assume that Evolution is already set up for your email account.
Integration into Evolution is painlessly simple: You just need the Key ID of your key.
Go to System > Preferences > Passwords and Encryption Keys and look in the column under Key ID. The Key ID is hex, so it only uses the characters 0-9 and A-F.
Once you have the Key ID, start Evolution and go to Edit > Preferences > Mail Accounts and click your mail account and click edit. Then, go to the Security tab and enter your Key ID in the PGP/GPG Key ID field.
That’s it. Now whenever you compose a message, you’ll see the PGP menu which will allow you to sign and/or encrypt your email messages, and in the reading pane you will see the status of signed/encrypted messages sent to you.
Questions, comments, and feedback to this are welcome, as always.
For the security-minded, or anyone who simply wants to be able to exchange secure, encrypted email quickly and easily, GNOME offers a really user-friendly way to generate and manage PGP/GPG keys. This program is located at System > Preferences > Passwords and Encryption Keys. [Natty/Unity: System Settings > Passwords and Encryption Keys]
You can make a new key by going to File > New… > PGP Key. This guide explains some of the basic key management functions in this application.
Fill in the name, email, and an optional comment. PGP is built on a web of trust, so etiquette says you should use your common legal name (shortened versions are ok) and your primary email address (unless you have a reason to do otherwise). If you frequently go by a nickname, enter that in the comment field.
If you’re interested in the advanced options, you can change them by dropping down “Advanced Key Options.” I’m not going to go too much into what the various options are, but here’s a quick run-down:
Encryption Type: RSA is generally considered stronger and overall a better choice than DSA. Choose “sign only” if you’re using this as a signing key, and not an encryption key. Only select that option if you know what you’re doing.
Key Strength (bits): The higher the number, the stronger the key, but the longer generation takes.
Expiration Date: Set this if you want your key to expire at a predefined date/time, or set it to never expire. Expired keys can still decrypt messages, but no new messages can be encrypted to them.
After choosing your options, you’ll be prompted to enter your key passphrase. DO NOT FORGET IT! Your key will be completely unusable (and you will be unable to revoke it) if you forget the passphrase. By the same token, avoid making it too easy or guessable.
Next, the key will be generated. This could take a while depending on the key size and the speed of your computer.
Once your key is generated, your public keyring and private keyring will be stored in ~/.gnupg — NEVER distribute your private keyring (secring.pgp). This is the decryption segment of your keyring.
Next, some more exploration through the Passwords and Encryption Keys application.
Right-clicking on a key gives you the following options, which I’ll explain briefly.
Properties: Here is where you can change your passphrase, add a photo, view your key’s fingerprint, and edit the expiration date and trust level.
Export: This is where you can export your public key for distribution to others (this is the portion of the key that you DO share). By selecting export, you will export an “ASCII-armored” file that can be pasted in email, etc.
Copy: Similar to Export, Copy copies your “ASCII-armored” public key to the clipboard. This makes it easier to post in email, on a web page, etc.
Delete: This deletes the key. Make sure this is what you want to do!
Sign Key: This is a core part of the key-sharing portion of PGP/GPG. Signing a key applies your signature to it, explicitly stating that you trust the key to some degree. Once you’ve signed the key, export it and send it back to the originator so they can begin distributing it with your signature attached.
So how do you sign a friend’s key?
First, have them export it and send it to you. Next, drag-and-drop the file into the Passwords and Encryption Keys window. It will appear under the Other Keys tab. Once the key has appeared, just right-click on it and click ‘Sign…’ Follow the prompts. Don’t forget to export the key and return it to the sender after you’ve signed it! Work this process in reverse for getting a friend to sign your key. Drag/drop the updated keys back into your key manager to add the new signatures. To verify signatures are present, double-click on the key and look at the Names and Signatures tab.
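As an added example (not code from the original posts), here is the command-line side of two of the steps above: finding the Key ID that part 2 asks you to paste into Evolution, and checking that a friend's signature is actually present after you drag their returned key back into the key manager. It is a POSIX shell script built around a constructed `gpg --with-colons --list-sigs` listing; the key IDs, fingerprint and user IDs in it are made up for the example and are not real keys. Because the sample is embedded, the script runs without a keyring; when gpg is installed it also runs the same parsing over your real keyring.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --list-sigs` output for one public key.
# The key IDs, fingerprint and user IDs are invented for this example.
# Record layout (from gpg's DETAILS documentation):
#   pub  field 3 = size in bits, field 4 = algorithm (1 = RSA), field 5 = long key ID
#   fpr  field 10 = full 40-hex-digit fingerprint
#   uid  field 10 = user ID string
#   sig  field 5 = key ID of the signer, field 10 = signer's user ID
SAMPLE_LISTING='tru::1:1303900000:0:3:1:5
pub:u:2048:1:89ABCDEF01234567:1303900000::u:::scESC::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1303900000::0000000000000000000000000000000000000000::Example User (nick) <user@example.org>::::::::::
sig:::1:89ABCDEF01234567:1303900000::::Example User (nick) <user@example.org>:13x::::::
sig:::1:FEDCBA9876543210:1303950000::::Friend One <friend@example.net>:10x::::::
sub:u:2048:1:1122334455667788:1303900000::::::e::::::'

# Print the long (16 hex digit) key ID of every primary key in a colon listing.
# This is the value the Key ID column of Passwords and Encryption Keys shows
# and the value Evolution's PGP/GPG Key ID field expects.
primary_key_ids() {
    printf '%s\n' "$1" | awk -F: '$1 == "pub" { print $5 }'
}

# Print the full fingerprint of every primary key. The 8- and 16-digit key IDs
# are just the tail of this value, so the fingerprint is what you read out to
# the key's owner when confirming a key before signing it.
primary_fingerprints() {
    printf '%s\n' "$1" | awk -F: '$1 == "pub" { want = 1 }
                                  $1 == "fpr" && want { print $10; want = 0 }'
}

# True if the argument is a key ID in the form the GUI uses: 8 or 16 hex
# digits (0-9, A-F), with or without a 0x prefix.
is_key_id() {
    id=${1#0x}
    printf '%s\n' "$id" | grep -Eq '^([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16})$'
}

# True if a key ID is consistent with a fingerprint, i.e. is its suffix.
# A key ID that does not match the fingerprint you confirmed is the wrong key.
key_id_matches_fingerprint() {
    id=$(printf '%s' "${1#0x}" | tr 'a-f' 'A-F')
    fpr=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$id" ] || return 1
    case "$fpr" in
        *"$id") return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the key IDs of everyone who has signed the key other than the key's
# own self-signature, which is what the Names and Signatures tab shows you.
external_signers() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" { own = $5 }
        $1 == "sig" && $5 != own { print $5 }'
}

# Demonstration on the constructed sample.
echo "Sample key ID:      $(primary_key_ids "$SAMPLE_LISTING")"
echo "Sample fingerprint: $(primary_fingerprints "$SAMPLE_LISTING")"
echo "Signed by:          $(external_signers "$SAMPLE_LISTING")"

# The same functions work on your real keyring when gpg is installed.
if command -v gpg >/dev/null 2>&1; then
    LIVE=$(gpg --batch --with-colons --list-sigs 2>/dev/null)
    echo "Local key IDs: $(primary_key_ids "$LIVE")"
fi
```

The `--with-colons` format is gpg's stable machine-readable output, so the same awk filters work on a real listing; the short 8-digit ID is only the last 8 digits of the fingerprint, which is why comparing the full fingerprint with the key's owner is the check that matters before you sign.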
That’s a quick run-down of the key management functions.
Questions, comments, and feedback about key management are welcome and appreciated. Note that key management may be different in the Unity interface, which is shipped with Ubuntu Natty.
This was written more specifically for Ubuntu Maverick and previous, though Natty is just around the corner.
Previous Ubuntu versions, by default, had the key sequence CTRL-ALT-BKSP (Control-Alt-Backspace) enabled as a way to kill the X server in case a full-screen program was frozen beyond recovery. This key combination was turned off in Lucid, but can be re-enabled.
To re-enable, go to:
System > Preferences > Keyboard > Layout > Options [Natty/Unity: System Settings > Keyboard]
Drop down “Key sequence to kill the X server” and check the box next to Control + Alt + Backspace
That’s it! The key sequence is now re-enabled.
Questions, comments, and feedback are appreciated, as always.