Encrypting email with GnuPG
Going for It
After signing and integrating the recipient's keys in your keyring, the next step is to configure the email client. In both Thunderbird and KMail, all you need to do is associate an identity with a secret key (Figure 4) that matches its email address. If Thunderbird finds just one matching private key in your keyring, it automatically selects it.
After this preparation, sending an encrypted email is a mouse-click away. In Thunderbird, select OpenPGP | Encrypt message; in KMail, select Options | Encrypt message. The email client then asks whether the public key selected based on the email address is the correct one. To unlock the keyring, enter the password of the private key associated with the particular identity.
Upon receiving an encrypted message, KMail decrypts it by default when you click Decrypt message. Thunderbird either decrypts the email unprompted or displays the raw source of the OpenPGP-encrypted message.
Clicking Decrypt shows the plaintext message once you enter the private key password. The private key password stays on your computer and is never sent to the mail server, so you need to decrypt the emails again after restarting the program.
Thunderbird behaves differently depending on the message because of the two methods that GnuPG uses to embed the encrypted text in the message. The older approach writes the encrypted message text directly into the mail body ("Inline OpenPGP").
The newer one, OpenPGP/MIME, uses the MIME attachment method and carries the encrypted text as an attachment of type application/pgp-encrypted. Newer email programs don't offer such pgp-encrypted attachments as downloads; instead, they decrypt the included text and display it in the message window.
The benefit of MIME embedding is that message attachments are encrypted along with the body, and the structure is easier for mail programs to recognize. However, older or simpler programs may not be able to handle the MIME types.
In KMail, you can select Options | Message encryption format between Inline-OpenPGP and OpenPGP/MIME. The Thunderbird option is OpenPGP | Use PGP/MIME.
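The two layouts described above, as an added example that is not part of the article: the script builds an Inline OpenPGP message (armored block in a text/plain body) and an OpenPGP/MIME message (multipart/encrypted with an application/pgp-encrypted control part, per RFC 3156) with Python's standard email module, then classifies an incoming message and pulls out the armored block a client would hand to gpg. The addresses and the ciphertext block are constructed placeholders, not real gpg output.

```python
"""Build and classify the two OpenPGP message layouts (Inline vs. OpenPGP/MIME).

Added example, not from the article. The ciphertext below is a constructed
placeholder; a real one would come from `gpg -e -a`.
"""
from email import encoders, message_from_string
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.policy import default
from typing import Optional

# Constructed placeholder armored block (not decryptable by anything).
CIPHERTEXT = """-----BEGIN PGP MESSAGE-----

hQEMAwAAAAAAAAAAAQf/PLACEHOLDERxxNOTxxREALxxGPGxxOUTPUTxxxx
=AAAA
-----END PGP MESSAGE-----
"""


def build_inline(sender: str, recipient: str, subject: str, body: str) -> str:
    """Inline OpenPGP: the armored block simply is the text/plain body."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()


def build_pgp_mime(sender: str, recipient: str, subject: str, armored: str) -> str:
    """OpenPGP/MIME (RFC 3156): multipart/encrypted with exactly two parts."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"] = sender
    outer["To"] = recipient
    outer["Subject"] = subject
    # Part 1: control information; the body is literally "Version: 1".
    control = MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    # Part 2: the armored ciphertext. Any attachments of the original mail
    # live inside this blob and only appear after decryption.
    payload = MIMEApplication(armored.encode("ascii"), "octet-stream",
                              _encoder=encoders.encode_7or8bit, name="encrypted.asc")
    payload.add_header("Content-Disposition", "inline", filename="encrypted.asc")
    outer.attach(control)
    outer.attach(payload)
    return outer.as_string()


def classify(raw: str) -> str:
    """Return 'pgp-mime', 'inline', 'cleartext' or 'malformed-pgp-mime'."""
    msg = message_from_string(raw, policy=default)
    if msg.get_content_type() == "multipart/encrypted":
        if msg.get_param("protocol") != "application/pgp-encrypted":
            return "malformed-pgp-mime"
        parts = list(msg.iter_parts())
        if (len(parts) == 2
                and parts[0].get_content_type() == "application/pgp-encrypted"
                and parts[1].get_content_type() == "application/octet-stream"):
            return "pgp-mime"
        return "malformed-pgp-mime"
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().lstrip().startswith(
            "-----BEGIN PGP MESSAGE-----"):
        return "inline"
    return "cleartext"


def extract_ciphertext(raw: str) -> Optional[str]:
    """Return the armored block to hand to gpg, whichever layout the mail uses."""
    kind = classify(raw)
    msg = message_from_string(raw, policy=default)
    if kind == "pgp-mime":
        # The octet-stream part is bytes; the armor is plain ASCII by definition.
        return list(msg.iter_parts())[1].get_content().decode("ascii").strip()
    if kind == "inline":
        return msg.get_body(preferencelist=("plain",)).get_content().strip()
    return None


if __name__ == "__main__":
    for name, raw in (("inline", build_inline("alice@example.org", "bob@example.org", "test", CIPHERTEXT)),
                      ("mime", build_pgp_mime("alice@example.org", "bob@example.org", "test", CIPHERTEXT))):
        print(name, "->", classify(raw))
```

The classifier deliberately treats a multipart/encrypted container with the wrong protocol parameter or the wrong number of parts as malformed rather than falling back to a body search, which is the same distinction that makes an older client show the raw armor instead of decrypting it.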
Preventing Key Loss
Losing a private key prevents access to any previously encrypted messages. Therefore, a secure key backup on external media is essential.
The easiest way is to save the secring.gpg file from the ~/.gnupg directory. Copying the file into the same directory on any other Linux installation keeps the private keys accessible there. To export private keys, use the following command:
$ gpg --export-secret-keys -a > <MySecretKeys.sec>
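An added check for the exported backup, not part of the article: the file written by gpg --export-secret-keys -a is an RFC 4880 ASCII-armored block whose last line ("=" followed by four base64 characters) is a CRC-24 over the binary payload, so a copy on external media can be verified as complete and unmodified without gpg being installed on the machine doing the check (gpg --import recomputes the same CRC). The script below implements that CRC and the armor parsing itself; the payload it uses in the usage section is constructed, not a real key. On GnuPG 2.1 and later the secret keys are no longer kept in secring.gpg but under ~/.gnupg/private-keys-v1.d/, which is one more reason to rely on the exported file rather than on copying the keyring.

```python
"""Offline integrity check for an ASCII-armored GnuPG key backup (RFC 4880 armor).

Added example, not from the article. The sample payload in the usage section is
constructed and is not a real key.
"""
import base64
import binascii
import re
import sys
from typing import Any, Dict

CRC24_INIT = 0xB704CE    # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 exactly as specified for OpenPGP armor (RFC 4880, 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, block_type: str = "PGP PRIVATE KEY BLOCK") -> str:
    """Wrap binary data the way gpg -a does (used here to build test input)."""
    b64 = base64.b64encode(payload).decode("ascii")
    data_lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_b64 = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {block_type}-----", ""] + data_lines
                     + ["=" + crc_b64, f"-----END {block_type}-----", ""])


def check_backup(text: str) -> Dict[str, Any]:
    """Parse one armored block and recompute its CRC-24.

    'ok' is True only when the CRC matches and the block really is a private
    key block, i.e. the file is a usable secret-key backup.
    """
    lines = [line.rstrip() for line in text.strip().splitlines()]
    if not lines:
        return {"ok": False, "reason": "empty file"}
    head = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----", lines[0].strip())
    if head is None:
        return {"ok": False, "reason": "no armor header line"}
    block_type = head.group(1)
    if lines[-1].strip() != f"-----END {block_type}-----":
        return {"ok": False, "reason": "missing or mismatched END line"}
    body = lines[1:-1]
    # Optional 'Key: value' armor headers (Version:, Comment:) end at a blank line.
    i = 0
    while i < len(body) and body[i].strip():
        if ":" not in body[i]:
            return {"ok": False, "reason": "armor headers not terminated by a blank line"}
        i += 1
    data = [line.strip() for line in body[i + 1:] if line.strip()]
    if not data or not data[-1].startswith("="):
        return {"ok": False, "reason": "CRC line missing"}
    crc_line = data.pop()
    try:
        payload = base64.b64decode("".join(data), validate=True)
        stored = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    except (binascii.Error, ValueError) as exc:
        return {"ok": False, "reason": f"base64 decode failed: {exc}"}
    computed = crc24(payload)
    return {
        "ok": computed == stored and block_type == "PGP PRIVATE KEY BLOCK",
        "block_type": block_type,
        "crc_ok": computed == stored,
        "payload_bytes": len(payload),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_backup.py MySecretKeys.sec
        with open(sys.argv[1], encoding="ascii") as fh:
            print(check_backup(fh.read()))
    else:
        # Constructed demo payload, not a real key.
        print(check_backup(armor(b"constructed test payload, not a real key")))
```

A report with crc_ok False means the copy is not the file gpg wrote (truncated, line-wrapped by an editor, or altered in transit), and importing it is pointless; a correct CRC with a block type other than PGP PRIVATE KEY BLOCK means a public-key export was saved by mistake.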
To import the keys, use the command gpg --import MySecretKeys.sec. Conversely, to remove compromised or no longer sufficiently secure keys from your keyring, you can create a so-called revocation certificate, as follows:
$ gpg --gen-revoke <id> > revoke.asc
Next, you can import the revocation into your keyring using gpg --import revoke.asc and then publish the revoked key to the key server via the following command:
$ gpg --keyserver hkp://keys.gnupg.net --send-keys <id>
For a published key, the revocation certificate should be generated in advance so that it is at hand if the key is compromised, and it must never fall into the wrong hands.