PGP tools with FastMail

Technical

This is the twenty third and penultimate post in the 2016 FastMail Advent Calendar. Stay tuned for the final post tomorrow.


Earlier in our advent series, we looked at why FastMail doesn't have PGP support, and we mentioned that the best way to use PGP was with a command line or IMAP client.

So, as promised, a quick guide to (some of) the open source options PGP clients available for use with your FastMail account! We definitely recommend that you use Open Source encryption software, and preferably reproducible builds.

Not sure how encryption like PGP works? This is a basic overview of encryption which leads into an understanding of PGP to encrypt email. If you plan on taking your privacy seriously, we recommend further reading to understand the risks, rewards and usability issues associated with using encryption software.

While we have done some basic research on these options, we can't provide any guarantees as to their suitability for your particular situation.

Browser plugins

Mailvelope

WebPG

  • Platform: Firefox and Chrome browsers. Mozilla Thunderbird and SeaMonkey desktop applications.
  • Pre-requisites: You need to install GnuPG and a Key Agent on your system for WebPG to work.
  • Instructions

Native clients

MacOS

GPGTools

  • Platform: macOS
  • Works with Mac's Mail.app, however it is currently not working with macOS Sierra. They have a workaround.
  • Instructions

iOS (iPhone/iPad)

There are no open source applications available for iOS, but these apps are available (and claim to be built on open source implementations of Open PGP) if you are looking for options.

iPGMail

PGPEverywhere

Windows/Linux

Install a mail client compatible with a set of plugins to enable PGP.

Plugins:

Android

OpenKeychain

Command Line

We recommend GNU Privacy Guard on the command line. It is available as source code and binaries for many platforms.

Chris our intrepid tester, has set up gpg on his work laptop to allow him to securely transfer data to his home machine, without ever bringing a copy of the private key to work. He's given the following set of steps which include easy-to-use aliases:

Generate a key with: gpg --gen-key (it asks some questions)

Export the public key with: gpg --armor --output ~/example.fm.key --export chris@example.fm. It will look like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQENBFhbajUBCADO7Rp0dVuVb2JWv86zvnqUC32NuarYXIeCpesvqIxU8wqr7hh5
R4IwZyVEcBYTyVaMWVhjGmxGCBhvauKb8ZivRwuUw0bHwVKCfjI+uWjB27lVwRLE
9zxNa2NA8svzY8EgImo48KO2/YA4Rw9ozMLxM/KkmRnmnoo5oDk1jXe7I0ILOPb1
6pQVDT/PJRrb+QXc7AMCD/Jj61PgFnPBGqLvICTTKwoeIE8dfFu7l0hwOTSloDv7
KiiM4+Xwz2Lptt7eJAlpKImCzeH96/yPK4IfkAId2IJCC5GfChG2aovNFBrhPsMv
9jWVNDvFvoLTyYqM5V2slaa/U6qTkWiyV3tpABEBAAG0NUNocmlzIEV4YW1wbGUg
KFRoaXMgaXMgYSBkZW1vIGtleSkgPGNocmlzQGV4YW1wbGUuZm0+iQE4BBMBAgAi
BQJYW2o1AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAZ87lBaIIEbq/d
B/0Z2K9gF+e65B9da2Gim0bpEH8MNmHJlkcHgIxheMyQ7s8ClrqRRnGZRFEBw55F
x7VGphBjav8H2czp3LKE5OrAyoT1z+kCmXZff7iHII2YIK0zzU3DsyUTpM2AOZKL
fQ5d9nZMJY7Jg7BbDM+N1SJsw6+nRuyG0FnZfF57Qk+h1p2rZn/jadno/XeargeZ
I2TI7GhkBg4ujB0k6Cpvr8gq394TohDcCPEYUBDI5m/5FkyHkUFO8SUGQu0fJ9/t
xX1J91z9EW0xbcjIsmg7TtIpbM3UocoSz++svSjYz2mU546gz/76688nSrYKJ+Os
IZ+wmJdOBc3Du28QbffXGRahuQENBFhbajUBCAC+rldeh9LKxoRblhUfaCxttOQ8
PeqSlNC5IvPikTnjWtkThbVCsM3OYITh18Q66WSSK+2AkWlHdSH6HdaA6zNP7wqZ
iAWf7LP1maLg/a/e8zbC3rTL5LXrtkln0IIje6aXtyq4bLGDuLQEJBo7eBqetr27
Cb5pCatDBkOmxpQxzFQmnYfCMyC8Dm6Z2GIrLj6u5Zb0GIrNoBqhPFxD1MRsromU
ERwWYNQjKodEllv/DMt3yAn2CQRlABxPFem16cDqFEGD/UhcJQrvpVrMbHpANWqh
nLgcBPLhXcmJ5Zd0JhtkwapZ/mLqZkTWWmGGQRdE9RlbKoYsT1yNVeX0RntRABEB
AAGJAR8EGAECAAkFAlhbajUCGwwACgkQGfO5QWiCBG5MYwf/ff7WBragmfCXOaTz
LjERK1nScXzlTZ5ZeEUQTcoujbQvSuFBTw0XtiKWNN3imGhmhorjmQyMFjCmIys2
YCur+c3Jmh6BO8q0xRJwS0jxtNjkObSx2+ICBi6gTTkrBb3ya6Uy2k4BhVfQArlv
5UZeMcxZB8Gh8S0pC4S9s4dTBn1+i4aKSJSGITleDtSj4ZfrZ2JI/mMaJSpk1BKg
JtTb9s+AcWpurV5HW5HCb8PKQsLndPJH5cH0xqIjW8Ha6dbsXmlCfpTNaAoOkQDC
rqWyA3a+f4o/kgq/0cOlJHponcxWmbvTXIBwMtR0O91E5pqp4/no9SmSWefLd0yM
zbOJdA==
=K7Ec
-----END PGP PUBLIC KEY BLOCK-----

On another machine, eg your work machine (somewhere you want to send messages/files from), import the key with: gpg --import-key ~/example.fm.key. Then add the following to your ~/.bashrc file:

alias ToChris='gpg --encrypt --recipient="chris@example.fm" --armour'
alias scramble="gpg --output encrypted.gpg --encrypt --recipient chris@example.fm "

As the work machine does not have your password or private key, you can then create encrypted messages/files from the command line:

echo "This is a private message. Remember to feed Ninja" | ToChris
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1

hQEMA9bIhjnGSgZUAQf+N6nr/t0uGi8HRYAhaxNteWgWR0uwkDPvec6tjHj0gk50
wtBGm1agVAIRWBg5e6w2wkfk2RqQ+ecqPCV4SpgBxdFkcEhsbYOSd81hS2jtQZtH
EUjHK/s0ANqeN8L5a9j6NynwRYjrnFpGWKsSA+Ubd4xUb2vIktXi+BnwNsXdfRw9
A27LZch69w2pr4zHjAyZO/PIq/SEuQ8Xu/+xhR+bq7gHBGOo9sokOle7yTDXnNdR
VsTJaFev4K3didFsNPQWENC6dQ3gHds8qMYGMR4Nt5hIfIfrulyQItjYi/z5LGBq
i6f7y2jSB27wUaGr4EY6vZMyjHpoIlSK0eq4h9bvRNJrAQhcLoEzDxD83oECGXTD
8KIEc78TYlIPgPyGZ3O7GanBxg9tX0UWnjZ8ohk+QStgDiZdivkGOUL1UfByQE7B
qwvgjYrTzu9JJll9LUDjTR0ow4OLaJdIIdPq7uRoBEyhX23mfZIFAruoc3w=
=mjJW
-----END PGP MESSAGE-----

You can then send the GPG message without others being able to read it (e.g. by copying and pasting that text directly into the FastMail web interface as the body of an email)

The command: scramble <filename> will create encrypted.gpg which can be attached to an email.

Key parties

There's are plenty of good resources for how to prepare for a key signing party online. Parties are often associated with conferences, allowing you to build a web of trust with other people in your field. Just make sure you know which kind of key party you're attending.

Example GPG bootstrapping

Bron shows the full process of creating a brand new key to replace his expired key, and signing a document with it.

brong@wot:~$ gpg --list-keys brong@fastmail.fm
pub   rsa2048 2015-09-20 [SC] [expired: 2016-09-19]
      0FBAC288980E770A5A789BA1410D67927CA469F8
uid           [ expired] Bron Gondwana <brong@fastmail.fm>

Shows how long since I've last needed to sign something!

brong@wot:~$ gpg --gen-key
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/home/brong/.gnupg/secring.gpg' to gpg-agent
gpg: key 410D67927CA469F8: secret key imported
gpg: migration succeeded
Note: Use "gpg --full-gen-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Bron Gondwana
Email address: brong@fastmail.fm
You selected this USER-ID:
    "Bron Gondwana <brong@fastmail.fm>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

At this point it popped up a dialog asking me to choose a passphrase.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key D92B20BCF922A993 marked as ultimately trusted
gpg: directory '/home/brong/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/brong/.gnupg/openpgp-revocs.d/8D8DEE2A5F30EF2E617BB2BBD92B20BCF922A993.rev'
public and secret key created and signed.

pub   rsa2048 2016-12-22 [SC]
      8D8DEE2A5F30EF2E617BB2BBD92B20BCF922A993
uid                      Bron Gondwana <brong@fastmail.fm>
sub   rsa2048 2016-12-22 [E]

brong@wot:~$

Now I have a new key. Let's pop that on the keyservers:

brong@wot:~$ gpg --send-keys 8D8DEE2A5F30EF2E617BB2BBD92B20BCF922A993
gpg: sending key D92B20BCF922A993 to hkp://keys.gnupg.net
brong@wot:~$
brong@wot:~$ echo "So you can all encrypt things to me now, and verify my signature (assuming you trust a fingerprint from a blog)" | gpg --clearsign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

So you can all encrypt things to me now, and verify my signature (assuming you trust a fingerprint from a blog)
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJYW7nPAAoJENkrILz5IqmT554IAL6cg6+ILkrKeLQlzDtA7pZ9
IluYJCt+HpvGw4wXnOmxLyWa/PkWvHUwAAQ9GpgZq7ZB8Sv4HPkm4sRz3zRvcsfR
gpfp5YmYk/i8Oj482jYp1lsngTCEeHkLNWrvXZyoiVUzWbfhYOzrkIDRwgNUCXuF
i/pgYT4K36d6OdfKbI4jsC62sJT20H8qjO9/I5o0gcmb+axv/kSuO87jvGySMXT5
EAYtogDd+jCL1FB0iyu01oUUoTRqgayMUWChJeofVZ9sehqyhXNoYNp4+/+jusmG
nblWeEYZ2S9d5jBNcHgd5cWQDwlBCJKnx1O8Qj9VO+hkBJBB7wHMAIyei8VsIbM=
=QT0N
-----END PGP SIGNATURE-----

And you can tell that I wrote this and none of my colleagues can edit that text and put words in my mouth (unless they create a different key with my email address and falsify the key generation part of the blog post as well!)

The command line is the most secure way to use PGP, where your email software and your encryption software running as entirely separate processes, only ciphertext or signed cleartext is transferred into the emails which are sent out from your secure computer.