PGP tools with FastMail
This is the twenty third and penultimate post in the 2016 FastMail Advent Calendar. Stay tuned for the final post tomorrow.
Earlier in our advent series, we looked at why FastMail doesn't have PGP support, and we mentioned that the best way to use PGP was with a command line or IMAP client.
So, as promised, a quick guide to (some of) the open source options PGP clients available for use with your FastMail account! We definitely recommend that you use Open Source encryption software, and preferably reproducible builds.
Not sure how encryption like PGP works? This is a basic overview of encryption which leads into an understanding of PGP to encrypt email. If you plan on taking your privacy seriously, we recommend further reading to understand the risks, rewards and usability issues associated with using encryption software.
While we have done some basic research on these options, we can't provide any guarantees as to their suitability for your particular situation.
- Platform: Firefox and Chrome browsers.
- Platform: Firefox and Chrome browsers. Mozilla Thunderbird and SeaMonkey desktop applications.
- Pre-requisites: You need to install GnuPG and a Key Agent on your system for WebPG to work.
- Platform: macOS
- Works with Mac's Mail.app, however it is currently not working with macOS Sierra. They have a workaround.
There are no open source applications available for iOS, but these apps are available (and claim to be built on open source implementations of Open PGP) if you are looking for options.
Install a mail client compatible with a set of plugins to enable PGP.
- To be used with a mail app such as K-9 on Android.
- They have a list of compatible clients
Chris our intrepid tester, has set up gpg on his work laptop to allow him to securely transfer data to his home machine, without ever bringing a copy of the private key to work. He's given the following set of steps which include easy-to-use aliases:
Generate a key with:
gpg --gen-key (it asks some questions)
Export the public key with:
gpg --armor --output ~/example.fm.key --export firstname.lastname@example.org. It will look like this:
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 mQENBFhbajUBCADO7Rp0dVuVb2JWv86zvnqUC32NuarYXIeCpesvqIxU8wqr7hh5 R4IwZyVEcBYTyVaMWVhjGmxGCBhvauKb8ZivRwuUw0bHwVKCfjI+uWjB27lVwRLE 9zxNa2NA8svzY8EgImo48KO2/YA4Rw9ozMLxM/KkmRnmnoo5oDk1jXe7I0ILOPb1 6pQVDT/PJRrb+QXc7AMCD/Jj61PgFnPBGqLvICTTKwoeIE8dfFu7l0hwOTSloDv7 KiiM4+Xwz2Lptt7eJAlpKImCzeH96/yPK4IfkAId2IJCC5GfChG2aovNFBrhPsMv 9jWVNDvFvoLTyYqM5V2slaa/U6qTkWiyV3tpABEBAAG0NUNocmlzIEV4YW1wbGUg KFRoaXMgaXMgYSBkZW1vIGtleSkgPGNocmlzQGV4YW1wbGUuZm0+iQE4BBMBAgAi BQJYW2o1AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAZ87lBaIIEbq/d B/0Z2K9gF+e65B9da2Gim0bpEH8MNmHJlkcHgIxheMyQ7s8ClrqRRnGZRFEBw55F x7VGphBjav8H2czp3LKE5OrAyoT1z+kCmXZff7iHII2YIK0zzU3DsyUTpM2AOZKL fQ5d9nZMJY7Jg7BbDM+N1SJsw6+nRuyG0FnZfF57Qk+h1p2rZn/jadno/XeargeZ I2TI7GhkBg4ujB0k6Cpvr8gq394TohDcCPEYUBDI5m/5FkyHkUFO8SUGQu0fJ9/t xX1J91z9EW0xbcjIsmg7TtIpbM3UocoSz++svSjYz2mU546gz/76688nSrYKJ+Os IZ+wmJdOBc3Du28QbffXGRahuQENBFhbajUBCAC+rldeh9LKxoRblhUfaCxttOQ8 PeqSlNC5IvPikTnjWtkThbVCsM3OYITh18Q66WSSK+2AkWlHdSH6HdaA6zNP7wqZ iAWf7LP1maLg/a/e8zbC3rTL5LXrtkln0IIje6aXtyq4bLGDuLQEJBo7eBqetr27 Cb5pCatDBkOmxpQxzFQmnYfCMyC8Dm6Z2GIrLj6u5Zb0GIrNoBqhPFxD1MRsromU ERwWYNQjKodEllv/DMt3yAn2CQRlABxPFem16cDqFEGD/UhcJQrvpVrMbHpANWqh nLgcBPLhXcmJ5Zd0JhtkwapZ/mLqZkTWWmGGQRdE9RlbKoYsT1yNVeX0RntRABEB AAGJAR8EGAECAAkFAlhbajUCGwwACgkQGfO5QWiCBG5MYwf/ff7WBragmfCXOaTz LjERK1nScXzlTZ5ZeEUQTcoujbQvSuFBTw0XtiKWNN3imGhmhorjmQyMFjCmIys2 YCur+c3Jmh6BO8q0xRJwS0jxtNjkObSx2+ICBi6gTTkrBb3ya6Uy2k4BhVfQArlv 5UZeMcxZB8Gh8S0pC4S9s4dTBn1+i4aKSJSGITleDtSj4ZfrZ2JI/mMaJSpk1BKg JtTb9s+AcWpurV5HW5HCb8PKQsLndPJH5cH0xqIjW8Ha6dbsXmlCfpTNaAoOkQDC rqWyA3a+f4o/kgq/0cOlJHponcxWmbvTXIBwMtR0O91E5pqp4/no9SmSWefLd0yM zbOJdA== =K7Ec -----END PGP PUBLIC KEY BLOCK-----
On another machine, eg your work machine (somewhere you want to send messages/files from), import the key with:
gpg --import-key ~/example.fm.key. Then add the following to your ~/.bashrc file:
alias ToChris='gpg --encrypt --recipient="email@example.com" --armour' alias scramble="gpg --output encrypted.gpg --encrypt --recipient firstname.lastname@example.org "
As the work machine does not have your password or private key, you can then create encrypted messages/files from the command line:
echo "This is a private message. Remember to feed Ninja" | ToChris -----BEGIN PGP MESSAGE----- Version: GnuPG v1 hQEMA9bIhjnGSgZUAQf+N6nr/t0uGi8HRYAhaxNteWgWR0uwkDPvec6tjHj0gk50 wtBGm1agVAIRWBg5e6w2wkfk2RqQ+ecqPCV4SpgBxdFkcEhsbYOSd81hS2jtQZtH EUjHK/s0ANqeN8L5a9j6NynwRYjrnFpGWKsSA+Ubd4xUb2vIktXi+BnwNsXdfRw9 A27LZch69w2pr4zHjAyZO/PIq/SEuQ8Xu/+xhR+bq7gHBGOo9sokOle7yTDXnNdR VsTJaFev4K3didFsNPQWENC6dQ3gHds8qMYGMR4Nt5hIfIfrulyQItjYi/z5LGBq i6f7y2jSB27wUaGr4EY6vZMyjHpoIlSK0eq4h9bvRNJrAQhcLoEzDxD83oECGXTD 8KIEc78TYlIPgPyGZ3O7GanBxg9tX0UWnjZ8ohk+QStgDiZdivkGOUL1UfByQE7B qwvgjYrTzu9JJll9LUDjTR0ow4OLaJdIIdPq7uRoBEyhX23mfZIFAruoc3w= =mjJW -----END PGP MESSAGE-----
You can then send the GPG message without others being able to read it (e.g. by copying and pasting that text directly into the FastMail web interface as the body of an email)
scramble <filename> will create encrypted.gpg which can be attached to an email.
There's are plenty of good resources for how to prepare for a key signing party online. Parties are often associated with conferences, allowing you to build a web of trust with other people in your field. Just make sure you know which kind of key party you're attending.
Example GPG bootstrapping
Bron shows the full process of creating a brand new key to replace his expired key, and signing a document with it.
brong@wot:~$ gpg --list-keys email@example.com pub rsa2048 2015-09-20 [SC] [expired: 2016-09-19] 0FBAC288980E770A5A789BA1410D67927CA469F8 uid [ expired] Bron Gondwana <firstname.lastname@example.org>
Shows how long since I've last needed to sign something!
brong@wot:~$ gpg --gen-key gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. gpg: starting migration from earlier GnuPG versions gpg: porting secret keys from '/home/brong/.gnupg/secring.gpg' to gpg-agent gpg: key 410D67927CA469F8: secret key imported gpg: migration succeeded Note: Use "gpg --full-gen-key" for a full featured key generation dialog. GnuPG needs to construct a user ID to identify your key. Real name: Bron Gondwana Email address: email@example.com You selected this USER-ID: "Bron Gondwana <firstname.lastname@example.org>" Change (N)ame, (E)mail, or (O)kay/(Q)uit? O We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
At this point it popped up a dialog asking me to choose a passphrase.
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key D92B20BCF922A993 marked as ultimately trusted gpg: directory '/home/brong/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/home/brong/.gnupg/openpgp-revocs.d/8D8DEE2A5F30EF2E617BB2BBD92B20BCF922A993.rev' public and secret key created and signed. pub rsa2048 2016-12-22 [SC] 8D8DEE2A5F30EF2E617BB2BBD92B20BCF922A993 uid Bron Gondwana <email@example.com> sub rsa2048 2016-12-22 [E] brong@wot:~$
Now I have a new key. Let's pop that on the keyservers:
brong@wot:~$ gpg --send-keys 8D8DEE2A5F30EF2E617BB2BBD92B20BCF922A993 gpg: sending key D92B20BCF922A993 to hkp://keys.gnupg.net brong@wot:~$
brong@wot:~$ echo "So you can all encrypt things to me now, and verify my signature (assuming you trust a fingerprint from a blog)" | gpg --clearsign -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 So you can all encrypt things to me now, and verify my signature (assuming you trust a fingerprint from a blog) -----BEGIN PGP SIGNATURE----- iQEcBAEBCAAGBQJYW7nPAAoJENkrILz5IqmT554IAL6cg6+ILkrKeLQlzDtA7pZ9 IluYJCt+HpvGw4wXnOmxLyWa/PkWvHUwAAQ9GpgZq7ZB8Sv4HPkm4sRz3zRvcsfR gpfp5YmYk/i8Oj482jYp1lsngTCEeHkLNWrvXZyoiVUzWbfhYOzrkIDRwgNUCXuF i/pgYT4K36d6OdfKbI4jsC62sJT20H8qjO9/I5o0gcmb+axv/kSuO87jvGySMXT5 EAYtogDd+jCL1FB0iyu01oUUoTRqgayMUWChJeofVZ9sehqyhXNoYNp4+/+jusmG nblWeEYZ2S9d5jBNcHgd5cWQDwlBCJKnx1O8Qj9VO+hkBJBB7wHMAIyei8VsIbM= =QT0N -----END PGP SIGNATURE-----
And you can tell that I wrote this and none of my colleagues can edit that text and put words in my mouth (unless they create a different key with my email address and falsify the key generation part of the blog post as well!)
The command line is the most secure way to use PGP, where your email software and your encryption software running as entirely separate processes, only ciphertext or signed cleartext is transferred into the emails which are sent out from your secure computer.