Using GPG Encryption with Web Mail

Tags

1024, 2048, commands, decrypt, encrypt, gnupg, gpg, openpgp, pgp, rsa, webmail

I’ve covered this before, but wanted to redo it as an easier to follow step-by-step guide (with better quality screenshots).

GPG is most commonly used as an email client plugin, but most people use webmail for their personal emails, and most webmail services don’t support PGP encryption.
This post will demonstrate an alternative, where email is composed in a text editor, encrypted, and the ciphertext pasted into a webmail interface. I’ll also show how to do the reverse, so you can also receive PGP-encrypted emails to your webmail address and decrypt them.

While there are graphical interfaces for using GPG, this guide will demonstrate the command line usage, as it will be the same for everyone with GPG installed. Plus, using the command line is a healthy habit to cultivate.

2. Creating Keys
Firstly, you’ll require a ‘key pair’ – your public and private keys, associated with your email address. The point of this is people can exchange encrypted messages without ever sending a secret key – encrypted messages and public keys are communicated openly, but only the recipient has the private key to decrypt. It’s also extremely difficult for a third-party to derive one from the other, if the key sizes are sufficiently large.
So, here the public key is what you make public, and the private key is what you keep secret. The public key encrypts, and the private key decrypts.
The command used for generating the keys is:
$gpg --gen-key

If it works, the following menu appears:

My personal preference is to stick with defaults, using RSA with a 2048-bit key. RSA 512 is relatively easy to break, and I suspect RSA 1024 is breakable with custom hardware within a reasonable amount of time (i.e. within months). Conversely, it’s also safe, because the speculation is on resources required to decrypt one individual ciphertext, and the attackers wouldn’t bother unless it was really worth the effort.

Anyway, moving on, the GPG program will generate the keys, using /dev/random as the entropy source (or whatever the equivalent is for Windows NT). The ‘entropy pool’ is populated with values derived from hardware events, so this involves doing pseudo-random stuff with the mouse and keyboard while the keys are generated.

3. Compose and encrypt email
With the key pair generated, it’s possible to demonstrate the actual encryption and decryption processes. I composed an email message with a standard text editor, saved it as ‘test-email.txt’, then used the following command:
$gpg -e -a [filename].txt

GPG will prompt for the recipient(s) email address, find the relevant public key in its database, then encrypt the plaintext message.

The ciphertext is written to another file ([filename].asc). Copy and paste the file’s content into the webmail interface as the message body.

4. Decrypting email
The process is simply reversed to decrypt. This time, we receive the GPG-encrypted ciphertext, paste into a text editor and save the file as ‘filename.asc’.

When running the following command, GPG should automatically detect the encryption used, fetch the relevant private key and decrypt.

5. Importing public keys
Lastly, in order to encrypt emails for other recipients, their public keys must be added to the GPG agent’s database. Like the encrypted email, the public key will be a large block of ASCII ciphertext. Copy and paste this into a file, and save it as ‘[filename].gpg’.

Next, use the ‘gpg --import -a [filename]‘ command to import the contents of the file. The new entry should appear when using ‘gpg --list-keys‘.

One issue to be aware of: Exercise caution when exporting private keys for backup. The GPG password is not the encryption key, and only protects the application’s key storage function. Once the private key exported to another storage device, it is entirely unprotected, and might be copied and used by others.

Advertisements

Making PGP/OpenPGP Work with Webmail

Tags

command, editor, email, encrypt, gnupg, gpg, key, line, message, offline, openpgp, pgp, privacy, private, public, webmail

Here’s a problem in need of a practical solution: I’ve recently been assigned an account by an organisation that uses a very untrustworthy firm to host its emails, and I’m insisting (or at least strongly encouraging) that nothing sensitive is uploaded to the servers without being properly encrypted.

Normally email encryption is handled by some part of a client application, or a PGP/OpenPGP extension like Enigmail (for Thunderbird). The problem I’m addressing here is that most people have at least one email/webmail account that isn’t compatible with email clients, and there’s no obvious way of using PGP/OpenPGP without that.

Overview of the Solution
The solution I attempted to find here was:
1. Compose message on local machine
2. Encrypt the message with recipient’s public key
3. Copy and paste the encrypted email in the browser.
4. Send email to recipient

The recipient should then get the encrypted email, and with a bit of luck the encryption can be reversed with his/her private key. If we are the recipient, we simply do the reverse: copy and paste the encrypted email into a text editor and decrypt the message offline.

The Command Line Method
While this method won’t appeal to the average person at first, it’s what we’re stuck with in the absence of a simple GUI application. The good news is it’s pretty quick once we’ve done it a couple of times.
This method assumes that the user has created key pairs for each email/webmail account, and has the public key of the recipient. These can be created/added using a key management application such as Seahorse or Kleopatra.

The following command will list the public and private keys stored on the local system:
$gpg --list-keys

To prepare an email, I opened a standard text editor and typed a message, saving it as TestMessage.txt:


Dear Recipient

Can I request a meeting for Thursday afternoon?

Yours,
Michael


The content of TestMessage.txt (the message) can be encrypted with a single command:
$gpg --armor -e [file name]

In this case:
$gpg --armour -e TestMessage.txt

GPG will then prompt the user for the recipient(s) email address and check whether a public key is available for that address. The ‘–armor‘ option produces ASCII ciphertext, as opposed to a pure encrypted file.
Having encrypted the message, GPG will create a file called [filename].asc that will contain the ciphertext. The content of that file should appear something like:

This block of ciphertext can now be pasted into a webmail message and sent to the recipient. Job done.

Decrypting the Message
A recipient receiving the message simply does the reverse. Here, the ciphertext is copied from the browser into a text editor, and saved locally as [filename].asc. I’ve tested this by deleting the plaintext file I created earlier and using the following command to decrypt the ciphertext in TestMessage.txt.asc:
$gpg -d TestMessage.txt.asc

If we’re the recipient and we have the relevant private key, GPG will then prompt for the password before displaying the plaintext in the command line:

So there we have it. Problem solved. All that remains is to develop the software to make the solution more accessible.

Symmetric File Encryption with GPG

Tags

algorithm, crypt, decrypt, encrypt, file, gnupg, gpg, symmetric

Many cloud storage providers boast strong encryption, but that does little to protect users’ data if they retain the keys. On the other hand, the conventional method of using GPG to encrypt data relies on a private key that must also be stored somewhere, making it logistically unsuitable for backing up.
Fortunately there’s a very simple way to encrypt files (or .zip archives) with GPG using symmetric encryption, and with a password instead of a keyfile. This feature can be used with just two simple commands.

To encrypt a given file:
$ gpg -c example.txt

The program will ask for a password twice, and the encrypted copy of the file, with the .gpg extension, is generated in the same directory.

Of course, anyone wanting to decrypt the file must use the same password, as there is no public key here. To decrypt the file, simply use:
$ gpg example.gpg

Which Algorithm?
It’s also possible to define which algorithm to use for encrypting file, from the following:

For example:
$ gpg -c --cipher-algo=BLOWFISH example.txt

To encrypt with AES, substitute ‘BLOWFISH’ with ‘AES’:
$ gpg -c --cipher-algo=AES example.txt