On my Linux desktop, I use mutt for email. I have a friend who also uses mutt. He used to run mutt on a Linux desktop, but he has since migrated to using mutt on a Mac. You can do that using MacPorts or Homebrew or similar add-ons that give a better Unix experience on a Mac.
Back in 2003, we set up encrypted email between ourselves. This was a bit of an adventure, but we did it. We continue to use encrypted email. We don't have to, we don't have any massive secrets, we did it because we could, and we keep doing it to keep our knowledge fresh. We use gpg for the encryption.
My friend wants to expand the encryption. We are using older keys. Mine is 2003 vintage, my friend's key is 2006 vintage. Mine is only 1024 bits long. It's old, it's near worthless. Also, my friend wants to access his mail in two ways now. He wants to keep reading it in mutt when he's home, but he wants to read the mail when he's on the road, using his iPad. He can use Canary Mail on the iPad, but it doesn't support our old keys. Canary Mail supports OpenPGP. So does gpg, and therefore mutt can too, but we have to change our keys. We did that today, and I updated my notes, and wanted to add my notes here so we have access to them next time we have to fiddle with the keys.
(These notes assume that you already have mutt configured to use gpg. This can be a bit of a struggle, but mutt provides good instructions and a sample config file. I'm not going to go into detail about this here.)
First thing I did was look at what keys I had.
$ gpg --list-keys /home/xxx/.gnupg/pubring.gpg -------------------------------- pub 1024D/91D9A11F 2003-12-03 uid Henry Brown (Change 3) <email@example.com> sub 1024g/233C1CA4B 2003-12-03 pub 1024D/CCFF1021 2006-02-21 uid My Friend <firstname.lastname@example.org> sub 2048g/1614AAFF 2006-02-21
Look at that. My key was created back in 2003. My friend updated his key in 2006. Here we are in 2019 and we're using such ancient keys, and such small ones. Tsk.
What we did was add two new keys, one mine, one his.
I created my new key using these steps:
Creating a new key for myself
- gpg --openpgp --gen-key
- Using --openpgp will create an OpenPGP key that will be more compatible with a lot more software.
- Choose 1 for the default, RSA and RSA
- keysize 4096
- 0 for key not expire
- my name
- my email address
- a small comment. This will appear in brackets after the name, so make it useful. As this change is to add an OpenPGP key, I made my comment "OpenPGP compatible" so I can immediately distinguish this key from others.
- passphrase - make this smallish. You'll have to type it in the first time each mutt session you want to use this key, so don't make it 300 bytes long because you'll get sick of typing it in. This is the password to using this key.
- Your new key will be generated. I got complaints from the operating system that I wasn't generating enough entropy and needed to move the keyboard and jiggle things around, and in the end I played music on my desktop with cmus, and that generated enough entropy and the key finished creating.
Examine my new key
$ gpg --list-keys /home/xxx/.gnupg/pubring.gpg -------------------------------- pub 1024D/91D9A11F 2003-12-03 uid Henry Brown (Change 3) <email@example.com> sub 1024g/233C1CA4B 2003-12-03 pub 1024D/CCFF1021 2006-02-21 uid My Friend <firstname.lastname@example.org> sub 2048g/1614AAFF 2006-02-21 pub 4096R/57BC136C 2019-02-16 uid Henry Brown (OpenPGP compatible) <email@example.com> sub 4096R/81CAF066 2019-02-16
So there's my new key. I have the comment in brackets beside my name which will help distinguish between the old key and the new key. I note the key ID so I can specifically refer to that key. The key id is the second number on the first line, the one after the slash. In this case, 57BC136C.
Make the new key the default
Edit the file ~/.gnupg/gpg.conf and change the default to the email address, and you may as well change the encrypt-to to the same address.
default-key firstname.lastname@example.org encrypt-to email@example.com
Send the public key to my friend
I now have both my public and private keys, but that's not much use. I have to pass my public key to my friend, and I have to get his public key. There are a number of ways to do this. The easy way is to use mutt and send an email. An encrypted email. You want to send the new key inside an email encrypted with the old key. Right now, we are still emailing with the old keys, so we can do this.
- Start mutt
- Create a new message for the other person
- At the Compose screen, press Esc-k to generate the public key to send
- Enter the ID of my new public key because that's what I want to send to him. Yes, the key id I mentioned up above, so run "gpg --list-keys" and get the key id of my new public key and type it here.
- Send the message, making sure the message is encrypted using the old key.
Accept my friend's new public key
While I've been creating my new key, my friend has been creating his new key using the same instructions. He emails me his public key in an email encrypted with our old keys.
- Start mutt
- Look at the new email, and press v to view the components
- Mutt will put the word 'key' at the start of the email component that is his new public key
- Move the cursor to that line
- Press Ctrl-K and his key will be imported into GPG and stored.
If I look at my list of keys now, I see this:
$ gpg --list-keys /home/xxx/.gnupg/pubring.gpg -------------------------------- pub 1024D/91D9A11F 2003-12-03 uid Henry Brown (Change 3) <firstname.lastname@example.org> sub 1024g/233C1CA4B 2003-12-03 pub 1024D/CCFF1021 2006-02-21 uid My Friend <email@example.com> sub 2048g/1614AAFF 2006-02-21 pub 4096R/57BC136C 2019-02-16 uid Henry Brown (OpenPGP compatible) <firstname.lastname@example.org> sub 4096R/81CAF066 2019-02-16 pub 4096R/15BC809F 2019-02-16 uid My Friend (OpenPGP) <email@example.com> sub 4096R/FFCCAA13 2019-02-16
So now we have our two old keys, and we have our new keys stored. But his new key isn't quite ready for action yet. I have to sign it and trust it.
Sign his new key
Get his key id, we're going to need it for this. His key id is the second number on the first line, in this case 15BC809F.
- gpg --edit-key keyid
- Answer yes all the way
- Make sure you are signing it with your new key
- quit and save
Trust his new key
- gpg --edit-key keyid
- You have a choice. You can use 4 (trust fully) or 5 (trust ultimately). I used 5. What's the difference? StackExchange answers this question
And now his key is ready for action.
Switch to the new keys
Right now, we are both still using our old keys. Now we co-ordinate. I have imported his public key and signed it and trusted it. He has imported my public key and signed it and trusted it. So we send one final email to each other using our old keys, telling us to switch to the new.
All my gpg stuff for mutt is stored in a config file called ~/.mutt.gpg. Your mutt configuration might well be different. At the end of .muttrc, I have these lines:
# Add in GPG configuration source ~/.mutt.gpg
and at the end of .mutt.gpg, I have this line:
This tells mutt to sign and encrypt messages with the key identified by the key id of 91D9A11F. If you look at my list of keys, you can see that this is my old original public key.
So I change this to the key id of my new public key.
So now, mutt will start using my new key.
Just FYI, I have two lines in .mutt.gpg that determine who gets encrypted email and who doesn't.
send-hook . "set nopgp_autoencrypt nopgp_autosign" send-hook "~t firstname.lastname@example.org" "set pgp_autoencrypt pgp_autosign"
The first line sets the default and no encrypting and signing happens for everyone. The second line makes an exception for my friend, and emails to his email address are encrypted and signed.
Exchange emails encrypted with the new key
Now that I have switched to my new public key, I can send him an email or wait for him to email me. We both did this.
I used mutt and created an email for him. It recognised that his email address needs signing and encrypting, per the config up above. It gets my new public key, because it knows which one is the default now. It has to combine my public key with his public key, but oh look, his email address is associated with two public keys. Mutt shows a list of both keys and lets me choose which one to use. This is where the comment becomes useful, as one has a comment of OpenPGP and the other has no comment. See the list of keys up above. I select the new key, press Enter, and then mutt wants to know if I am really authorised to use these keys by asking for my passphrase. I type the passphrase, and press Enter, and then the email is encrypted using my new public key and his new public key, and mutt emails that encrypted email to him.
In the meantime, an email from my friend has arrived and it is encrypted with the his new public key and my new public key. I start mutt again, select his email and press Enter. Mutt knows it is encrypted, and it knows how to decrypt it, but first it wants to know if I am authorised to do this, so it asks for my passphrase. I type that and press Enter, mutt decrypts the message and displays it.
And we are done.
So now we have two keys each, and we are using only the latest one. If I have any old encrypted messages, I need to keep the old key around to be able to decrypt those old emails. But if I have saved all the messages in unencrypted form and never expect to get another one with the old key, I could delete my old key, and probably my friend's old key. I would do this:
gpg --delete-key keyid