More on mutt, but this time with gpg
#377 Henry, Sunday, 17 February 2019 7:55 PM (Category: Linux)
(Tags: mutt gpg email encryption)

On my Linux desktop, I use mutt for email. I have a friend who also uses mutt. He used to run mutt on a Linux desktop, but he has since migrated to using mutt on a Mac. You can do that using MacPorts or Homebrew or similar add-ons that give a better Unix experience on a Mac.

Back in 2003, we set up encrypted email between ourselves. This was a bit of an adventure, but we did it. We continue to use encrypted email. We don't have to, we don't have any massive secrets, we did it because we could, and we keep doing it to keep our knowledge fresh. We use gpg for the encryption.

My friend wants to expand the encryption. We are using older keys. Mine is 2003 vintage, my friend's key is 2006 vintage. Mine is only 1024 bits long. It's old, it's near worthless. Also, my friend wants to access his mail in two ways now. He wants to keep reading it in mutt when he's home, but he wants to read the mail when he's on the road, using his iPad. He can use Canary Mail on the iPad, but it doesn't support our old keys. Canary Mail supports OpenPGP. So does gpg, and therefore mutt can too, but we have to change our keys. We did that today, and I updated my notes, and wanted to add my notes here so we have access to them next time we have to fiddle with the keys.

(These notes assume that you already have mutt configured to use gpg. This can be a bit of a struggle, but mutt provides good instructions and a sample config file. I'm not going to go into detail about this here.)

First thing I did was look at what keys I had.

$ gpg --list-keys
/home/xxx/.gnupg/pubring.gpg
--------------------------------
pub   1024D/91D9A11F 2003-12-03
uid                  Henry Brown (Change 3) <xxx@brownsack.com>
sub   1024g/233C1CA4B 2003-12-03

pub   1024D/CCFF1021 2006-02-21
uid                  My Friend <friend@redsack.com>
sub   2048g/1614AAFF 2006-02-21

Look at that. My key was created back in 2003. My friend updated his key in 2006. Here we are in 2019 and we're using such ancient keys, and such small ones. Tsk.

What we did was add two new keys, one mine, one his.

I created my new key using these steps:

Creating a new key for myself

Examine my new key

$ gpg --list-keys
/home/xxx/.gnupg/pubring.gpg
--------------------------------
pub   1024D/91D9A11F 2003-12-03
uid                  Henry Brown (Change 3) <xxx@brownsack.com>
sub   1024g/233C1CA4B 2003-12-03

pub   1024D/CCFF1021 2006-02-21
uid                  My Friend <friend@redsack.com>
sub   2048g/1614AAFF 2006-02-21

pub   4096R/57BC136C 2019-02-16
uid                  Henry Brown (OpenPGP compatible) <xxx@brownsack.com>
sub   4096R/81CAF066 2019-02-16

So there's my new key. I have the comment in brackets beside my name which will help distinguish between the old key and the new key. I note the key ID so I can specifically refer to that key. The key id is the second number on the first line, the one after the slash. In this case, 57BC136C.

Make the new key the default

Edit the file ~/.gnupg/gpg.conf and change the default to the email address, and you may as well change the encrypt-to to the same address.

default-key xxx@brownsack.com
encrypt-to xxx@brownsack.com

Send the public key to my friend

I now have both my public and private keys, but that's not much use. I have to pass my public key to my friend, and I have to get his public key. There are a number of ways to do this. The easy way is to use mutt and send an email. An encrypted email. You want to send the new key inside an email encrypted with the old key. Right now, we are still emailing with the old keys, so we can do this.

Accept my friend's new public key

While I've been creating my new key, my friend has been creating his new key using the same instructions. He emails me his public key in an email encrypted with our old keys.

If I look at my list of keys now, I see this:

$ gpg --list-keys
/home/xxx/.gnupg/pubring.gpg
--------------------------------
pub   1024D/91D9A11F 2003-12-03
uid                  Henry Brown (Change 3) <xxx@brownsack.com>
sub   1024g/233C1CA4B 2003-12-03

pub   1024D/CCFF1021 2006-02-21
uid                  My Friend <friend@redsack.com>
sub   2048g/1614AAFF 2006-02-21

pub   4096R/57BC136C 2019-02-16
uid                  Henry Brown (OpenPGP compatible) <xxx@brownsack.com>
sub   4096R/81CAF066 2019-02-16

pub   4096R/15BC809F 2019-02-16
uid                  My Friend (OpenPGP) <friend@redsack.com>
sub   4096R/FFCCAA13 2019-02-16

So now we have our two old keys, and we have our new keys stored. But his new key isn't quite ready for action yet. I have to sign it and trust it.

Sign his new key

Get his key id; we're going to need it for this. His key id is the second number on the first line, in this case 15BC809F.

Trust his new key

And now his key is ready for action.

Switch to the new keys

Right now, we are both still using our old keys. Now we co-ordinate. I have imported his public key and signed it and trusted it. He has imported my public key and signed it and trusted it. So we send one final email to each other using our old keys, telling each other to switch to the new keys.

All my gpg stuff for mutt is stored in a config file called ~/.mutt.gpg. Your mutt configuration might well be different. At the end of .muttrc, I have these lines:

# Add in GPG configuration
source ~/.mutt.gpg

and at the end of .mutt.gpg, I have this line:

set pgp_sign_as=0x91D9A11F

This tells mutt to sign and encrypt messages with the key identified by the key id of 91D9A11F. If you look at my list of keys, you can see that this is my old original public key.

So I change this to the key id of my new public key.

set pgp_sign_as=0x57BC136C

So now, mutt will start using my new key.

Just FYI, I have two lines in .mutt.gpg that determine who gets encrypted email and who doesn't.

send-hook . "set nopgp_autoencrypt nopgp_autosign"
send-hook "~t friend@redsack.com" "set pgp_autoencrypt pgp_autosign"

The first line sets the default and no encrypting and signing happens for everyone. The second line makes an exception for my friend, and emails to his email address are encrypted and signed.
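As an added example (not from the original post), here is a small POSIX shell script that works on the `gpg --list-keys` output shown above, embedded as a constructed sample so it runs without gpg. It pulls a key id out of the listing by its uid comment, which is the only thing that tells the two keys sharing one email address apart, flags primary keys shorter than 2048 bits, and emits the .mutt.gpg lines with the key given by id rather than by address. The function names and the 2048-bit threshold are my own choices.

```shell
#!/bin/sh
# Constructed sample: the `gpg --list-keys` output from the post above,
# embedded here so the functions can run without gpg installed.
LISTING='pub   1024D/91D9A11F 2003-12-03
uid                  Henry Brown (Change 3) <xxx@brownsack.com>
sub   1024g/233C1CA4B 2003-12-03

pub   1024D/CCFF1021 2006-02-21
uid                  My Friend <friend@redsack.com>
sub   2048g/1614AAFF 2006-02-21

pub   4096R/57BC136C 2019-02-16
uid                  Henry Brown (OpenPGP compatible) <xxx@brownsack.com>
sub   4096R/81CAF066 2019-02-16

pub   4096R/15BC809F 2019-02-16
uid                  My Friend (OpenPGP) <friend@redsack.com>
sub   4096R/FFCCAA13 2019-02-16'

# key_id_for UID_SUBSTRING: print the short key id (the part after the slash
# on the "pub" line) of the first key whose uid line contains UID_SUBSTRING.
# Matching on the comment ("OpenPGP") rather than the address is what makes
# this unambiguous: both of each person's keys carry the same email address.
key_id_for() {
  printf '%s\n' "$LISTING" | awk -v pat="$1" '
    $1 == "pub" { split($2, a, "/"); id = a[2] }
    $1 == "uid" && index($0, pat) > 0 { print id; exit }'
}

# weak_keys MIN_BITS: print the key ids of primary keys shorter than MIN_BITS.
# The 1024-bit DSA keys in the listing are what the post calls "near worthless".
weak_keys() {
  printf '%s\n' "$LISTING" | awk -v min="$1" '
    $1 == "pub" { split($2, a, "/"); bits = a[1]; sub(/[A-Za-z]$/, "", bits);
                  if (bits + 0 < min + 0) print a[2] }'
}

# mutt_gpg_config KEY_ID PEER_ADDRESS: emit the ~/.mutt.gpg lines from the post,
# with the signing key given by id so mutt never has to choose between two keys.
mutt_gpg_config() {
  printf 'set pgp_sign_as=0x%s\n' "$1"
  printf 'send-hook . "set nopgp_autoencrypt nopgp_autosign"\n'
  printf 'send-hook "~t %s" "set pgp_autoencrypt pgp_autosign"\n' "$2"
}

new_id=$(key_id_for 'Henry Brown (OpenPGP compatible)')
mutt_gpg_config "$new_id" friend@redsack.com
echo "Keys below 2048 bits: $(weak_keys 2048 | paste -s -d ' ' -)"
```

The 8-hex-digit ids this listing format prints are easy to collide; `gpg --list-keys --keyid-format long` shows the 16-digit form, which is the safer value to put in pgp_sign_as.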

Exchange emails encrypted with the new key

Now that I have switched to my new public key, I can send him an email or wait for him to email me. We both did this.

I used mutt and created an email for him. It recognised that his email address needs signing and encrypting, per the config up above. It gets my new public key, because it knows which one is the default now. It has to combine my public key with his public key, but oh look, his email address is associated with two public keys. Mutt shows a list of both keys and lets me choose which one to use. This is where the comment becomes useful, as one has a comment of OpenPGP and the other has no comment. See the list of keys up above. I select the new key, press Enter, and then mutt wants to know if I am really authorised to use these keys by asking for my passphrase. I type the passphrase, and press Enter, and then the email is encrypted using my new public key and his new public key, and mutt emails that encrypted email to him.

In the meantime, an email from my friend has arrived and it is encrypted with his new public key and my new public key. I start mutt again, select his email and press Enter. Mutt knows it is encrypted, and it knows how to decrypt it, but first it wants to know if I am authorised to do this, so it asks for my passphrase. I type that and press Enter, mutt decrypts the message and displays it.

And we are done.

Cleaning up

So now we have two keys each, and we are using only the latest one. If I have any old encrypted messages, I need to keep the old key around to be able to decrypt those old emails. But if I have saved all the messages in unencrypted form and never expect to get another one with the old key, I could delete my old key, and probably my friend's old key. I would do this:

gpg --delete-key keyid