Showing posts with label mcabber. Show all posts
Showing posts with label mcabber. Show all posts

02 May 2012

128. Encrypting your email, chat and VOIP in linux (Debian Wheezy)

I'll show how to use GnuPG with Gajim, mcabber, Evolution, Thunderbird and Mutt below
I'll also show SRTP/ZRTP using Twinkle with iinet for encrypted VOIP calls -- this solution should work computer-to-computer, but not from computer to phone and vice versa.

You may also want to look at truecrypt ( to secure your files and/or devices, in particular portable storage media like USB sticks. Truecrypt is a good way of backing up or managing your pgp/gpg keys.

I do recognise that there's a lot of info on this page, so don't feel shy about using 'search' to get to where you want to be.

If you have nothing to hide, why worry?

University and company email systems get hacked. What you do and say can come back to haunt you in unintended way. A lot of employers in the US are scared of submitting honest letters of recommendation because they fear getting sued if they are not favourable enough. Politicians are, often illegally, using private email for official business.

On the one hand, if something doesn't pass the 'newspaper test' (how would you feel if this was the headline on today's newspaper?) maybe you shouldn't be doing/writing/saying that.

On the other hand, in particular in academia, it is important that discourse can be direct and honest.

For these reasons I favour using PGP/GPG encryption as much as possible, since I feel that it strikes a good balance between the need for privacy and unfettered discourse, and the need for a paper trail. PGP/GPG encrypts the content of your conversation, but still leaves it open with whom you converse, thus providing a trail ensuring  that you don't get involved in something which you shouldn't.

In some jurisdictions this means that you can be ordered to decrypt your conversation, while, to my understanding, in e.g. the US the content and relevance of the conversation needs to be known to some extent for this to happen. The bottom line is that you will be involved in the release of the material, and that it will take a court order for that to happen.

As with everything else, encryption is just a tool, and it can be used responsibly for good purposes, or irresponsibly with bad intent.

And if even you truly don't have anything to hide, you may support the right for each citizen to decide for themselves whether they want to use encryption or not. The view of law enforcement in many countries seems to be that only criminals have reasons to use encrypted communication, while at the same time security/intelligence agencies believe that their job becomes more difficult to do if they can't sniff all traffic (e.g. ECHELON).  These are legitimate opinions, but as with everything you have to make a choice between how much liberty you are willing to sacrifice for a little bit of security. You have to decide for yourself where you draw that line.

Enough meaningless banter, time to get configured.


The key KEY principle is that:

You can encrypt with a private key (e.g. signing), but then anyone with your public key can decrypt it.

I'll write this in bold because it is central to encryption with public and private keys:
use the recipients PUBLIC key to encrypt correspondence to them, and they should use your public key to encrypt correspondence to you. If a private key is used to encrypt, everyone can read the correspondence.

IF, on receiving an encrypted email from someone else, you have to go online to download their key to decrypt, then they used their private key and not your public key to encrypt. That is wrong and INSECURE.

A side effect is that,UNLESS you cc and encrypt to yourself using your public keys when emailing, you WILL NOT BE ABLE TO READ SENT EMAILS which have been encrypted using someone else's public key.

In a more formal setting you will probably want to use expiring keys. For personal use, keys that don't expire are probably fine.

2. How?

2a. Keys and key-management

First install seahorse, gnupg, and gnupg2.

Regardless of how you create your key, it will be found in ~/.gnupg

ls ~/.gnupg/
gpg.conf      pubring.gpg   pubring.gpg~  random_seed   secring.gpg   trustdb.gpg

This means that anyone with root/sudo access on that system can access your private key and decrypt all your correspondence unless you password protect it.  In general, don't store your key on a shared computer.

Creating a key

  • using gpg (terminal)

gpg --gen-key
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) Y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <>"
Real name: I Lindqvist
Email address:
Comment: fake address
You selected this USER-ID:
    "I Lindqvist (fake address) <>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
You'll get asked for a passphrase twice. Then:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 283 more bytes)
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 109 more bytes)
gpg: key 2B4C5636 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/2B4C5636 2012-05-02
      Key fingerprint = 5B71 C3F1 0C2D E008 B299  21A8 019F 907E 2B4C 5636
uid                  I Lindqvist (fake address) <>
sub   2048R/78F9B6C1 2012-05-02
gpg --list-key
pub   2048R/2B4C5636 2012-05-02
uid                  I Lindqvist (fake address) <>
sub   2048R/78F9B6C1 2012-05-02
To add more email address, do
gpg --edit-key 2B4C5636
and follow the prompts. You do not want to add subkeys.

to set the trust level. Ultimate for your own key, full for your pals.

  •  using seahorse:
    if it isn't already installed, then
    sudo apt-get install seahorse

    and start it by typing seahorse in the terminal, or selecting Passwords and Keys in gnome. Select New
PGP key
Add details

You can add additional addresses later by selecting your key and right-click, then select Properties

Publish your PUBLIC key:
You can either do this directly using seahorse (very easy), or, if you prefer a more manual approach:

gpg --export -a
Version: GnuPG v1.4.12 (GNU/Linux)
Then copy/paste it into the front page at

2b. Chat

Gajim is seven kinds of awesome, but is primarily used for jabber-compatible protocols. This means gmail gmx, etc.

To set up encryption for an address, go to Edit, Accounts, select the address and go to the Personal tab.
GPG Agent is broken on Debian, so don't use that.
 Before you use gajim to encrypt chat you may need to rightlick on the recipient and assign the correct key:
 Once all that is done, encryption is easy.

Mcabber is a terminal chat client and that makes configuration very easy.
Edit ~/.mcabber/mcabberrc and add (or uncomment):

set pgp = 1
set pgp_private_key = "06403515C1XXXX6B"
set pgp_passphrase_retries = 3
The private key ID is much longer than what you may be used to -- you can look it up using seahorse. will also report it if you've uploaded your public key:

Anyway, start mcabber, select the contact you presumably already have a key for and type:

05-02 16:02 *** jid:  <>                                                                                                                                                                      
05-02 16:02 *** Name: xxxxx at xxxx                                                                                                                                                                              
05-02 16:02 *** Type: user                                                                                                                                                                                        
05-02 16:02 *** Subscription: both                                                                                                                                                                                
05-02 16:02 *** Resource: [o] (50) Gajim76E72461                                                                                                                                                                  
                Status timestamp: 2012-05-02 16:02:09                                                                                                                                                              
                PGP key id: 06403515C1XXXX6B                                                                                                                                                                         
                Last PGP signature: good                                                                                                                                                                             

The contact is recognised and you have their key. So, you should be able to simply start chatting.

Switch encryption on and off using
/pgp enable
/pgp disable

So how can you tell whether it's encrypted or not?

05-02 16:02 -~> This is encrypted

05-02 16:09 --> This is not encrypted

Yup. A ~ makes the difference.

Received encrypted messaged look like this:
05-02 16:12 <~= encryption the other way

2c. E-mail

Evolution supports integration with gnupg out of the box, but each email address needs to be configured separately. Start evolution, click on Edit, select Preferences, Mail Accounts, highlight the email address you want to configure, click on Edit. Select the Security tab in the Account Editor and type in the key ID.
When you're composing, this is what meets you:

You will have problems encrypting to people who's keys haven't been associated properly with the email address you're composing to.

Thunderbird isn't as well-supported for PGP/GPG as evolution but there's an add-on, Enigmail 1.4.1 (you might have to download it manually from, which is compatible with Earlybird/Thunderbird 11. The downside on using an add-on is that compatibility sometimes breaks.
The key here is the 'GnuPG was found...' bit. To  gain access the tabs below you can click on Display Expert Settings.

Once you've installed enigmail via the add-on menu and restarted, you can set the preferences:
Most options are straight-forward
You may need to set the key manually if the email address isn't explicitly associated with an address.

Go to Edit, Account Settings, and uncheck use html under Composition and Addressing for each address. Partly because signing will work better, but mainly because you have no reason to use html. Ever.

 And this is how it looks when you are composing emails:
You can choose to sign and/or encrypt emails from simple menu.

The key ID is C1XXXX6B. Edit your  .mutt/muttrc file and add (the field which need to be edited are given in red below):
# GPG stuff - autosign
set pgp_decode_command="gpg %?p?--passphrase-fd 0? --no-verbose --batch --output - %f"
set pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %f"
set pgp_decrypt_command="gpg --passphrase-fd 0 --no-verbose --batch --output - %f"
set pgp_sign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode %?a?-u %a? %f"
set pgp_clearsign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f"
set pgp_encrypt_only_command="pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0xC1XXXX6B -- -r %r -- %f"
set pgp_encrypt_sign_command="pgpewrap gpg --passphrase-fd 0 --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0xC1XXXX6B -- -r %r -- %f"
set pgp_import_command="gpg --no-verbose --import -v %f"
set pgp_export_command="gpg --no-verbose --export --armor %r"
set pgp_verify_key_command="gpg --no-verbose --batch --fingerprint --check-sigs %r"
set pgp_list_pubring_command="gpg --no-verbose --batch --with-colons --list-keys %r"
set pgp_list_secring_command="gpg --no-verbose --batch --with-colons --list-secret-keys %r"
set pgp_autosign=yes
set pgp_sign_as=0xC1XXXX6Bset pgp_replyencrypt=yes
set pgp_timeout=1800
set pgp_good_sign="^gpg: Good signature from"
In mutt, p is associated with gpg/pgp:
 In mutt, write your email in vim or nano, then exit the editor and hit p. Select e to encrypt:
And it now shows 'Security: Encrypt', and you can send.

Encrypted VOIP
While skype encrypts by default, skype isn't 'open', and you are not in control.

For twinkle (below), you need a sip address. You sometimes have one via your ISP, but you can also get one for free from e.g.

Twinkle and ccRTPp are available in the debian repos.
sudo apt-get install twinkle
pulls in everything you need

Next, start twinkle and configure it:

The only interesting step is this one:
Next log in:

 My guess is that you need to include the country code. Don't forget to drop any leading 0s off the area code (the scatter brained cause of the failed call listed in the log below)

11 December 2011

25. Linux The Basics: Google talk using Gajim or mcabber

Empathy is the stock gnome chat client, gajim is a REALLY versatile python-based chat client which integrates with gpg/pgp and mcabber is a command line chat client.

While I used empathy for a few years, I much prefer gajim. Partly it's the geek cred that comes with using something a bit less common, but mostly it's because it 1) supports gpg, 2) is highly configurable and 3) is easy to use. It's available in the debian repos. I like mcabber over centerim for the same reason - gpg support. Now, if I only had friends who were as paranoid as I...

Jabber ID:
Resource: Gajim
Priority: adjust to status

Port: 5223

If you use gpg, go to the Personal information tab
You don't need to select 'Use gpg agent' (gpg agent segfaults on one of my boxes)


The following goes into ~/.mcabber/mcabberrc

set color_background=default #allows transparent background

# Account
set jid =
set password = areallylongandcomplicatedpasswordwhichyoullneverremember
set server =
set port = 5222
set ignore_self_presence = 1 #show self in list?

set pgp = 1
set pgp_private_key = "01100110C1C1C1C1" # get the Key ID from seahorse 
set pgp_passphrase_retries = 3

set nickname = blofeld
set spell_enable = 1
set spell_lang = en_GB
set spell_encoding = UTF-8
set cmdhistory_lines = 250
set roster_display_filter = ofdna
set max_history_blocks = 8
set message_autoaway = Auto-away (idle)
set escdelay = 50

alias me = say /me
alias online   = status online
alias away     = status away
alias dnd      = status dnd
alias notavail = status notavail

bind 17 = roster unread_next
bind 24 = roster alternate
bind 269 = roster toggle_offline
bind 276 = roster toggle
bind 521 = buffer up
bind 514 = buffer down