Showing posts with label thunderbird. Show all posts
Showing posts with label thunderbird. Show all posts

22 November 2022

675. Surviving a migration to Outlook 365 in a Linux-hostile environment

 At work we were just migrated to o365 ('M365' as they call it), and :

* they've disabled forwarding (so can't automatically forward my mail to e.g. a gmail account)

* they've disabled access for all email clients other than Outlook


This happened half a year ago to the students at my university, and here's the solution one of them sent me:

1. Get evolution-ews

 -- on thunderbird you have the non-free (as in beer) options of OWL for exchange and ExQuilla

-- DAVmail may also be a solution, but I haven't managed to get it to work. It will act as a layer between your mail client (e.g. thunderbird) and the EWS server, allowing you to continue using e.g. thunderbird without having to install anything.

2. Create a 'New Mail Account':

Identity: do whatever is appropriate for you organisation. Disable 'Look up mail server ...'



Receiving Email: Add the appropriate username for connecting to the mail server.

Host URL: use https://outlook.office365.com/EWS/Exchange.asmx -- it's the same for all organisations these days.

Authentication type: OAUTH2 (Office 365)

Check 'Override Office365 OAuth2 settings'

Tenant: leave empty

Application ID: d3590ed6-52b3-4102-aeff-aad2292ab01c

Redirect URI: urn:ietf:wg:oauth:2.0:oob


Then click on Fetch URL. This should populate the OAB URL field.


You should now be done.

07 November 2013

527. Briefly: setting up thunderbird 24.1.0 on Debian (binaries)

Not much to say, other than that building thunderbird is a bit more complex these days than simply doing a configure/make/make install pass. For once I decided that rolling my own version wasn't worth it, and grabbed the pre-built binaries instead.

Here's a very brief description of how to get them set up:

mkdir ~/tmp
cd ~/tmp
wget ftp://ftp.mozilla.org/pub/mozilla.org/thunderbird/releases/24.1.0/linux-x86_64/en-GB/thunderbird-24.1.0.tar.bz2
tar xvf thunderbird-24.1.0.tar.bz2 
cd thunderbird/
sudo mkdir /usr/local/lib/thunderbird-24.1.0
sudo cp * -R /usr/local/lib/thunderbird-24.1.0
sudo rm /usr/local/bin/thunderbird
sudo ln -s /usr/local/lib/thunderbird-24.1.0/thunderbird /usr/local/bin/thunderbird

20 August 2013

496. Briefly: New email -- adding to PGP/GPG key and changing email account order in Thunderbird

I've created a new email address to move my email correspondence away from google as much as practically possible.

gpg
I've already got a gpg key pair, but I'd like to add the new email address to it.

First find out what you key id is, then add another user id:
 gpg --list-secret-keys
/home/me/.gnupg/secring.gpg ----------------------------- sec 1239G/F8F8FF8F 2011-11-11 uid me <aaa bbb.com> uid lindqvist <ccc ddd> uid verahill <eee fff.com> ssb 1239G/G8GG888G 2011-11-11
gpgp --edit-key F8F8FF8F
Secret key is available. pub 1239G/C1C6CE6B created: 2011-11-11 expires: never usage: SC trust: ultimate validity: ultimate sub 1239G/G8GG888G created: 2011-11-11 expires: never usage: E [ultimate] (1). me <aaa@bbb.com> [ultimate] (2) me <ccc@ddd.com> [ultimate] (3) lindqvist <eee@fff.com> [ultimate] (4) Verahill <ggg@hhh.com> gpg> adduid Real name: Linuxuser Email address: iii@jjj.fr Comment: 20/8/2013 You selected this USER-ID: "Linuxuser (20/8/2013) <iii@jjj.fr>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a passphrase to unlock the secret key for user: "Linuxuser <iii@jjj.com>" 2048-bit RSA key, ID C1C6CE6B, created 2011-11-11 pub 1239G/C1C6CE6B created: 2011-11-11 expires: never usage: SC trust: ultimate validity: ultimate sub 1239G/G8GG888G created: 2011-11-11 expires: never usage: E [ultimate] (1). me <aaa@bbb.com> [ultimate] (2) me <ccc@ddd.com> [ultimate] (3) lindqvist <eee@fff.com> [ultimate] (4) Verahill <ggg@hhh.com> [ unknown] (5) Linuxuser (20/8/2013) <iii@jjj.fr> gpg> quit Save changes? (y/N) Y

Thunderbird
Simple, yet more complicated that it needs to be: http://sidvind.com/wiki/Thunderbird/Change_account_order

Go to Edit, Preferences, Advanced, General, Config Editor.


Search for mail.accountmanager.accounts, and edit the order of the accounts.

Note that the default account (mail.accountmanager.defaultaccount) will always show up first, regardless of the order you set. Restart thunderbird and the changes should take effect.

17 August 2013

494. Very briefly: issue with thunderbird, failed connections and repeatedly being asked for the password

Even if you've set up thunderbird so that everything is working perfectly most of the time you occasionally end up in a very annoying situation: you keep on getting error messages about failed connections, and you keep being asked to supply the correct password. You can hit retry, or you can enter the correct password -- but why would you, given that you know based on previous successful connection attempts that your password is correct?
Leaving things along for 5-10 minutes tends to resolve it (or restarting thunderbird, given that you don't do it too quickly i.e. you basically let things stay quiet for a little while).

Anyway, while there are a number of potential reasons for this, in my case it's always been due to too many simultaneous connections, so that some of them are rejected. Not that that's what the error message really says, but whatever, the solution is actually pretty simple -- limit the number of simultaneous connections.

Go to Edit, Account Settings, select the account (typically a gmail one), Server Settings, click on Advanced, and change the 'Maximum number of server connections to cache' from the default 5 to e.g. 1.

On the computers I've done this on I've completely gotten rid of the annoying password requests.

08 April 2013

381. Encrypting chat, voice, video-- revisited

About a year ago I published this post:
128. Encrypting your email, chat and VOIP in linux (Debian Wheezy)

While I'm using gajim for encrypted chatting on a daily basis, always sign my emails with PGP/GPG in thunderbird and evolution, and keep a truecrypt container in my dropbox account, I've noticed that I don't ever use twinkle, which was the voice encryption solution I looked at in post 128.

The time is thus ripe to explore alternatives. Also, seahorse and evolution have changed enough that updated screenshots may be warranted. So here's Encryption for 2013. You will find that the most difficult thing  about encryption is to convince other people to use it as well.

The tl;dr version is: use gajim. It's awesome.


--- Beginning of the boring bits ---

Why?
I'm not actually paranoid, but what about

*'If you don't have anything to hide, then what are you worrying about?' ? The issue with that kind of reasoning is that it can twisted into meaning that if you do worry, then you do have something to hide, and  mere possession of  will imply guilt. Presumably, if people in general are using e.g. PGP, the risk of it being banned or restricted (or being enforceable) is smaller. See e.g. this if you're living in the US.

* What happens if you gmail account gets hacked? Could someone glean enough information from your conversations and email to steal your identity?

* Do you need to send someone your PIN, bank card info or SSN but don't necessarily feel

* Do you need to discuss something but keep it confidential?

* It's fun! Being able to encrypt gives you a bit of a power trip.

What does annoy me are people who think that they aren't targets because 'why would anyone want to hack me'? Low-profile individuals are rarely targets in their own right, but what about the company you are working for? What about friends of yours? What about the possibility of opportunistic drive-by hacking where targets aren't selected by who they are, but by lapses in security?

In my case, I work for a large university -- gaining access to the intranet for an outsider would only be the first step in potentially compromising thousands of computers or accessing the personal information of tens of thousands of people (has happened at every uni I've worked). I manage servers at two universities -- if they get compromised their access to high speed internet could be used for spam routing (has also happened).

 I have friends who work with classified projects presumably involving nuclear weapons (nat'l lab in the US) -- I might be an intermediary target.

 I have a credit card, and a credit history. What if someone steals my identity and takes out a loan in my name? (has happened)

Or what if I have confidential data on a USB stick and I lose it -- if it's encrypted damage control is a lot easier (has happened at my uni).

Again, I'm not really paranoid, but there is always a tiny risk that someone, for whatever reason, is targeting you.

OTR and GPG/PGP
Note that I am NOT an expert on this. I've used PGP a lot, but have only recently been introduced to OTR. Also, merely being a user of something doesn't make an expert at it. What I write might be wrong.

PGP (pretty good privacy)/GPG (it's open sourced implementation) is a proven encryption method which uses asymmetric encryption with a private and a public key. You use someone else's public key to encrypt messages to them, and only their private key can decrypt it. Likewise, you give your public key to someone who wants to email you -- they use that to encrypt messages to you, and you -- and only you -- can decrypt it with your private key. PGP also supports signing to verify authorship -- you can sign (not encrypt) a message using your private key, and then anyone with your public key can decrypt it.

It's worth emphasizing this: if you encrypt with your private key, anyone in the world can decrypt it.

Whenever you generate a new key pair, you can publish the public key on a range of online repositories, such as http://pgp.mit.edu/ I think seahorse (gnome, evolution) and enigmail (thunderbird) can automatically search public key servers for public keys.

PGP is in principle a very strong encryption method using a 2048 byte (or larger) key. However, it suffers from a major drawback:  anyone who can get their hands on your private key can decrypt everything. That basically means that anyone who gets access to your unencrypted harddrive can copy your key and eavesdrop. The longer you use the same key, the more likely it is that this will already have happened, especially if you have traveled through the US and been forced to give them access to your laptop. Leaving your laptop in your hotel room -- especially in a place like China (although it goes for anywhere) -- is probably also not advisable. Since you can't keep an eye on your hardware 24/7, this is a serious issue.

Another potential issue is that if you sign conversation with a key, then that conversation can be attributed to you i.e. a third, eavesdropping party may be able to ascertain who the conversing parties are.

Again, emphasis: your conversation may be safe now, but if in three months your key is lost all your conversations for years will be decrypted.

You can deal with this to some extent by either encrypting your entire harddrive, or by keeping your private key on an encrypted USB stick (be mindful of the increased risk of misplacing your usb stick and other people gaining access to it -- any encryption can generally be broken, given enough time and resources).

My main use of PGP/GPG is to have candid discussions via chat, and to sign my email.

OTR (Off the Record) is a 'new' (since 2004) alternative and is described in (accessible) detail here: http://www.cypherpunks.ca/otr/otr-wpes.pdf

It aims to solve a lot of the issues with PGP by doing away with a long-lived key. It also aims to make it impossible for a third party to identify the conversing parties. From what I understand it works more or less like this:

If we decide to chat, I generate a key,and you generate a key. Once we're done talking, we dispose of the keys. No-one --- not even the conversing parties -- can decrypt the conversation, which also ensures that nothing will surface by accident at a later date. PGP can obviously be used in the same manner, but it's the implementation of it which has to be convenient. Obviously, in practice this works a whole lot better for chat than email.

Anyway, from my reading of it OTR works pretty much the same as PGP (using large primes and public/private keys) -- it's just the actual implementation which differs. On starting the chat you click on a button to generate your key pair, and the public key gets sent to your chat partner and vice versa. Exit the chat session and your keys are gone. OTR also uses authentication of messages to ensure authorship i.e. even though a man in the middle can encrypt messages to you using your public key and pretend that they are written by your conversation partner, the lack of the correct authentication signature will alert you to the fact that someone is spoofing the messages. PGP does the same by signing with the private key. There's no way to prove authorship based on the authentication signature though -- all you can do is determine that a series of messages came from the same author, but there's nothing which intrinsically proves who that person is. With PGP, on the other hand, if the assumption is that the private keys of the conversing parties have not been compromised, then they both are who they claim they are (of course you might've been duped into using someone else's public key and then all bets are off).

Anyway, OTR improves on PGP and works well for chat. PGP is probably still the easier solution for email.

SRTP (secure real-time transport protocol)
I don't know much about this, and am heavily relying on the Wikipedia page.
SRTP is an encryption method for streamed data, which I read to include voice and video. It needs a key management protocol, such as ZRTP. The way keys are managed depend on the protocol. As far as I understand ZRTP uses temporary asymmetric keys which are exchanged at the beginning of the encryption part of the conversation, similar to OTR, but includes one major difference: a call begins with a verbal exchange of a specific value displayed in the clients of the two parties conversing. This is to avoid that there's a man in the middle attack -- you will presumably recognise the voice of the person you're talking to and be able to verify the identity that way.

I won't cover data encryption using e.g. Truecrypt, in particular, since I've covered it in detail before, e.g. here: http://verahill.blogspot.com.au/2012/04/using-truecrypt-with-dropbox.html

Solutions that I won't consider:
While e.g. skype uses encryption, you're not in control. Also, it's not open source, so who knows how it works

While you using https and google talk in a browser encrypts you video/voice calls and chat, you're not in control -- google can decrypt your conversation any time.

--- End of the boring bits ---


PGP/GPG keypair
The easiest way to do it is probably via the seahorse GUI.
sudo apt-get install gnupg seahorse

Start seahorse (known as Passwords and Keys in Gnome 3).


Once you've made a key pair, synchronise it with a server so that other people can get your public key, e.g.


Alternatively, you can do everything on the command line:
gpg --gen-key
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc. [..] Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) Y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) " Real name: I Lindqvist Email address: i.lindqvist@email.net Comment: fake address You selected this USER-ID: "I Lindqvist (fake address) " Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key.
You'll get asked for a passphrase twice. Then:
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 283 more bytes) ..+++++ ...+++++ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. +++++ Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 109 more bytes) .....................+++++ gpg: key 2B4C5636 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 2048R/2B4C5636 2012-05-02 Key fingerprint = 5B71 C3F1 0C2D E008 B299 21A8 019F 907E 2B4C 5636 uid I Lindqvist (fake address) sub 2048R/78F9B6C1 2012-05-02
gpg --list-key
/home/me/.gnupg/pubring.gpg ----------------------------- pub 2048R/2B4C5636 2012-05-02 uid I Lindqvist (fake address) sub 2048R/78F9B6C1 2012-05-02
To add more email addresses, do
gpg --edit-key 2B4C5636
>adduid


and follow the prompts. You do not want to add subkeys. Do
>trust

to set the trust level. Ultimate for your own key, full for your pals.

Implementation

Chat:

Gajim 
Gajim supports both PGP (natively) and OTR (via a plug in). It's also easy to use and written in python, which is a plus.

To enable PGP/GPG, go to Edit, Accounts, Personal Information, Choose Key:

You need to assign the public key to the contacts you want to chat with. First get the public key -- either from an online repo or by email from your contact. In e.g. seahorse, go to Remote, Find Remote Keys and search:




Then, in gajim, do


To enable OTR, go to Edit, Plugins, click on the Available tab and wait a little while for the list to populate:





To use OTR, do the following:
Start chat, click on the settings icon, select off-the-record, and start

It's now encrypted

To verify the identity of the other party, click on Authenticate contact

Ask a question

And the other person answers

Authentication achieved

Alternatives
mcabber also support PGP/GPG, and is a curses based program. See here for configuration.

pidgin and jitsi both support OTR, but not PGP.

Pidgin and mcabber are in the debian repos.


Email:

Evolution:
Enabling PGP/GPG is very easy -- edit your account, and go to the Security tab:
To encrypt, start a new message and click on Options. You might want to have html turned off.
Thunderbird:
You'll need to install enigmail.

 You can select your key etc. under key management.

Alternatives
Mutt does PGP/GPG and is a neat curses-based program.


Z/SRTP in Voice

There are a couple of solutions for 'secure' voice and video. I looked at Twinkle before, and while it's a capable SIP program, the downside is that it requires access to a SIP service (e.g. Ekiga, or via your ISP). What is really needed are clients which can encrypt communication going via e.g. google talk/jabber and the likes. Jitsi does that, and is open source.

I won't consider Skype for the usual reasons -- it's not free, open or transparent.

Jitsi
Get jitsi by doing
wget https://download.jitsi.org/jitsi/debian/jitsi_1.0-latest_amd64.deb
sudo dpkg -i jitsi_2.0-latest_amd64.deb

Start Jitsi and set up an account. You can add more accounts later by going to Options and clicking the Accounts tab.

Anyway, start Jitsi, and go to Options, Security to get an overview. Here's the ZRTP tab. Basically you CAN change the parameters, but you're advised not to:

Jitsi also does OTR chat:

And you can set a master password, so that people can't start jitsi if you leave your desktop unprotected.

You don't need to do anything to enable ZRTP as it will automatically be used if both your and your partner's clients support it, so here's OTR in Jitsi:





24 January 2013

326. Compiling Thunderbird 17.0.2 on Debian Testing

I tested this compile in a bare chroot, so the dependencies should be pretty much hammered out. The build is easy but fairly slow.

sudo apt-get install bzip2 build-essential python zip libgtk2.0-dev libdbus-glib-1-dev libasound2-dev libogg-dev libxt-dev yasm libcurl4-openssl-dev mesa-common-dev
mkdir ~/tmp
cd ~/tmp
wget ftp://ftp.mozilla.org/pub/mozilla.org/thunderbird/releases/17.0.2/source/thunderbird-17.0.2.source.tar.bz2
rm -rf comm-release/
tar xvf thunderbird-17.0.2.source.tar.bz2
mkdir bldthunder17
cd bldthunder17/
../comm-release/./configure --disable-necko-wifi
make
sudo make install

That took 122 minutes on a single core.
Checkinstall doesn't work and ends with segfault.


12 October 2012

254. Compiling Thunderbird 16 on Debian Wheezy

I've posted how to compile thunderbird (12 and 13) in the past. Here's v 16.0.1:

First you need to sort out the dependencies:

sudo apt-get install libdbus-glib-1-dev gir1.2-notify-0.7 libnotify-dev yasm checkinstall libzip-dev zip libgtk2.0-dev

As usual, I prefer to do the building in ~/tmp
If you have a ~/tmp/comm-release directory, make sure to delete it first:

rm ~/tmp/comm-release -rf

Now download the new source (106 Mb):

cd ~/tmp
wget ftp://ftp.mozilla.org/pub/mozilla.org/thunderbird/releases/16.0.1/source/thunderbird-16.0.1.source.tar.bz2

Untar it, and create a new directory for out-of-tree building:

tar xvf thunderbird-16.0.1.source.tar.bz2
mkdir thunderbird16
cd thunderbird16/

Time to configure:
../comm-release/./configure --disable-necko-wifi

And build (40 minutes on a triple core AMD II)

make -j4

where -j4 indicates that it's built in parallel on a 3 core (3+1=4) processor. Note that this has nothing to do with running the finished binaries in parallel -- it's just a way of speeding up the compilation.


Make sure that you don't have an older version of thunderbird install via dpkg i.e.

aptitude search thunderbird|grep ^i

should come up blank. If not, uninstall that package.

Finally, install your new binaries:

sudo make install

And you're done.

04 May 2012

134. Introducing a CA certificate in debian

So, for some reason you've been issued a CA certificate. Now what?

I've presumed that you've somehow downloaded both the root certificate (cacert.crt) and your personal certificate (usercert.pem). You'll need both.


Openssl

Convert to .p12
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out usercert.p12

Verify
You can verify your issued certificate, e.g.
openssl verify  -CAfile ~/Downloads/cacert.crt ~/.globus/usercert.pem


Browsers:

Iceweasel/Firefox 
Go to Edit, Preferences, Advanced, Encryption: View certificates. Click import under Your Certificates and select your usercert.p12 (see above for conversion).  Got to servers, import cacert.crt.

Make sure that your cert authority shows up under the authority tab (otherwise try importing cacert.crt). Highlight the relevant authority, and click on edit trust: select the relevant fields of identification (e.g. website and/or email).


Chrome/Chromium
Click on the spanner icon, go to Settings, Under the bonnet, Manage Certificates and select Import under Your Certificates. Click on server, import the cacert.crt. Approve the certificate authority for the intended uses of the certificate. If you did it already in firefox it may have carried over.


Email:

Evolution
First go to Edit, Preferences, scroll down to Certificates and import your certificate and, under authorities, import the root certificate (cacert.crt).

Under the Authorities tab, select the issuing authority, click on edit and set the trust level (probably all)


Next, go to Edit, Preferences, Mail Accounts, Select an account and click on Edit. Select the Security tab


Repeat this for all accounts you want to use this certificate with.

Test it:


Send it. Receive it.

If all is correct, this is what greets you

If you don't add the certificate authority as being trusted -- and this will be the case for some of your recipients, this is what you see. Signature no good.


Thunderbird
Go to Edit, Account Settings... and under each account click on Security, then on View Certificates -- import your certificate and the issuing authority's certificate here, or you won't be able to Select the certificates under Digital Signing and Encryption.

Also, under View Certificates, highlight the certificate authority and select Edit Trust -- click on Edit CA trust, select website, mail etc., then select I do trust...
I presume that you do trust the authority or this is an exercise in futility.
You need to do this for ALL accounts that you intend to use, or you'll run into trust issues.

You can select/de-select signing when composing using the S/MIME menu.

If all goes well, users which also have the same certificate authority listed as trusted (probably not the case, but whatever) will see a sealed envelope (this message has been signed by pgp as well as S/MIME:

02 May 2012

128. Encrypting your email, chat and VOIP in linux (Debian Wheezy)

I'll show how to use GnuPG with Gajim, mcabber, Evolution, Thunderbird and Mutt below
.
I'll also show SRTP/ZRTP using Twinkle with iinet for encrypted VOIP calls -- this solution should work computer-to-computer, but not from computer to phone and vice versa.

You may also want to look at truecrypt (http://verahill.blogspot.com.au/2012/04/using-truecrypt-with-dropbox.html) to secure your files and/or devices, in particular portable storage media like USB sticks. Truecrypt is a good way of backing up or managing your pgp/gpg keys.

I do recognise that there's a lot of info on this page, so don't feel shy about using 'search' to get to where you want to be.

Why?
If you have nothing to hide, why worry?

University and company email systems get hacked. What you do and say can come back to haunt you in unintended way. A lot of employers in the US are scared of submitting honest letters of recommendation because they fear getting sued if they are not favourable enough. Politicians are, often illegally, using private email for official business.

On the one hand, if something doesn't pass the 'newspaper test' (how would you feel if this was the headline on today's newspaper?) maybe you shouldn't be doing/writing/saying that.

On the other hand, in particular in academia, it is important that discourse can be direct and honest.

For these reasons I favour using PGP/GPG encryption as much as possible, since I feel that it strikes a good balance between the need for privacy and unfettered discourse, and the need for a paper trail. PGP/GPG encrypts the content of your conversation, but still leaves it open with whom you converse, thus providing a trail ensuring  that you don't get involved in something which you shouldn't.

In some jurisdictions this means that you can be ordered to decrypt your conversation, while, to my understanding, in e.g. the US the content and relevance of the conversation needs to be known to some extent for this to happen. The bottom line is that you will be involved in the release of the material, and that it will take a court order for that to happen.

As with everything else, encryption is just a tool, and it can be used responsibly for good purposes, or irresponsibly with bad intent.

And if even you truly don't have anything to hide, you may support the right for each citizen to decide for themselves whether they want to use encryption or not. The view of law enforcement in many countries seems to be that only criminals have reasons to use encrypted communication, while at the same time security/intelligence agencies believe that their job becomes more difficult to do if they can't sniff all traffic (e.g. ECHELON).  These are legitimate opinions, but as with everything you have to make a choice between how much liberty you are willing to sacrifice for a little bit of security. You have to decide for yourself where you draw that line.

Enough meaningless banter, time to get configured.

1. IMPORTANT

The key KEY principle is that:
1. the PUBLIC key ENCRYPTS
2. the PRIVATE key DECRYPTS.

You can encrypt with a private key (e.g. signing), but then anyone with your public key can decrypt it.

I'll write this in bold because it is central to encryption with public and private keys:
use the recipients PUBLIC key to encrypt correspondence to them, and they should use your public key to encrypt correspondence to you. If a private key is used to encrypt, everyone can read the correspondence.

IF, on receiving an encrypted email from someone else, you have to go online to download their key to decrypt, then they used their private key and not your public key to encrypt. That is wrong and INSECURE.

A side effect is that,UNLESS you cc and encrypt to yourself using your public keys when emailing, you WILL NOT BE ABLE TO READ SENT EMAILS which have been encrypted using someone else's public key.

In a more formal setting you will probably want to use expiring keys. For personal use, keys that don't expire are probably fine.


2. How?


2a. Keys and key-management

First install seahorse, gnupg, and gnupg2.

Regardless of how you create your key, it will be found in ~/.gnupg

ls ~/.gnupg/
gpg.conf      pubring.gpg   pubring.gpg~  random_seed   secring.gpg   trustdb.gpg

This means that anyone with root/sudo access on that system can access your private key and decrypt all your correspondence unless you password protect it.  In general, don't store your key on a shared computer.

Creating a key


  • using gpg (terminal)


gpg --gen-key
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
[..]
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) Y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: I Lindqvist
Email address: i.lindqvist@email.net
Comment: fake address
You selected this USER-ID:
    "I Lindqvist (fake address) <i.lindqvist@email.net>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
You'll get asked for a passphrase twice. Then:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 283 more bytes)
..+++++
...+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++
Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 109 more bytes)
.....................+++++
gpg: key 2B4C5636 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/2B4C5636 2012-05-02
      Key fingerprint = 5B71 C3F1 0C2D E008 B299  21A8 019F 907E 2B4C 5636
uid                  I Lindqvist (fake address) <i.lindqvist@email.net>
sub   2048R/78F9B6C1 2012-05-02
gpg --list-key
/home/me/.gnupg/pubring.gpg
-----------------------------
pub   2048R/2B4C5636 2012-05-02
uid                  I Lindqvist (fake address) <i.lindqvist@email.net>
sub   2048R/78F9B6C1 2012-05-02
To add more email address, do
gpg --edit-key 2B4C5636
>adduid
and follow the prompts. You do not want to add subkeys.

Do
>trust
to set the trust level. Ultimate for your own key, full for your pals.

  •  using seahorse:
    if it isn't already installed, then
    sudo apt-get install seahorse

    and start it by typing seahorse in the terminal, or selecting Passwords and Keys in gnome. Select New
PGP key
Add details

You can add additional addresses later by selecting your key and right-click, then select Properties




Publish your PUBLIC key:
You can either do this directly using seahorse (very easy), or, if you prefer a more manual approach:

gpg --export -a
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)
mQENBE+gt4IBCADPY9CyEr1aqU1uqOKquwFOUgsiLNV7pYRLKkTa3hki/8Zz0Ssr
16DIvuO5dGQVsDu712E2FaW3FSzThzPBW9R9z1WNHjZUWtRu78WVNyJJ3WwjJFWV
hmA9kmWzFn14pcqzeD6RAkpK7YrKENu05A2vWB47mWFxlysCxo8VdPoj/uEG0Cvw
BHNrI8raVarwWOPPZiVTp7nbbHySQxZjJTpdR5bEFH+L1AqA3T0YG5FdXryGFXG0
DMLPD3mCSZHoT27WRH4l8mH7K25m6ONUV8u6JDLtSy/WAi9J2nGo5K5r/OetDqe7
zTOaQk7u+WyTxK41nzNk/NRVAUlcc7aM7WXFABEBAAG0MkkgTGluZHF2aXN0IChm
YWtlIGFkZHJlc3MpIDxpLmxpbmRxdmlzdEBlbWFpbC5uZXQ+iQE4BBMBAgAiBQJP
oLeCAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRABn5B+K0xWNtxlB/9K
GAq9Q8YlZjKOnOx2jZWRqE6dHZ5BjNX24SmsVWf0jpEIP1Bj699QiWxxEYeIc2S7
E0vm3G323oEHfiGUlTpqi4piCnrEgm63JKNGWKamKBkYBTvygRFRC7DUWhB6kwP3
FmOU8SMR9+8lSei6IJoRlJUThdF3gWLiNnQtDDowjQL2gIHvh+Ht/geC+fDtN0i5
R7yGUOyIicYDa04dSsX5LZJneouIavNYulTpJc0wth6GOrzAbitVsfdQ84O/Q/Ld
lyI6HSzz/QNDuY2YkAPiejapHBtBP9LukBvFChfkiwNv+RPG9VE8zm0vIg9ylmaf
Fbe1CrawAsjQDM8f1KEtuQENBE+gt4IBCADK5PJMH0I8CB1RoMLo13Ewd8tFoIYu
bXIuV2RpUCTwxOA1nbKiJUrZP0Dxe0aK6GXspEzRtYjpT2QdIvdYsHrr85V4+AsJ
BFQ3ehp6XW2NtyECQyzYlUm4Yo06EU128E0whfeK42b+egWazOrdnt9QKlZCP5lz
UU8L9zJiDI64old79AkbRm7mKdH6uIAwkPG3Eft+2H312MkRGfmiJ/Eq/HQO8ygo
pcg93kqU9RrI8xwfO5plqF9yc9iNzrgDu8iuOPSxYuJtG3cj0W4CzuwLRzMnWFXO
CQpcCWF38/a2HTrXCxA5QAf0Td3P7zc7eZd6JhpzNTTJ7zQeeQreKjhfABEBAAGJ
AR8EGAECAAkFAk+gt4ICGwwACgkQAZ+QfitMVjbn2Af/SURRS72DJ66F0Gpt9bIe
p2zr98c+W4bPru7fVg4uOAxz95H1vK65kX7jZ+9M5yqHGqLNxmVcUcVhbXS+Fkik
LoBxLezU7s1bC40HSFPu00IQQxiH5jv9Dd/kqP16oel+JVGDwmRXFWXqByaWaaNm
6JYHYcCH6B4UwSpSRiwJScbTWsvxq9+WVAUO730FwGy3BYnZAXNeibV2/bbtZbz6
P23zyitFqOizuafvwFIS9pGvbL3pmUkQne0dF1OGhfhsdczZi+LVhnKy6iOy7lTx
6saK149HMndyLNOlS8pmJez2ULXF/fijLlrXAi3zr8a2UFkpYPEIj+emkeFpAGiE
mQ==
=VnnT
-----END PGP PUBLIC KEY BLOCK-----
Then copy/paste it into the front page at pgp.mit.edu




2b. Chat

Gajim
Gajim is seven kinds of awesome, but is primarily used for jabber-compatible protocols. This means gmail gmx, etc.

To set up encryption for an address, go to Edit, Accounts, select the address and go to the Personal tab.
GPG Agent is broken on Debian, so don't use that.
 Before you use gajim to encrypt chat you may need to rightlick on the recipient and assign the correct key:
 Once all that is done, encryption is easy.



mcabber
Mcabber is a terminal chat client and that makes configuration very easy.
Edit ~/.mcabber/mcabberrc and add (or uncomment):

set pgp = 1
set pgp_private_key = "06403515C1XXXX6B"
set pgp_passphrase_retries = 3
The private key ID is much longer than what you may be used to -- you can look it up using seahorse. pgp.mit.edu will also report it if you've uploaded your public key:



Anyway, start mcabber, select the contact you presumably already have a key for and type:
/info

05-02 16:02 *** jid:  <xxx.xxxxx@xxxx.xxx>                                                                                                                                                                      
05-02 16:02 *** Name: xxxxx at xxxx                                                                                                                                                                              
05-02 16:02 *** Type: user                                                                                                                                                                                        
05-02 16:02 *** Subscription: both                                                                                                                                                                                
05-02 16:02 *** Resource: [o] (50) Gajim76E72461                                                                                                                                                                  
                Status timestamp: 2012-05-02 16:02:09                                                                                                                                                              
                PGP key id: 06403515C1XXXX6B                                                                                                                                                                         
                Last PGP signature: good                                                                                                                                                                             

The contact is recognised and you have their key. So, you should be able to simply start chatting.

Switch encryption on and off using
/pgp enable
and
/pgp disable


So how can you tell whether it's encrypted or not?


05-02 16:02 -~> This is encrypted

05-02 16:09 --> This is not encrypted

Yup. A ~ makes the difference.

Received encrypted messaged look like this:
05-02 16:12 <~= encryption the other way




2c. E-mail

Evolution
Evolution supports integration with gnupg out of the box, but each email address needs to be configured separately. Start evolution, click on Edit, select Preferences, Mail Accounts, highlight the email address you want to configure, click on Edit. Select the Security tab in the Account Editor and type in the key ID.
When you're composing, this is what meets you:


You will have problems encrypting to people who's keys haven't been associated properly with the email address you're composing to.



Thunderbird
Thunderbird isn't as well-supported for PGP/GPG as evolution but there's an add-on, Enigmail 1.4.1 (you might have to download it manually from http://enigmail.mozdev.org/download/index.php.html), which is compatible with Earlybird/Thunderbird 11. The downside on using an add-on is that compatibility sometimes breaks.
The key here is the 'GnuPG was found...' bit. To  gain access the tabs below you can click on Display Expert Settings.

Once you've installed enigmail via the add-on menu and restarted, you can set the preferences:
Most options are straight-forward
You may need to set the key manually if the email address isn't explicitly associated with an address.




Go to Edit, Account Settings, and uncheck use html under Composition and Addressing for each address. Partly because signing will work better, but mainly because you have no reason to use html. Ever.

 And this is how it looks when you are composing emails:
You can choose to sign and/or encrypt emails from simple menu.




Mutt
The key ID is C1XXXX6B. Edit your  .mutt/muttrc file and add (the field which need to be edited are given in red below):
# GPG stuff - autosign
set pgp_decode_command="gpg %?p?--passphrase-fd 0? --no-verbose --batch --output - %f"
set pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %f"
set pgp_decrypt_command="gpg --passphrase-fd 0 --no-verbose --batch --output - %f"
set pgp_sign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode %?a?-u %a? %f"
set pgp_clearsign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f"
set pgp_encrypt_only_command="pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0xC1XXXX6B -- -r %r -- %f"
set pgp_encrypt_sign_command="pgpewrap gpg --passphrase-fd 0 --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0xC1XXXX6B -- -r %r -- %f"
set pgp_import_command="gpg --no-verbose --import -v %f"
set pgp_export_command="gpg --no-verbose --export --armor %r"
set pgp_verify_key_command="gpg --no-verbose --batch --fingerprint --check-sigs %r"
set pgp_list_pubring_command="gpg --no-verbose --batch --with-colons --list-keys %r"
set pgp_list_secring_command="gpg --no-verbose --batch --with-colons --list-secret-keys %r"
set pgp_autosign=yes
set pgp_sign_as=0xC1XXXX6Bset pgp_replyencrypt=yes
set pgp_timeout=1800
set pgp_good_sign="^gpg: Good signature from"
In mutt, p is associated with gpg/pgp:
 In mutt, write your email in vim or nano, then exit the editor and hit p. Select e to encrypt:
And it now shows 'Security: Encrypt', and you can send.







Encrypted VOIP
While skype encrypts by default, skype isn't 'open', and you are not in control.

For twinkle (below), you need a sip address. You sometimes have one via your ISP, but you can also get one for free from e.g. https://www.ekiga.net/index.php?page=register

Twinkle and ccRTPp are available in the debian repos.
sudo apt-get install twinkle
pulls in everything you need

Next, start twinkle and configure it:




The only interesting step is this one:
Select ZRTP/SRTP
Next log in:


 My guess is that you need to include the country code. Don't forget to drop any leading 0s off the area code (the scatter brained cause of the failed call listed in the log below)