Comments on: How to: Keep your e-correspondence private

By: Mackenzie

Mackenzie — Wed, 25 Jun 2008 20:08:30 +0000

Thanks kjcole…figures I mention it on the LUG list and you pop up to prove me wrong ;)

By: Kevin Cole

Kevin Cole — Wed, 25 Jun 2008 20:03:53 +0000

Both mutt and pine (and others I’m sure) make it fairly easy. Pine often comes with a bash script or three to do the dirty work:

/usr/bin/pinegpg-install /usr/bin/pinegpg -> /usr/bin/pinepgpgpg-install

The first alters your ~/.pinerc file adding in the necessary magic. I’m not even certain that the second one is still used…

For Mutt, on one of my older systems I had to add:

# Import GNU Privacy Guard/Pretty Good Privacy (GPG/PGP) handlers source /usr/share/doc/mutt-1.4.1/gpg.rc

to ~/.muttrc. (Ubuntu places gpg.rc in /etc/Muttrc.d/ which leads me to suspect that perhaps it’s included automatically. I’ve never used it from that system.)

By: Rick

Rick — Sat, 19 Apr 2008 18:04:59 +0000

The “truly paranoid” will go beyond encrypting their messages with PGP. They will also ensure that their mail client communicates with their mail server over an encrypted link, usually TLS, to be sure a listener cannot see the mail headers. They will also ensure they are using a secure email service such as Sub Rosa from novo-ordo.com so their email cannot be stolen by hacking into the server (another layer of encryption there) or subpoenaed by the US government (hosted outside their jurisdiction).

By: Mackenzie

Mackenzie — Thu, 17 Apr 2008 17:10:50 +0000

That’s the only reason to use signing. Encryption certainly has other uses.

By: Adam

Adam — Thu, 17 Apr 2008 17:05:50 +0000

I used to use PGP all the time but stopped mostly because everyone I email 1) doesn’t use it and 2) was freaked by all the random text at the bottom of the e-mail.

Other than proving an e-mail came from me, is there really any other good reason to use PGP?

-Adam

By: Mackenzie

Mackenzie — Thu, 17 Apr 2008 16:58:36 +0000

Really? I honestly didn’t look into mutt because I figure if you use mutt, you’re already a command line nut anyway. Web browsers and mail clients are the two things where I really prefer GUI over CLI.

By: mmb

mmb — Thu, 17 Apr 2008 16:48:17 +0000

Actually mutt integrates with GPG nicely. There are a number of howtos on it.

By: Mackenzie

Mackenzie — Thu, 17 Apr 2008 16:12:29 +0000

Then it’s the same basic idea except you need to find a certificate authority, and I think a lot of them charge money (probably some free ones though). GPG is just a more decentralized approach.

By: cldellow

cldellow — Thu, 17 Apr 2008 16:07:29 +0000

‘However you will be getting your “private” key from an out side source.’

No, this is not how public key certificates work. You present them with your public key and proof-of-possession of the private part of the key (i.e., by signing a challenge message). If they can verify the message successfully using your public key, they will in turn sign your public key.

By: Red Nikon

Red Nikon — Thu, 17 Apr 2008 15:05:24 +0000

First off, the above method is free (as in free beer, and free speech.) The technology is essentially the same. So you aren’t losing any functionality, nor does one have an advantage over the other.

However if you are willing to pay the price, it will be easier for you to implement. However you will be getting your “private” key from an out side source. With the above method, the OpenPGP Standard allows for totally in house creation of your “private” key. And if you want to go the extra mile you could encrypt your own hard drive, protecting the data stored on it to include your stored “private” key.

But, it all boils down to how far are you willing to go to truly protect your data, how much are you willing to spend, and how trusted it the source?

By: JohnS

JohnS — Thu, 17 Apr 2008 12:37:11 +0000

Hmmmm, or you could use a personal email certificate… what would be the difference between your solution and a certificate coming from a trusted authority?

By: ElfineP

ElfineP — Thu, 17 Apr 2008 04:06:26 +0000

Useful how to. Ever wonder why I still keep that pgp sourcecode…