Using Mutt and GPG for E-Mail

Jana Jaeger


This article is a HOWTO for using GPG together with Mutt for e-mail. SUSE LINUX 7.2 ships with Mutt version 1.3.16i and GPG version 1.0.5. Please note that an update package for GPG is available, as announced in a recent security announcement.

GPG - Getting Started!

Installing and Configuring GPG

The GPG packages (gpg and gpgaddon) are included in all SUSE LINUX distributions from version 6.3 on. They can be found in the series sec (security) and can be installed directly with YaST. When gpg is started for the first time, a warning like this

gpg: Warning: using insecure memory!
gpg: /home/tux/.gnupg: directory created
gpg: /home/tux/.gnupg/options: new options file created
gpg: you have to start GnuPG again, so it can read the new options file
may appear. The first line means that gpg could not lock its secure memory area (mlock), so the passphrase and secret key could in principle be paged out to swap; this happens when gpg runs without the privileges needed for locking. The warning can be silenced by adding no-secmem-warning to your ~/.gnupg/options file and will not appear the next time gpg is started, but silencing it does not make the memory any safer.

Generating a Key

The following session transcript is largely self-explanatory:

tux@earth:~ > gpg --gen-key
gpg (GnuPG) 1.0.1e-SUSE; Copyright (C) 2000 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) ElGamal (sign and encrypt)
Your selection? 1

DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024) 1024
Requested keysize is 1024 bits

Of course, you can choose a key size larger than 1024 bits. At the time of writing, 1024 bits was a reasonable compromise between performance and security; it is no longer considered adequate, and current GnuPG versions default to larger keys.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct (y/n)? y 

After specifying the expiry date of your key, you are asked for your name, e-mail address and an optional comment; gpg builds the user ID of the key from these. Finally, you have to protect the secret key with a passphrase.

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Tux Penguin
Email address: tux@earth.org
Comment: The world's most famous penguin
You selected this USER-ID:
    "Tux Penguin (The world's most famous penguin) <tux@earth.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a Passphrase to protect your secret key.
Enter passphrase:
Repeat passphrase:

public and secret key created and signed.
You've done it :-)

Exporting a Key

To distribute your public key you have to export it. Without a key ID or user ID argument, --export writes every public key on your keyring, so name the key you mean if you only want your own. With the --armor (or -a) option the output is ASCII text (a PGP PUBLIC KEY BLOCK) instead of binary. It goes to stdout unless you specify a filename with -o [filename].

tux@earth:~ > gpg --export -a -o Key

tux@earth:~ > gpg --list-keys
/home/tux/.gnupg/pubring.gpg
---------------------------
pub  1024D/21DB9489 2000-11-01 Tux Penguin <tux@earth.org>
sub  1024g/D7D59598 2000-11-01

pub  1024D/C272A126 1999-10-13 Geeko Green <geeko@moon.org>
uid                            Geeko Green <geeko@earth.org>
sub  1024g/D8024B4C 1999-10-13

Importing Keys

In case you want to add other people's public keys to your key-ring or to reintegrate your own public keys that have been signed by someone else, you have to import them.

tux@earth:~ > gpg --import /tmp/geekokey
gpg: key 21DB9489: 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1
In this example, Tux (re)imports his own public key after Geeko has signed it. The output of --import shows the number and kind of changes made to the key; here it is Tux's key <tux@earth.org> that has been modified by one new signature.

Signatures and Ownertrust

GPG can compute how trustworthy (valid) another user's key is. You have to specify how many signatures are needed before a key counts as valid (the --marginals-needed and --completes-needed options, defaults 3 and 1, can be set in ~/.gnupg/options) and you have to rate how much you trust each signer to verify other people's keys (ownertrust). In the following example, gpg --list-sigs was run to show the keys in question and the signatures already made on them.

tux@earth:~ > gpg --list-sigs
/home/tux/.gnupg/pubring.gpg
---------------------------
pub  1024D/21DB9489 2000-11-01 Tux Penguin <tux@earth.org>
sig        21DB9489 2000-11-01  Tux Penguin <tux@earth.org>
sig        C272A126 2000-11-01  Geeko Green <geeko@moon.org>
sub  1024g/D7D59598 2000-11-01
sig        21DB9489 2000-11-01  Tux Penguin <tux@earth.org>

pub  1024D/C272A126 1999-10-13 Geeko Green <geeko@moon.org>
sig        C272A126 1999-10-13  Geeko Green <geeko@moon.org>
sig        1C98774E 1999-10-13  [User id not found]
sig        21DB9489 2000-11-01  Tux Penguin <tux@earth.org>
uid                            Geeko Green <geeko@earth.org>
sig        C272A126 1999-10-13  Geeko Green <geeko@moon.org>
sig        1C98774E 1999-10-13  [User id not found]
sig        21DB9489 2000-11-01  Tux Penguin <tux@earth.org>
uid                            Geeko Green <geeko@earth.org>
sig        C272A126 2000-11-01  Geeko Green <geeko@moon.org>
sub  1024g/D8024B4C 1999-10-13
sig        C272A126 1999-10-13  Geeko Green <geeko@moon.org>
After checking the signatures on Geeko's <geeko@moon.org> key, Tux has decided both to assign an ownertrust value to it and to sign it. The angle brackets select the key by exact e-mail address; they must be quoted, otherwise the shell treats them as redirections.

tux@earth:~ > gpg --edit-key '<geeko@moon.org>'
gpg (GnuPG) 1.0.1e-SUSE; Copyright (C) 2000 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.


pub  1024D/C272A126  created: 1999-10-13 expires: never      trust: m/q
sub  1024g/D8024B4C  created: 1999-10-13 expires: never
(1)  Geeko Green <geeko@moon.org>
(2)  Geeko Green <geeko@earth.org>

Command> trust

pub  1024D/C272A126  created: 1999-10-13 expires: never      trust: -/q
sub  1024g/D8024B4C  created: 1999-10-13 expires: never
(1)  Geeko Green <geeko@moon.org>
(2)  Geeko Green <geeko@earth.org>

Please decide how far you trust this user to correctly
verify other users' keys (by looking at passports,
checking fingerprints from different sources...)?

 1 = Don't know
 2 = I do NOT trust
 3 = I trust marginally
 4 = I trust fully
 s = please show me more information
 m = back to the main menu

Your decision? 3

Tux has decided to trust Geeko marginally, which means he is not fully confident that Geeko verifies other users' keys carefully before signing them. This value is about Geeko as a signer of other keys; it does not affect whether Geeko's own key is valid for Tux, which is what Tux's own signature establishes. Accordingly, he now signs Geeko's key.

pub  1024D/C272A126  created: 1999-10-13 expires: never      trust: m/q
sub  1024g/D8024B4C  created: 1999-10-13 expires: never
(1)  Geeko Green <geeko@moon.org>
(2)  Geeko Green <geeko@earth.org>

Command> sign
Really sign all user IDs? y

pub  1024D/C272A126  created: 1999-10-13 expires: never      trust: m/q
             Fingerprint: 93A3 365E CE47 B889 DF7F  FED1 389A 563C C272 A126

     Geeko Green <geeko@moon.org>
     Geeko Green <geeko@earth.org>

Are you really sure that you want to sign this key
with your key: "Tux Penguin <tux@earth.org>"

Really sign? y

You need a passphrase to unlock the secret key for
user: "Tux Penguin <tux@earth.org>"
1024-bit DSA key, ID C1DD5956, created 2000-11-01

Command> save
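To make the difference between signatures and ownertrust concrete, here is a small model of GnuPG's classic trust computation. This is an added example, not code from the article or from GnuPG; it follows the rules and defaults documented for gpg (--marginals-needed 3, --completes-needed 1, --max-cert-depth 5). The key IDs 21DB9489, C272A126 and 1C98774E are the ones in the listings above; the keys AAAA0001 to AAAA0003 and every signature on them are constructed for the illustration.

```python
"""Model of GnuPG's classic web-of-trust validity computation (added example).

Ownertrust is how much you trust the *owner* of a key to verify other
people's keys before signing them.  Validity is whether a key on your ring
really belongs to the named person.  Signatures by trusted, valid keys turn
the former into the latter.
"""

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"

# Key IDs taken from the article's listings ...
TUX, GEEKO, STRANGER = "21DB9489", "C272A126", "1C98774E"
# ... and constructed ones for the illustration (not real keys).
NEWKEY, PAL1, PAL2 = "AAAA0001", "AAAA0002", "AAAA0003"


def key_validity(signatures, ownertrust, marginals_needed=3, completes_needed=1, max_cert_depth=5):
    """signatures: {key_id: set of key_ids whose signatures appear on that key}
    ownertrust:  {key_id: ULTIMATE | FULL | MARGINAL}; your own key is ULTIMATE,
                 "don't know" and "do NOT trust" contribute nothing and are simply absent.
    Returns {key_id: FULL | MARGINAL | UNKNOWN}."""
    validity = {key: UNKNOWN for key in signatures}
    depth = {}                                   # length of the certification chain to each valid key
    for key, trust in ownertrust.items():
        if trust == ULTIMATE:                    # your own key is valid by definition
            validity[key] = FULL
            depth[key] = 0
    changed = True
    while changed:                               # validity propagates along signatures; iterate to a fixed point
        changed = False
        for key, signers in signatures.items():
            if validity[key] == FULL:
                continue
            fulls, marginals, used = 0, 0, []
            for signer in signers:
                if signer == key:                # self-signature binds the user ID; it vouches for nothing
                    continue
                # A signature only counts if the signer's own key is already fully
                # valid and the chain to it is not longer than max_cert_depth.
                if validity.get(signer) != FULL or depth[signer] >= max_cert_depth:
                    continue
                trust = ownertrust.get(signer)
                if trust in (ULTIMATE, FULL):
                    fulls += 1
                elif trust == MARGINAL:
                    marginals += 1
                else:
                    continue                     # valid key, but you do not trust its owner as a signer
                used.append(signer)
            if used and (fulls >= completes_needed or marginals >= marginals_needed):
                validity[key] = FULL
                depth[key] = 1 + min(depth[s] for s in used)
                changed = True
            elif used and validity[key] == UNKNOWN:
                validity[key] = MARGINAL         # some trusted signers, but not enough of them
                changed = True
    return validity


# Tux's keyring as the article lists it, plus a constructed key that only Geeko has signed.
SIGNATURES = {
    TUX:    {TUX, GEEKO},
    GEEKO:  {GEEKO, STRANGER, TUX},
    NEWKEY: {NEWKEY, GEEKO},
}
OWNERTRUST = {TUX: ULTIMATE, GEEKO: MARGINAL}   # what Tux chose in the --edit-key session

# Constructed variant: two more keys Tux has signed and trusts marginally, which also signed NEWKEY.
WIDER_SIGNATURES = {**SIGNATURES, PAL1: {PAL1, TUX}, PAL2: {PAL2, TUX},
                    NEWKEY: {NEWKEY, GEEKO, PAL1, PAL2}}
WIDER_OWNERTRUST = {**OWNERTRUST, PAL1: MARGINAL, PAL2: MARGINAL}


if __name__ == "__main__":
    print("as in the article:       ", key_validity(SIGNATURES, OWNERTRUST))
    print("Geeko trusted fully:     ", key_validity(SIGNATURES, {**OWNERTRUST, GEEKO: FULL}))
    print("three marginal signers:  ", key_validity(WIDER_SIGNATURES, WIDER_OWNERTRUST))
```

The result shows the point of the ownertrust question: Geeko's key is fully valid because Tux himself signed it, but a key that only Geeko has signed is merely marginally valid while Geeko is only marginally trusted. It becomes fully valid when Tux either raises Geeko's ownertrust to full (one fully trusted signer suffices) or collects signatures from three marginally trusted signers. The signature by the unknown key 1C98774E never contributes anything. gpg warns and asks for confirmation before encrypting to a key that is not fully valid.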

Fingerprints

Before using another user's public key you need to be sure that it really belongs to that person and has not been swapped for an attacker's key on the way to you. If there is no way to meet in person, the convenient check is to compare the key's fingerprint over the phone (or another channel the attacker does not control). The fingerprint is a cryptographic hash (SHA-1 for the v4 keys gpg generates here) computed over the public key itself, so two keys have the same fingerprint only if they are the same key; its last eight hex digits are the key ID shown in the listings. Of course, this only helps if you recognise the voice on the phone.

tux@earth:~ > gpg --fingerprint
/home/tux/.gnupg/pubring.gpg
---------------------------
pub  1024D/21DB9489 2000-11-01 Tux Penguin <tux@earth.org>
     Key fingerprint = A4F8 7499 83E8 72D9 0901  3025 FE6E DBDC 21DB 9489
sub  1024g/D7D59598 2000-11-01

pub  1024D/C272A126 1999-10-13 Geeko Green <geeko@moon.org>
     Key fingerprint = 93A3 365E CE47 B889 DF7F  FED1 389A 563C C272 A126
uid                            Geeko Green <geeko@earth.org>
sub  1024g/D8024B4C 1999-10-13
In this example, Tux has used the --fingerprint command to print the fingerprints of his whole keyring (give a key ID or user ID to limit it to one key). Once he and Geeko have read the fingerprint of Geeko's key to each other over the phone and it matches, Tux knows that the key C272A126 on his ring is the one Geeko holds; he can sign it and use it to exchange encrypted e-mail with Geeko. The fingerprint says nothing about how carefully Geeko verifies other people's keys, which is the separate question the ownertrust setting answers.
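The following is an added example, not code from the article or from GnuPG. It shows in Python how a v4 OpenPGP public key packet is hashed into the fingerprint and key ID that --fingerprint and --list-keys print, and how the armoured text written by --export -a (see "Exporting a Key" above) wraps the binary packets with a CRC-24. The key packet is constructed with meaningless small numbers, so its fingerprint is not that of any key in the article; a real export also contains user ID, signature and subkey packets after the key packet, which are left out here.

```python
"""Fingerprint, key ID and ASCII armour of an OpenPGP v4 public key (added example).

Formats follow RFC 4880: section 12.2 for fingerprints, 6.1 for the armour CRC.
The sample key is constructed and carries no real key material.
"""
import base64
import hashlib
import struct

PK_DSA = 17            # OpenPGP public-key algorithm ID for DSA (the "D" in gpg's "1024D")


def mpi(value):
    """Encode an integer as an OpenPGP multi-precision integer: 2-byte bit count + magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(created, algo, numbers):
    """Body of a version-4 public-key packet: version, creation time, algorithm, MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(n) for n in numbers)


def public_key_packet(body):
    """Old-format packet header for tag 6 with a two-octet length is exactly 0x99 + length."""
    return b"\x99" + struct.pack(">H", len(body)) + body


def fingerprint(body):
    """v4 fingerprint: SHA-1 over 0x99, the 2-byte body length and the body,
    i.e. over the key packet exactly as it appears in an exported key."""
    return hashlib.sha1(public_key_packet(body)).hexdigest().upper()


def short_key_id(fpr):
    """The 8-hex-digit key ID gpg 1.x prints is just the low 32 bits of the fingerprint."""
    return fpr[-8:]


def format_fingerprint(fpr):
    """Lay the fingerprint out as gpg --fingerprint does: ten groups of four, split in the middle."""
    groups = [fpr[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def crc24(data):
    """CRC-24 that protects an ASCII-armoured block against transmission damage."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packets, kind="PUBLIC KEY BLOCK"):
    """What `gpg --export -a` wraps the binary packets in."""
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP %s-----" % kind, ""] + lines
                     + ["=" + crc, "-----END PGP %s-----" % kind, ""])


def dearmor(text):
    """Reverse of armor(); raises ValueError if the block is malformed or its CRC does not match."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP ") or not lines[-1].startswith("-----END PGP "):
        raise ValueError("not an armoured block")
    body = lines[1:-1]
    while body and body[0] != "":        # skip "Version:" style armour headers
        body.pop(0)
    body = body[1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC line")
    crc_line = body.pop()
    packets = base64.b64decode("".join(body))
    if crc24(packets) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armour CRC mismatch: block was corrupted in transit")
    return packets


def armor_is_intact(text):
    """True if dearmor() accepts the block, False on any format or CRC error."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


# Constructed sample key: DSA with tiny, meaningless numbers in place of the
# 1024-bit p, q, g, y of a real key; the timestamp is 2000-11-01 00:00 UTC.
SAMPLE_BODY = v4_public_key_body(973036800, PK_DSA, [0xC0FFEE, 0xBEEF, 2, 0x1234])
SAMPLE_PACKET = public_key_packet(SAMPLE_BODY)


def demo():
    fpr = fingerprint(SAMPLE_BODY)
    return {"fingerprint": format_fingerprint(fpr), "key_id": short_key_id(fpr),
            "armored": armor(SAMPLE_PACKET)}


if __name__ == "__main__":
    for name, value in demo().items():
        print("%s:\n%s" % (name, value))
```

Two points the code makes: flipping a single bit of the key material changes the fingerprint, which is why comparing it over the phone detects a substituted key; and the CRC on the armour only catches accidental corruption in transit, not deliberate replacement of the whole block, so it is no substitute for the fingerprint check.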

Mutt

Preparing Mutt for GPG/PGP

Before you can send and receive encrypted e-mail, a few lines have to be added to your .muttrc. First, source ~/gpg.rc, the file that tells Mutt which gpg commands to run for signing, encrypting, decrypting and verifying. Second, set the pgp_sign_as option to the ID of the secret key Mutt should sign with, written as 0x followed by the eight hex digits of your key ID (0x21DB9489 for Tux's key in the listings above).
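As an added example (not the article's own configuration), here is what those .muttrc lines look like together with the related Mutt 1.3 options. The path ~/gpg.rc follows the article; the key ID is Tux's from the listings above and must be replaced by your own; the pgp_* option names are those of Mutt 1.3 (later Mutt versions renamed most of them to crypt_*).

```muttrc
# GnuPG settings for ~/.muttrc (added example; key ID and path are assumptions)
source ~/gpg.rc                 # Mutt's gpg command definitions, as the article says
set pgp_sign_as=0x21DB9489      # secret key Mutt signs with: replace with your own key ID
set pgp_autosign=yes            # offer to sign every outgoing message
set pgp_replyencrypt=yes        # encrypt replies to messages that arrived encrypted
set pgp_replysign=yes           # sign replies to messages that arrived signed
set pgp_timeout=300             # seconds Mutt keeps the passphrase cached (default 300)
```

pgp_sign_as must name a key whose secret part is on your keyring, otherwise signing fails. Choose a short pgp_timeout if other people can reach your terminal: Mutt keeps the passphrase in memory for that many seconds after you type it.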

Sending Encrypted E-Mails

When you have finished composing your e-mail, open the PGP menu (type p) and choose to sign, to encrypt, or both. For encryption Mutt offers every public key on your ring that matches the recipient's address; pick the one whose fingerprint you verified, then send the e-mail.

Receiving and Decrypting Them

For an encrypted message Mutt asks for the passphrase of your secret key; once it has been entered, the message is decrypted and displayed as plain text. For a signed message the result of gpg's signature check is shown in the PGP output above the message body, so look at it before relying on the contents.

Further Information

Details of Mutt's configuration can be found in Kurt Garloff's "How to use GnuPG for E-Mail" and on the home page of the Mutt project. The home page of the GnuPG project also provides useful information.

Last changed: 18.09.2003 14:54 MET DST by webmaster@suse.de