Reset the Internet – Securing Mutt with GPG

With all the privacy issues these days, it is important to encrypt pretty much everything you can. This includes email. So, I went to set up Mutt with encryption. I’m one of those people who likes a “do this, then do this, then …” style how-to. Most things have those readily available, but I haven’t yet been able to find one for mutt with encryption. There are a lot of good tutorials out there, but they all seem to assume you already know what to put where. So, this is a “do this, then do that” style tutorial.
If you’re interested in why you do the following steps, this is probably not for you.

Mutt Setup

First, install mutt and gnupg. In Arch you do:

pacman -S --needed mutt gnupg

Next, set up your muttrc file with your email information. If you’re not sure how, there are a lot of good tutorials to help. Most of them recommend you put your muttrc in ~/.mutt/muttrc, and this is where I will assume yours is. Since we’re focusing on security, I will also include directions for encrypting your password so it’s not stored in plain text.
Add the following lines to your ~/.mutt/muttrc:

source ~/.mutt/gpg.rc
source "gpg -d ~/.mutt/passwd.gpg|"

Next, to get the gpg.rc file:

cp /usr/share/doc/mutt/samples/gpg.rc ~/.mutt/

Finally, add the following to the end of ~/.mutt/gpg.rc:

set pgp_sign_as=KEYNAME
set pgp_autosign=yes
set crypt_autosign=yes
set pgp_replyencrypt=yes
set pgp_timeout=1800

Later, after we have set up a gpg key, we’ll come back and change KEYNAME to its proper value.

GPG Setup

Edit the file ~/.gnupg/gpg.conf and add the following:

charset utf-8
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
keyserver wwwkeys.pgp.net
keyserver hkp://pool.sks-keyservers.net
keyserver pgp.zdv.uni-mainz.de

Edit the file ~/.gnupg/gpg-agent.conf, create it if necessary, and add the following:

default-cache-ttl 300
max-cache-ttl 999999

Create a key:

gpg --gen-key

Press enter to select the first default. RSA keys may be between 1024 and 4096 bits long. You can select the default of 2048, but of course 4096 will be harder to break. Next, select how long the key is valid.
Enter your name, email, and a comment, e.g., “email encryption key”. You will be given the chance to change anything you think is wrong. If you are happy with everything the way it is, press o and enter. You will be asked for a password. You need to make a good, strong password. Make sure it has a mix of upper and lower case letters as well as numbers. Don’t lose the password: losing it makes all this work useless, and you won’t be able to view messages sent to you that are encrypted.
The key will be generated. It takes a while, and while it is being made, try to do some tasks that require you to use the keyboard, mouse, and the disk drives. I am writing this while generating a key, so I’m getting lots of keyboard usage.
When it is finished, you will get a line that reads something like:

gpg: key DFE7A865 marked as ultimately trusted

The name of the key is DFE7A865. Take this number, and edit ~/.mutt/gpg.rc. Change the word KEYNAME to the name of your key. In the case of our example:

set pgp_sign_as=DFE7A865

If you want to publish your public key to a server:

gpg --send-key DFE7A865

To get the password info encrypted, create the file ~/.mutt/passwd with your favorite text editor. Add the following information:

set imap_pass="IMAPPASSWORD"
set smtp_pass="SMTPPASSWORD"

Now, to encrypt it:

gpg -r EMAIL@DOMAIN.EXT -e ~/.mutt/passwd

Replace EMAIL@DOMAIN.EXT with the email address you used to create your gpg key. This will create your encrypted password file, ~/.mutt/passwd.gpg, and now we need to get rid of the unencrypted version. This is easily done with srm, which is part of the secure-delete package:

srm ~/.mutt/passwd

That should do it. You should be able to send mail that is automatically signed using your key. To bring up the gpg menu in mutt, after composing a message, press p and you will get encryption options. I hope this has been useful, and that all your data remains safe.
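Two of the steps above, copying the key id from gpg’s output into ~/.mutt/gpg.rc and confirming that the muttrc only loads passwords through the gpg pipe, as an added shell example that is not part of the original post. The function names and the sample gpg line are constructed for illustration; nothing here calls gpg itself.

```shell
#!/bin/sh
# Added example, not from the original post. Automates two steps from the
# tutorial: copying the key id from `gpg --gen-key` output into gpg.rc, and
# checking that muttrc loads passwords only through the encrypted pipe.
# Function names and the sample gpg line below are constructed.

# Constructed sample of the line gpg prints when key generation finishes.
GEN_KEY_OUTPUT='gpg: key DFE7A865 marked as ultimately trusted'

# Print the key id from the "marked as ultimately trusted" line.
# Returns non-zero (and prints nothing) if no such line is present.
extract_key_id() {
    id=$(printf '%s\n' "$1" |
        sed -n 's/^gpg: key \([0-9A-Fa-f]*\) marked as ultimately trusted$/\1/p' |
        head -n 1)
    [ -n "$id" ] && printf '%s\n' "$id"
}

# Replace the KEYNAME placeholder in a gpg.rc ($1) with a key id ($2).
# Only hex ids are accepted, so nothing odd can be spliced into the config,
# and the file is rewritten via a temp copy so GNU and BSD sed both work.
set_pgp_sign_as() {
    rc="$1" keyid="$2"
    case "$keyid" in
        ''|*[!0-9A-Fa-f]*) echo "refusing non-hex key id: '$keyid'" >&2; return 1 ;;
    esac
    grep -q '^set pgp_sign_as=KEYNAME$' "$rc" ||
        { echo "no KEYNAME placeholder in $rc" >&2; return 1; }
    sed "s/^set pgp_sign_as=KEYNAME\$/set pgp_sign_as=$keyid/" "$rc" > "$rc.tmp" &&
        mv "$rc.tmp" "$rc"
}

# Succeed only if muttrc ($1) sources the encrypted password file through
# gpg and carries no plain-text imap/smtp password of its own.
muttrc_password_is_encrypted() {
    grep -q '^source "gpg -d ~/.mutt/passwd.gpg|"$' "$1" &&
        ! grep -Eq '^set (imap|smtp)_pass=' "$1"
}

# Demo on a scratch copy of the gpg.rc lines from the tutorial.
demo_rc=$(mktemp)
printf 'set pgp_sign_as=KEYNAME\nset pgp_autosign=yes\n' > "$demo_rc"
set_pgp_sign_as "$demo_rc" "$(extract_key_id "$GEN_KEY_OUTPUT")"
cat "$demo_rc"     # first line now reads: set pgp_sign_as=DFE7A865
rm -f "$demo_rc"
```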
