Need help with GPG/Enigmail/Torbirdy

14 réponses [Dernière contribution]
GNUser
Hors ligne
A rejoint: 07/17/2013

Hello everyone,

Ok, so, I need to make sure that I don't screw up with my "anonymous encrypted email".
Basically, from what I understand one could install thunderbird/icedove, install enigmail and torbirdy, and use an email on Tor hidden service (like mailtor) to send and receive GPG encrypted and signed emails. Problem is, apparently torbirdy has still a few leaks, and so I would like to do something "different". I would like to use icedove to write and encrypt the emails in my computer and after that copy+paste the encrypted email in the webmail interface. Same for receiving emails, I would receive it encrypted, copy+paste inside thunderbird, and it would allow me to read the plain text.
However, I have not been able to find anywhere HOW to do it, because it would involve having the keys (both mine and the person I want to contact) in the computer but preventing the thunderbird/icedove from accessing the web.
Does anyone here with experience with GPG and Torbirdy can give me a hand? I know some people here (like lloydsmart) use GPG even here in the forum, can you guys teach me how to do it? Everything that I found so far is about using a direct connection. Or maybe that is actually the best way... I don't know.

THANKS IN ADVANCE =)

jxself
Hors ligne
A rejoint: 09/13/2010

Why not use GPG on the command line to encrypt & decrypt message text? Should be easy to copy & paste stuff between terminal & web browser.

onpon4
Hors ligne
A rejoint: 05/30/2012

For PGP, try this:

https://www.enigmail.net/documentation/quickstart.php

That's how I learned to do it.

GNUser
Hors ligne
A rejoint: 07/17/2013

Thanks for the comments. I am reading the handbook on the enigmail website and it really looks like a easy thing to do IF I was to use a personal email, instead of a Tor based one (or one that I wanted to access through Tor to protect my identity).

After reading a little bit more on Tor project homepage, it seems like mixing GPG and Torbirdy is not a good idea (it will not work most of the time, unless curl is also installed, and the version on the reps is not the recommended one).
So, I guess my plan of using Icedove GUI will not be the best solution.... =S
Is there any other GUI for GPG in GNU/Linux? I understand using the command line would also work, but I would prefer something with a GUI if possible.
Anyway, how would it work through the command line? I mean:

1. How would I tell the system "encrypt this text with that particular key so I can send it to that person" (without ever connecting to the internet even if a connection is present);
2. How would I say "Take this text here and unencrypt it for me, using this particular key" (in case I had two keys for different email accounts);

Thanks!

GNUser
Hors ligne
A rejoint: 07/17/2013

After doing some more reading it seems that Seahorse will be the tool for the job. At least from what I have seen so far :)
One thing that "bothers" me is the fact that to create a new PGP key, it will always ask for the email address... Since I don't want to connect to the internet, and do everything locally, why is it trying to "connect the key to the email"??
Anyway, I will probably use this, since it even has a gedit plugin (which means it will save me some time). Does anyone knows which ports are used to connect to the internet (like to keyservers and such)? I would like to make sure Seahorse cannot connect to the internet...
THANKS =)

GNUser
Hors ligne
A rejoint: 07/17/2013

Guess I'm back at square one -.-
So, after lots of testing...

seahorse: is useless, for some reason the window that I get is totally different from the ones that I saw at the tutorials online, so most actions are not there. For some reason I can barely do anything at all with this one.

gpa: installed it and honestly I pretty much like it, but I always get an error "general assuan error" that prevents me from doing basically anything with it.

pyrite: a little software that I found in this site https://github.com/ryran/pyrite
looks good, and apparently does what I want but given the fact that is not a part of the repositories, I would rather not use it, even because it (from times to times) gives unexpected errors and bugs. Which is normal it was a one man project... Still, I don't think I feel very confortable with this one.

kgpg: basically too many broken dependencies for some reason. Gave it up.

I am thinking about using command line and maybe create a few scripts for nautilus. But I have some questions, hope someone will be able to clarify it for me:

1. Since I want to use GPG to encrypt text emails that I will be sending from an anonymous email, I feel uncertain about using the real email on "key generating" process. I think that if I by mistake upload the key to a server, it will reveal that my IP was the person behind the email all the time.

2. Could problem 1 be solved by not putting the email on "key generating" process? Would that still allow me to sign the messages, as in "be able to prove that it was I who sent the message"?

3. If I have imported 3 different keys from different persons/emails, how to I tell the system (in command line) that it must "use key1 for email1 and keyX for emailX"? Also, I will need to "save and store" the emails and keys of people who I want to connect to... That means that if an attacker can look at what keys are in my computer, it will be possible to "find out" who I am by seeing who I have been communicating with... right??

Sorry to make such a long post with so many questions, but PGP was always a part of computers that "puzzled me" a little. I a trying to overcome my initial fears and use it for better security :)
THANKS

quiliro@congresolibre.org
Hors ligne
A rejoint: 10/28/2010

I really don't understand what your problem is. But what I did was:

- install thunderbird, thunderbird-locale-es enigmail
- OpenPGP -> Configuration Wizard

And followed the steps. (Perhaps the names of the menus are not the same
in English.)

GNUser
Hors ligne
A rejoint: 07/17/2013

My "problem" is that I am trying to use it through Tor :)
And Torbirdy and Enigmail apparently don't work very well together, also, there is the problem that since I am not using Tails, I am afraid that by accident I might leak the keys of my contacts, thus revealing my real IP behind the tor mail service.
If it was a matter of using Enigmail, I would be doing so by now :)

quiliro@congresolibre.org
Hors ligne
A rejoint: 10/28/2010

El 04/01/14 08:46, name at domain escribió:
> My "problem" is that I am trying to use it through Tor :)
> And Torbirdy and Enigmail apparently don't work very well together,
> also, there is the problem that since I am not using Tails, I am
> afraid that by accident I might leak the keys of my contacts, thus
> revealing my real IP behind the tor mail service.
> If it was a matter of using Enigmail, I would be doing so by now :)
>

Perhaps the people at torproject.org IRC will know what the problem is.

GNUser
Hors ligne
A rejoint: 07/17/2013

Indeed, I have been trying to search for answers in the Tor Project website. But my questions here deal directly with something else (though I admit I got a little sidetracked at a point).

I need to know if I can use a program to:

Import a public key file, without connecting to the web;
Choose to encrypt a text with a different key;
Export my own keys (again never connecting to the web);
Make the whole encryption/unencryption process in my computer;
Protect/hide the keys that I have in my computer;
Preferably with a GUI;

I have investigated some alternatives (seahorse, GNU Shell, GPA, etc) but all of them have been giving me some headache.

So, I am inclined to use the combination of Tor+Thunderbird/Icedove+Enigmail+Torbirdy, but I know that can be insecure at some times.

jxself
Hors ligne
A rejoint: 09/13/2010

"I need to know if I can use a program to:"

Sure - It's called GPG. :)

"Import a public key file, without connecting to the web"

Sure - gpg --import /path/to/public/key (How that key gets on your file system is out of scope - Maybe you got it from someone over the internet or maybe they gave you their key in person or whatever. Either way, once it exists in your file system go import it.)

"Choose to encrypt a text with a different key;"

Sure - You can encrypt to whatever arbitrary key you want. Use the -u option when invoking GPG to specify which to use.

"Export my own keys (again never connecting to the web);"

Again, sure. Just like GPG has --import I mentioned earlier, it also has --export. An example would be gpg --export -a "GNUuser" > /path/to/save/public/key and you'll then have your ASCII-encoded public key at that point in your file system. Want to export your secrety key instead? Replace --export with --export-secret-key. Ta Da!

"Make the whole encryption/unencryption process in my computer"

Yeah - Use GPG to encrypt & decrypt messages. It has -e and -d options for encrypting and decrypting.

"Protect/hide the keys that I have in my computer;"

Use full-disk encryption?

"Preferably with a GUI;"

There are a number of GUI frontends listed at http://www.gnupg.org/related_software/frontends.html

So, as you can see, it's all about reading the documentation of GPG, from which you could have arrived at these same answers instead of me copying & pasting them for you. :)

GNUser
Hors ligne
A rejoint: 07/17/2013

First, thanks for your reply, it was very clear and informative. I was aware of most of it, but some key elements were new, thanks!

However, my main 2 problems are still standing which are:

- can we be 100% sure that GPG will never connect to the internet (by an accident or bug) thus revealing my identity?
I assume we can take that as a "no", there seems to be no indication of such "vulnerability"

- The front ends you mentioned, I already tried all of them. As you can see above, I state that all of them gave me problems. Seahorse for example gives me a much different window than what I see when I go to online tutorials and such... -.-

Thanks again, I see that it might not be so complicated to do it in the command line as I was initially afraid, I still prefer to use a GUI, but I will have to find one that actually works :S

jxself
Hors ligne
A rejoint: 09/13/2010

GPG will only be doing stuff online when you tell it to, like searching a key server for a key or sending a key to a keyserver. There isn't much more left to do in GPG though, so, I expect you'll know if you're doing something that requires a network connection. :)

Sim
Sim
Hors ligne
A rejoint: 09/29/2013

Hi,

I read that using the tor network for mail can cause problems with your mail provider. It is because you receive (and send) your mails periodically from total different locations and as a result of this your provider may think your account has been hacked.

GNUser
Hors ligne
A rejoint: 07/17/2013

Well, all doubts have been solved finally. After taking advice from quiliro and jxself, I have done some tests with GPG (everything works fine in command line and no errors happen, unlike with the GUIs I mentioned, and I see no internet connection happening whatsoever) and I asked around in Tor IRC.
Here is a simple view of things for people with some similar doubts:

Torbirdy changes settings in Thunderbird to force it to use the appropriate proxy and the appropriate privacy settings. These are enforced in each boot of Thunderbird, so even if you mess with something you can restart and everything will be safe again. There is a "leak" of the actual time you sent the email (the person who receives it can see, presumably the email service provider as well) but not of the time zone (Torbirdy forces Thunderbird time zone to UTC). So, the receiver can see what time was it that you sent the email, they are working on a patch for it.
As for using Enigmail, it is safe. It works correctly, you can encrypt and import keys and such, the only "issue" is that if the Engimail plugin tries to connect to the internet key server without using proxy settings, Torbirdy will deny it. That's what "safe close" means. In other words, there is no chance of revealing your identity through there. You might find some problems in using a key server, but again, Torbirdy uses a tor hidden service as key server, to make it safer.
So, all in all, I believe this thread might be useful for other people (even because different aspects of GPG and email were discussed here), and I hope the explanation I provide here is also clear enough.
I thank everyone who tried to help. The thread is now ended.