Introduction
Encrypted communications are necessary to protect our privacy. There are many ways to achieve the desired privacy. One of those ways are securing our email communications.
There are two methods for securing email communications. The first is using "Pretty Good Privacy" software, such as gnupg or openpgp. The second is using S/MIME, which is based on Public Key Infrastructure, by using certificate issued by trusted certificate authority instead of self-generated gpg key.
No matter which method to use, as long as the desired privacy level is achieved, it is no problem. PGP is good to build trust between community. S/MIME, which is based on public key infrastructure, has its advantage of a trusted certificate authority. An encryption choice is a matter of preference and compatibility between clients. On Unix/Linux based systems, PGP is easy to set up, whereas on Windows based system, S/MIME has its advantage of easy to use. It's possible to use both encryption method on every platform, so that PGP and S/MIME should be compatible for most platform.
Another advantage of using S/MIME to sign and encrypt messages is no need to worry about signature exchange. As long as your S/MIME certificate is issued by a trusted certificate authority, you are trusted. No need to worry about gpg signing exchange party. Your level of trust is the same as the certificate authority that issued your certificate.
Here, I'll focus on setting up a curses-based mail user agent (MUA). It's Mutt, a simple text-based interface mail client. It's resource friendly and available for most platform, including Linux and Windows (via Cygwin), although I focus on Linux - which is the main OS on the Blinkenshell.
Setting Up Client Certificate
It's possible to generate self-signed certificate for use with encrypting mails, although there will be some problems such as untrusted certificates. I don't talk much about self generated certificates. Instead, I'll use a Comodo-generated personal certificate, which is free for personal usage and trusted by many mail clients.
Go to Comodo free email certificate sign up. Fill in the available forms. Check your inbox and follow the given instruction. I recommend using Firefox browser to retrieve the generated certificate.
When the certificate has been retrieved, export it. Go to Firefox menu, hit preferences button. Navigate to advanced tab, and click on certificates. Navigate to personal certificates and click export. Choose a strong password and save the pkcs12 key on a safe location, which is readable only by yourself.
Transferring PKCS12 to server
Now, transfer the pkcs12 key to your remote server. You may skip this step if you have mutt installed locally. Launch a terminal emulator and type the following command to transfer the key to your server, in this case is Blinkenshell server.
rsync -e 'ssh -p443' -chavP ~/mycert.p12 user@ssh.blinkenshell.org:~/
Enter your ssh login credentials if prompted
S/MIME Configuration
Congratulations. You have a pkcs12 available on your home directory. Now, prepare SMIME setup to store the certificate so that Mutt can make use of the certificate.
Preparation
Make sure you have installed mutt with ssl-enabled. If you don't have installed, read my previous post about compiling mutt. Launch the following command to initiate SMIME working directory.
smime_keys init
This command will create two files.
~/.smime/keys/.index ~/.smime/certificates/.index
Configuring Mutt for S/MIME encryption
Create ~/.mutt directory if it does'n exist
if [ -d ~/.mutt ]; then echo '.mutt is available'; else mkdir ~/.mutt fi
Copy S/MIME configuration example from your shared documents. If you followed my previous guide and installed mutt on your home directory, you should be able to find S/MIME configuration on ~/share/doc/mutt/samples/smime.rc.
cp ~/share/doc/mutt/samples/smime.rc ~/.mutt
If you use mutt installed from your distribution package/port manager, you should find smime.rc file on /usr/share/doc/mutt/samples or /usr/share/doc/mutt/examples directory. Make necessary changes according to the example file location.
Edit ~/.muttrc file with your favorite text editor, for example with vim or nano. Add the following lines to refer to S/MIME database path.
set smime_certificates=~/.smime/certificates set smime_keys=~/.smime/keys set smime_ca_file_path=/etc/ssl/certs/ca-certificates.crt source ~/.mutt/smime.rc
Save the file and quit the editor. Then you are ready to import your private key and certificate to S/MIME database.
Importing the certificate to SMIME database
Now, it's time to import the pkcs12 certificate to SMIME database. Mutt uses this database for SMIME function, such as signing, encrypting, and decrypting messages. Launch the following command to achieve the goal.
smime_keys add_p12 ~/mycert.p12
Insert your backup password when asked and create a new password for storing pem certificate on the database. You may use your backup passphrase if you wish. Give it a label indicating that it's a mail certificate, for example whirlpool_at_blinkenshell to show that the certificate is used for s/mime cryptography with my email address at Blinkenshell.
Configuring default signature for use with S/MIME
This step is not really necessary. You'll be asked for which signature to use if you skip this step.
Check your secret key id for use with S/MIME
smime_keys list
You should be able to find your key id in format 123456789.0. Make a note for this key id as it will be added to smime.rc configuration later.
Edit your ~/.mutt/smime.rc file. Replace the default_key with correct key id
set smime_default_key=123456789.0
Add sign as your default key to smime.rc configuration
set sign_as=123456789.0
Save the file and quit the editor. Now, you are ready to test mutt to send and receive S/MIME messages
Testing mutt for working S/MIME configuration
Launch mutt. Compose mail to yourself, by pressing 'm'. Specify the recipient address as yourself. When you've finished editing the mail, press 'S' to show the S/MIME preferences. Choose 'b' to sign and encrypt the mail. Type your S/MIME passphrase when you're asked to do. Type your smtp password when asked.
Wait a few minutes and check your inbox for new message. You should be able to decrypt and verify your own mail. Openssl output should say 'verification finished'. Now you are ready to send a S/MIME signed message
Sending your first s/mime signed message
If you have sent your mail successfully, why don't you send me an S/MIME encrypted mail? Some setup is necessary, but it's okay.
You need to import my public key. First, download my smime public key. Save it as ~/whirlpool.crt or whatever name you choose. Remember to do this on your server.
wget -O ~/whirlpool.crt 'http://whirlpool.blinkenshell.org/pages/mycertificate.crt'
Now, import my public key to S/MIME database.
smime_keys add_cert ~/whirlpool.crt
Give it a label, for example whirlpool_blinkenshell_pubkey to make it easier to remember my email address.
Now, launch mutt. Compose a new mail, by pressing 'm'. Specify my email address whirlpool at blinkenshell.org as the recipient. Feel free to choose your own subject.
When you are finished editing, save and quit the editor. Press 'S' to show S/MIME preferences. Select 'b' to both sign and encrypting the mail. Select 'w' to choose an encryption algorithm. I recommend using aes256, although other encryption method will be fine.
Send your message by pressing 'y' button. Enter your secret key passphrase when asked. If you entered wrong passphrase, just press 'ctrl + f' to make mutt forget the passphrase. Enter your smtp credential if asked.
Congratulations. Your S/MIME encrypted message has been sent. Wait for my reply then.
Importing public key from S/MIME signed messages
If you receive an S/MIME encrypted message and you want to encrypt your reply, you need to extract S/MIME signature from the message part. The signature usually found as smime.p7s. Press 'v' to view the attached files. Select the digital signature part. Press 's' to save the attachment to your home directory.
Now, try to identify the smime.p7s file.
file ~/smime.p7s
If the output says "data", it's a DER-encoded PKCS7 public key. If the output says "ASCII text", it's a PEM-encoded PKCS7 public key. You need to convert DER-encoded key to PEM encoded key before you can import it.
openssl pkcs7 -in ~/smime.p7s -print_certs > ~/smime.crt
After the certificate has been extracted, import the resulting smime.crt
smime_keys add_cert ~/smime.crt
Give it a good label indicating the person who own the key. Now, you can send an S/MIME encrypted mail to the person by choosing the right S/MIME public key.
Congratulations. You are ready for S/MIME encrypted communications.
Another way? Using gpgsm is possible!
gpgsm
is GnuPG tool for doing S/MIME. You can import the certificate extraced into gpgsm
database in case mutt
doesn't use smime_keys
database as I encountered recently.
gpgsm --import ~/smime.crt
You may go to this page to find my experience with gpgsm
recently.