GnuPG + mutt + OSX + GMail

published

A little over two years ago I generated a new GnuPG key. I had been using a 1024-bit key created in 2004, so I created a new 4096-bit key. I’ve used this new key only a handful of times since it’s creation.

In early 2014 I joined Keybase with high hopes of seeing an increase in GnuPG adoption. A few folks I know use the service, and we’ve cross-validated one another; but none of them have sent me any encrypted messages. Of course, Keybase’s larger utility is as much in “proving” my various online identities as it is in facilitating encryption.

At the 2015 Ohio LinuxFest, one of the birds-of-a-feather sessions was a keysigning party. There were about a dozen of us in attendance, some complete novices and some GnuPG experts. It was a great opportunity to meet a few new folks, as well as pick up a few GnuPG best practices.

All of this took place shortly after I declared my intention to learn mutt for my day-to-day email usage. Mutt has great support for GnuPG, and I was hopeful that this support would encourage me to use GnuPG as much as mutt.

I’ve learned rather a lot in the last couple of weeks, and this post is an effort to record and share some of that information for others. Aside from a few OSX specific bits, most of what follows should be generally applicable to Linux users as well.

All of what follows is my own opinion. You likely don’t know me, so you should not trust my opinion. Do your own research, and figure out what settings make sense for you! If you find any factual inaccuracies in my suggestions, please contact me and let me know!

GnuPG

I've been using OSX exclusively for my day-to-day desktop computer use. (My employer has a few compliance requirements not yet easily satisfied by Linux, so this is as close as I can get to a POSIX-based system.) There are two ways to install GnuPG onto an OSX system: Homebrew or GPG Suite. I chose the latter, because it provides good Finder and Mail.app integration, but these are conveniences only.

The default options for GnuPG are okay, but not great. Depending on your level of paranoia, the defaults may be downright disastrous. One of the more interesting documents I found was Operational PGP, which was chock full of usefully paranoid suggestions. That, combined with OpenPGP Best Practices provided the bulk of my ~/.gnupg/gpg.conf settings.

In particular, ensure that you’re not using old and insecure algorithms:

cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224

Also ensure that you’re not leaking information unnecessarily:

no-greeting
no-comments
no-emit-version
throw-keyids

When using GPG Suite on OSX, be sure to make use of the GPG agent:

use-agent

The agent makes it much less hassle to use GnuPG. And it will come in particularly handy with mutt, too!

There was some interesting disagreement after the Ohio LinuxFest keysigning party with respect to proper next steps. Do you encrypt the signed key that you send? Do you individually sign each user ID on a public key? Do you push to keyservers? Each keysigning party may have different norms, so be sure to get answers to these questions before taking any actions! The Debian keysigning instructions may be useful as a reference for possible best practices.

GNU/Linux users are encouraged to use caff, which handles much of the tedium of signing and sending signatures to the folks at a keysigning party. Unfortunately, caff doesn’t work on OSX (despite being in homebrew). Additionally, caff sends mail directly from the host on which it is invoked, which may not work for laptops connected to residential ISPs. You may need to correctly configure a relay host in order to make the most of caff.

Aside: pass

Once you have GnuPG configured, take a look at pass, a GnuPG based password management system for Linux and OSX. pass works well for individuals as well as groups. We use it at work, and it's proven extremely helpful.

mutt

Installing mutt on OSX is best accomplished with Homebrew: brew install mutt was my first attempt, and this does work well enough. But this default incantation leaves out a newer feature of mutt's GnuPG support: GPG Made Easy (GPGME). GPGME allows you to drastically simplify your mutt config file with respect to GnuPG. In order to get mutt to use GPGME, you need to manually compile it: brew install mutt --build-from-source --with-gpgme --with-slang

With GPGME, the relevant section of my .muttrc file is this:

set pgp_autosign=no
set pgp_auto_decode=yes
set pgp_sign_as="0xD8F2E57BED0F2C0A"
set pgp_replysign=yes
set pgp_replyencrypt=yes
set pgp_timeout=1800
set pgp_use_gpg_agent=yes
set crypt_use_gpgme=yes
set crypt_replyencrypt=yes
set crypt_replysignencrypted=yes
set crypt_verify_sig=yes

I realize that looks like a lot, but compare it with the recommendations from the mutt wiki.

GMail

If you're a GMail user, you can use something like the following to get mutt to connect: 
set imap_user = "skippy@skippy.net"
set imap_keepalive=60
set imap_passive=no
set imap_check_subscribed=yes
set imap_idle=yes
set mail_check=60
set smtp_url = "smtp://skippy@skippy.net@smtp.gmail.com:587/"
set from = "skippy@skippy.net"
set smtp_authenticators = 'login'
set folder = "imaps://imap.gmail.com:993"
set spoolfile = "+INBOX"
set postponed ="+[Gmail]/Drafts"
set record="+[Gmail]/Sent Mail"
OSX users: take particular note of the set smtp_authenticators directive. This resolves a bug with the homebrew formula for mutt. I was unable to login without this.

I don’t want to type in my GMail password every time I connect, and I don’t really want to leave a plaintext copy of my GMail password in my .muttrc. Since I’m using GPG and the GPG agent, I can encrypt my password and decrypt that on the fly when mutt starts!

source "gpg -d ~/.mutt/passwords.gpg |"

For lots of other great suggestions about dealing with GMail, check out GPG / Mutt / Gmail by Ben Nagy. I particularly liked the recommendations for SSL hardening, and not blindly trusting SSL certs presented by IMAP and SMTP servers.

Conclusion

It's been a fun adventure learning some of the intricacies around GnuPG, mutt, and GMail. The fact that I'm using OSX does tend to complicate things, since so many howtos online are written for GNU/Linux users.

I still use the GMail web interface with depressing frequency, despite all the effort to configure and learn mutt. I’m trying hard to use mutt exclusively, but that’s quite an uphill battle.

One of the interesting things that all of the above work does not address is shared access to my Inbox from my laptop and my mobile phone. I will not install my GnuPG private key onto my mobile phone, so any encrypted emails I may receive will need to lie unread until I can access them on my laptop. Similarly, I won’t install my private key onto my VPS server, or a Raspberry Pi at home, or any other device I’m not likely to have in my immediate possession at most times.

UPDATE: I discuss private key security in a subsequent post.

So far this hasn’t been an issue, given the paucity of encrypted emails I receive. If encrypted emails were to become more commonplace for me, I might need to revisit my policy against my private key on my phone, since my phone is where I read the surprising majority of my emails these days.

References

home / about / archive / RSS