name: default class: middle, center layout: true --- # Email Privacy w/ Enigmail ## CryptoParty like it's 1984!
.nobullets[ * Felix C. Stegerman `
` * Maurice Verheesen `
` * Donné Brok `
` ]
> "CryptoParty is a decentralized, global initiative to introduce basic cryptography tools to the general public."
.small[2014-01-13] .small[(press space for next slide, ? for help)] --- name: welcome layout: false # Welcome ## You'll learn: * How email works * Why encryption is important * How to use Enigmail and Thunderbird to send and receive encrypted email: - Configure e.g. Gmail - Install Enigmail - Setup Enigmail - Send and receive encrypted email - Key management ## About us: ### Who are we? ... ### Why are we here? ... --- name: toc # Table of Contents .medium-small[ * [Welcome](#welcome) * [Privacy](#privacy) * [How Email Works](#how): - [Types of Email](#email-types) - [A Message's Journey](#email-journey) - [Email Connections](#email-conns) - [Anatomy of a Message](#email-anatomy) * [Why Should I Care About Encryption? and What Is Public Key Cryptography?](#crypto) * [Using Encryption w/ Thunderbird & Enigmail](#using): - [What's Enigmail/Thunderbird/OpenPGP/GnuPG?](#what) - [Prerequisites](#prereq) - [Warnings](#warnings) - [Gmail Settings](#gmail) - [Thunderbird & Enigmail](#tb-enig): * [Setup Thunderbird w/ Gmail](#tb-setup) * [Install Enigmail](#enigmail-install) * [Configure Enigmail](#enigmail-config) - [Mail](#mail): * [Write Mail](#write-mail) * [Read Mail](#read-mail) * [Mail Source](#mail-source) * [Attachments](#attach) * [Signatures](#sigs) - [Keys](#keys): * [Key Management](#key-mgmt) * [Export Key](#export-key) * [Import Key](#import-key) * [Receive Key](#recv-key) * [Refresh Key](#refresh-key) * [Sign Key](#sign-key) - [Advanced](#adv): * [Miscellaneous](#misc) * [Rules](#rules) * [Generate Key Manually](#gen-key) * [Links](#links) ] --- template: default layout: true --- name: privacy # Privacy → Privacy: [Why Privacy Matters](../privacy/index.html#why), [Basic Tips](../privacy/index.html#basic-tips) & [Warnings](../privacy/index.html#warnings) --- name: how # How Email Works .nobullets[ * [Types of Email](#email-types) * [A Message's Journey](#email-journey) * [Email Connections](#email-conns) * [Anatomy of a Message](#email-anatomy) ] --- name: email-types layout: false # Types of Email ## How is it Accessed? * **Webmail** (e.g. Gmail): read/write mail in **browser**. * **IMAP**: read/write mail with a mail **client**. * **POP3**: **download** and read/write mail with a mail **client**. * **SMTP**: **send** mail. ## Where is it stored? * **Webmail**: on the mail **server** of your mail provider. * **IMAP**: also on mail **server**, often with local **cache**. * **POP3**: **local** (after **download** from mail **server**). Encrypting webmail is still rather difficult, so we will show you how to send and receive encrypted email using the Thunderbird mail client. --- template: default layout: true --- name: email-journey # A Message's Journey ![images/howmailworks.png](images/howmailworks.png) .medium[How Email Works] --- name: email-conns layout: false # Email Connections * Encrypted (POP3/IMAP/SMTP w/ SSL/TLS, HTTPS) * Unencrypted (POP3/IMAP/SMTP, HTTP) --- name: pop3 # POP3 Anatomy .medium[ ``` S: +OK POP3 server ready C: USER alice S: +OK User accepted C: PASS secret S: +OK Pass accepted C: STAT S: +OK 2 320 C: LIST S: +OK 2 messages (320 octets) S: 1 120 S: 2 200 S: . C: RETR 1 S: +OK 120 octets {The server sends message 1} S: . C: DELE 1 S: +OK message 1 deleted C: RETR 2 S: +OK 200 octets {The server sends message 2} S: . C: DELE 2 S: +OK message 2 deleted C: QUIT S: +OK POP3 server signing off (maildrop empty) {The server closes the connection} ``` ] --- name: smtp # SMTP Anatomy .medium[ ``` S: 220 smtp.example.com ESMTP Postfix C: HELO relay.example.org S: 250 Hello relay.example.org, I am glad to meet you C: MAIL FROM:
S: 250 Ok C: RCPT TO:
S: 250 Ok C: RCPT TO:
S: 250 Ok C: DATA S: 354 End data with
.
C: From: "Bob Example"
C: To: "Alice Example"
C: Cc: theboss@example.com C: Date: Tue, 15 January 2008 16:02:43 -0500 C: Subject: Test message C: C: Hello Alice. C: This is a test message with 5 header fields and 4 lines in the C: message body. C: Your friend, C: Bob C: . S: 250 Ok: queued as 12345 C: QUIT S: 221 Bye {The server closes the connection} ``` ] --- name: email-anatomy # Anatomy of a Message .medium[ ``` Return-Path:
Received: ... Message-ID: <...@gmail.com> Date: Sun, 08 Dec 2013 22:53:28 +0100 From: Test User
User-Agent: ... Thunderbird/24.1.1 MIME-Version: 1.0 To: obfusktest@gmail.com Subject: email message X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Hi, This is what an email message looks like. ``` ] --- template: default layout: true --- name: crypto # Why Should I Care About Encryption? → [Encryption: Why Use (Email) Encryption?](../encryption/index.html#why) # What Is Public Key Cryptography? → [Encryption: Public Key Cryptography](../encryption/index.html#pubkey-dia) --- name: using # Using Encryption w/ Thunderbird & Enigmail .nobullets[ * [What's Enigmail/Thunderbird/OpenPGP/GnuPG?](#what) * [Prerequisites](#prereq) * [Warnings](#warnings) * [Gmail Settings](#gmail) * [Thunderbird & Enigmail](#tb-enig) * [Mail](#mail) * [Keys](#keys) * [Advanced](#adv) ] --- name: what layout: false # What's Enigmail? > Enigmail is a security **extension** to Mozilla **Thunderbird** (and Seamonkey) that enables you to write and receive **email** messages **signed** and/or **encrypted** with the **OpenPGP** standard (using GnuPG). # What's Thunderbird? > Mozilla Thunderbird is a **free software** cross-platform **email**, news, and chat **client** developed by the Mozilla Foundation. # What are OpenPGP and GnuPG? > OpenPGP is a **standard** protocol for **encrypting** email using public key cryptography. It is based on PGP as originally developed by Phil Zimmermann. > GnuPG is a **free software** implementation of the **OpenPGP** standard. --- name: prereq # Prerequisites * Email Account (e.g. Gmail*) * Thunderbird * GnuPG ## Linux You'll need **thunderbird** and **gnupg** -- see the [links](#links). Most distributions' repositories provide both; Ubuntu: .medium[ ``` apt-get install thunderbird gnupg ``` ] ## OS X** You'll need **thunderbird** and **gpgtools** -- see the [links](#links). ## Windows** You'll need **thunderbird** and **gpg4win** -- see the [links](#links). .small[ \* although a more privacy-respecting provider (e.g. MyKolab) is preferable \** although a more privacy-respecting OS is preferable ] --- name: warnings # Warnings * You have **no control** over what the **recipient** does with the message you sent him/her. * Email **headers**, e.g. **Subject** and attachment **filenames** will **not** be encrypted. → [Encryption: What Can't Encryption Do?](../encryption/index.html#what-not) --- template: default layout: true --- name: gmail # Gmail Settings ![screens/gmail_imap.png](screens/gmail_imap.png) .medium[Activate IMAP for Gmail] --- name: tb-enig # Thunderbird & Enigmail .nobullets[ * [Setup Thunderbird w/ Gmail](#tb-setup) * [Install Enigmail](#enigmail-install) * [Configure Enigmail](#enigmail-config) ] --- name: tb-setup # Setup Thunderbird w/ Gmail You may want to use a local drafts folder. --- ![screens/tb_welcome.png](screens/tb_welcome.png) .medium[Welcome to Thunderbird] --- ![screens/tb_setup_account.png](screens/tb_setup_account.png) .medium[Thunderbird Account Setup - Step #1] --- ![screens/tb_setup_gmail.png](screens/tb_setup_gmail.png) .medium[Thunderbird Account Setup - Step #2] --- ![screens/tb_main.png](screens/tb_main.png) .medium[Thunderbird Main Window] --- name: enigmail-install # Install Enigmail --- ![screens/tb_addons.png](screens/tb_addons.png) .medium[Install Enigmail with Thunderbird Add-ons Manager] --- ![screens/tb_restart_now.png](screens/tb_restart_now.png) .medium[Restart Thunderbird after Enigmail Install] --- name: enigmail-config # Configure Enigmail If you want more control over key generation, see [Generate Key Manually](#gen-key). .nobullets[ * Use the Wizard * Create a Key Pair * Create a Revocation Certificate ] --- ![screens/wizard_step_1.png](screens/wizard_step_1.png) .medium[Enigmail Wizard - Step #1] --- ![screens/wizard_step_2.png](screens/wizard_step_2.png) .medium[Enigmail Wizard - Step #2] --- ![screens/wizard_step_3.png](screens/wizard_step_3.png) .medium[Enigmail Wizard - Step #3] --- ![screens/wizard_step_4.png](screens/wizard_step_4.png) .medium[Enigmail Wizard - Step #4] --- ![screens/wizard_step_5.png](screens/wizard_step_5.png) .medium[Enigmail Wizard - Step #5] --- ![screens/wizard_step_6.png](screens/wizard_step_6.png) .medium[Enigmail Wizard - Step #6] --- ![screens/wizard_step_7.png](screens/wizard_step_7.png) .medium[Enigmail Wizard - Step #7] --- ![screens/wizard_step_8.png](screens/wizard_step_8.png) .medium[Enigmail Wizard - Step #8] --- ![screens/wizard_q_revoke.png](screens/wizard_q_revoke.png) .medium[Enigmail Wizard - Generate Revocation Certificate?] Keep it safe! And be careful with file and directory permissions! --- ![screens/enter_pass.png](screens/enter_pass.png) .medium[Enter Passphrase] YMMV. --- ![screens/wizard_save_revoke.png](screens/wizard_save_revoke.png) .medium[Enigmail Wizard - Save Revocation Certificate] --- ![screens/wizard_revoke_saved.png](screens/wizard_revoke_saved.png) .medium[Enigmail Wizard - Revocation Certificate Saved] --- ![screens/wizard_done.png](screens/wizard_done.png) .medium[Enigmail Wizard - Done] --- name: mail # Mail .nobullets[ * [Write Mail](#write-mail) * [Read Mail](#read-mail) * [Mail Source](#mail-source) * [Attachments](#attach) * [Signatures](#sigs) ] --- name: write-mail # Write Mail .nobullets[ * Signed * Signed & Encrypted * Unsigned & Unencrypted (Normal) ] --- ![screens/tb_write.png](screens/tb_write.png) .medium[Thunderbird Write] --- ![screens/tb_write_1.png](screens/tb_write_1.png) .medium[Thunderbird Write - Signed] --- ![screens/tb_write_2.png](screens/tb_write_2.png) .medium[Thunderbird Write - Signed & Encrypted] --- ![screens/tb_write_3.png](screens/tb_write_3.png) .medium[Thunderbird Write - Unsigned & Unencrypted (Normal)] --- name: read-mail # Read Mail .nobullets[ * Signed * Signed & Encrypted * Unsigned & Unencrypted (Normal) ] --- ![screens/tb_mail_1.png](screens/tb_mail_1.png) .medium[Thunderbird Read - Signed] --- ![screens/tb_mail_2.png](screens/tb_mail_2.png) .medium[Thunderbird Read - Signed & Encrypted] --- ![screens/tb_mail_3.png](screens/tb_mail_3.png) .medium[Thunderbird Read - Unsigned & Unencrypted (Normal)] --- name: mail-source # Mail Source .nobullets[ * Signed * Signed & Encrypted * Unsigned & Unencrypted (Normal) ] --- layout: false Signed Mail Source: .medium[ ``` Return-Path:
Received: ... Message-ID: <...@gmail.com> Date: Sun, 08 Dec 2013 22:51:25 +0100 From: Test User
User-Agent: ... Thunderbird/24.1.1 MIME-Version: 1.0 To: obfusktest@gmail.com Subject: test #1 - sign X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 a signed message -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJSpOndAAoJEDwvV/C2euNIg8AH/0yOJIyu1721Q0+9FQF1p/Dq 4Zs4/g8M16zTdVSb7AUvJFimhWEaFRKiVtEc2kr3EOIV96hO4hzTBRB4Y/APNyJr YtmCxE7mKJ+3ZDpwmB5KRabCOSDmTFQyGTyW/OZr51GN/Zd7lDdlSrK95QN9rxzY yo0oImQDLCeyciEZi9431TTdGQi6+9t+uzlo6xaxTCiB5TdbMKDg4mCkZu+obtwQ J8Q1reuSegAczcNiu21k96hYdcxcxpDa8veMCg8HdYo/+QmyRBKijLoDsyhojZX8 65lBqvMEGveuqUTTIeU/0ZQvg8TcwjftEHF3wpAfOzfVwPpDpCoa4AGUwB5MvkE= =1Fp1 -----END PGP SIGNATURE----- ``` ] --- Signed & Encrypted Mail Source: .medium-small[ ``` Return-Path:
Received: ... Message-ID: <...@gmail.com> Date: Sun, 08 Dec 2013 22:52:02 +0100 From: Test User
User-Agent: ... Thunderbird/24.1.1 MIME-Version: 1.0 To: obfusktest@gmail.com Subject: test #2 - sign + encrypt X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit -----BEGIN PGP MESSAGE----- Charset: ISO-8859-1 Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ hQEMA7cQS3ayLdgbAQgAkcbyScDEdrb2f2CB/HNlEESFAzQ9vC0xBxo2Zg1P5YoO hlaUNbMj6zc3H+yM+XjlOJuxAKWAevICOTbWvBSjD7pI267D3BGcpPwSpCvppK3o z/aR6onAzOqesjK/IJ3y7yHWN4sFvwghjeENU/KOMxsOmnapJokvzpN8KBoxK4/C a/4vVJ/2z1EgFEj9pgtaQ3PHb7pY+Kz19BbXfFlS4I7BwQAic8X9SnS9cQTexiU7 jzQUyTZTERuLoyVDd1QnM1GZdgkzugqTz9tlItr9P+7MRNH92fxdLYYXztt1eQYV eun1vyp18TbaWiGawNfDN3Qq/Z72zd48AWkyh5Edh9LAzAHSBUeTRYqHxxs/t2zt zgjNI8zztrxLLLxUDIuq2Zgcljja3yjo61GkdAFDzFX57uakV95xAUkrA7qwkwr3 610caXyQDvoksy49tgutJHMcr3iyl4oYadFwIflvNt+N70gFxYplx1IO+Tiw32b8 gpwoZVtEyUYr5Z71DGPrz9D6UzGUT6jvLtjnc53UTT5R7T7OZO1rtLzIpZ/Kzwsq CR0z57/kfkRme0wWWw2V4BzE+Fk4lNwoZbT71hsRKWwO3/Ljeb5GpwFF67LSiZme zXi4JKpf/NDHwNf60KmKZubKwcdIsK2X+I2CKNTVwb34xbV+kaLDc5bPrq8aKchV ToWiCatR6tVh8g3+OtVqkuGp52OZB3zoRorsAm64/P33HTNuELpTjq+0/HneBtaZ YMxeNDZ7Va9zXXRmrXNj5reudSFrCxRK9n5FM0OaFmWgTertxf6jwx40eZWIzaDc cgJiIKdFUDWxnRPMyjCQ6UDfml7rzWp1NgD75gRyZG4hSfhDKpBnBFrZvXTd5A== =oZHe -----END PGP MESSAGE----- ``` ] --- Unsigned & Unencrypted (Normal) Mail Source: .medium[ ``` Return-Path:
Received: ... Message-ID: <...@gmail.com> Date: Sun, 08 Dec 2013 22:53:28 +0100 From: Test User
User-Agent: ... Thunderbird/24.1.1 MIME-Version: 1.0 To: obfusktest@gmail.com Subject: test #3 - unsigned + unencrypted X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit a normal message ``` ] --- template: default layout: true --- name: attach # Attachments ![screens/enigmail_attachments.png](screens/enigmail_attachments.png) .medium[Sending Encrypted Attachements] --- name: sigs # Signatures .nobullets[ * Unverified (Unknown Key) * Untrusted (Known Key, Not Trusted) * Good (Known Key, Trusted) ] --- ![screens/tb_mail_4_unknown.png](screens/tb_mail_4_unknown.png) .medium[Unverified Signature (Unknown Key)] --- ![screens/tb_mail_4_untrusted.png](screens/tb_mail_4_untrusted.png) .medium[Untrusted Signature (Known Key, Not Trusted)] --- ![screens/tb_mail_4_signed_key.png](screens/tb_mail_4_signed_key.png) .medium[Good Signature (Known Key, Trusted)] --- name: keys # Keys .nobullets[ * [Key Management](#key-mgmt) * [Export Key](#export-key) * [Import Key](#import-key) * [Receive Key](#recv-key) * [Refresh Key](#refresh-key) * [Sign Key](#sign-key) ] --- name: key-mgmt # Key Management .nobullets[ * Key Management Interface * Key Properties * Key Actions * Key Menu ] --- ![screens/enigmail_key_management.png](screens/enigmail_key_management.png) .medium[Enigmail Key Management] --- ![screens/enigmail_key_management_all.png](screens/enigmail_key_management_all.png) .medium[Enigmail Key Management - Show All] --- ![screens/enigmail_key_props.png](screens/enigmail_key_props.png) .medium[Enigmail Key Management - Key Properties] --- ![screens/enigmail_key_actions.png](screens/enigmail_key_actions.png) .medium[Enigmail Key Management - Key Actions] --- ![screens/enigmail_key_management_menu.png](screens/enigmail_key_management_menu.png) .medium[Enigmail Key Management - Key Menu] --- name: export-key # Export Key You'll need to export your public key to be able send it to someone else. Or you can publish it on a key server. .nobullets[ * Export * Save * Send ] --- ![screens/enigmail_key_management_export.png](screens/enigmail_key_management_export.png) .medium[Enigmail Key Management - Export] --- ![screens/enigmail_key_management_export_save.png](screens/enigmail_key_management_export_save.png) .medium[Enigmail Key Management - Export - Save] --- ![screens/tb_write_send_key.png](screens/tb_write_send_key.png) .medium[Enigmail Key Management - Export & Send] --- name: import-key # Import Key If someone's sent you a public key, you'll need to import it to use it. --- ![screens/enigmail_key_management_import_step_1.png](screens/enigmail_key_management_import_step_1.png) .medium[Enigmail Key Management - Import - Step #1] --- ![screens/enigmail_key_management_import_step_2.png](screens/enigmail_key_management_import_step_2.png) .medium[Enigmail Key Management - Import - Step #2] --- name: recv-key # Receive Key If someone has published their public key on a key server, you can receive it from there. --- ![screens/enigmail_recv_key_step_1.png](screens/enigmail_recv_key_step_1.png) .medium[Enigmail Key Management - Receive Key - Step #1] --- ![screens/enigmail_recv_key_step_2.png](screens/enigmail_recv_key_step_2.png) .medium[Enigmail Key Management - Receive Key - Step #2] --- ![screens/enigmail_recv_key_step_3.png](screens/enigmail_recv_key_step_3.png) .medium[Enigmail Key Management - Receive Key - Step #3] --- ![screens/enigmail_key_management_w_obfusk.png](screens/enigmail_key_management_w_obfusk.png) .medium[Enigmail Key Management - With Received Key] --- name: refresh-key # Refresh Key You should refresh keys to get up-to-date signatures, expirations, and revocations. --- ![screens/enigmail_key_management_refreshed.png](screens/enigmail_key_management_refreshed.png) .medium[Enigmail Key Management - Refresh Key] --- name: sign-key # Sign Key Sign a key when you have **checked** and **verified** that a certain public key belongs to a certain person (who is in control of the accompanying private key). .nobullets[ * Check the **fingerprint** to make sure you have the right key. * Make sure the **person** is who he says he is. ] You can keep your signatures **local** or participate in the **web of trust**. --- ![screens/enigmail_key_management_sign.png](screens/enigmail_key_management_sign.png) .medium[Enigmail Key Management - Choose to Sign Key] --- ![screens/enigmail_sign_sender_key.png](screens/enigmail_sign_sender_key.png) .medium[Thunderbird Read - Choose to Sign Sender's Key] --- ![screens/enigmail_sign_key_local.png](screens/enigmail_sign_key_local.png) .medium[Enigmail Key Management - Sign Key (Locally)] Make sure to check the fingerprint! --- ![screens/enigmail_sigs.png](screens/enigmail_sigs.png) .medium[Enigmail Key Management - Signatures] --- name: adv # Advanced .nobullets[ * [Miscellaneous](#misc) * [Rules](#rules) * [Generate Key Manually](#gen-key) ] --- name: misc # Miscellaneous .nobullets[ * Encrypt to Unknown Recipient * Expert Settings * Always Trust & Always Confirm ] --- ![screens/enigmail_unknown_recipient.png](screens/enigmail_unknown_recipient.png) .medium[Enigmail - Encrypt to Unknown Recipient] --- ![screens/enigmail_prefs_expert.png](screens/enigmail_prefs_expert.png) .medium[Enigmail Preferences - Expert] --- ![screens/enigmail_prefs_alwaystrust.png](screens/enigmail_prefs_alwaystrust.png) .medium[Enigmail Preferences - Always Trust & Always Confirm] .nobullets[ * **Always Trust** allows you to encrypt messages to untrusted keys (i.e. keys that are not in your web of trust). * **Always Confirm** makes Enigmail confirm encryption and signing before sending. ] --- name: rules # Rules You can define rules for setting encryption and signing for every recipient and to define what key(s) to use. .nobullets[ * Key Selection * Rules * Add Rule ] --- ![screens/enigmail_prefs_key_sel.png](screens/enigmail_prefs_key_sel.png) .medium[Enigmail Preferences - Key Selection] --- ![screens/enigmail_prefs_rules.png](screens/enigmail_prefs_rules.png) .medium[Enigmail Preferences - Rules] --- ![screens/enigmail_prefs_add_rule.png](screens/enigmail_prefs_add_rule.png) .medium[Enigmail Preferences - Add Rule] --- name: gen-key # Generate Key Manually If you want more control over key generation (e.g. expiration and key size): .nobullets[ * Cancel the Wizard * Generate a Key Manually * Run the Wizard and Use Your Existing Key ] --- ![screens/enigmail_gen_tab_1.png](screens/enigmail_gen_tab_1.png) .medium[Enigmail Generate Key - Tab #1] --- ![screens/enigmail_gen_tab_2.png](screens/enigmail_gen_tab_2.png) .medium[Enigmail Generate Key - Tab #2] --- ![screens/enigmail_use_existing_key.png](screens/enigmail_use_existing_key.png) .medium[Enigmail Wizard - Use Existing Key] --- name: links layout: false # Links * https://github.com/obfusk/keep-it-private * http://obfusk.github.io/keep-it-private * https://www.enigmail.net * https://www.mozilla.org/thunderbird * https://www.gnupg.org * https://gpgtools.org (OS X) * http://www.gpg4win.org (Windows) * https://www.cryptoparty.in * https://fsfe.org * https://www.gnu.org/philosophy/free-sw.html