How to sign email correspondence with a GPG key using PKCS#11 tokens



Modern mail services improve their security from year to year: first came authentication via SMS, and now machine-learning mechanisms that analyse suspicious activity in the mailbox are being refined as well.

But what if someone obtains the coveted password to your mailbox, starts reading all your private correspondence and fires off rubbish left and right? How do you add an extra layer of protection in that case? GPG and smart cards come to the rescue.


GPG is a free, open-source program that provides the technology needed for secure messaging. It works very simply: at its core it is a database of the public keys of the people you want to communicate with. You manage these keys yourself: add one when you make a new acquaintance, or delete one when you decide to put someone on your “black list”. GPG also stores your own public and private keys. Each key is associated with a specific mailbox and a specific user in the system.




: GPG -. , , . “ ! ”, — - . — , . , , . , , (PIN-) .


GPG -, OpenPGP SmartCard. -, PKCS#11, , PKCS#11 -. -, PKCS#11 , OpenPGP. , , , , PKI 2.0. PKI , .. RSA.




Instructions for integrating GPG into popular email clients such as Thunderbird, KMail, Outlook, and the standard Mail client on macOS are also given below. This integration lets the people who receive a letter from you verify that it really was sent by you.

Interested? Then let's go! Windows users who want to walk the shaman's path and build the daemon from scratch are advised to be patient...


Install GPG and gnupg-pkcs11-scd


Linux


Install the necessary packages (use the line that matches your system: the first for Debian, the second for Red Hat):


sudo apt-get install gpg opensc libpkcs11-helper1-dev openssl libgpg-error-dev libassuan-dev libgcrypt20-dev autoconf pkg-config # Debian
sudo yum install gnupg2 gnupg-pkcs11-scd opensc # Red Hat

Make sure the versions are at least:


gpg >= 2.1.19
gnupg-pkcs11-scd > 0.9.2

On Debian you may need to download and build the latest release of gnupg-pkcs11-scd (the PKCS#11 smart card daemon) from its repository.


You can build and install it with the following command:


autoreconf -i && ./configure --prefix /usr && make -j 4 && sudo make install

Install librtpkcs11ecp.so, the token's PKCS#11 library, as well.


Add the following line to ~/.gnupg/gpg-agent.conf:


scdaemon-program /usr/bin/gnupg-pkcs11-scd

And the following to ~/.gnupg/gnupg-pkcs11-scd.conf:


providers rutoken
provider-rutoken-library /usr/lib64/librtpkcs11ecp.so

Windows


, , . , gnupg-pkcs11-scd , libgnupg-error, libassuan, openssl, pkcs11-helper, libgcrypt. Linux ( ), windows , .





Install Gpg4Win.






The configuration files live in %APPDATA%/gnupg. Add the following line to gpg-agent.conf:


scdaemon-program C:/HERE_IS_PATH_TO/gnupg-pkcs11-scd.exe

And the following to gnupg-pkcs11-scd.conf:


providers rutoken
provider-rutoken-library C:/Windows/System32/rtPKCS11ECP.dll


Welcome to the club, buddy!

. pkcs11 - Windows. , , . , .


Gpg4Win msys2, .


msys2.


, , . , gnupg-pkcs11-scd , . Linux macOS , . , - , :


pacman -Syuu



pacman -S --needed git base-devel mingw-w64-i686-toolchain man2html pkg-config openssl-devel

(libgpg-error)


libgpg-error .


Build and install it:


./configure --with-cygwin-native
make
make install

Voilà!


(libassuan)


Build and install libassuan the same way:


./configure --with-cygwin-native
make
make install

(pkcs11-helper)


pkcs11-helper .


Build and install pkcs11-helper:


autoreconf --install
./configure --with-cygwin-native
make
make install

(libgcrypt)


Build and install libgcrypt the same way:


./configure --with-cygwin-native
make
make install

(gnupg-pkcs11-scd)




Build and install it:


autoreconf --install
./configure --with-cygwin-native
make
make install

Fatality




The configuration files live in %APPDATA%/gnupg. Add the following line to gpg-agent.conf:


scdaemon-program C:/msys32/mingw32/bin/gnupg-pkcs11-scd.exe

And the following to gnupg-pkcs11-scd.conf:


providers rutoken
provider-rutoken-library C:/Windows/System32/rtPKCS11ECP.dll

macOS


Install brew, then use it to install gpg and gnupg-pkcs11-scd:



brew install gpg gnupg-pkcs11-scd

Install librtpkcs11ecp, the token's PKCS#11 library, as well.


Add the following line to ~/.gnupg/gpg-agent.conf:


scdaemon-program /usr/local/lib/gnupg-pkcs11-scd

And the following to ~/.gnupg/gnupg-pkcs11-scd.conf:


providers rutoken
provider-rutoken-library /usr/local/lib/librtpkcs11ecp.so




, RSA-, - . RSA- ( ).


, , - , SDK pkcs11-tool


Restart gpg-agent with gpgconf, which ships with gpg on Linux and macOS and with Gpg4Win on Windows:


gpgconf --kill gpg-agent

Then check that the token is visible:


gpg --card-status

The output should look something like this:


[lo1ol@localhost .gnupg]$ gpg --card-status
Application ID ...: D2760001240111503131CAE8D55A1111
Version ..........: 11.50
Manufacturer .....: unknown
Serial number ....: CAE8D55A
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 1R 1R 1R
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Next, query gpg-agent directly: start it in server mode and issue SCD LEARN:


gpg-agent --server
SCD LEARN

Bad certificate, , , GPG. :


[lo1ol@localhost .gnupg]$ gpg-agent --server
OK Pleased to meet you
SCD LEARN
....
S KEYPAIRINFO 892E053AE031FC23F3E7CCC73BC60859F11F6B90 Aktiv\x20Co\x2E/Rutoken\x20ECP/3ac67ae9/Rutoken\x20ECP\x20\x3Cno\x20label\x3E/45
OK

GPG


First, run:


gpg-agent --server
SCD LEARN

Look for the line that starts with S KEYPAIRINFO. In our case it is:


S KEYPAIRINFO 892E053AE031FC23F3E7CCC73BC60859F11F6B90 Aktiv\x20Co\x2E/Rutoken\x20ECP/3ac67ae9/Rutoken\x20ECP\x20\x3Cno\x20label\x3E/45
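As an added example (not part of the original article), here is a small Python parser for that SCD LEARN transcript: it picks out the S KEYPAIRINFO status lines, checks that each keygrip is 40 hex characters, and decodes the \xHH escapes gpg-agent uses inside the token id. The sample session is constructed from the output above; the S SERIALNO status line in it is an assumption added so the parser has something to skip.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of a `gpg-agent --server` session after `SCD LEARN`,
# modelled on the article's transcript (the keygrip and token id are its values;
# the SERIALNO status line is an assumed extra line the parser must ignore).
SAMPLE_SESSION = """OK Pleased to meet you
SCD LEARN
S SERIALNO D2760001240111503131CAE8D55A1111
S KEYPAIRINFO 892E053AE031FC23F3E7CCC73BC60859F11F6B90 Aktiv\\x20Co\\x2E/Rutoken\\x20ECP/3ac67ae9/Rutoken\\x20ECP\\x20\\x3Cno\\x20label\\x3E/45
OK
"""

KEYGRIP_RE = re.compile(r"^[0-9A-F]{40}$")       # keygrip: 20-byte SHA-1 as upper-case hex
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")   # Assuan escapes space/punctuation as \xHH


@dataclass(frozen=True)
class KeyPairInfo:
    keygrip: str   # the value gpg asks for at "Enter the keygrip:"
    token_id: str  # human-readable token/object path with escapes decoded


def assuan_unescape(value: str) -> str:
    """Turn 'Aktiv\\x20Co\\x2E' into 'Aktiv Co.'."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_keypairinfo(session: str) -> list[KeyPairInfo]:
    """Collect every 'S KEYPAIRINFO <keygrip> <id>' status line from a transcript.

    Greeting, echoed commands, other status lines and OK/ERR are skipped; a keygrip
    that is not 40 hex digits is rejected because gpg would never accept it."""
    infos: list[KeyPairInfo] = []
    for line in session.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[:2] != ["S", "KEYPAIRINFO"]:
            continue
        keygrip = parts[2].upper()
        if not KEYGRIP_RE.match(keygrip):
            raise ValueError(f"malformed keygrip in status line: {line!r}")
        token_id = assuan_unescape(parts[3]) if len(parts) > 3 else ""
        infos.append(KeyPairInfo(keygrip, token_id))
    return infos


if __name__ == "__main__":
    for info in parse_keypairinfo(SAMPLE_SESSION):
        print(f"{info.keygrip}  {info.token_id}")
```

To use it on a real token, paste the output of `gpg-agent --server` / `SCD LEARN` in place of the constructed session; the printed keygrip is what you enter at the gpg prompt below.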

The keygrip here is 892E053AE031FC23F3E7CCC73BC60859F11F6B90. Now add the key to GPG. Run:


gpg --expert --full-generate-key

Answer the prompts; instead of RSA, choose an existing key (option 13):


lo1ol@lo1ol-VirtualBox:~$ gpg --expert --full-generate-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
Your selection? 13

Then enter the keygrip found above:


Enter the keygrip: 892E053AE031FC23F3E7CCC73BC60859F11F6B90

Then set the key's capabilities, its validity period and the user ID with your e-mail address:


Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection?
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: lo1ol
Email address: lo1ol@mail.ru
Comment:
You selected this USER-ID:
"lo1ol <lo1ol@mail.ru>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

Done. The result:


gpg: /home/lo1ol/.gnupg/trustdb.gpg: trustdb created
gpg: key 676E42AAAFBCF227 marked as ultimately trusted
gpg: directory '/home/lo1ol/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/lo1ol/.gnupg/openpgp-revocs.d/0CD2B9CEE398990609D6C164676E42AAAFBCF227.rev'
public and secret key created and signed.

pub rsa2048 2019-10-25 [SCE]
0CD2B9CEE398990609D6C164676E42AAAFBCF227
uid lo1ol <lo1ol@mail.ru>



, , , , GPG — . GPG ( X.509), : , , .. , , GPG.


GPG , , Kleopatra, , . , , X.509.



Thunderbird


Let's integrate GPG with Thunderbird, which runs on Linux, Windows and macOS.



First install Thunderbird. On Linux and macOS:


sudo apt-get install thunderbird # Debian
sudo yum install thunderbird # Red Hat
brew cask install thunderbird # macOS

On Windows and macOS you can also download the installer from the Thunderbird site.


After installing Thunderbird, add the mailbox that you want to use, the one for which you added the keys and certificate in GPG.


Adding the GPG plugin

It's time to add the Enigmail plugin, which integrates Thunderbird with GPG. Go to the Add-ons tab and click on it:





In the search, look for the Enigmail plugin and click on the “Add to Thunderbird” button:





When the plugin is installed, it will offer to add your existing keys. Agree and click the “Apply my Keys” button.





Almost everything is ready. It remains only to bind the keys to the mail accounts.

Binding keys to accounts

Go to the account settings:





In the pop-up window, open the “OpenPGP Protection” tab and select the key that you want to use for this mailbox. You can also configure the default options here.





Everything is ready, and everything is assembled!
You are missing, you are missing ...
Old man, let's go on a picnic!

Health check

The moment of truth has come. Let's check that the whole system works correctly. Restart Thunderbird and try to send a message to a user whose public key is registered in GPG. To check the result I added a second account. Create a new letter:





Make sure that the signature option, and the encryption option if you need it, are enabled. During sending you will most likely be asked to enter the token password.

Check that the sent letter has arrived, is successfully decrypted, and that its signature verifies.





As you can see, everything works successfully!

KMail setup


To get started, install KMail from the repository:


sudo apt-get install kmail # Debian
sudo yum install kmail # Red Hat

Launch KMail. Enter your mail account information and click “Add Account”.





In the pop-up window, select “Use GPG”.





Select the key that you want to use for this mailbox:





Configure the identity in the settings:





Set the keys for signing and encryption:





Set the email:





Let's try to send an email. Make sure the signing and encryption options are enabled.





Check that the received letter decrypts and passes signature verification:





As you can see, everything worked out successfully!

Outlook setup


Everything is simple here, because everything you need is already installed and configured: the GpgOL plugin ships with Gpg4Win and is set up automatically. Let's just try to send a message, selecting in the options that it should be encrypted and signed.





Let's look at the letter that arrived. You can see that the signature passed verification and the letter was decrypted.





Apple Mail setup


Pay Tim Cook,
Minted coin ...
Minted coin ...

This method, as is traditional for Apple, is paid, and it suits you if you are willing to spend your honestly earned shekels on the GPG Suite plugin. If you would rather keep your gold, use the free option: Thunderbird.


Go to the GPG Suite website and download the latest version of this package.


After installation you need to activate the GPGMail plugin. To do this, go to Mail > Preferences > General > Manage Plug-ins and activate GPGMailLoader.mailbundle.





The plugin is activated. Let's try to send a test letter. Note that the options to sign and encrypt the message are enabled.





And verify that decryption and signature verification succeeded.





Hooray, we did it!

Working with Kleopatra


Kleopatra gives the user a convenient graphical interface for working with GPG: signing, encryption, signature verification, decryption and so on. On Windows it is installed together with Gpg4Win, and on Linux it can be installed through the package manager:


sudo apt-get install kleopatra # Debian
sudo yum install kleopatra # Red Hat

Run it and you will see that the program is intuitive to use :)


Summary


GPG , -, , . , , .


, GPG .

