Using GPG/PGP with Ubuntu and Thunderbird
When transmitting sensitive information, never send it in unencrypted e-mails; use GPG/PGP encryption instead.
Before starting, create a new entry in KeePass for your GPG key and create a new password. See the Security Guidelines for password policies.
Start generating a key by running the following command in your terminal:
- Select the default key type (RSA/RSA).
- Choose at least 4096 bits for the key length.
- Make your key valid for 5-10 years; do not choose a key that never expires.
- Fill in the remaining information but do not confirm yet.
- Copy your password from KeePass to the clipboard, confirm in the terminal and then paste your password into the popup dialog.
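The steps above can also be driven non-interactively. The following script is an added example (not part of the makandra card): it writes a gpg batch parameter file with the settings the card requires (RSA/RSA, at least 4096 bits, expiry between 5 and 10 years), refuses weaker settings before gpg is ever called, and uses %ask-passphrase so the passphrase never lands in the file but is pasted from KeePass into the pinentry dialog. The name and e-mail address are assumed placeholders; gpg only runs when GENERATE_KEY=1 is set, otherwise the script does a dry run and prints the parameter file it would use.

```shell
#!/bin/sh
# Added example, not part of the makandra card: unattended key generation
# with the settings the card asks for (RSA/RSA, at least 4096 bits, expiry
# between 5 and 10 years). Name and e-mail address are assumed placeholders.
set -eu

# Reject settings weaker than the policy before calling gpg.
# Usage: check_key_policy BITS YEARS  (prints "ok", or the reason and returns 1)
check_key_policy() {
  if [ "$1" -lt 4096 ]; then
    echo "key length $1 is below 4096 bits"; return 1
  fi
  if [ "$2" -lt 5 ] || [ "$2" -gt 10 ]; then
    echo "expiry ${2}y is outside 5-10 years"; return 1
  fi
  echo ok
}

# Write a gpg batch parameter file. %ask-passphrase keeps the passphrase out
# of the file: gpg prompts through pinentry, where you paste it from KeePass.
# Usage: write_gen_params FILE "Real Name" EMAIL BITS YEARS
write_gen_params() {
  cat > "$1" <<EOF
%ask-passphrase
Key-Type: RSA
Key-Length: $4
Subkey-Type: RSA
Subkey-Length: $4
Name-Real: $2
Name-Email: $3
Expire-Date: ${5}y
%commit
EOF
}

BITS=4096
YEARS=5
NAME="Firstname Lastname"               # placeholder
EMAIL="firstname.lastname@example.org"  # placeholder address from the card

check_key_policy "$BITS" "$YEARS" >/dev/null
PARAMS=$(mktemp)
write_gen_params "$PARAMS" "$NAME" "$EMAIL" "$BITS" "$YEARS"

# gpg only runs when explicitly requested; otherwise this is a dry run that
# shows the parameter file gpg would be given.
if [ "${GENERATE_KEY:-0}" = 1 ]; then
  gpg --batch --gen-key "$PARAMS"
  gpg --list-keys "$EMAIL"
else
  echo "Dry run. To generate the key: GENERATE_KEY=1 $0"
  cat "$PARAMS"
fi
rm -f "$PARAMS"
```

Keeping the passphrase out of the parameter file matters because a batch file is easy to leave behind in a home directory or shell history; the policy check in check_key_policy is what turns the card's "at least 4096 bits, 5-10 years" into something a script cannot silently get wrong.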
You may check which keys you will be exporting for your e-mail address (we use firstname.lastname@example.org, change accordingly). If you have old/expired keys in there, delete them.
gpg --list-keys email@example.com
Export your public key to the folder the terminal is currently operating in (remember to use your e-mail address as an argument for the
gpg -a --output firstname.lastname.asc --export firstname.lastname@example.org
Distribute your public key using a secure medium to prevent man-in-the-middle attacks.
- Use Gnome's integration (open the context menu on a key file)
- or call
gpg --import someone.asc
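The secure-medium advice above is only useful if you actually compare what you received with what the owner told you. The following script is an added example (not from the makandra card): it extracts the primary-key fingerprint from gpg's machine-readable colon output and compares it with a fingerprint obtained out of band before the key is imported. The colon output embedded below is a constructed sample, and the expected fingerprint is a placeholder; on a real key file you would feed the script the output of gpg --with-colons --import-options show-only --import someone.asc.

```shell
#!/bin/sh
# Added example, not from the makandra card: check a received public key's
# fingerprint against the one its owner gave you over a secure channel
# before importing it. The gpg --with-colons output below is constructed.
set -eu

# Normalise a fingerprint as people write it (grouped, lower case) to the
# 40 upper-case hex digits gpg prints in colon output.
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Primary-key fingerprint from `gpg --with-colons ...` output on stdin:
# field 10 of the first "fpr" record (subkey fpr records come later).
primary_fpr_from_colons() { awk -F: '$1=="fpr"{print $10; exit}'; }

# Usage: fingerprint_matches COLONS_TEXT EXPECTED  (exit 0 only on a match)
fingerprint_matches() {
  got=$(printf '%s\n' "$1" | primary_fpr_from_colons)
  [ -n "$got" ] && [ "$got" = "$(normalize_fpr "$2")" ]
}

# Constructed sample of what gpg prints for a 4096-bit RSA key with one
# encryption subkey; key IDs and fingerprints are made up.
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF01234567:1600000000:1757894400::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1600000000::0000000000000000000000000000000000000000::Firstname Lastname <firstname.lastname@example.org>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1600000000:1757894400:::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Placeholder: the fingerprint the owner read to you or handed over in person.
EXPECTED="0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"

if fingerprint_matches "$SAMPLE_COLONS" "$EXPECTED"; then
  echo "fingerprint matches; safe to run: gpg --import someone.asc"
else
  echo "fingerprint MISMATCH; do not import this key" >&2
fi
```

Comparing the full 40-digit fingerprint rather than a short key ID is the point: short IDs are cheap to collide, and an attacker who can intercept the key file can just as easily hand you one with the right name and e-mail address.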
Enigmail allows using GPG/PGP transparently in Thunderbird.
- To install on Ubuntu, run
sudo apt-get install enigmail
- As a makandra employee, this has been preinstalled for you.
- Configure Enigmail
- Add keyserver.ubuntu.com as primary key server.
- Publish your key to at least
- In Thunderbird, you can use menu "Enigmail" → "Key Management". Right-click on your key and choose "Upload public keys to keyserver".
- In a terminal, you can use
gpg --keyserver keyserver.ubuntu.com --send-keys email@example.com
(optionally repeat for other hosts)
- You may download the public keys of your colleagues (if you don't, you can download missing keys later): Menu "Enigmail" → "Key Management" → Menu "Keyserver" → "Search for keys" → Search for "makandra.de" → Ok → Pick any fitting results and press "Ok"
- Make sure to disable automatic encryption for all outgoing e-mails. You can opt in to send encrypted e-mails.
Eventually, your key will expire. In that case, you can extend your key's expiry and push an update to the key servers.
We have a separate card on how to do this.
If you use a notebook in addition to your desktop PC, you will want to transfer your key pair.
We have a card for that as well.