LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
Old 06-21-2010, 04:46 PM   #1
taylorkh, Senior Member (Registered: Jul 2006; Location: North Carolina; Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate; Posts: 2,127)
Need a little (in)sanity check re. Enigmail and public key encryption


I have Thunderbird/Enigmail/GPG installed and working on a Ubuntu 10.04 VM and a Windows 7 VM under VMWare. On the Ubuntu VM I have an account called "George" set up as the only email account. On the Win 7 VM I have a test account called "Zorro" as the only email account in Thunderbird. Both accounts point to actual email accounts on my ISP's email server. I will use these names in my examples below for brevity.

I created a key pair for each account on its respective VM and uploaded the public keys to pool.sks-keyservers.net.

From the Win 7 VM Zorro sent an email from Zorro to George. Zorro signed the email.

On the Ubuntu VM George received the email from Zorro and downloaded Zorro's public key to George's keyring.

George then composed an email to Zorro using Zorro's public key, signed and encrypted the email.

Back on Zorro's VM the second email was received and decrypted using Zorro's private key. So it looks like everything works as intended.
--------------------
Now for the sanity check... I recall reading that an email encrypted with a public key can be decrypted ONLY by the recipient holding the corresponding private key. I found that when I looked at the encrypted email in George's Sent folder I was offered the opportunity to decrypt it - and yes, I was able to decrypt it. Is this not contrary to the concepts of public key encryption? Or does Enigmail perhaps encrypt the sent email using the sender's public key so that the sender can always view what they have sent?

Second concern... before I put this in place on my production PC for my real email accounts... Suppose I have created my public/private key pair, published it to the key server and used the pair to exchange emails for a period of time. Thus I might have a number of emails in Thunderbird which are (were?) encrypted using my public key. I then have a need to generate a new key pair (say the original one was compromised). I revoke my original keys and begin to use the new ones. Will I still be able to read the old emails which I still have saved in Thunderbird?

TIA,

Ken
 
Old 06-22-2010, 08:10 AM   #2
tsg, Member (Registered: Mar 2008; Posts: 155)
Quote: Originally Posted by taylorkh
Now for the sanity check... I recall reading that an email encrypted with a public key can be decrypted ONLY by the recipient holding the corresponding private key. I found that when I looked at the encrypted email in George's Sent folder I was offered the opportunity to decrypt it - and yes I was able to decrypt it. Is this not contrary to the concepts of public key encryption? or does Enigmail perhaps encrypt the sent email using the sender's public key so that the sender can always view what they have sent?
I believe this is the default for Enigmail. You can turn it off on the Sending tab in preferences ("Add my own key to the recipients list") but it would mean you wouldn't be able to read anything you've encrypted to someone else.

Quote:
Second concern... before I put this in place on my production PC for my real email accounts... Suppose I have created my public/private key pair, published it to the key server and used the pair to exchange emails for a period of time. Thus I might have a number of emails in Thunderbird which are (were?) encrypted using my public key. I then have a need to generate a new key pair (say the original one was compromised). I revoke my original keys and begin to use the new ones. Will I still be able to read the old emails which I still have saved in Thunderbird?
Yes. Enigmail should warn you that the key has been revoked, but it will still decrypt the message.

Last edited by tsg; 06-22-2010 at 08:14 AM.
 
Old 06-22-2010, 09:20 AM   #3
taylorkh, Senior Member, Original Poster (Registered: Jul 2006; Location: North Carolina; Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate; Posts: 2,127)
Thanks tsg, I see the "Add my own key..." setting. Makes sense. As to "My own key(s)" - it looks like I need to keep any keys I have ever used in perpetuity - if I have received email with them. I have email files dating back to Netscape Communicator on Win NT 3.51 - I sort of never throw anything away. Obviously I have a lot more to learn about Enigmail before I begin to use it for real.

I need to look for a way to decrypt an email which I receive and save it on the PC in plain text. I think that would make things easier. I could store the email files in Truecrypt if I was really paranoid. At the moment I am more concerned with the email while in transit.

Thanks again,

Ken

p.s. I started on this encrypted email thing about 20 years ago. I encrypted a text file with pgp on DOS 3.11, copied the result into Banyan Vines mail, sent it to my co-worker in the next cube. He then extracted the cypher-text, put it in a text file, decrypted it with pgp and read the message. That was too much like work so I have sort of taken a hiatus over all these years.
 
Old 06-22-2010, 09:58 AM   #4
tsg, Member (Registered: Mar 2008; Posts: 155)
Quote: Originally Posted by taylorkh
Thanks tsg, I see the "Add my own key..." setting. Makes sense. As to "My own key(s)" - it looks like I need to keep any keys I have ever used in perpetuity - if I have received email with them. I have email files dating back to Netscape Communicator on Win NT 3.51 - I sort of never throw anything away. Obviously I have a lot more to learn about Enigmail before I begin to use it for real.
That comes under the heading of data retention policy. If you're keeping the emails, obviously you need to keep the keys to read them with. The PGP keyring is largely transparent, so it really isn't too much of an inconvenience to hang on to old keys.

Quote:
I need to look for a way to decrypt an email which I receive and save it on the PC in plain text. I think that would make things easier. I could store the email files in Truecrypt if I was really paranoid. At the moment I am more concerned with the email while in transit.
Enigmail has a "Save decrypted message" function in the menu. From there you can re-encrypt it with your new key if you don't want to save it as plaintext. Or you could get rid of your old email ;^)


Quote:
p.s. I started on this encrypted email thing about 20 years ago. I encrypted a text file with pgp on DOS 3.11, copied the result into Banyan Vines mail, sent it to my co-worker in the next cube. He then extracted the cypher-text, put it in a text file, decrypted it with pgp and read the message. That was too much like work so I have sort of taken a hiatus over all these years.
Not quite as long, but I generated my first key pair in 1995 to sign posts to usenet(!) because someone was impersonating me. I still have it. I'm trying to get PGP working in the office more for being able to verify the sender rather than for security, but once I have one the rest will follow. What I am currently dealing with is making sure that any encrypted emails sent out are also encrypted with the company key so that we can read them.
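The behaviour tsg describes in #2 and #4, reproduced with GnuPG at the command line: the sender's own key is simply one more recipient of the session key, a revoked key still decrypts old mail because the secret key material is untouched, and "decrypt, then encrypt to the replacement key" is a one-line pipe. This is an added example, not code from the thread or from Enigmail. The names George and Zorro follow the original post; the example.invalid addresses, the two temporary keyrings (standing in for the two VMs) and the throwaway keys with empty passphrases are all constructed for the demonstration and need GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce tsg's answers with GnuPG
# itself. George and Zorro each get a throwaway keyring in a temporary
# directory; addresses and keys are constructed for this demonstration.
set -eu

GEORGE=$(mktemp -d)   # George's keyring (the Ubuntu VM in the thread)
ZORRO=$(mktemp -d)    # Zorro's keyring (the Windows 7 VM)
WORK=$(mktemp -d)     # where the encrypted messages are written
PLAINTEXT='Hello Zorro, this is George.'

cleanup() {   # stop the per-keyring agents and remove the test material
    for d in "$GEORGE" "$ZORRO"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$GEORGE" "$ZORRO" "$WORK"
}
trap cleanup EXIT

# Run gpg as one of the two users: unattended, empty passphrase on the test
# keys, every public key treated as trusted so --encrypt does not stop to
# ask about an unsigned key.
gpg_as() {
    home=$1; shift
    GNUPGHOME="$home" gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase '' --trust-model always "$@"
}

# Generate a key pair per user, then hand Zorro's public key to George
# (in the thread this went via pool.sks-keyservers.net).
gpg_as "$GEORGE" --quick-generate-key 'George <george@example.invalid>' default default never
gpg_as "$ZORRO"  --quick-generate-key 'Zorro <zorro@example.invalid>'   default default never
gpg_as "$ZORRO" --export zorro@example.invalid | gpg_as "$GEORGE" --import

# George encrypts the same text twice: once to Zorro only, once with his
# own key added, which is what Enigmail's "Add my own key to the
# recipients list" amounts to.
encrypt_from_george() {   # $1 = output file, remaining args = -r recipient ...
    out=$1; shift
    printf '%s\n' "$PLAINTEXT" | gpg_as "$GEORGE" --output "$out" --encrypt "$@"
}
encrypt_from_george "$WORK/to_zorro.gpg" -r zorro@example.invalid
encrypt_from_george "$WORK/to_both.gpg"  -r zorro@example.invalid -r george@example.invalid

# One "pubkey enc packet" per recipient: the random session key is wrapped
# once for each public key. That is why the copy in the Sent folder is
# readable by the sender; public-key encryption is not being bypassed.
count_recipients() {   # $1 = encrypted file; prints the number of wrapped session keys
    gpg_as "$GEORGE" --list-packets "$1" 2>/dev/null | grep -c ':pubkey enc packet:'
}

decrypt_as() {   # $1 = keyring dir, $2 = encrypted file; prints the plaintext or fails
    gpg_as "$1" --decrypt "$2" 2>/dev/null
}

# Revoke a key the way the second question assumes: import the revocation
# certificate GnuPG wrote to openpgp-revocs.d at generation time (the
# leading colon on its armor line is a safety catch against accidental use).
revoke_key() {   # $1 = keyring dir, $2 = user id
    fpr=$(gpg_as "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }')
    sed 's/^:-----BEGIN/-----BEGIN/' "$1/openpgp-revocs.d/$fpr.rev" | gpg_as "$1" --import
}

is_revoked() {   # $1 = keyring dir, $2 = user id; validity field "r" means revoked
    gpg_as "$1" --with-colons --list-keys "$2" | grep -q '^pub:r:'
}

# Re-encrypt old mail to a replacement key, the alternative to keeping
# plaintext that tsg mentions: decrypt with the old key, encrypt to the new one.
reencrypt() {   # $1 = keyring dir, $2 = old file, $3 = new file, $4 = new recipient
    decrypt_as "$1" "$2" | gpg_as "$1" --output "$3" --encrypt -r "$4"
}

echo "to_zorro.gpg recipients: $(count_recipients "$WORK/to_zorro.gpg")"   # 1
echo "to_both.gpg recipients:  $(count_recipients "$WORK/to_both.gpg")"    # 2
decrypt_as "$GEORGE" "$WORK/to_zorro.gpg" || echo "George cannot read mail encrypted to Zorro alone"
decrypt_as "$GEORGE" "$WORK/to_both.gpg"     # George reads his own Sent copy

revoke_key "$ZORRO" zorro@example.invalid
is_revoked "$ZORRO" zorro@example.invalid && echo "Zorro's key is now revoked"
decrypt_as "$ZORRO" "$WORK/to_both.gpg"      # still decrypts: revocation is metadata on the key

# Zorro's replacement key (constructed address) and the migration of the old message to it
gpg_as "$ZORRO" --quick-generate-key 'Zorro <zorro-new@example.invalid>' default default never
reencrypt "$ZORRO" "$WORK/to_both.gpg" "$WORK/to_both_new.gpg" zorro-new@example.invalid
decrypt_as "$ZORRO" "$WORK/to_both_new.gpg"  # readable with the new key only
```

The company-key arrangement in tsg's last paragraph is the same mechanism as the second `-r` above: an extra recipient whose wrapped copy of the session key travels with the message. On the gpg side that can be made permanent with an `encrypt-to` line in gpg.conf, and the practical caveat of this thread follows directly from the packet count: a message carries only the recipients it was encrypted to, so a key that was never listed, old or new, cannot read it, which is why the old secret keys (or a re-encrypted copy) have to be kept.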
 
Old 06-22-2010, 11:09 AM   #5
taylorkh, Senior Member, Original Poster (Registered: Jul 2006; Location: North Carolina; Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate; Posts: 2,127)
Thanks again tsg,

Not only would I need to keep the keys (historical and otherwise) but move them from OS version to version and machine to machine. I actually still have some dBase II files which were generated on my Osborne Executive running CP/M+. They have been migrated to DOS and are readable with a Windows VM using Visual FoxPro. If I type it in once, I DESPISE having to type it again!

Quote:
Save decrypted message
sounds like what I want. I will poke around and see if that can be made the default.

I have used PGP to create encrypted files which can be mounted as drive letters in Windows for many years. Accessing archived data in this format is the main reason I have an XP VM set up on my Ubuntu 10.04 host.

Before taking the opportunity for an EARLY early retirement from a Fortune 250 company in 2005 I was involved in some discussions re. setting up a public key server system for the purpose of signing engineering design documents. As I recall they were looking at some sort of Microsoft product. Microsoft - Security the ultimate oxymoron. Regardless of the product, corporate key management is something which needs a lot of thought before implementing. Especially if encryption is available to the users. Otherwise when an unhappy employee leaves... Best of luck with your implementation.

Ken
 
  

