Setting up encrypted mails with gpg and mutt

Hi everybody, especially folks at blinkenshell.

I want to explain how to set up mutt on blinkenshell to use gpg for sending and receiving encrypted mail. Here are the steps you need for encrypted messaging.

Generating a gpg secret key

First, you need to generate your gpg key for use with blinkenshell mail. You may skip this step if you already have a gpg key.

Issue this command on your desktop computer to generate your key.

gpg --gen-key

Follow the instructions. I suggest you use your blinkenshell mail address as the address on the key, because that is the address mutt will look up when it signs and encrypts.

Make a note of your gpg passphrase. If you forget it, the key is unusable. Since the secret key will later be copied to a shared host, make it a real passphrase rather than a short password. It is also worth generating a revocation certificate now (gpg's --gen-revoke option) and keeping it somewhere safe, so you can retire the key if it is ever lost or compromised.

You may generate the key on blinkenshell itself, but I don't recommend it: a shared shell host has little entropy to draw on, and anyone with root there could read the key while it is being created. Use your desktop to generate gpg keys.

Congratulations. Your first gpg key is generated.

Publishing gpg public key to keyserver

Next, find the id of the key you just generated. On your desktop, issue the following command.

gpg --list-keys

Make a note of the key id associated with your blinkenshell mail address. As a real example, my key id is D21D8761.

pub   4096R/D21D8761 2014-06-27 [expires: 2019-06-26]
uid  The Fuzzy Whirlpool Thunderstorm (My new 4096bit RSA key)

Your key id will be different from mine. Note that D21D8761 is a short id, only the last 32 bits of the key's fingerprint; short ids are cheap to collide, so whenever you need to be certain which key you are dealing with, compare the full 40-digit fingerprint rather than the short id.
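As an added example (mine, not part of the original post), here is a small shell helper that resolves a key id to the full fingerprint by parsing gpg's machine-readable listing, and refuses to answer when a short id matches more than one key. The sample listing is constructed: the keys in it are made up, and two of them deliberately share the short id D21D8761 from above so you can see the collision case.

```sh
#!/bin/sh
# keyid_to_fpr KEYID: read "gpg --with-colons --fingerprint --list-keys"
# output on stdin and print the full fingerprint of the primary key whose
# long key id ends with KEYID (short 8-digit id, long 16-digit id, either
# with or without an 0x prefix). Exit 1 if nothing matches, 2 if the id is
# ambiguous, which is exactly the case a short id cannot protect you from.
keyid_to_fpr() {
    [ -n "$1" ] || { echo "usage: keyid_to_fpr KEYID" >&2; return 1; }
    want=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    # In colon output, field 5 of a "pub" record is the long key id and the
    # next "fpr" record carries the 40-digit fingerprint in field 10.
    awk -F: -v want="$want" '
        $1 == "pub" {
            take = 0; id = $5
            if (length(id) >= length(want) &&
                substr(id, length(id) - length(want) + 1) == want) take = 1
        }
        $1 == "fpr" && take { found = $10; n++; take = 0 }
        END {
            if (n == 1) { print found; exit 0 }
            if (n == 0) exit 1
            exit 2
        }'
}

# gpg_fingerprint KEYID: the same lookup against your real keyring.
gpg_fingerprint() {
    gpg --with-colons --fingerprint --list-keys 2>/dev/null | keyid_to_fpr "$1"
}

# Constructed sample listing (made-up keys). The two primary keys share the
# short id D21D8761 but have different long ids and fingerprints.
SAMPLE_LISTING='tru::1:1403827200:0:3:1:5
pub:u:4096:1:ABCDEF01D21D8761:1403827200:1561507200::u:::scESC:
fpr:::::::::111122223333444455556666ABCDEF01D21D8761:
uid:u::::1403827200::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.org>:
sub:u:4096:1:0011223344556677:1403827200:1561507200:::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0011223344556677:
pub:u:2048:1:12345678D21D8761:1403827200::::::scESC:
fpr:::::::::99998888777766665555444412345678D21D8761:'

# Demo on the constructed listing: the long id resolves, the short id does not.
printf '%s\n' "$SAMPLE_LISTING" | keyid_to_fpr ABCDEF01D21D8761
printf '%s\n' "$SAMPLE_LISTING" | keyid_to_fpr D21D8761 || echo "D21D8761 is ambiguous here (exit status $?)"
```

Run gpg_fingerprint with your own id to get the value to put in pgp_sign_as and to compare with what other people see; an exit status of 2 means you must switch to the long id or the fingerprint.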

Export your public key to a keyserver so other people can fetch it. Replace D21D8761 with your key id. (keys.gnupg.net pointed at the SKS keyserver pool, which has since shut down; if it no longer answers, keys.openpgp.org is the usual replacement.)

# Here you'll export the public key to keys.gnupg.net
# There are a lot of keyservers available,
# for example pgp.mit.edu and keyserver.ubuntu.com
gpg --keyserver keys.gnupg.net --send-keys D21D8761

Importing secret key to Blinkenshell

Export the secret key to a file. Replace the key id with yours.

gpg --output ~/mysecretkey.gpg --export-secret-keys D21D8761

Your secret key is now exported to the file mysecretkey.gpg in your home directory. The export is protected by your passphrase, but it is still the whole secret key, and on a shared host anyone with root can copy it and attack the passphrase offline. (If your key has separate signing and encryption subkeys, gpg's --export-secret-subkeys option exports only those and lets you keep the primary key at home.) Now, transfer the secret key to blinkenshell via scp.

scp -P443 ~/mysecretkey.gpg yourname@ssh.blinkenshell.org:~/

Your secret key is now in your home directory on blinkenshell.

Now, connect via ssh to blinkenshell and import the secret key for use with blinkenshell mail.

ssh -p 443 yourname@ssh.blinkenshell.org

Issue the command to import the secret key

gpg --import ~/mysecretkey.gpg

Make sure the key was imported correctly.

gpg --list-secret-keys

Congratulations, you have successfully imported your secret key for use with your blinkenshell mail address. Delete ~/mysecretkey.gpg on both machines now; from here on the key lives in ~/.gnupg, and the export file is just one more copy to protect.

Compiling mutt with support for tls, sasl, imap, and gpgme

Now let's move to mutt configuration. Issue all these commands on your blinkenshell via ssh.

Download the mutt source code and its detached signature from bitbucket.

wget -O mutt-1.5.23.tar.gz "https://bitbucket.org/mutt/mutt/downloads/mutt-1.5.23.tar.gz"
wget -O mutt-1.5.23.tar.gz.asc "https://bitbucket.org/mutt/mutt/downloads/mutt-1.5.23.tar.gz.asc"

Make gpg retrieve keys automatically when it needs them. Be aware of what this does: any key named by a signature gets fetched, so a "Good signature" no longer tells you anything about who signed, only that the signature is consistent with the key it points to.

echo 'keyserver-options auto-key-retrieve' | tee -a ~/.gnupg/gpg.conf

Verify the integrity of the downloaded mutt source code.

gpg --verify mutt-1.5.23.tar.gz.asc mutt-1.5.23.tar.gz

Make sure the output says "Good signature from...". That alone is not enough, though: gpg will also print the signing key's fingerprint and, since you have never certified that key, a warning that it is not certified with a trusted signature. Compare the fingerprint with the one the mutt developers publish (their website, a signed release announcement, or a key you already trust), and only then treat the download as verified. If it says "Bad signature...", don't unpack the file; download it again, and if the signature still fails, assume the file was tampered with in transit or on the mirror.

Congratulations. You have verified the downloaded source code.
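The "Good signature" text above is only half the check, so here is an added example (not from the original post) of verifying a tarball against a pinned fingerprint: gpg's --status-fd output is parsed for a VALIDSIG record naming the expected key, which stays correct even when auto-key-retrieve has just fetched an attacker's key. The status samples are constructed and the signer fingerprint in them is made up; the mutt release fingerprint itself is a placeholder you must fill in from a source you trust.

```sh
#!/bin/sh
# check_status EXPECTED_FPR: read gpg --status-fd output on stdin and succeed
# only when a VALIDSIG record names EXPECTED_FPR (40 hex digits), either as
# the signing key (field 3) or as its primary key (last field, present when a
# subkey made the signature), and no BADSIG/ERRSIG/NO_PUBKEY record appears.
# Status records involved (format documented in gnupg's doc/DETAILS):
#   [GNUPG:] GOODSIG  <long key id> <user id>
#   [GNUPG:] VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <rsv> <pk-algo> <hash-algo> <class> [<primary fpr>]
#   [GNUPG:] BADSIG   <long key id> <user id>
check_status() {
    want=$(printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F')
    [ ${#want} -eq 40 ] || { echo "check_status: expected a 40-digit fingerprint, not a key id" >&2; return 1; }
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY") { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# verify_tarball EXPECTED_FPR SIGFILE FILE: run gpg and feed its status output
# through check_status. --status-fd 1 puts the machine-readable records on
# stdout; the human-readable "Good signature from ..." text stays on stderr.
verify_tarball() {
    gpg --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# Constructed status output for the demo: a made-up signer whose fingerprint
# ends in the D21D8761 id used throughout this post.
GOOD_FPR=111122223333444455556666ABCDEF01D21D8761
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] SIG_ID rS9FqhTKCJbA0ISsHRJlAHMlLeg 2014-03-12 1394640000
[GNUPG:] GOODSIG ABCDEF01D21D8761 Example Release Signer <signer@example.org>
[GNUPG:] VALIDSIG 111122223333444455556666ABCDEF01D21D8761 2014-03-12 1394640000 0 4 0 1 10 00 111122223333444455556666ABCDEF01D21D8761
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG ABCDEF01D21D8761 Example Release Signer <signer@example.org>'

# Demo against the constructed samples (no gpg needed):
printf '%s\n' "$SAMPLE_GOOD" | check_status "$GOOD_FPR" && echo "pinned fingerprint matched"
printf '%s\n' "$SAMPLE_GOOD" | check_status 0000000000000000000000000000000000000000 || echo "good signature, but from the wrong key"

# Real use, once you have the release signer's fingerprint from a trusted source:
#   MUTT_RELEASE_FPR=...   # placeholder: the signer's 40-digit fingerprint
#   verify_tarball "$MUTT_RELEASE_FPR" mutt-1.5.23.tar.gz.asc mutt-1.5.23.tar.gz || exit 1
```

The point of pinning is that the check no longer depends on which keys happen to be in your keyring or what auto-key-retrieve pulled in: a signature from any other key, however "good", fails.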

Now it's time to compile and install mutt. Get yourself access to the buildserver.

Note: the buildserver is not available anymore. You can use the mutt that is already installed on blinkenshell instead of compiling your own.

ssh buildserver

Type your shell password when asked.

Launch tmux so that a dropped connection doesn't interrupt the build.

tmux

Extract the downloaded mutt source code

tar zxf mutt-1.5.23.tar.gz

Now, let's begin the compilation process.

Change working directory into mutt directory

cd mutt-1.5.23/

Define compilation options.

./configure --prefix=$HOME '--with-mailpath=~/Maildir' \
'--with-domain=blinkenshell.org' '--with-gnutls' '--with-sasl' \
'--with-included-gettext' '--with-regex' \
'--enable-pop' '--enable-imap' '--enable-smtp' \
'--enable-gpgme' '--enable-hcache'

Begin compilation process.

time make V=s

When compilation process is finished, install the compiled binary to your home directory.

make install

Exit tmux and close connection to buildserver.

exit
[exited]
exit
Connection to buildserver closed

Now, add $HOME/bin to your PATH. Use double quotes here: with single quotes the shell would store the literal string $HOME/bin:$PATH, and you would lose every command on your PATH.

export PATH="$HOME/bin:$PATH"

You can make this persistent by adding the line to your .bashrc or .zshrc. The outer single quotes keep echo from expanding the variables, so the file gets the double-quoted line exactly as above.

If you are using bash as login shell

echo 'export PATH="$HOME/bin:$PATH"' | tee -a ~/.bashrc

If you are using zsh as login shell

echo 'export PATH="$HOME/bin:$PATH"' | tee -a ~/.zshrc

Congratulations, you have a working mutt installed in your home directory.

Mutt configuration

Let's configure mutt for sending and receiving encrypted mail. Create the .muttrc file in your home directory.

touch ~/.muttrc

Create the ~/.mutt/tmp directory that the tmpdir setting below points at (not .muttrc/tmp, which would clash with the file you just created), and the directory for the header cache.

mkdir -p ~/.mutt/tmp ~/.cache/mutt

Edit the content of .muttrc as follows.

# replace vim with your favorite text editor, for example nano or ed
set editor=vim
set hostname="blinkenshell.org"
# replace with your realname as you used on your gpg key
set realname="The Fuzzy Whirlpool Thunderstorm"
set folder=imap://despina:143/
# replace with your blinkenshell username
set imap_user=whirlpool
set spoolfile=+INBOX
mailboxes =INBOX =family
set header_cache=~/.cache/mutt
set imap_keepalive=300
set mail_check=60
set record=+Sent
set smtp_url=smtp://$imap_user@despina/
set ssl_force_tls=yes
set ssl_starttls=yes
set crypt_autosign=yes
set crypt_replysign=yes
set crypt_replysignencrypted=yes
set crypt_replyencrypt=yes
set pgp_use_gpg_agent=yes
set crypt_use_gpgme=yes
# replace D21D8761 with your gpg key id
set pgp_sign_as=D21D8761
set pgp_timeout=300
set tmpdir=~/.mutt/tmp

Accessing mailserver with mutt

Log in to your blinkenshell account. In the ssh shell, launch mutt by typing:

mutt

The first time, mutt will ask you to check the server certificate, once for IMAP and once for SMTP. The prompt offers (r)eject, accept (o)nce and (a)ccept always. Don't press 'a' blindly: compare the fingerprint mutt shows with the one the blinkenshell admins publish, because accepting a certificate you haven't checked is exactly the opening a man-in-the-middle needs. Once you press 'a', mutt saves the certificate to ~/.mutt_certificates and won't ask again unless the certificate changes.
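As an added example (not from the original post), here is how to check the mail server's certificate yourself before pressing 'a': fetch it with openssl over STARTTLS on the same host and port as the .muttrc above, and compare its SHA-256 fingerprint with the one the admins publish. The published fingerprint and the openssl output line in the demo are constructed values, not despina's real certificate.

```sh
#!/bin/sh
# normalize_fpr STRING: accept either the line openssl prints
# ("SHA256 Fingerprint=AB:CD:...") or a bare fingerprint with colons or
# spaces, and return lowercase hex with no separators.
normalize_fpr() {
    printf '%s' "$1" | sed 's/^.*[Ff]ingerprint=//' | tr -d ': ' | tr 'A-F' 'a-f'
}

# fingerprints_match A B: succeed only if both are the same SHA-256
# fingerprint (64 hex digits). A 40-digit SHA-1 value is rejected rather
# than compared, so an old SHA-1 note can never match by accident.
fingerprints_match() {
    fa=$(normalize_fpr "$1")
    fb=$(normalize_fpr "$2")
    [ ${#fa} -eq 64 ] && [ "$fa" = "$fb" ]
}

# server_cert_fpr HOST PORT: fetch the certificate the IMAP server presents
# after STARTTLS and print its SHA-256 fingerprint line. Needs network access.
server_cert_fpr() {
    openssl s_client -connect "$1:$2" -starttls imap </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# check_mail_server HOST PORT EXPECTED: 0 if the live certificate matches
# EXPECTED, 1 if it does not, 2 if the server could not be reached.
check_mail_server() {
    live=$(server_cert_fpr "$1" "$2") || return 2
    [ -n "$live" ] || return 2
    fingerprints_match "$live" "$3"
}

# Constructed demo values (made up; not despina's real certificate):
PUBLISHED_FPR='ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89'
OPENSSL_LINE='SHA256 Fingerprint=AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89'
fingerprints_match "$OPENSSL_LINE" "$PUBLISHED_FPR" && echo "certificate matches the published fingerprint; safe to press a"

# Live check against the host from the .muttrc, with the fingerprint the
# blinkenshell admins publish in place of the placeholder:
#   check_mail_server despina 143 "$PUBLISHED_FPR" || echo "do NOT accept this certificate"
```

Run the live check from the shell host itself, since that is where mutt connects from; a mismatch there means either the admins rotated the certificate or someone is sitting between you and the mail server, and in both cases you want to ask before accepting.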

Mutt will ask for a password to log in to the mail server. Your shell password is the one to use.

Password for whirlpool@despina:

Congratulations. You've successfully set up mutt on your blinkenshell. Exit mutt by pressing 'q'.

Verifying mutt configuration for encrypted messaging

Here you will send me an encrypted mail to verify the mutt configuration. Get my public key by issuing the following command (use another keyserver if keys.gnupg.net no longer answers).

gpg --keyserver keys.gnupg.net --recv-keys D21D8761

Before you use the key you just fetched, compare its fingerprint with one you got from me through another channel; a keyserver stores keys but doesn't vouch for who owns them. Now it's time to test the power of mutt. Launch mutt and compose a mail to me by pressing 'm'. Specify the recipient by typing my email address.

whirlpool [at] blinkenshell [dot] org

When you're done typing, exit the text editor. Press 'p' for the PGP options and choose both signing and encrypting by pressing 'b'. Finally, send your mail by pressing 'y'. Type your gpg passphrase when asked; signing needs it (encrypting to my key doesn't). If mutt asks for a password again, that is the SMTP login, so type your shell password. If the mail is sent successfully, mutt will say 'Mail sent'.

That's all.