GnuPG in mutt

ubuntu security

Warning! This post is quite old, and it might not apply anymore, or maybe there's a better way to do the same thing nowadays. Take with a big grain of salt!

As part of my efforts to contribute to ubuntu, I set up a new GPG key a few weeks ago. I set it up in kmail on my laptop, which works well, but now I need to read the same messages from mutt on my server. It's not quite so simple when working without the ubuntu safety net, but it's still not all that bad.

Update (2013-07-15): It looks like recent events have led to a bit of interest in this rather old post, so I've made a few updates to make it more clear. Notably, it now contains all of the relevant pgp settings to use.

Firstly, I copied my secret key (already generated) to the server.

on the laptop with mutt

gpg --export-secret-key -a > secret.key
scp secret.key myserver.example.com
## make sure to clean up the temp file
rm secret.key

on the mail server

gpg --import secret.key
## make sure to clean up the temp file
rm secret.key

The next step was to add various pgp_* lines in my .muttrc. Here's the relevant section, which use the standard ubuntu gpg (Gnu Privacy Guard) packages. Change the key ID from DEADBEEF to the ID for your signing key in 3 places.

You can find your key ID by running gpg --list-keys.

# PGP #####################################################################
set pgp_decode_command="gpg %?p?--passphrase-fd 0? --no-verbose --batch --output - %f"
set pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %f"
set pgp_decrypt_command="gpg --passphrase-fd 0 --no-verbose --batch --output - %f"
set pgp_sign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode %?a?-u %a? %f"
set pgp_clearsign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f"
set pgp_encrypt_only_command="/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0xDEADBEEF -- -r %r -- %f"
set pgp_encrypt_sign_command="/usr/lib/mutt/pgpewrap gpg --passphrase-fd 0 --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0xDEADBEEF -- -r %r -- %f"
set pgp_import_command="pgpk -z -a %f"  # was "gpg --no-verbose --import -v %f"
set pgp_export_command="pgpk -z -x %r"  # was "gpg --no-verbose --export --armor %r"
set pgp_verify_key_command="gpg --no-verbose --batch --fingerprint --check-sigs %r"
set pgp_list_pubring_command="gpg --no-verbose --batch --with-colons --list-keys %r"
set pgp_list_secring_command="gpg --no-verbose --batch --with-colons --list-secret-keys %r"
#set pgp_autosign=yes
set pgp_sign_as=0xDEADBEEF
set pgp_timeout=1800
set pgp_good_sign="`gettext -d gnupg -s 'Good signature from "' | tr -d '"'`"
set certificate_file = "~/.mutt/certificates"

That's enough to be able to encrypt, read, and sign messages. I'm currently getting a "PGP Signature could NOT be verified" message when viewing my own messages, which I believe is because the ubuntu key I generated was self-signed. I would likely need to go to a keysigning party and get into a few webs of trust to get rid of that particular message.

References

Mutt/PGP notes