Encryption

To protect and encode your e-mail transmitions, Evolution offers two encryption methods:

Evolution helps you protect your privacy by using GNU Privacy Guard (GPG), an implementation of strong Public Key Encryption.

GPG uses two keys: public and private. You can give your public key to anyone you want to receive encrypted messages, or put it on a public key server so that people can look it up before contacting you. Your private key lets you decrypt any message encrypted with your public key. Never give your private key to anyone.

Using encryption takes a bit of forethought. When you send a message that is encrypted, you must encrypt it using your intended recipient's public key. To receive an encrypted message, you must make sure that the sender has your public key in advance. For signing messages, you encrypt the signature with your private key, so only your public key can unlock it. When you send the message, the recipient gets your public key and unlocks the signature, verifying your identity.

Evolution does not support older versions of PGP, such as OpenPGP and Inline PGP.

You can use encryption in two different ways:

For example, suppose that Kevin wants to send an encrypted message to his friend Rachel. He looks up her public key on a general key server, and then tells Evolution to encrypt the message. The message now reads "@#$23ui7yr87#@!48970fsd." When the information gets to Rachel, she decrypts it using her private key, and it appears as plain text for her to read.


Making a GPG Encryption Key

Before you can get or send encrypted mail, you need to generate your public and private keys with GPG. This procedure covers version 1.2.4 of GPG. If your version is different, these steps might vary slightly. You can find out your version number by entering gpg --version.

  1. Open a terminal and enter gpg --gen-key.

  2. Select an algorithm, then press Enter.

    or

    To accept the default algorithm of DSA and ElGamal, press Enter (recommended).

  3. Select a key length, then press Enter. To accept the default, 1024 bits, press Enter.

  4. Enter how long your key should be valid for.

    or

    To accept the default of no expiration, press Enter, then press Y when you are prompted to verify the selection.

  5. Type your real name, then press Enter.

  6. Type your e-mail address, then press Enter.

  7. (Optional) Type a comment, then press Enter.

  8. Review your selected user ID. If it is correct, press O.

  9. Type a passphrase, then press Enter.

  10. Move your mouse randomly to generate the keys.

After the keys are generated, you can view your key information by entering gpg --list-keys. You should see something similar to this: /home/you/.gnupg/pubring.gpg ---------------------------- pub 1024D/32j38dk2 2001-06-20 you <you@your-address.com> sub 1024g/289sklj3 2001-06-20 [expires: 2002-11-14]

GPG creates one list, or keyring, for your public keys and one for your private keys. All the public keys you know are stored in the file ~/.gnupg/pubring.gpg. If you want to give other people your key, send them that file.

If you want, you can upload your keys to a key server.

  1. Check your public key ID with gpg--list-keys. It will be the string after 1024D on the line beginning with pub. In the example above, it is 32j38dk2.

  2. Enter the command gpg --send-keys --keyserver wwwkeys.pgp.net 32j38dk2. Substitute your key ID for 32j38dk2. You need your password to do this.

Key servers store your public keys for you so that your friends can decrypt your messages. If you choose not to use a key server, you can manually send your public key, include it in your signature file, or put it on your own Web page. However, it's easier to publish a key once, and then let people download it from a central place when they want.

If you don't have a key to unlock or encrypt a message, you can set your encryption tool to look it up automatically. If it can't find the key, an error message appears.


Getting and Using GPG Public Keys

To send an encrypted message, you need to use the recipient's public key in combination with your private key. Evolution handles the encryption, but you need to get the public key and add it to your keyring.

To get public keys from a public key server, enter the command gpg --recv-keys --keyserver wwwkeys.pgp.net keyid, substituting keyid for your recipient's ID. You need to enter your password, and the ID is automatically added to your keyring..

If someone sends you a public key directly, save it as a plain text file and enter the command gpg filename to add it to your keyring.


Setting up GPG Encryption

  1. Click Tools > Settings, then click Mail Accounts.

  2. Select the account you want to use securely, then click Edit.

  3. Click the Security tab.

  4. Specify your key ID in the PGP/GPG Key ID field.

  5. Click OK.

  6. Click Close.

Evolution requires that you know your key ID. If you don't remember it, you can find it by typing gpg --list-keys in a console window. Your key ID is an eight-character string with random numbers and letters.


Encrypting Messages

To encrypt a single message:

  1. Open a Compose a Message window.

  2. Click Security > PGP Encrypt.

  3. Compose your message, then click Send.

You can set Evolution to always sign your e-mail messages:

  1. Click Tools > Settings, then select Mail Accounts.

  2. Select the mail account to encrypt, then click Edit.

  3. Click the Security tab.

  4. Select Always Sign Outgoing Messages When Using This Account.

  5. Click OK.

  6. Click Close.


Unencrypting a Received Message

If you receive an encrypted message, you need to decrypt it before you read it. Remember, the sender must have your public key before they can send you an encrypted message.

When you view the message, Evolution prompts you for your PGP password. Enter it, and the unencrypted message is displayed.


S/MIME Encryption

S/MIME encryption also uses a key-based approach, but it has some significant advantages in convenience and security. S/MIME uses certificates, which are similar to keys. The public portion of each certificate is held by the sender of a message and by one of several certificate authorities, who are paid to guarantee the identity of the sender and the security of the message. Evolution already recognizes a large number of certificate authorities, so when you get a message with an S/MIME certificate, your system automatically receives the public portion of the certificate and decrypts or verifies the message.

S/MIME is used most often in corporate settings. In these cases, administrators supply certificates that they have purchased from a certificate authority. In some cases, an organization can act as its own certificate authority, with or without a guarantee from a dedicated authority such as Verisign or Thawte*. In either case, the system administrator provides you with a certificate file.

If you want to use S/MIME independently, you can extract an identification certificate from your Mozilla or Netscape Web browser. See the Mozilla help for more information on security certificates.

The certificate file is a password-protected file on your computer. To use it in Evolution:


Adding a Signing Certificate

  1. Click Tools > Settings, then click Certificate Tool.

  2. Click Import.

  3. Select the file to import, then click OK.

  4. Click Close.

Similarly, you can add certificates that are sent to you independently of any authority by clicking the Contact Certificates tab and using the same Import tool. You can also add new certificate authorities, which have their own certificate files, in the same way.


Signing or Encrypting Every Message

After you have added your certificate, you can sign or encrypt a message by clicking Security > S/MIME Sign or S/MIMe Encrypt in the message composer.

To have every message signed or encrypted:

  1. Click Tools > Options, then select the account to encrypt the messages in.

  2. Click Edit, then click Security.

  3. Click Select next to Signing Certificate and specify the path to your signing certificate.

    or

    Click Select next to Encryption Certificate and specify the path to your encryption certificate.

  4. Select the appropriate options.

  5. Click OK.

  6. Click Close.