Episode: 1557
Title: HPR1557: Encrypting E-mail on Android; Importing Keys
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1557/hpr1557.mp3
Transcribed: 2025-10-18 05:05:48
---
[Music]
Hi, this is Ahuka, welcoming you to Hacker Public Radio, and the next in our exciting security and privacy series. And I think this is one where we wrap up our discussion of encryption and email. It's been good, we've spent a number of episodes talking about it, but you know, at some point you got to wrap this topic up and move on to other things. So what I want to do this time is talk about encrypting email on Android and give you a method for doing that. And I also want to talk about importing keys, which is an important topic when you're working with this kind of security stuff. You need to know how to import keys in order to communicate with people. So those will be the two topics we'll cover today.
So first let's take a look at encrypting email on Android. We've already looked at Thunderbird and Gmail, that's all good. But these days a lot of people use mobile phones and tablets for their email, so it does make sense that we take a look at all of that. I'm going to explore a solution that I use on Android. One of the things I want to make clear is that I am only discussing the things that I myself have done and am currently using. I'm not making any pretense to have covered everything possible out there. If you use an iPhone, I don't know what you do on iPhones. Maybe the same software is available, maybe not. Maybe someone who has an iPhone wants to record a show. I'm pretty sure Ken Fallon would be OK with that.
So what I'm going to do is I'm going to take a look at Android. And for the stuff that I do, I'm going to take a look at two components. First is a mail client called K9. Now I don't know if this is the best mail client on Android, but it's a pretty darn good one. And it's one that I've been using ever since I got my first Android phone.
Now I use this the way I would use Thunderbird on a desktop. In other words, this is not a web client. It is a legitimate mail client. I point it to my domain, to the mail servers that my domain has and that sort of thing. Now to go with that, just as with Thunderbird, we had a plug-in, or an add-on, called Enigmail. In this one, I'm going to use something called Android Privacy Guard. And it's usually seen by its initials, APG. So those are the two pieces that I use. Now both of these are available in the Google Play Store. So you could just download and install them and away you would go.
Now one of the questions that I think these days we've started to become a little more sensitive to is: how do I know if this program is any good? And I'm going to tell you, I am not aware that anyone has done an audit on any of this stuff. In the checking that I have done online, looking at websites, I've seen a fair number of people recommending it. It's probably okay. But I don't know that anyone, any security team, has actually gone over this with a fine-toothed comb and said, yeah, we've looked it all over and it's wonderful. So the problem is, I'm not aware of anything available on Android that a security team has done that for. So this is probably as good as any of the options you have.
So installing: just go to the Google Play Store, find each of these, K9 Mail and APG. You click the install button. Once they've been installed, you need to configure them. So start by using the usual configuration of your mail account in K9. Now I'm not going to go into any particular depth here on that. I mean, it's just the usual account type, login name, password, name of the SMTP server for sending out mail, and either an IMAP or a POP3 server for incoming. All right. So I'm just going to assume you understand all of that. If not, go find a website on how to configure mail clients.
Now make sure that this is correct once you've configured it by connecting to your mail server, sending a test email and that sort of thing.
Now the next thing you have to do: verify that you have a public and private key available. Now in our Gmail tutorial, we looked at how to export these keys from your desktop computer. Review that information if necessary. You will need to have both of these keys in ASCII form before you can make this work. So you need to copy these keys from your computer to your phone. There are different ways to do this. But I'm going to do it using a program called AirDroid, which is also available in the Play Store, that lets you connect via Wi-Fi. Again, I'm not going to go into big detail about this. But AirDroid essentially creates a web server on your phone. And then you connect to that web server via your browser.
So install AirDroid as usual from the Play Store. On some newer Android phones, an icon will automatically be placed on your screen. But if not, go to your apps drawer and open the app from there. It will give you an address it picks up from your Wi-Fi router. So usually your Wi-Fi router will assign addresses from a non-routable range of IPv4 addresses, such as 192.168.x.x. And AirDroid will pick one of those and tell you to open it in your browser. It will also specify port 8888, entered after the address and separated by a colon. So the address to put in your browser will be something like 192.168.x.x:8888. This will be sent to your phone. And then you will be asked to approve the connection by pressing a button on your phone. So the phone will tell you, here's the address to use. You'll open the browser on your desktop. You'll put in that address to go there and then go back to your phone and say, yeah, I approve this connection. Now once you do that, you can, from your browser, download and upload files back and forth to your phone. It's very convenient. It's not the only way to do it.
I know it's possible to use a USB cable and mount your phone as a USB storage device. This is how I do it. All right. I use the upload function on the right of the browser page to upload your keys. If you exported both the public and private key as one operation, which you can do (remember, go back and take a look at exporting), you can export one file that has both your public and private key in it. So you have a single file, and that's what I did. So this will go to the Android uploads directory.
Now I ran into a little problem in that APG did not see the Android uploads directory. So it wasn't a place I could go to. So what I did is I installed the Astro file manager tool on my phone. And as soon as I did that, it integrated with APG and let me see the upload directory and a bunch of other directories. So then I could see the file, and in APG I clicked the import button and my keys were imported. Now you need to do it one at a time, once for public, once for private. But once you have imported them, you should be able to send and receive encrypted emails.
Now, important: danger, Will Robinson! You just added your private key as an easily readable ASCII file to your phone. Anyone who can get your phone can get your key. I would delete this file as soon as you have things working. Depending on your jurisdiction and its laws, you may not have any right to privacy in the contents of your phone. And the authorities will probably be overjoyed to get this kind of information. You have been warned. That's one of the things about public key encryption. There are ways to move these keys around from one device to another, but you've got to be careful you don't leave the back door unlocked as you do it.
Now with your keys in APG, you should find that K9 has added a few things. Open the compose window and you will now see two checkboxes right under the To field and above the subject field. One for sign and another for encrypt.
You can sign your emails right away: just put in a checkmark, compose your email as usual, and when you click send, you will be asked for your passphrase. Enter your passphrase and your digitally signed email is on its way. Now, I've done this. I wouldn't do it a lot on my phone because of that thing about entering your passphrase, which I so glibly slid right by you. If your passphrase has any security at all, it will be at least three times as annoying doing it on your phone as it is on your desktop, or at least it is for me; maybe you're much better with these things than I am. But I find it enough of a pain in the butt when I'm on a regular keyboard. On a phone keyboard, I've got mixes of letters and special characters and numbers, and on my phone that means I've got to switch to different screens each time I have to change character sets. So, just mentioning that.
I said, this is what you do to sign an email. When you want to send an email, that means importing keys. Remember that when you send encrypted email, you are using the public key of the person to whom you are sending the email. So I have to get some public keys of some people into my K9 mail before I can do that. Or whatever; in fact, this is a general discussion for any mail client. It doesn't have to be on a phone, it could be a desktop or a tablet or anything. Generally the issue is you have to import public keys of people. So I have some public keys, including some of the Hacker Public Radio folks like Ken Fallon and Dave Morris.
So how do you do this? Now you can search for keys to import from the public key servers, and you can do it from within APG. So if you're doing it on your Android phone, you just click on the hamburger icon in APG. It's on the upper left next to the key icon. It's called hamburger for reasons that I think I understand. It's the three horizontal lines. So I suppose that represents a hamburger patty between two buns or something. But it's really just three horizontal lines.
So anyway, you click the hamburger icon and you see a menu that says import keys. This will bring up a search window where you can search for keys. Now the default key server is pool.sks-keyservers.net. But if you click the drop down, it will let you choose among several others like subkeys.pgp.net or pgp.mit.edu. And I tend to use the mit.edu one a lot, but whatever floats your boat. Given that all of these servers sync with each other, there's probably no strong reason to prefer one over the other; I've not run across anything yet. In any case, you want to type in a name in the search box and click the button. And then when you get the result you like, you can import her public key into your key ring and start sending encrypted email to her.
Now one thing you need to keep in mind is that each device has its own key ring. So if you commonly correspond with people from your laptop, your desktop, your smartphone, your tablet, you're going to have to import the key separately to each one of those devices. Now on any device, whether a phone, laptop, tablet, or desktop, you have this thing which I've called a key ring, simply a database of the keys that you know about, that you have imported. Now in Linux, this is usually provided by the operating system as a standard service. In Windows, it is more often provided by the PGP software. But it will be there. So your own key pair will be stored there, as well as the public keys of all of your correspondents.
Now generally a key is given a short eight character identifier. For example, if I go to http://pgp.mit.edu, I can type in my own name, which is Kevin O'Brien, and get back a list of results. At the top of the list is this entry, and it says pub, space, 2048R, and that tells me about the 2048 bit key, slash e50b64e. Now that is the 8 bit identifier, e50b64e. And after that it says 2013-11-02; that was the date that I created it.
Then my name, Kevin O'Brien, and then in parentheses, the comment that I had put in that says encryption is great. So if you look that up, that is my public key, and you can send me encrypted email. So this tells me I can download the public key. It's a 2048 bit key, blah, blah, blah. If I click on my name, I get a little more information. It tells me, for instance, who signed the key. We talked about that in the show that I did with my friend Tony Bemus, who oddly enough has signed my key.
Looking back to the search results screen, if I click on the 8 character key ID, I get the actual public key. And that is something that says -----BEGIN PGP PUBLIC KEY BLOCK-----. And under that, Version: SKS 1.1.4, then under that, Comment: Hostname: pgp.mit.edu. And then under that is about 30 or 40 lines of gobbledygook; really, it looks like Base64. And I think that's probably a pretty good description of what it actually is. And then under that, at the very end, it's got a long dash and END PGP PUBLIC KEY BLOCK and another long dash. So it started with that -----BEGIN PGP PUBLIC KEY BLOCK. And then it ends with long dash, END PGP PUBLIC KEY BLOCK. So if you highlight all of that text, including the beginning and end, that's the public key.
Now what you can do then is to copy all of this text and paste it into a window in your software. Now I think there are some that will let you just put in the 8 character ID, but not all software is going to allow that. So this is the general thing you can always use: you just paste it in. Now, remember, this is supposed to be public. The MIT server very happily displays that to anyone who goes there looking. I have it on the about page of all of my websites, because if you've been paying close attention, you might have noticed, gee, he has more than one. Yeah, I do. It's just one way that I organize stuff.
So I just put it there and it's like, okay, here's my public key. And that's the intended use. For instance, I went to the contact page of Bruce Schneier's website. And there is his public key, and he's got a couple of different things there. But that's what you're supposed to do with this. So it just makes it easier for people to get your key and send you email. Now if you go back to our discussion of key signing and all of that, we have talked about how to make sure that the key you get really is the legitimate one. So I can paste this in for any software. For instance, if I open Mailvelope and go to the import page, there's a text box where I can just paste in all of this key and then send email.
So how do we deal with the trust? Tony and I talked about it a little bit, but I want to go over this because it is important. People who use encryption, well, they tend to be careful about using these keys. For the most part, I think using public key encryption is just a bit of a pain in the ass. Why do it badly? It's like annoying yourself for no good reason. So it's worth taking a little time to understand how this works and do it the right way.
So if you're importing keys, how much do you trust them? If it was just something you found on a website, then the question is, do I trust this website? I've used my website for a while. I have a lot of stuff up there. You may think, OK, well, that's pretty good. But it never hurts to verify. Because it's very simple for me to create a key. And for example, I could create a key and say, hi, my name is Bruce Schneier, and attempt to divert his correspondence to me. Because if I could get someone to use that public key that I created, I'm the only one with the private key to read it. And that's the trust issue. That's an example, by the way, of a, I guess you call that a man in the middle attack. I can get in the middle of this correspondence between two people if I can get one of them to use the key that I created.
And it's a very simple thing to do. So the answer we've come up with is something called the Web of Trust. It's not 100% foolproof, but reasonably secure if you take care. Now for instance, I mentioned one of the people I've corresponded with from time to time is Tony Bemus from the Sunday Morning Linux Review. How do I know that the key I'm using for him is really his key? Well, a number of things here. I know Tony personally. I've been in the same room with him. I know his voice. So I can pick up the phone, call him, and say, hey, Tony, is DB471CEE really your key? And he would say, well, yes, Kevin, as a matter of fact, it is. This is also a good thing to bear in mind in case of a name collision. I happen to know there's a lot of people out there named Kevin O'Brien. It's not a terribly unique name. And some of them also have keys. And I've seen that on key servers.
Now the next layer in this model is key signing. I mentioned that my key was signed by Tony. So let's say his partner on the Sunday Morning Linux Review podcast, Mary Tomich, was looking for my key. Well, she could go to this key server and do a search. And then if she saw that Tony signed it, that would probably give her a higher level of trust, as she already trusts Tony. And if you looked at a key that claimed to be Bruce Schneier and saw that no one had ever signed it, you would be suspicious, since Bruce is very well known in the security space. But note that qualification. Now, if someone is known to sign anything without checking, it would be prudent to discount that trust on anything they have signed. So if you've got your drinking buddy Joe, and Joe's a swell guy to hang out with in bars and all of that, but you know that he's got the judgment of a carrot, and he'll sign any key without ever thinking about it, seeing that he signed a key does not give you any kind of warm fuzzy that this key is any good.
Now one of the ways that keys get signed is at key signing parties, which often take place as part of techy conventions and such. The way these generally work is you come with your eight character ID and some good identification: passport, driver's license, you know, something that has your photo included. And other people there take a look at your identification, and if they decide they like the look of it, they can take your eight character key and sign it. It's a good idea to have this on slips of paper you can give out, because often people do not sign it right there, but take it home and sign it in the next few days. The more signatures you get and the more trustworthy the signers are, generally the more your key would be trusted.
Now there are different levels of trust, and when someone signs your key, they indicate just how much trust they are putting into it. The GNU Privacy Handbook lays this out. The very lowest level is unknown, all right? Nothing is known about the owner's judgment in key signing; keys in your public key ring that you do not own initially have this trust level. So that's just saying, I don't know, all right, might be good, might not, there's just no way of knowing. None is the level of trust because the owner is known to improperly sign other keys, all right? This is a known bad guy. Marginal, okay, marginal is the owner understands the implications of key signing, and properly validates keys before signing them. Now bear in mind, it's just marginal, because all that that means is that someone took the trouble of looking at a good form of ID with a picture attached and all of that. Now that's a good practice; it doesn't prove that they're blood brothers, so to speak, okay? Then full would be the owner has an excellent understanding of key signing, and his signature on a key would be as good as your own. Now, that's what it says in the GNU Privacy Handbook.
I've seen software out there that uses slightly different terminology, so take a look at that. Now, would I ever trust anyone's key as much as I do my own? Probably not. Now in the software that I use, there's a level called Ultimate Trust, and the only thing I ultimately trust is my own key. Anyone else's key is going to be one notch below that at best, so if I were at a key signing event and someone I don't personally know, I would just put unknown, all right? I'm going to say, yeah, I saw your key, but I don't really know you, and all you're attesting to when you do this, bear in mind, is that you are attesting to the fact that you are pretty reasonably certain that the person using this key is who they say they are, okay?
So that's how you import keys and indicate an appropriate level of trust, and that wraps up our description of encryption and email. I don't think I'm going to come back to it unless an interesting issue comes up, and there's so much more. So for next time, we're going to move on to a general model for understanding security, which comes courtesy of Bruce Schneier, and I hope is going to lay some groundwork for then getting into future topics such as password security and authentication and Tor networks and home fire, you know, there's a ton of stuff yet to come. So this is Ahuka reminding you, as I always do, to support free software, signing off for Hacker Public Radio. Bye-bye.
You have been listening to Hacker Public Radio at hackerpublicradio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever consider recording a podcast, then visit our website to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club. HPR is funded by the Binary Revolution at binrev.com; all binrev projects are proudly sponsored by Lunarpages.
From shared hosting to custom private clouds, go to lunarpages.com for all your hosting needs. Unless otherwise stated, today's show is released under a Creative Commons Attribution-ShareAlike 3.0 license.
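The checks the episode describes (copying the whole armored block including its BEGIN and END lines, reading the eight-character key ID, and confirming a key with its owner by phone) can be scripted. The following Python is an added example, not part of the episode and not APG's or any key server's code: it verifies the armor's CRC-24 line, computes the OpenPGP version 4 fingerprint, and compares it with the value the owner reads out. The sample key is constructed in the code and is not a real key; every function name is hypothetical.

```python
import base64, hashlib, struct

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880, used for the '=XXXX' line that ends the armor."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Return the binary packets inside an armored block, or raise ValueError."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 4 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("text does not include the full BEGIN/END lines")
    body = lines[1:-1]
    if "" in body:  # Version:/Comment: headers end at a blank line
        body = body[body.index("") + 1:]
    if len(body) < 2 or not body[-1].startswith("="):
        raise ValueError("armor checksum line is missing")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("armor checksum mismatch: the paste is damaged")
    return data

def fingerprint(packets: bytes) -> str:
    """40-hex-digit fingerprint of a leading v4 public-key packet (old-format header)."""
    size = {0x98: 1, 0x99: 2, 0x9A: 4}.get(packets[0])
    if size is None:
        raise ValueError("expected an old-format public-key packet first")
    length = int.from_bytes(packets[1:1 + size], "big")
    body = packets[1 + size:1 + size + length]
    if len(body) != length or body[:1] != b"\x04":
        raise ValueError("expected a complete version 4 key")
    return hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()

def short_id(fpr: str) -> str:
    return fpr[-8:]  # the eight-character key ID is the fingerprint's tail

def matches_owner(armored: str, read_out: str) -> bool:
    """Compare the pasted key with the fingerprint its owner reads out to you."""
    return fingerprint(dearmor(armored)) == read_out.replace(" ", "").upper()

def _mpi(value: int) -> bytes:
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

# Constructed sample: a made-up RSA public-key packet, not anyone's real key.
_body = b"\x04" + struct.pack(">I", 1_400_000_000) + b"\x01" \
    + _mpi(int.from_bytes(b"\xc5" + bytes(range(1, 32)), "big")) + _mpi(65537)
_packet = b"\x99" + struct.pack(">H", len(_body)) + _body
_b64 = base64.b64encode(_packet).decode()
SAMPLE = "\n".join([BEGIN, "Comment: constructed sample", "",
                    *[_b64[i:i + 64] for i in range(0, len(_b64), 64)],
                    "=" + base64.b64encode(crc24(_packet).to_bytes(3, "big")).decode(), END])

if __name__ == "__main__":
    fpr = fingerprint(dearmor(SAMPLE))
    print("fingerprint:", fpr, "short ID:", short_id(fpr))
```

Because the short ID is only the last eight hex digits of the fingerprint, the comparison here uses the full 40-digit value.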