Re: How do you manage encrypted mail?

2013-07-10 Thread Andrei POPESCU
On Tue, 02 Jul 13, 15:18:54, Rob Owens wrote:
> > 
> On my system, Mutt doesn't re-ask me for my GPG passphrase until some
> timeout has been reached.  5 minutes, I think.  I didn't set it like 
> that.  It was the default.  I'm not sure if that's a Mutt setting or a
> GPG setting.

It's a mutt setting (gpg_timeout)

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic


signature.asc
Description: Digital signature


Re: How do you manage encrypted mail?

2013-07-10 Thread Rob Owens
- Original Message -
> From: "Rob Owens" 

> In my experience, email encryption has been pretty easy with the
> exception of getting it to work with webmail.  The other tricky thing
> is getting people to understand the concepts of how/why to trust a key
> -- things like verifying the fingerprint, etc.
> 

I just found a pretty easy way to deal with encryption of webmail.  GPA (GNU 
Privacy Assistant) has a "clipboard" button that will let you type in a message 
and then hit the "encrypt" and/or "sign" button.  You can then copy and paste 
the output into an email.  Similarly, you can copy and paste an 
encrypted/signed email into the clipboard and "verify" and/or "decrypt" it.

-Rob


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/1063377572.46550711.1373464079653.javamail.r...@ptd.net



Re: How do you manage encrypted mail?

2013-07-04 Thread Richard Lawrence
green  writes:

> Rob Owens wrote at 2013-07-04 18:05 -0500:
>> On Thu, Jul 04, 2013 at 01:19:37PM -0700, Richard Lawrence wrote:
>> > Thanks!  Alas, it didn't turn out to be quite this simple.  I had to
>> > invoke gpg-agent from my .bash_profile:
>>
>> I didn't have to go through all that, but I have used seahorse in the
>> past -- perhaps that automatically set up a gpg agent for me?
>
> Simply adding use-agent to gpg.conf worked for me, if I remember
> correctly.  I looked for a reference to GPG in those places but found
> nothing.
>
> I too have used seahorse in the past, but… probably not related?

It didn't work for me.  I didn't have any gpg-agent process running.

Perhaps this is related to Seahorse: I don't use GNOME, or any other
desktop.  (I just start X manually and use a tiling window manager.)  

-- 
Best,
Richard


Archive: http://lists.debian.org/87li5ld8ft@berkeley.edu



Re: How do you manage encrypted mail?

2013-07-04 Thread green
Rob Owens wrote at 2013-07-04 18:05 -0500:
> On Thu, Jul 04, 2013 at 01:19:37PM -0700, Richard Lawrence wrote:
> > Thanks!  Alas, it didn't turn out to be quite this simple.  I had to
> > invoke gpg-agent from my .bash_profile:
>
> I didn't have to go through all that, but I have used seahorse in the
> past -- perhaps that automatically set up a gpg agent for me?

Simply adding use-agent to gpg.conf worked for me, if I remember
correctly.  I looked for a reference to GPG in those places but found
nothing.

I too have used seahorse in the past, but… probably not related?




Re: How do you manage encrypted mail?

2013-07-04 Thread Rob Owens
On Thu, Jul 04, 2013 at 01:19:37PM -0700, Richard Lawrence wrote:
> On Tue, Jul 02, 2013 at 01:39:36PM -0400, Joey Hess wrote:
> > Richard Lawrence wrote:
> > > Good to know, thanks.  When I try this, Mutt asks me to enter my GPG
> > > passphrase for every encrypted message in the folder I'm limiting,
> > > though!  (So it's not a good option for my "sent" folder, for example.)
> > > Any way to avoid that?
> > 
> > Yes, use a gpg agent. Installing gnupg-agent and logging out and back in
> > will probably do.
> 
> Thanks!  Alas, it didn't turn out to be quite this simple.  I had to
> invoke gpg-agent from my .bash_profile:
> 
I didn't have to go through all that, but I have used seahorse in the
past -- perhaps that automatically set up a gpg agent for me?

-Rob


Archive: http://lists.debian.org/20130704230504.gb17...@aurora.owens.net



Re: How do you manage encrypted mail?

2013-07-04 Thread Richard Lawrence
On Tue, Jul 02, 2013 at 01:39:36PM -0400, Joey Hess wrote:
> Richard Lawrence wrote:
> > Good to know, thanks.  When I try this, Mutt asks me to enter my GPG
> > passphrase for every encrypted message in the folder I'm limiting,
> > though!  (So it's not a good option for my "sent" folder, for example.)
> > Any way to avoid that?
> 
> Yes, use a gpg agent. Installing gnupg-agent and logging out and back in
> will probably do.

Thanks!  Alas, it didn't turn out to be quite this simple.  I had to
invoke gpg-agent from my .bash_profile:

# start gpg-agent on login
gpg-agent --daemon --write-env-file "${HOME}/.gpg-agent-info"

And add the following to my .bashrc:

# gpg-agent is started in .bash_profile; this config should be read for
# every new shell
if [ -f "${HOME}/.gpg-agent-info" ]; then
    . "${HOME}/.gpg-agent-info"
    export GPG_AGENT_INFO
    # don't need this unless using gpg-agent as ssh-agent
    # export SSH_AUTH_SOCK
fi

export GPG_TTY=$(tty)

But now gpg-agent seems to be up, and accessible from mutt.

Thanks everyone for your help in this thread!

Best,
Richard






Re: How do you manage encrypted mail?

2013-07-04 Thread Jochen Spieker
Rob Owens:
> On Thu, Jul 04, 2013 at 06:48:52PM +0200, Jochen Spieker wrote:
>> Rob Owens:
>>> 
>>> I just verified that I can search the contents of emails in Mutt and
>>> only enter my GPG passphrase once.  There were multiple encrypted emails
>>> in my inbox when I tested this.  
>> 
>> The problem is that mutt's search doesn't use an index. Searching
>> message bodies is painfully slow this way. I usually do server-side
>> search via IMAP, but that doesn't work for encrypted mails at all.
>> 
> I have all my messages on my ISP's IMAP server.  I don't have anything
> but headers cached locally.  I was able to search with Mutt.  But it was
> kind of slow.  I assume that behind the scenes it downloads each message
> to a temporary file (or RAM) and searches it that way.

Exactly. I guess mutt is smart enough to perform local header checks
first and only downloads the remaining messages to search their bodies,
but that's still a problem if those messages have attachments.

J.
-- 
People talking a foreign language are romantic and mysterious.
[Agree]   [Disagree]
 




Re: How do you manage encrypted mail?

2013-07-04 Thread Rob Owens
On Thu, Jul 04, 2013 at 06:48:52PM +0200, Jochen Spieker wrote:
> Rob Owens:
> > 
> > I just verified that I can search the contents of emails in Mutt and
> > only enter my GPG passphrase once.  There were multiple encrypted emails
> > in my inbox when I tested this.  
> 
> The problem is that mutt's search doesn't use an index. Searching
> message bodies is painfully slow this way. I usually do server-side
> search via IMAP, but that doesn't work for encrypted mails at all.
> 
I have all my messages on my ISP's IMAP server.  I don't have anything
but headers cached locally.  I was able to search with Mutt.  But it was
kind of slow.  I assume that behind the scenes it downloads each message
to a temporary file (or RAM) and searches it that way.

-Rob


Archive: http://lists.debian.org/20130704175100.ga15...@aurora.owens.net



Re: How do you manage encrypted mail?

2013-07-04 Thread Jochen Spieker
Rob Owens:
> 
> I just verified that I can search the contents of emails in Mutt and
> only enter my GPG passphrase once.  There were multiple encrypted emails
> in my inbox when I tested this.  

The problem is that mutt's search doesn't use an index. Searching
message bodies is painfully slow this way. I usually do server-side
search via IMAP, but that doesn't work for encrypted mails at all.

J.
-- 
I hate myself but have no clear idea why.
[Agree]   [Disagree]
 




Re: How do you manage encrypted mail?

2013-07-04 Thread Rob Owens
On Tue, Jul 02, 2013 at 03:18:54PM -0400, Rob Owens wrote:
> - Original Message -
> > From: "Richard Lawrence" 
> > 
> > Joey Hess  writes:
> > 
> > >
> > > Typically, gpg is configured to encrypt mail to multiple recipients,
> > > which includes everyone the mail is sent to, as well as the sender.
> > >
> > > For example, I have in my gpg.conf:
> > >
> > > # Encrypt stuff to my key too.
> > > encrypt-to 2512E3C7
> > >
> > 
> > Ah, this is what I was missing.  Thanks!
> > 
> > >> 2) Search. The more serious issue is that I can't search encrypted
> > >> email, whether I sent it or received it...
> > >
> > > Mutt will use gpg to decrypt encrypted mail when searching in the body
> > > (ie, when limiting to ~bsomething). It can get slow, indeed.
> > 
> > Good to know, thanks.  When I try this, Mutt asks me to enter my GPG
> > passphrase for every encrypted message in the folder I'm limiting,
> > though!  (So it's not a good option for my "sent" folder, for example.)
> > Any way to avoid that?
> > 
> On my system, Mutt doesn't re-ask me for my GPG passphrase until some
> timeout has been reached.  5 minutes, I think.  I didn't set it like 
> that.  It was the default.  I'm not sure if that's a Mutt setting or a
> GPG setting.
> 
I just verified that I can search the contents of emails in Mutt and
only enter my GPG passphrase once.  There were multiple encrypted emails
in my inbox when I tested this.  

Here is the GPG section of my .muttrc, in case you find it useful:

# GPG / PGP rules

set pgp_encrypt_only_command="/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt-to 70952D9D --encrypt --textmode --armor --always-trust -- -r %r -- %f"
set pgp_encrypt_sign_command="/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt-to 70952D9D --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"

# no encryption or signature by default:
send-hook . 'set pgp_autosign=no; set pgp_autoencrypt=no'
# turn off inline by default:
send-hook . 'set pgp_autoinline=no'
# always encrypt and sign to some recipients:
send-hook '~t "(someb...@server.com)"' 'set pgp_autosign=yes; set pgp_autoencrypt=yes; set pgp_autoinline=yes'
send-hook '~t "(m...@address.com|fri...@server.com|per...@server.com)"' 'set pgp_autosign=yes; set pgp_autoencrypt=yes'


Note that "someb...@server.com" can only accept inline encrypted emails.
The other recipients get smime encrypted emails.

In .gnupg/gpg.conf, I have a default-key defined.  I also have use-agent
specified.

-Rob


Archive: http://lists.debian.org/20130704164030.ga15...@aurora.owens.net



Re: How do you manage encrypted mail?

2013-07-04 Thread Lars Noodén
On 07/04/2013 03:00 AM, Richard Lawrence wrote:
> On Tue, Jul 02, 2013 at 03:18:54PM -0400, Rob Owens wrote:
>> Icedove/Thunderbird has the Enigmail extension to handle encryption.  
>> You might want to give that a try as well, particularly since you are
>> trying to encourage others to use encryption and Thunderbird is available
>> for both Linux and Windows (and Mac?).
> 
> Yes, I used to use Thunderbird/Enigmail, and it is what I recommend to
> non-technical people, though I haven't used it recently myself (I
> don't much like GUI mail clients).  Does Thunderbird/Enigmail have a
> way to search through encrypted mail?  I don't remember this being
> available last time I used it.
[snip]

Searching like that is a sorely needed function.  It is unfortunately
missing.  I guess the way to go about it would be to have one index per
key and to use the key to encrypt the index.

The need has been out there for a long time.  See points 29 - 33 from 2001:
http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P5-TA-2001-0441&format=XML&language=EN

Regards,
/Lars


Archive: http://lists.debian.org/51d59658.7060...@gmail.com



Re: How do you manage encrypted mail?

2013-07-03 Thread Richard Lawrence
On Tue, Jul 02, 2013 at 03:18:54PM -0400, Rob Owens wrote:
> Icedove/Thunderbird has the Enigmail extension to handle encryption.  
> You might want to give that a try as well, particularly since you are
> trying to encourage others to use encryption and Thunderbird is available
> for both Linux and Windows (and Mac?).

Yes, I used to use Thunderbird/Enigmail, and it is what I recommend to
non-technical people, though I haven't used it recently myself (I
don't much like GUI mail clients).  Does Thunderbird/Enigmail have a
way to search through encrypted mail?  I don't remember this being
available last time I used it.

> In my experience, email encryption has been pretty easy with the
> exception of getting it to work with webmail.

It's pretty easy to get up *sending and reading* encrypted mail, and
there are lots of guides out there about how to do that much.  But as
I'm learning now, some of the other features of mail that people rely
on become a lot harder or even impossible when their messages are
encrypted.  The big ones are searching, and accessing mail from a
machine you don't control (part of the webmail problem).

> The other tricky thing is getting people to understand the concepts
> of how/why to trust a key -- things like verifying the fingerprint,
> etc.

Mm, yes, I haven't even thought about that much myself.  I'm still
pretty much the only PGP user among people I communicate with
regularly, so I haven't come across anybody who is wondering whether
to trust my key.  Guess I'll cross that bridge when I come to it...

Thanks again for your input!

Best,
Richard



Archive: http://lists.debian.org/2013070436.GC3749@aristotle



Re: How do you manage encrypted mail?

2013-07-02 Thread Joel Rees
(Top-posting seems more natural on this one, since my response is a general
response, but we seem to have list participants who prefer rules to reason
((8-*)), so I'll pick random places to insert my comments. Hope I don't
lose focus.)

On Wed, Jul 3, 2013 at 3:22 AM, Richard Lawrence <
richard.lawre...@berkeley.edu> wrote:

> John Hasler  writes:
>
> > Do you really need to archive each message in individually encrypted
> > form?  If you are concerned about the security of local copies I would
> > think you would already be using disk or file system encryption.
>
> No, I am OK with keeping unencrypted local copies, at least on my home
> machine.  I only expect "pretty good" privacy over the pipes, not
> "protection from an FBI home raid" privacy for local copies of my email.
> (I don't use disk encryption but probably should.)
>
> The issue is simply: what's the best way to do this?


Ain't no such thing.


> My setup uses
> offlineimap to sync a Gmail account (berkeley.edu's institutional
> choice...) to a local Maildir.  Mutt only temporarily decrypts messages
> when I read them, unless I manually store an unencrypted copy somewhere.
>

Definitely one way to do it.


> So to accomplish the suggested setup conveniently with the programs I
> currently use, I think I would need to:
>
> 1) Tell Mutt to automatically save messages somewhere when I decrypt
> them.  (Is there an option for this?  I only see fcc_clear, which is for
> outgoing messages.  Should I call decrypt-save from message-hook?)
>

Sounds workable, except then you have to


> 2) Tell offlineimap *not* to sync the decrypted messages folder back to
> Gmail. (Easy enough with offlineimap filters.)
>

which points out one part of the reasons we haven't seen enough standard
practices showing up yet.


> 3) Tell notmuch to index the decrypted messages folder.  (Again, should
> be easy enough.)
>
> Does that sound reasonable?  Do others have similar setups?
>
> I find it sort of telling that I didn't come across recommendations for
> setting things up this way when I was configuring these programs.


What does it tell you?

It tells me that there sure are a lot of different ways people are doing
this. Why do you think that would be?


>  I'm a
> bit surprised that there doesn't seem to be a "standard" solution for
> reading and searching archived mail that arrived encrypted.  (I'm also a
> bit dismayed, since part of my concern is to find a solution that
> doesn't just work for me, but to which I can point non-technical users
> when I ask them to send me encrypted messages.)  It still feels very
> much like email encryption is possible for the dedicated, but
> inconvenient enough for the average user -- and even for fairly
> technical users -- that most will avoid it.
>

You're looking at the reason, can you see it? (I'm not being rude, I'm
asking a question.)


> I guess I'll try to write up a blog post about how I solve these
> problems, once I get a working configuration.  A more comprehensive
> solution will have to await someone more talented than me.
>

The standard solution is going to require charisma more than talent.

Which might point you to the biggest problem when trying to establish
"secure" communication lines.

Speaking of blogs, maybe I should, but nobody reads my blogs except my
students and my nieces and nephews. And I really have stuff I need to do
today, and this is one of those topics that even randomly ranting about is
going to consume the whole day. (Not that my rantings ever exceed the
random level.)

Anyway, it gets back to the primary on-going sins of Microsoft. And Apple
and Oracle and whoever else is currently contending for the charismatic
leader position.

The platitude: if you establish a standard practice or pattern for
security, everyone has the same back door.

Or, backing up even further, one man's secured fortress is another man's
free swim beach. But backing out that far doesn't point to answers.

HTH

--
Joel Rees


Re: How do you manage encrypted mail?

2013-07-02 Thread Rob Owens
- Original Message -
> From: "Richard Lawrence" 
> 
> Joey Hess  writes:
> 
> > Richard Lawrence wrote:
> >> I've recently (re-)decided to make an effort to use PGP, and to convince
> >> others to use it too. (My effort to do so:
> >> http://www.ocf.berkeley.edu/~rwl/encryption.html, linked from my
> >> .signature.  Comments welcome.) But I've run into a couple of problems
> >> fairly quickly. If you use PGP regularly, how do you solve them?
> >> 
> >> 1) Reading encrypted mail that I sent...
> >
> > Typically, gpg is configured to encrypt mail to multiple recipients,
> > which includes everyone the mail is sent to, as well as the sender.
> >
> > For example, I have in my gpg.conf:
> >
> > # Encrypt stuff to my key too.
> > encrypt-to 2512E3C7
> >
> 
> Ah, this is what I was missing.  Thanks!
> 
> >> 2) Search. The more serious issue is that I can't search encrypted
> >> email, whether I sent it or received it...
> >
> > Mutt will use gpg to decrypt encrypted mail when searching in the body
> > (ie, when limiting to ~bsomething). It can get slow, indeed.
> 
> Good to know, thanks.  When I try this, Mutt asks me to enter my GPG
> passphrase for every encrypted message in the folder I'm limiting,
> though!  (So it's not a good option for my "sent" folder, for example.)
> Any way to avoid that?
> 
On my system, Mutt doesn't re-ask me for my GPG passphrase until some
timeout has been reached.  5 minutes, I think.  I didn't set it like 
that.  It was the default.  I'm not sure if that's a Mutt setting or a
GPG setting.

Icedove/Thunderbird has the Enigmail extension to handle encryption.  
You might want to give that a try as well, particularly since you are
trying to encourage others to use encryption and Thunderbird is available
for both Linux and Windows (and Mac?).

In my experience, email encryption has been pretty easy with the
exception of getting it to work with webmail.  The other tricky thing is
getting people to understand the concepts of how/why to trust a key -- 
things like verifying the fingerprint, etc.

-Rob


Archive: 
http://lists.debian.org/1233394087.42268205.1372792734521.javamail.r...@ptd.net



Re: How do you manage encrypted mail?

2013-07-02 Thread Richard Lawrence
John Hasler  writes:

> Do you really need to archive each message in individually encrypted
> form?  If you are concerned about the security of local copies I would
> think you would already be using disk or file system encryption.

No, I am OK with keeping unencrypted local copies, at least on my home
machine.  I only expect "pretty good" privacy over the pipes, not
"protection from an FBI home raid" privacy for local copies of my email.
(I don't use disk encryption but probably should.)

The issue is simply: what's the best way to do this? My setup uses
offlineimap to sync a Gmail account (berkeley.edu's institutional
choice...) to a local Maildir.  Mutt only temporarily decrypts messages
when I read them, unless I manually store an unencrypted copy somewhere.

So to accomplish the suggested setup conveniently with the programs I
currently use, I think I would need to:

1) Tell Mutt to automatically save messages somewhere when I decrypt
them.  (Is there an option for this?  I only see fcc_clear, which is for
outgoing messages.  Should I call decrypt-save from message-hook?)

2) Tell offlineimap *not* to sync the decrypted messages folder back to
Gmail. (Easy enough with offlineimap filters.)

3) Tell notmuch to index the decrypted messages folder.  (Again, should
be easy enough.)

Does that sound reasonable?  Do others have similar setups?

I find it sort of telling that I didn't come across recommendations for
setting things up this way when I was configuring these programs.  I'm a
bit surprised that there doesn't seem to be a "standard" solution for
reading and searching archived mail that arrived encrypted.  (I'm also a
bit dismayed, since part of my concern is to find a solution that
doesn't just work for me, but to which I can point non-technical users
when I ask them to send me encrypted messages.)  It still feels very
much like email encryption is possible for the dedicated, but
inconvenient enough for the average user -- and even for fairly
technical users -- that most will avoid it.

I guess I'll try to write up a blog post about how I solve these
problems, once I get a working configuration.  A more comprehensive
solution will have to await someone more talented than me.

-- 
Best,
Richard



Archive: http://lists.debian.org/87k3l8ddol@berkeley.edu
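
The three steps proposed in the message above (keep decrypted copies, keep them out of the IMAP sync, index them locally) can be sketched as follows. This is an added example, not code from the thread or from any of the tools named; `sync_decrypted`, `fake_decrypt` and the sample message are constructed for illustration, and it assumes the clear-text Maildir lives outside the tree the sync tool manages and that gpg-agent supplies the passphrase.

```python
import email
import mailbox
import os
import subprocess

# Constructed sample: PGP/MIME (RFC 3156) layout with a placeholder instead of
# real OpenPGP data, so the example runs offline without any keys.
SAMPLE_ENCRYPTED = b"""\
From: alice@example.org
To: bob@example.org
Subject: quarterly numbers
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

FAKE-CIPHERTEXT
--b1--
"""


def fake_decrypt(ciphertext):
    """Stand-in for gpg (hypothetical helper): 'decrypts' only the sample."""
    if ciphertext.strip() != b"FAKE-CIPHERTEXT":
        raise ValueError("not the constructed sample")
    return b"Content-Type: text/plain; charset=utf-8\n\nThe budget figure is 1234.\n"


def gpg_decrypt(ciphertext):
    """Decrypt with the local gpg; gpg-agent is expected to hold the passphrase."""
    return subprocess.run(["gpg", "--batch", "--quiet", "--decrypt"],
                          input=ciphertext, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, check=True).stdout


def is_pgp_mime(msg):
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")


def decrypt_message(msg, decrypt=gpg_decrypt):
    """Return the decrypted MIME entity carrying the outer (clear) headers."""
    ciphertext = msg.get_payload()[1].get_payload(decode=True)
    clear = email.message_from_bytes(decrypt(ciphertext))
    present = {name.lower() for name in clear.keys()}
    for name, value in msg.items():
        lname = name.lower()
        # The outer Content-* headers describe the encrypted wrapper; drop them.
        if lname.startswith("content-") or lname == "mime-version" or lname in present:
            continue
        clear[name] = value
    return clear


def sync_decrypted(src_dir, dst_dir, decrypt=gpg_decrypt):
    """Copy decrypted versions of new PGP/MIME mail from src_dir to dst_dir.

    dst_dir is assumed to lie outside the tree the IMAP sync tool manages, so
    the clear text never travels back to the server. Returns the number added.
    """
    src = mailbox.Maildir(src_dir, create=False)
    dst = mailbox.Maildir(dst_dir, create=True)
    os.chmod(dst_dir, 0o700)  # clear text on disk: owner-only access
    seen = {m["Message-ID"] for m in dst}
    added = 0
    for msg in src:
        mid = msg["Message-ID"]
        if not is_pgp_mime(msg) or (mid is not None and mid in seen):
            continue
        try:
            clear = decrypt_message(msg, decrypt)
        except (subprocess.CalledProcessError, ValueError, IndexError, AttributeError):
            continue  # undecryptable or malformed: leave it encrypted only
        dst.add(clear)
        seen.add(mid)
        added += 1
    return added
```

Run it after each mail sync with the default `gpg_decrypt`, then let the indexer read the clear-text Maildir; the encrypted originals in the synced folder are never modified.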



Re: How do you manage encrypted mail?

2013-07-02 Thread Joey Hess
Richard Lawrence wrote:
> Good to know, thanks.  When I try this, Mutt asks me to enter my GPG
> passphrase for every encrypted message in the folder I'm limiting,
> though!  (So it's not a good option for my "sent" folder, for example.)
> Any way to avoid that?

Yes, use a gpg agent. Installing gnupg-agent and logging out and back in
will probably do.

-- 
see shy jo




Re: How do you manage encrypted mail?

2013-07-02 Thread Richard Lawrence
Joey Hess  writes:

> Richard Lawrence wrote:
>> I've recently (re-)decided to make an effort to use PGP, and to convince
>> others to use it too. (My effort to do so:
>> http://www.ocf.berkeley.edu/~rwl/encryption.html, linked from my
>> .signature.  Comments welcome.) But I've run into a couple of problems
>> fairly quickly. If you use PGP regularly, how do you solve them?
>> 
>> 1) Reading encrypted mail that I sent...
>
> Typically, gpg is configured to encrypt mail to multiple recipients,
> which includes everyone the mail is sent to, as well as the sender.
>
> For example, I have in my gpg.conf:
>
> # Encrypt stuff to my key too.
> encrypt-to 2512E3C7
>

Ah, this is what I was missing.  Thanks!

>> 2) Search. The more serious issue is that I can't search encrypted
>> email, whether I sent it or received it...
>
> Mutt will use gpg to decrypt encrypted mail when searching in the body
> (ie, when limiting to ~bsomething). It can get slow, indeed.

Good to know, thanks.  When I try this, Mutt asks me to enter my GPG
passphrase for every encrypted message in the folder I'm limiting,
though!  (So it's not a good option for my "sent" folder, for example.)
Any way to avoid that?

> I rarely find the need to search in bodies of mail after it's a month
> old, and use mairix to index and search subject and other headers,
> which are not encrypted. Then if necessary I can load the resulting
> mbox full of search results into mutt and do a body search to further
> refine it down to what I was looking for.

This is more or less what I'm doing now with notmuch.  I think it will
work fine for me personally, but I'm a bit concerned that this will not
sound convincing to someone else.  ("You should encrypt all your
messages.  But full disclosure: you won't be able to search the message
contents easily, just headers.  Sorry!")

One possibility I can see here is to store and index unencrypted copies
of messages locally, but only sync encrypted messages with the mail
server.  I imagine I could rig something up to accomplish this, using
the scripting features of offlineimap, etc.  Is there an existing
solution for a setup like that?

Thanks!

-- 
Best,
Richard


Archive: http://lists.debian.org/87obakdgjc@berkeley.edu



Re: How do you manage encrypted mail?

2013-07-02 Thread John Hasler
Do you really need to archive each message in individually encrypted
form?  If you are concerned about the security of local copies I would
think you would already be using disk or file system encryption.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA


Archive: http://lists.debian.org/8761ws28am@thumper.dhh.gt.org



Re: How do you manage encrypted mail?

2013-07-02 Thread Joey Hess
Richard Lawrence wrote:
> I've recently (re-)decided to make an effort to use PGP, and to convince
> others to use it too. (My effort to do so:
> http://www.ocf.berkeley.edu/~rwl/encryption.html, linked from my
> .signature.  Comments welcome.) But I've run into a couple of problems
> fairly quickly. If you use PGP regularly, how do you solve them?
> 
> 1) Reading encrypted mail that I sent. If I need to remind myself what I
> said to someone, or recover an attachment, etc., I can't, because the
> only copy of my message is encrypted with the recipient's public key. I
> could work around this by Bcc'ing myself on every message, but that
> would have the mildly annoying effect of duplicating all my outgoing
> messages; every time I were to look for a message I sent to Mr. X, I'd
> get two results, and I'd have to figure out which one was encrypted with
> my key to read it.

Typically, gpg is configured to encrypt mail to multiple recipients,
which includes everyone the mail is sent to, as well as the sender.

For example, I have in my gpg.conf:

# Encrypt stuff to my key too.
encrypt-to 2512E3C7

> 2) Search. The more serious issue is that I can't search encrypted
> email, whether I sent it or received it. It is conceivably possible to
> search mail encrypted with my public key by decrypting it before running
> the search (though not encrypted mail that I sent, pending a good
> solution to problem 1). However, that seems like it would be extremely
> slow in practice, and I am not aware of any software that would make
> this simple or practical.

Mutt will use gpg to decrypt encrypted mail when searching in the body
(ie, when limiting to ~bsomething). It can get slow, indeed. I rarely
find the need to search in bodies of mail after it's a month old, and
use mairix to index and search subject and other headers, which are not
encrypted. Then if necessary I can load the resulting mbox full of
search results into mutt and do a body search to further refine it down
to what I was looking for.

-- 
see shy jo

