(M)  s i s t e m a   o p e r a c i o n a l   m a g n u x   l i n u x ~/ · documentação · suporte · sobre

  Next Previous Contents

6. PGP and Mutt integration

The operation to carry out in the outgoing messages (sign, encrypt or both) is chosen exactly before presing "y" to send the message, inside the option menu that is visible with the "p" option. Once you have choosen the operation to carry out, only the line PGP in the message header showed in the screen will change, but until you send the message with "y" you won't be asked to insert the pass phrase to activate the sign of the message or the public keys to use to encrypt in the case that no receptors were found in our public keys ring.

NOTE: In the case that the pass phrase was mistyped when it was asked for, Mutt seems to be "hung", but that's not true, it is waiting for it to be retyped. To do this, push the <Enter> key and delete the pass phrase from memory with <Ctrl>F. Next we repeat the message sending with ("y") and retype the pass phrase.

Through this procedure, Mutt will use PGP/MIME to send the message, and one more file will appear in the list of files to be sent with the sign (if we only select to sign) or it will encrypt the complete message (all its MIME parts) and it will only leave two MIME parts, the first with the PGP/MIME version and the second with the encrypted message (with all its MIME parts inside) and signed (if we selected to do it).

Note: By some reasons, if the receptor mail user agent can not use MIME, we may need that the sign will be included inside the message body. See section about application/pgp with PGP5 and with GnuPG.

Mutt will try to verify the sign or decrypt automatically the incoming messages that use PGP/MIME. See section Procmail notes and tips, in which it is commented how to change the MIME type automatically to the incoming messages that do not set its MIME type correctly.

6.1 Optional configuration files

In the next sections you can find modifications to the Mutt configuration file to use PGP2, PGP5, and GnuPG easily.

To do that, a new configuration file that we called .gnupgp.mutt (that's our name, you can call it any other name setting the name of this file into the main configuration file ~/.muttrc).

This can be done including the complete path (its location) of the configuration file .gnupgp.mutt, in a line at the end of the ~/.muttrc file. The directory in which we put this and other optional configuration files can be anywhere, if we have correct permissions (in a previous section we included it inside the ~/Mail/) directory, or any other inside our home directory, with any name:

~$ mkdir mutt.varios

in which we copy (or create) the optional configuration file .gnupgp.mutt, and next we set the origin of this file in the .muttrc file with the source command, like the following:

source ~/mutt.varios/.gnupgp.mutt

Now Mutt will accept configuration variables in .gnupgp.mutt as if it were in .muttrc directly.

This method is a good way to avoid having a very big, unsorted configuration file, and can be used to set any other group of configuration variables in other separate file. For example, as before, if we use vim as the default editor in Mutt, we can tell to .muttrc to use a different configuration file .vimrc that we use when using vim from the command line. First, copy ~/.vimrc to our optional configuration files directory ~/mutt.varios/ and set it with other name (ex. vim.mutt):

$ cd /home/user ~$ cp .vimrc mutt.varios/vim.mutt

next change the configuration variables that we want to be different in vim as the Mutt editor, and finally modify .muttrc to reflect this change:

set editor="/usr/bin/vim -u ~/mutt.varios/vim.mutt"

With this last line we are setting Mutt to use an external editor, Vim, with the needed configuration options.

6.2 General Configuration Variables

There are some variables that we will use globally with the three public key encrypt programs with Mutt. These variables are boolean, and can be set (activated) or unset (deactivated).

In the configuration file (~/.muttrc, or ~/mutt.varios/.gnupgp.mutt, or whatever you use), the sign (#) is a comment and will be ignored. So, we will use it from here in advance to comment each variable:

unset pgp_autosign

# if this variables is set, Mutt will ask to sign all the
# outbound messages. (1)

unset pgp_autoencrypt

# if this variable is set, Mutt will ask to encrypt all the
# outbound messages. (1)

set pgp_encryptself

# save an encrypted copy of all sent messages that we want to encrypt
# (need the general configuration variable set copy=yes).

set pgp_replysign

# when you answer a signed message, the response message will be
# signed too.

set pgp_replyencrypt

# when you answer an encrypted message, the response message
# will be encrypted too.

set pgp_verify_sig=yes

# Do you want to automatically verify incoming signed messages?
# Of course!

set pgp_timeout=<n>

# delete pass phrase from the memory cache <n> seconds
# after typing it. (2)

set pgp_sign_as="0xABC123D4"

# what key do you want to use to sign outgoing messages?
# Note: it is posible to set it to the user id, but
# this can be confuse if you have the same user id with different keys.

set pgp_strict_enc

# use "quoted-printable" when PGP requires it.

unset pgp_long_ids

# Do not use 64 bits key ids, use 32 bits key ids.

set pgp_sign_micalg=<some>

# message integrity check algorithm, where
# <some> is something from the next: (3)

  • pgp-mda5
    to RSA keys
  • pgp-sha1
    to DSS (DSA) keys
  • pgp-rmd160

In the three next sections the configuration variables to each of the PGP versions will be explained. The fourth section will explain how to modify the variables if you use more than one PGP version.

(1) as Mutt requires to type the passphrase every time you want to sign or select the receipts if you want to encrypt, it may be unconvenient to set this variable. Possibly you may want to unset this variable. This is specially true encrypting messages, as you don't have all the public keys of the message receipts.

(2) depending on the number of messages that we sign or decrypt, we would like to maintain the pass phrase in cache memory more or less time. This option avoid you from type the pass phrase each time you sign a new message or decrypt an incoming message. Warning: maintaining the pass phrase in cache memory is not secure, specially in network connected systems.

(3) this is only necesary with the key that we use to sign. When the key is selected from the compose menu, Mutt will calculate the algoritm.

6.3 PGP2 configuration variables

To use PGP2 with Mutt-i you need to add the following lines to the ~/mutt.varios/.gnupgp.mutt file:

set pgp_default_version=pgp2
set pgp_key_version=default
set pgp_receive_version=default
set pgp_send_version=default
set pgp_sign_micalg=pgp-md5
set pgp_v2=/usr/bin/pgp
set pgp_v2_pubring=~/.pgp/pubring.pgp
set pgp_v2_secring=~/.pgp/secring.pgp

As you know, the ~/.pgp/pubring.pgp and secring.pgp files must exist. More information on PGP2 with the man pgp command.

6.4 PGP5 configuration variables

To use PGP5 with Mutt-i you need to add the following lines to the ~/mutt.varios/.gnupgp.mutt file:

set pgp_default_version=pgp5
set pgp_key_version=default
set pgp_receive_version=default
set pgp_send_version=default
set pgp_sign_micalg=pgp-sha1
set pgp_v5=/usr/bin/pgp
set pgp_v5_pubring=~/.pgp/pubring.pkr
set pgp_v5_secring=~/.pgp/secring.skr

As you know, the ~/.pgp/pubring.pkr and secring.pkr files must exist. More information on PGP 5 with the man pgp5 command.

6.5 GnuPG configuration variables

To use GnuPG with Mutt-i you need to add the following lines to the ~/mutt.varios/.gnupgp.mutt file:

set pgp_default_version=gpg
set pgp_key_version=default
set pgp_receive_version=default
set pgp_send_version=default
set pgp_sign_micalg=pgp-sha1
set pgp_gpg=/usr/bin/gpg
set pgp_gpg_pubring=~/.gnupg/pubring.gpg
set pgp_gpg_secring=~/.gnupg/secring.gpg

As you know, the ~/.gnupg/pubring.gpg and secring.gpg files must exist. More information on GnuPG with the man gpg.gnupg, man gpgm, and man gpg commands.

6.6 Mixed configuration variables

If you want to use more than one PGP software you need to modify some of the variables that we have commented previously. Really, it is only to remove the redundant version variables.

If, for example, you want to use GnuPG as the default signing tool, all menu commands in Mutt to use GnuPG/PGP would call to this program to the signing, decrypting, encrypting, verifying, etc... operations
To do that you must set the configuration variable $set_pgp_default once, so:

set pgp_default_version=gpg

now, to use the all three programs, the ~/mutt.varios/.gnupgp.mutt file could be like this:

set pgp_default_version=gpg     # default version to use

set pgp_key_version=default     # default key to use
                                # in this case, gnupg defines it

set pgp_receive_version=default # default version to decrypt will be the default
set pgp_send_version=default    # version defined in the first line (gpg)

set pgp_gpg=/usr/bin/gpg        # where to find the GnuPG binary
set pgp_gpg_pubring=~/.gnupg/pubring.gpg        # public key file to GnuPG
set pgp_gpg_secring=~/.gnupg/secring.gpg        # secret key file to GnuPG

set pgp_v2=/usr/bin/pgp         # where to find the PGP2 binary
set pgp_v2_pubring=~/.pgp/pubring.pgp           # public key file to PGP2
set pgp_v2_secring=~/.pgp/secring.pgp           # secret key file to PGP2

set pgp_v5=/usr/bin/pgp         # where to find the PGP5 binary
set pgp_v5_pubring=~/.pgp/pubring.pkr           # public key file to PGP5
set pgp_v5_secring=~/.pgp/secring.skr           # secret key file to PGP5


Next Previous Contents