Don't let *them* read your mail. Encrypt it now.
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
.gitignore
README.md
arcane
arcane-encrypt-mail
arcane-is-encrypted
arcane-maildir
gpg.py
imap.py
util.py

README.md

arcane

Arcane is a set of tools which allows you to encrypt all your existing unencrypted mails and all your new incoming mail with a GPG key so that only you can read them.

Why do I need this?

Many email providers store your emails for you on their servers, so that you can read them anywhere. This also means that your provider, anyone who hacks the server and the police (in case the server is seized) can read your private emails.

If all your emails are GPG encrypted, only you can read them because only you have access to your secret GPG key.

What could go wrong?

  • If you lose your secret GPG key you can not decrypt your emails anymore. Your emails will be lost. Therefore make a backup of your secret GPG key (i.e. print it).
  • After encrypting your emails you will (probably) not be able search the content of your emails (because they are encrypted). Searching for sender or subject should still work.
  • The metadata of your emails (sender,subject,date) will not be encrypted.
  • Your emails will not be more secure during transit (because they are encyrpted after arriving at the destination). Tell your friends and colleagues to encrypt their mails before sending them.

Install

Dependancies

  • imaplib (Included in the Python Standard Library)
  • python-gpgme https://launchpad.net/pygpgme (Should be available in Debian and Ubuntu repositories)

Debian

# aptitude install python python-gpgme
# mkdir -p /usr/local/lib && cd /usr/local/lib
# git clone https://github.com/n0g/arcane.git
# cd ../bin 
# ln -s ../lib/arcane/arcane
# ln -s ../lib/arcane/arcane-encrypt-mail

Afterwards you should be able to call 'arcane' and 'arcane-encrypt-mail' and get a usage output.

Step-by-Step Configuration

Generate GPG Key

To generate a new GPG key the following command will guide you through the key generation process:

$ gpg --gen-key

You will need to use an RSA key for encryption (do not choose any option that says 'sign only'). A secure key size is 2048 bit and above, 1024 bit RSA keys are considered insecure.

After the generation process your keypair should be visible with the following command:

$ gpg --list-secret-keys

Copy Public GPG Key to Server

(If you do not want automatic encryption of incoming emails or do not have access to your procmail configuration, then you can skip to 'Encrypting Existing Mails')

Export your key into a .pub file:

$ gpg --export --armor 77FA1F54 > robin-jankins.pub

Copy the public key to your mailserver:

$ scp robin-jankins.pub robin.jankins@mail.example.com:~/

Import the public key to your keyring on the mailserver:

$ gpg --import robin-jankins.pub

Create procmail Configuration

Your procmail configuration file probably lies at '~/.procmailrc'. To encrypt all your incoming mail you will need to add a rule at the top:

# encryption
:0 fw
* <300000
| arcane-encrypt-mail --key 77FA1F54

The 'f' tells procmail to use this rule as a filter (i.e. the filtered email will continue to match other rules). The 'w' tells procmail to continue with the unfiltered mail if arcane-encrypt-mail exits with an error (i.e. the mail is already encrypted).

Note that you will either have to set the PATH variable so that the arcane-encrypt-mail script will be found.

Encrypt Existing Mails

Usually the hostname of your mailserver and your user credentials will be enough to start arcane. In this example the hostname is 'mail.example.com', SSL needs to be used and the user is 'robin.jankins'.

Your GPG key identifier should be in the list you get after executing 'gpg --list-secret-keys'.

Now you have all the details for starting arcane:

$ arcane -h mail.example.com -s -u robin.jankins -k 77FA1F54

Quick Start

Usage

arcane -h hostname [-p port] [-s] -u username [-d] -k identifier
    -h,--hostname	Hostname of IMAP4 compatible mailserver
    -p,--port	Optional port number of IMAP4 service
    -s,--ssl	Optional SSL flag (changes default port to 993)
    -u,--username	Username that should be used for authentication
    -k,--key	Public key Identifier that will be used to encrypt the mails
    -m,--mailbox	Optional Mailbox argument which specifies which mailbox should be encrypted
    -d,--decrypt	Optional argument for decryption (useful for key rollover)

Examples

Encrypt all emails on an SSL IMAP compatible mailserver for the user robin.jankins with the public pgp key 77FA1F54

 arcane --hostname mail.example.com --ssl --username robin.jankins --key 77FA1F54

Encrypt only the 'office' mailbox on an SSL IMAP compatible mailserver

 arcane --hostname mail.example.com --ssl --mailbox office --username robin.jankins --key 77FA1F54

Example .procmailrc File if you want to encrypt all incoming mails with procmail

DEFAULT=$HOME/Maildir
SHELL=/bin/bash
PATH=/usr/local/bin:/usr/bin

# encryption
:0 fw
* <300000
| arcane-encrypt-mail --key 77FA1F54

# your bunch of filter rules
# ...

# default rule
:0
$DEFAULT

Known Issues

  • read/unread state is not preserved (all emails are displayed as read after using this tool)