How to transfer - and 'confirm' - a key from Thunderbird?

Hi all

I am trying to get K9 to use an encryption setup that I have on my computers. I use that setup with an email account that I use on Thunderbird - Thunderbird on Windows and on Linux. In Windows, and using Thunderbird 102 (on Linux I am on a slightly earlier version of Thunderbird), I exported the key (or is it a pair of keys?) that is associated with the relevant email account. I transferred the resulting single file to the phone. I told K9, via 'OpenKeyChain', to import the key. It did, but it said it (or something to do with it) was 'unconfirmed' and needed confirming... via QR code or fingerprint. That left me stumped.

I looked at this thread but, at least given my limited knowledge, it shed little light.

Mmh, this is actually not a question for the K-9 forum as it is a question on fundamentals of GnuPG encryption…

Have you tried Google? One of the first results on key verification and trust is Validating other keys on your public keyring

tchara: thanks for your reply.

This is a question for the K-9 forum, even aside from the recent merger between K-9 and Thunderbird. Here is why. K-9 offers to import and use the sort of keys at issue.

Key management and encryption are done entirely by the OpenKeychain app, so K9 does use it for encryption.

Did you already check there, e.g. at

https://www.openkeychain.org/faq/

Thanks. I have, now, looked at those FAQ. Insofar as I understand the relevant material therein, that material is telling me that I need to use OpenKeychain to create a key and then use that key to 'confirm' my imported key. Yet, as I reported, OpenKeychain seems to require me to confirm my imported key via... QR code or fingerprint - and, thus, not via some other key.

As mentioned, this is a core aspect of key trust…

When you confirm a key (i.e. sign it with your key), you tell others that they can trust that key if they trust you. Thus, you should only verify other keys if you yourself trust them.

Often, this is simply conducted through Key Signing Parties (KSP). Everybody brings their IDs (driver's licence, national ID card, etc.) as well as the fingerprint of their key. When presenting their key to you, you can verify the fingerprint and match the name to the information on the ID. If everything is OK, you sign the key with your key. And everybody does this for everybody else during a KSP. That way, a group of people verify in person the keys presented at the KSP.

The QR codes help make KSPs easier. You don’t need to manually check the fingerprint and key itself. Once you establish trust through the ID, you can scan the QR code and then validate the key.

Of course, you can just verify a key without checking the validity and the identity of the presenter, but I strongly urge you not to do that.

@LaPaTa: From your description it sounds like you’re not copying the secret/private key from your computer to your Android device, only the public key. Please make sure to follow these instructions: What is the best way to transfer my own key to OpenKeychain?

Edit: If you’re using Thunderbird’s built-in OpenPGP support, open the “OpenPGP Key Manager”, select your own key, then select “Backup Secret Key(s) To File” from the “File” menu.


I made some progress. First, I discovered - or rediscovered - that OpenKeychain had a somewhat buried option to confirm not by QR code but by fingerprint. And it dawned on me that the fingerprint at issue here is not one created by one's finger. I managed to use the 'fingerprint' to 'confirm' my imported key - but only after I had created a key - or was it an 'identity'? - on my phone. But now, when I try on the phone to decrypt a message, K9 tells me that I need to 'import' a key in order to... use my key. Or something. No wonder people say that a problem with email encryption is that it is too hard to set up.

See @cketti’s answer. You need to import your private key.

People encrypt messages for you with your public key. You decrypt with your private key.

Vice versa when you send a message: You sign with your private key, the recipient verifies with your public key.
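Two quick checks that cover the two sticking points in this thread (a public-key-only export being mistaken for a secret-key backup, as in cketti's reply, and matching the fingerprint Thunderbird shows against the one OpenKeychain shows before "confirming", as in tchara's reply). This is an added example written for this page, not code from K-9, OpenKeychain or Thunderbird. It inspects only the ASCII-armor header of the exported file, so it needs no gpg install; the sample files it creates are constructed placeholders, not real key material. The fingerprint comparison normalises spacing and case, because Thunderbird's Key Manager groups the 40 hex digits in blocks of four while other tools print them unbroken.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Helpers for checking an OpenPGP key file before importing it into OpenKeychain.

# Print "secret", "public" or "unknown" depending on the ASCII-armor header.
# Thunderbird's "Backup Secret Key(s) To File" writes a PRIVATE KEY BLOCK;
# a plain "Export Public Key(s)" writes a PUBLIC KEY BLOCK, which cannot decrypt.
pgp_block_kind() {
  if grep -q -e '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$1"; then
    echo secret
  elif grep -q -e '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1"; then
    echo public
  else
    echo unknown
  fi
}

# Normalise a fingerprint: drop whitespace, uppercase the hex digits.
norm_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Succeed (exit 0) only if both strings are the same 40-hex-digit v4 fingerprint.
# Anything shorter (e.g. an 8- or 16-digit key ID) is rejected, since short IDs
# are not safe to use for confirming a key.
same_fingerprint() {
  a=$(norm_fpr "$1"); b=$(norm_fpr "$2")
  case "$a" in *[!0-9A-F]*|'') return 1;; esac
  [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# --- constructed sample files (placeholders, not real keys) -----------------
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/public.asc" <<'EOF'
-----BEGIN PGP PUBLIC KEY BLOCK-----

(constructed placeholder, not real key data)
-----END PGP PUBLIC KEY BLOCK-----
EOF

cat > "$SAMPLE_DIR/secret.asc" <<'EOF'
-----BEGIN PGP PRIVATE KEY BLOCK-----

(constructed placeholder, not real key data)
-----END PGP PRIVATE KEY BLOCK-----
EOF

printf 'just some notes\n' > "$SAMPLE_DIR/notes.txt"

# Stand-alone usage: report what each file is, then compare two renderings
# of the same (constructed) fingerprint as different programs might show it.
for f in public.asc secret.asc notes.txt; do
  echo "$f: $(pgp_block_kind "$SAMPLE_DIR/$f")"
done

if same_fingerprint "1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678" \
                    "123456789abcdef0123456789abcdef012345678"; then
  echo "fingerprints match: safe to mark the key as confirmed"
else
  echo "fingerprints differ: do not confirm this key"
fi
```

If `pgp_block_kind` prints `public` for the file you copied to the phone, OpenKeychain has nothing to decrypt with: go back to Thunderbird's OpenPGP Key Manager and use "Backup Secret Key(s) To File" (or, with GnuPG, `gpg --export-secret-keys --armor <key-id>`), then import that file instead. Only mark the key as confirmed in OpenKeychain when `same_fingerprint` agrees with the fingerprint shown on the computer that holds the key.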