I’ve been through every setting and menu item and nowhere is encryption or signing mentioned at all. I installed K9 because I read it supports PGP on Android. Did I install the wrong app?
Settings » Account » End-To-End Encryption
Thank you very much. Now I’m being asked to scan a code. I’m confused. The public/private keys are just text files with numbers. How does a qr code get involved here?
You can import keys using multiple different ways. One of them is importing the text files. One of them is scanning a QR code. You don’t need to use the QR code.
This is just not working. I import the text file and now have an unconfirmed key. 2 options are given for confirming the key, qr code or fingerprints. I select fingerprints and select that the fingerprints match and am promptly taken back to the page indicating an unconfirmed key. It shouldn’t be this difficult to import and confirm a key. Thank you for your assistance but this proves to me that K9 + pgp + my android phone isn’t going to work. Again, thank you for your prompt help.
Did you install the app OpenKeychain? Did you add your private key to OpenKeychain? As far as I know K9 can only encrypt using OpenKeychain.
Yes I installed openkeychain, yes I imported my public key text file. The public key was created by Thunderbird, exported (saved) to a text file and then copied to my android phone. It is a 3072 bit, RSA, never expire, public and private key pair. I am only dealing with the public key. I opened the text file and confirmed it is indeed a public key. In openkeychain, I’m left with an unconfirmed key that must be qr scanned because the match fingerprints method of confirmation is being ignored. BTW this is android version 9.
I asked for your private key. If you want to encrypt you need to use your private key. The receiver needs your public key to decrypt it.
(Face-palm) Of course! Somehow I was fixated on the public key being sent with the messages so that’s what I needed. Didn’t occur to me to do it the “right” way! Thank you so much for your guidance. I got the private key saved to a file (with password), transferred to the phone and imported into openkeychain. Enabled e2ee in K9, turned on email signing, sent test email, works great. Now the hard part, getting my friends/family to use e2ee.
Careful! What you describe is how signatures work.
To send encrypted mail, you only need the recipient’s public key. They will decrypt with their private key.
If it were the other way round, anybody with your public key (which is everybody) could decrypt your mails! Thus, you only use this for signatures (which are in fact encrypted hashes of the message).
TL;DR:
encryption: pub_R(message) = cipher
decryption: sec_R(cipher) = sec_R(pub_R(message)) = message
signing: sec_S(hash(message)) = sig
verifying: pub_S(sig) = pub_S(sec_S(hash(message))) = hash(message)
correct PGP usage by sender:
pub_R(message, sec_S(hash(message))) = signed cipher
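The four operations in the TL;DR above, worked through as an added example that is not part of the original thread. It uses deliberately simplified textbook RSA (no OAEP/PSS padding, no hybrid session key, small 512-bit keys generated from a fixed seed) purely to make the pub_R / sec_R / pub_S / sec_S notation concrete; the key pairs, the message and the function names are all constructed for this illustration and are not what OpenKeychain or GnuPG do internally.

```python
import hashlib
import random

# Textbook (unpadded) RSA, kept minimal so that pub_X(value) and sec_X(value)
# map one-to-one onto the notation in the post. Real OpenPGP adds padding and
# encrypts a random session key, so treat this as a teaching aid only.


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Draw odd candidates with the top bit set until one passes the test."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate


def modinv(a, m):
    """Modular inverse by extended Euclid (a and m must be coprime)."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r, old_s, s = r, old_r - q * r, s, old_s - q * s
    return old_s % m


def generate_keypair(bits=512, seed=None):
    """Return ((e, n), (d, n)): the public and the secret half of one key."""
    rng = random.Random(seed)  # fixed seed -> reproducible demo keys only
    e = 65537
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this means gcd(e, phi) == 1
            break
    return (e, p * q), (modinv(e, phi), p * q)


def apply_key(key, value):
    """pub(x) or sec(x): one modular exponentiation with that half of the key."""
    exponent, n = key
    return pow(value, exponent, n)


def encrypt(recipient_pub, message):
    """pub_R(message) = cipher: only the recipient's PUBLIC key is needed."""
    m = int.from_bytes(message, "big")
    assert m < recipient_pub[1], "message too long for this unpadded demo"
    return apply_key(recipient_pub, m)


def decrypt(recipient_sec, cipher):
    """sec_R(cipher) = message: only the recipient can do this."""
    m = apply_key(recipient_sec, cipher)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(sender_sec, message):
    """sec_S(hash(message)) = sig: the sender's SECRET key signs a digest."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return apply_key(sender_sec, digest)


def verify(sender_pub, message, sig):
    """pub_S(sig) == hash(message): anyone with the public key can check."""
    recovered = apply_key(sender_pub, sig)
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return recovered == expected


def demo():
    sender_pub, sender_sec = generate_keypair(seed=1)        # S: the writer
    recipient_pub, recipient_sec = generate_keypair(seed=2)  # R: the reader
    message = b"meet at noon"                                # constructed sample
    sig = sign(sender_sec, message)
    cipher = encrypt(recipient_pub, message)
    return {
        "roundtrip": decrypt(recipient_sec, cipher) == message,
        "sig_ok": verify(sender_pub, message, sig),
        "sig_tampered": verify(sender_pub, b"meet at one", sig),
        "wrong_key_decrypts": decrypt(sender_sec, cipher) == message,
    }


if __name__ == "__main__":
    print(demo())
```

The last two entries returned by demo() show the two properties the post is making: altering the message breaks signature verification, and the sender's own secret key cannot recover a message encrypted to the recipient's public key. The combined step pub_R(message, sec_S(hash(message))) is left out because unpadded RSA cannot carry the message and signature as one value; OpenPGP solves that with a symmetric session key.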
Thanks for clarification! Sure - it is how you described it!
This question is about the openkeychain.org app. Can we update a PGP sig with other identities? For instance, if the same PGP is used for several email addresses, can we update identities in the app? Thanks,
Yes. However, you should expand the key pair on a full GnuPG application.
For security reasons I want to strongly urge you to use separate keys for separate identities. Make sure all of them have different expiry dates and that you cross-sign.