OpenPGP Smart Card with Re-Encrypting Mailing List

Schleuder can be used to create mailing lists that allow encryption of e-mails with GnuPG/PGP. Schleuder has to decrypt incoming mails and re-encrypt them for each subscriber of the mailing list.

Therefore it is necessary to entrust the server with the private key. However, it is possible to add an additional layer of security by storing the private key on an OpenPGP card, for example a Nitrokey. As Schleuder basically uses GnuPG without any special configuration, a PGP key pair held on the card can be imported as the key for the mailing list. Obviously, your server needs a USB port.

This can be used in combination with a mailbox that forwards incoming e-mails to the Schleuder list. This allows a team to have one trusted PGP key whose private part does not have to be shared across the team. If someone from the outside sends an encrypted e-mail to the team mailbox, the mail is re-encrypted for every team member, each to their own PGP key. If they have to answer the original sender, Schleuder's x-resend command can be used to sign the reply with the key on the smart card.

For this to work, first install and configure Schleuder as described in its documentation, then configure a new mailing list.

To use the OpenPGP card for your list, create a key pair on it with all needed identities. The Schleuder list address needs to be included, for example mylist@schleuder.example.com. If you want a public mailbox that redirects incoming mails to the Schleuder list, add that identity as well (for example secure@example.com). Do not forget to set the public key URL on the card, since the fetch command below retrieves the public key from there. Then store the public key at the location the URL points to.

When you are done with the smart card setup, attach it to your server (and forward the USB device to the VM, if you need to). Then, as root, open the smart card with the GnuPG home directory of the mailing list:

sudo -u schleuder gpg --pinentry-mode loopback --homedir /var/lib/schleuder/lists/schleuder.example.com/mylist/ --edit-card

Then, in the GnuPG card console, execute the following commands:

fetch
quit

You should now have imported the key pair, with the private key remaining on the smart card (GnuPG only stores a stub that points to the card). Next, ensure that the key is unlocked by decrypting a file and entering the PIN. Create a simple text file, encrypt it with the public key stored on the smart card and save it as /var/lib/schleuder/unlock-pin.gpg. Then execute the following command:

sudo -u schleuder gpg --homedir /var/lib/schleuder/lists/schleuder.example.com/mylist/ --decrypt /var/lib/schleuder/unlock-pin.gpg

In some cases I have to do this twice for the smart card to be unlocked. You can now send an e-mail to the list encrypted with the public key belonging to the private key on the smart card.
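As an added example (not code from the original post or from Schleuder), here is a small health check a list operator can run as the schleuder user, e.g. from cron: it reads GnuPG's machine-readable secret key listing to confirm that the list key exists only as a card stub and then verifies that the card is currently unlocked, retrying the decrypt once as noted above. The paths and the RUN_CHECK switch are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or from Schleuder: a health check
# for a list whose key lives on an OpenPGP card. Run it as the schleuder user;
# the assumed paths follow the post's example list.
set -eu
LIST_HOME="${LIST_HOME:-/var/lib/schleuder/lists/schleuder.example.com/mylist/}"
UNLOCK_FILE="${UNLOCK_FILE:-/var/lib/schleuder/unlock-pin.gpg}"

# Reads `gpg --with-colons --list-secret-keys` records on stdin and succeeds
# only if at least one secret (sub)key is a card stub and none is held in the
# keyring itself. In sec/ssb records field 15 carries the token serial number
# for a card stub, '#' when the secret part is missing, and is empty when the
# secret key material sits on disk.
secret_keys_on_card() {
  local line type sn stub=0 other=0
  while IFS= read -r line; do
    type=${line%%:*}
    case "$type" in
      sec|ssb)
        sn=$(printf '%s\n' "$line" | cut -d: -f15)
        if [ -n "$sn" ] && [ "$sn" != "#" ]; then
          stub=$((stub + 1))
        else
          other=$((other + 1))
        fi
        ;;
    esac
  done
  [ "$stub" -gt 0 ] && [ "$other" -eq 0 ]
}
# Decrypts the unlock file without any PIN prompt, so it succeeds only when
# the card is present and its PIN is cached. Retries once, as the post notes
# that the first attempt sometimes fails.
card_unlocked() {
  local attempt
  for attempt in 1 2; do
    gpg --homedir "$LIST_HOME" --batch --quiet --pinentry-mode cancel \
        --decrypt "$UNLOCK_FILE" >/dev/null 2>&1 && return 0
  done
  return 1
}
main() {
  gpg --homedir "$LIST_HOME" --with-colons --list-secret-keys \
    | secret_keys_on_card || { echo "list key is not a card stub" >&2; exit 2; }
  card_unlocked || { echo "card absent or locked; repeat the decrypt step" >&2; exit 3; }
  echo "ok: list key on card and unlocked"
}
# Run the check only when asked (RUN_CHECK=1), so the functions can be sourced.
if [ "${RUN_CHECK:-0}" = 1 ]; then main; fi
```

Invoke it as `RUN_CHECK=1 sudo -u schleuder ./card-check.sh`; a non-zero exit means the key is not on the card as expected or the PIN still needs to be entered.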