{"id":1186,"date":"2024-06-26T19:18:59","date_gmt":"2024-06-26T17:18:59","guid":{"rendered":"https:\/\/sven-seeberg.de\/wp\/?p=1186"},"modified":"2024-06-26T19:22:06","modified_gmt":"2024-06-26T17:22:06","slug":"openpgp-smart-card-with-re-encrypting-mailing-list","status":"publish","type":"post","link":"https:\/\/sven-seeberg.de\/wp\/?p=1186","title":{"rendered":"OpenPGP Smart Card with Re-Encrypting Mailing List"},"content":{"rendered":"\n<p><a href=\"https:\/\/schleuder.org\">Schleuder<\/a> can be used to create mailing lists that allow encryption of e-mails with GnuPG\/PGP. Schleuder has to decrypt incoming mails and re-encrypt them for each subscriber of the mailing list.<\/p>\n\n\n\n<p>Therefore it is necessary to entrust the server with the private key. However, it is possible to add an additional layer of security by storing the private key on an <a href=\"https:\/\/en.wikipedia.org\/wiki\/OpenPGP_card\">OpenPGP card<\/a>, for example a <a href=\"https:\/\/shop.nitrokey.com\/shop\/category\/nitrokeys-7\">Nitrokey<\/a>. As Schleuder basically uses GnuPG without any special configuration, a PGP key pair can be imported as the key for the mailing list. Obviously, your server needs a USB port.<\/p>\n\n\n\n<p>This can be used in combination with a mailbox that forwards incoming e-mails to the Schleuder list. This allows a team to have a single trusted PGP key whose private part does not have to be shared across the team. If someone from the outside sends an encrypted e-mail to the team mailbox, the mail gets re-encrypted for all team members, each to their own PGP key. 
If they have to answer the original sender, the <a href=\"https:\/\/schleuder.org\/schleuder\/docs\/subscribers.html#resending\">x-resend command<\/a> of Schleuder can be used to sign the mail with the key on the smart card.<\/p>\n\n\n\n<p>For this to work, first install and configure Schleuder as described in the <a href=\"https:\/\/schleuder.org\/schleuder\/docs\/server-admins.html#installation\">documentation<\/a>. Then configure a new mailing list.<\/p>\n\n\n\n<p>To use the OpenPGP card for your list, create a <a href=\"https:\/\/docs.nitrokey.com\/storage\/windows\/openpgp-keygen-on-device\">key pair<\/a> on it with all needed identities. The Schleuder list address needs to be included, for example mylist@schleuder.example.com. If you want a public mailbox which redirects incoming mails to the Schleuder list, add this identity as well (for example secure@example.com). Do not forget to set the <code>URL of public key<\/code>. Then store the public key at the location that URL points to.<\/p>\n\n\n\n<p>When you&#8217;re done with the smart card setup, attach it to your server (and forward the USB device to a VM, if you need to). Then, as root, import the smart card key for the mailing list:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo -u schleuder gpg --pinentry-mode loopback --homedir \/var\/lib\/schleuder\/lists\/schleuder.example.com\/mylist\/ --edit-card<\/code><\/pre>\n\n\n\n<p>Then, in the GnuPG console, execute the following commands:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>fetch<br>quit<\/code><\/pre>\n\n\n\n<p>You should now have imported the key pair, with the private key remaining on the smart card. You now need to ensure that the key is unlocked by decrypting a file and entering the PIN. Create a simple text file that is encrypted with the public key belonging to the smart card and save it to <code>\/var\/lib\/schleuder\/unlock-pin.gpg<\/code>. 
Then execute the following command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo -u schleuder gpg --homedir \/var\/lib\/schleuder\/lists\/schleuder.example.com\/mylist\/ --decrypt \/var\/lib\/schleuder\/unlock-pin.gpg<\/code><\/pre>\n\n\n\n<p>In some cases I have to do this twice for the smart card to be unlocked. You can now send an e-mail to the list encrypted with the public key belonging to the private key on the smart card.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Schleuder can be used to create mailing lists that allow encryption of e-mails with GnuPG\/PGP. Schleuder has to decrypt incoming mails and re-encrypts them for each subscriber of the mailing list. Therefore it is necessary to entrust the server with &hellip; <a href=\"https:\/\/sven-seeberg.de\/wp\/?p=1186\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17],"tags":[],"class_list":["post-1186","post","type-post","status-publish","format-standard","hentry","category-debian"],"_links":{"self":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1186","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1186"}],"version-history":[{"count":5,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1186\/revisions"}],"predecessor-version":[{"id":1191,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1186\/revisions\/1191"}],"wp:attachment":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}