In this chapter we will look at installing an additional app called APG to allow us to use K-9 to send and receive encrypted emails.
About email encryption
Before explaining the process for setting up APG and K-9 it is useful to know a little about email encryption using PGP.
PGP gives each person a pair of keys: a private (secret) key that you keep to yourself and a public key that you hand out freely. Anything encrypted with a public key can only be decrypted with the matching private key. Both the sender and the receiver of email need their own key pair to be able to correspond.
So to send someone an encrypted email you need their public key, and for them to send you one they need yours. Your private key never leaves your phone.
It is really easy to fake who is sending an email, because the From address is just a header that anyone can set. To counter this, PGP is also used to sign emails. A signature is made with the sender's private key and can be checked by anyone holding the matching public key, so a valid signature shows that the email really came from the holder of that key and was not altered on the way. There is more background information about the process here.
OpenPGP is the open standard (RFC 4880) that describes the PGP key and message formats; GnuPG, APG and other programs are open source implementations of it. In these days after the release of information about the PRISM surveillance programme, it has become widely accepted that open source solutions offer the best chance of privacy. APG and K-9 are both open source applications.
Open source solutions are much less likely to contain 'backdoors' that give access to security contractors, because their source code is available for anyone to inspect. We may not be able to understand the code ourselves, but other users and developers do, and this community review makes it much less likely that the software contains anything harmful or risky to use. Bear in mind that publishing the code is not the same as having it reviewed: the benefit only exists when people actually read it.
Installing and using APG to encrypt your email in K-9
Follow the same procedure you used to install K-9 to install the APG app from the Play Store or F-Droid.
After you have checked that the App Permissions are acceptable, click Accept.
If you want to find out more about Android apps and security there are many resources available on the Internet. As a basic rule, apps should not ask for more permissions than they need to do their job.
Creating your PGP key pair
Start the APG app. You will see a welcome message suggesting that you install K-9 Mail if you haven't already, and some other tips; click OK.
To get started, click the More Actions menu key, or the Menu button if your phone has one.
We now need to set up a key pair. You may have one already if you use PGP elsewhere. In either case, select Manage Secret Keys.
Select the More Actions menu again. If you already have a key pair, click Import Keys (see Importing Keys from other Applications below). If not, select Create Key.
You should always set a pass phrase. It is a password that encrypts the secret key as stored on the phone, so that someone who copies the key file still cannot use it without the pass phrase.
Click Set Pass Phrase and enter your chosen pass phrase twice.
Add a User ID by clicking on the + next to User Id and entering a name and email.
You can now create a key by clicking on the + next to Keys.
Keep the default algorithm, RSA, but change the suggested key size of 1024 to at least 2048 bits. 1024-bit RSA is no longer considered strong enough, and 2048 bits is the minimum recommended today.
You now get the option to set an expiry date for your key and to choose how the key will be used. Setting an expiry date is sensible: if you ever lose the key or forget the pass phrase, the old key stops being trusted after that date.
Under Usage choose Sign and Encrypt.
Now click on Save. This completes the process of creating your key pair (public and secret keys).
You should see your new key in the list of secret keys.
If you browse to Manage Public Keys you will see your new public key listed. This is the key you will send to the people you want to receive encrypted email from.
Importing Keys from other Applications
You may already have a key pair that you want to import from another email application (such as Thunderbird). If so, you can import it into APG. To proceed, export your keys from that application into an .asc or .gpg file and transfer the file onto your phone's storage via USB or Bluetooth. Remember that this file contains your secret key, so treat it with care.
In the Manage Secret Keys menu, select Import Keys.
Now browse to where you copied the key file and select it.
You have the option to delete the file after importing it; it is a good idea to do so, since it contains your secret key.
This imports your own key into the list of secret keys, ready to be used for decrypting and signing mail.
If you started with your secret key, repeat the process for any public keys you want to import.
Exchanging Public Keys
To send and receive encrypted mail you need to exchange public keys with another email user.
From Manage Public Keys, export your own public key and choose a place to save it. The exported key is a plain text file.
Send this public key file to one of your contacts who uses PGP and ask them to send you an encrypted email. Only ever send the public key; the secret key stays on your phone.
If you want to try it out but don't know anyone who uses encryption, you can send an email with your public key to email@example.com.
Sending Encrypted Email
Keeping track of all these keys can be hard. To make it easier there are key servers where you can upload your own key and download other people's keys. Anyone can upload a key under any name or email address, so a key found on a key server is only a candidate until you have checked it with its owner.
From the options menu of the main screen of APG, select Key Server.
Enter the email address of the contact you want to send an email to and select Search.
If the key is on the key server it will return a result.
The number to the right of the result is the Key ID of that key: the last hex digits of the key's fingerprint. The Key ID is a quick way of checking you are using the right key, as sometimes there is more than one key associated with an email address. A short Key ID is only 32 bits long, however, and someone can generate a second key with the same short ID, so for anything that matters compare the full fingerprint with your contact over a different channel, for example by phone or in person.
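The exported public key file from the previous section and the Key ID shown by the key server are related in a fixed way: the Key ID is the tail of the key's fingerprint, and the fingerprint is a hash over the public key packet itself. The following Python script is an added example (not part of this chapter, and not code from APG or K-9) that builds an ASCII-armoured public key block laid out like an exported .asc file, checks its CRC-24 on the way back in, and computes the v4 fingerprint and Key ID as RFC 4880 defines them. It uses a made-up modulus (not a real key) so that it runs offline; all function and variable names are the example's own.

```python
"""Compute the fingerprint and Key ID of an ASCII-armoured OpenPGP v4 public key.

Added example: builds a sample public key packet from a constructed (not real) RSA
modulus, armours it like an exported .asc file, parses it back and derives the
fingerprint / Key ID (RFC 4880 sections 5.5.2, 6.1 and 12.2).
"""
import base64
import hashlib
import struct

# Constructed sample values: NOT a real key, just something for the arithmetic.
SAMPLE_N = (1 << 2047) | 0x1234567       # odd 2048-bit stand-in for an RSA modulus
SAMPLE_E = 65537
SAMPLE_CREATED = 1372636800              # arbitrary creation time (2013-07-01 UTC)

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def mpi(value):
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def build_public_key_packet(n, e, created):
    """Old-format tag 6 packet with a 2-byte length (header byte 0x99) holding a v4 RSA key."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


def crc24(data):
    """CRC-24 used for the '=xxxx' line at the end of an armoured block."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packet):
    """Lay the packet out as an exported .asc file: header line, blank line, base64, CRC, trailer."""
    b64 = base64.b64encode(packet).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode("ascii")
    return BEGIN + "\n\n" + "\n".join(lines) + "\n=" + crc + "\n" + END + "\n"


def dearmor(text):
    """Strip the armour, verify the CRC-24 and return the raw packet bytes."""
    lines = text.strip().splitlines()
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PGP public key block")
    body = lines[1:-1]
    idx = 0
    while idx < len(body) and body[idx].strip():   # skip armour headers such as "Version: ..."
        idx += 1
    if idx == len(body):
        raise ValueError("missing blank line after armour headers")
    data_lines, crc_line = [], None
    for line in body[idx + 1:]:
        if line.startswith("="):
            crc_line = line[1:].strip()
        elif line.strip():
            data_lines.append(line.strip())
    try:
        data = base64.b64decode("".join(data_lines), validate=True)
    except ValueError as exc:                      # binascii.Error is a ValueError
        raise ValueError("bad base64 in key block") from exc
    if crc_line is None or base64.b64decode(crc_line) != crc24(data).to_bytes(3, "big"):
        raise ValueError("CRC-24 mismatch: key block is corrupt or was altered")
    return data


def parse_public_key(data):
    """Parse the first packet of an exported key (the primary public key) and compute its fingerprint."""
    if data[0] == 0x99:
        length, start = struct.unpack(">H", data[1:3])[0], 3
    elif data[0] == 0x98:
        length, start = data[1], 2
    else:
        raise ValueError("expected an old-format public key packet (tag 6)")
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    created = struct.unpack(">I", body[1:5])[0]
    algorithm = body[5]
    pos = 6

    def read_mpi():
        nonlocal pos
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        size = (bits + 7) // 8
        value = int.from_bytes(body[pos + 2:pos + 2 + size], "big")
        pos += 2 + size
        return value, bits

    n, nbits = read_mpi()
    e, _ = read_mpi()
    # RFC 4880 12.2: v4 fingerprint = SHA-1(0x99 || 2-byte length || body), always with a 2-byte length.
    fingerprint = hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()
    return {"algorithm": algorithm, "created": created, "bits": nbits, "n": n, "e": e,
            "fingerprint": fingerprint,
            "keyid": fingerprint[-16:],        # long Key ID: low 64 bits of the fingerprint
            "short_keyid": fingerprint[-8:]}   # short Key ID: low 32 bits, cheap to collide


def matches_fingerprint(armored, expected):
    """Compare a key block against a fingerprint obtained out of band (phone call, business card)."""
    info = parse_public_key(dearmor(armored))
    return info["fingerprint"] == expected.replace(" ", "").upper()


SAMPLE_ARMORED = armor(build_public_key_packet(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED))
SAMPLE_INFO = parse_public_key(dearmor(SAMPLE_ARMORED))

if __name__ == "__main__":
    print(SAMPLE_ARMORED)
    print("fingerprint:", SAMPLE_INFO["fingerprint"])
    print("key ID:     ", SAMPLE_INFO["keyid"], "(short:", SAMPLE_INFO["short_keyid"] + ")")
```

The point of `matches_fingerprint` is the check the key server cannot do for you: the fingerprint you compare against has to come from the key's owner through some other channel. A real exported file carries further packets after the primary key (user IDs, signatures, subkeys); this example only reads the first one, which is the one the fingerprint is computed over.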
Once you have downloaded or imported your contact's key, you can send them an email from K-9 easily.
When you compose a new message, simply put a tick in the Encrypt box, which is now visible after installing APG.
Remember you can only encrypt email to people whose public PGP key you have.
To sign your email, tick the Sign box and then choose the key you want to sign with. You will be asked for that key's pass phrase.
Current limitations of encryption in K-9
As you can see, K-9 hands the encryption of emails to the external tool APG. There are some current limitations of this approach.
No encryption of attachments or PGP/MIME
The encryption process currently works only with the text inside your email message. This is called 'inline' encryption. Any attachments are sent in the clear, and the subject line and other headers are never encrypted with either method. Some email clients can also encrypt attachments, but this is not possible at present with K-9 / APG.
The standard way to encrypt the message text and its attachments together is PGP/MIME (RFC 3156), which wraps the whole MIME body of the message in a single encrypted part. Without going into the technical details, this is now the preferred way to encrypt your mail if your client supports it.
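To make the difference concrete, here is an added example (not from this chapter, and not code from K-9 or APG) in Python that builds one message the inline way and one the PGP/MIME way using only the standard library, then classifies a message and counts the MIME parts that travel unencrypted. The ciphertext block, addresses and attachment are constructed placeholders, not real APG output.

```python
"""Inline PGP versus PGP/MIME: build one message of each kind and classify which is which.

Added example. The ciphertext is a constructed placeholder, not real gpg/APG output.
"""
import email
from email import encoders, policy
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Constructed stand-in for what APG would produce; a real client puts actual ciphertext here.
FAKE_CIPHERTEXT = (
    "-----BEGIN PGP MESSAGE-----\n\n"
    "hQEMA3BsYWNlaG9sZGVyAQf/Tm90UmVhbENpcGhlcnRleHQ=\n"
    "=c0NS\n"
    "-----END PGP MESSAGE-----\n"
)
ATTACHMENT = b"Quarterly numbers, do not forward.\n"   # constructed attachment content


def build_inline(sender, recipient, subject):
    """Inline PGP, as K-9 + APG do it: only the text body is ciphertext, the attachment is not."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(FAKE_CIPHERTEXT)
    msg.add_attachment(ATTACHMENT, maintype="text", subtype="plain", filename="numbers.txt")
    return msg.as_string()


def build_pgp_mime(sender, recipient, subject):
    """PGP/MIME (RFC 3156): the whole original MIME body, attachments included, is the plaintext."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"], outer["To"], outer["Subject"] = sender, recipient, subject
    # First part is the fixed control part, second part carries the ciphertext.
    control = MIMEApplication(b"Version: 1\n", "pgp-encrypted", _encoder=encoders.encode_7or8bit)
    payload = MIMEApplication(FAKE_CIPHERTEXT.encode("ascii"), "octet-stream",
                              _encoder=encoders.encode_7or8bit, name="encrypted.asc")
    outer.attach(control)
    outer.attach(payload)
    return outer.as_string()


def classify(raw):
    """Report how a message is protected and how many MIME parts travel unencrypted."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return {"kind": "pgp/mime", "unprotected_parts": 0}
    inline, unprotected = False, 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if (part.get_content_type() == "text/plain" and part.get_filename() is None
                and "-----BEGIN PGP MESSAGE-----" in text):
            inline = True          # the body text is ciphertext
        else:
            unprotected += 1       # attachment or plain body, readable by anyone in the path
    return {"kind": "inline" if inline else "plaintext", "unprotected_parts": unprotected}


if __name__ == "__main__":
    for builder in (build_inline, build_pgp_mime):
        raw = builder("alice@example.org", "bob@example.org", "report")
        print(builder.__name__, "->", classify(raw))
```

Running it shows the inline message with one unprotected part (the attachment) and the PGP/MIME message with none, because in PGP/MIME the attachment lives inside the encrypted part. In both cases the From, To and Subject headers are visible to every server on the way.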
Because this is a frequently requested feature, it is likely that it will be possible soon. The Guardian Project is working in this area to create a GnuPG client for Android and is likely to make it compatible with K-9.