Alex's Adventures on the Infobahn - gpghttps://www.bennee.com/~alex/2010-03-17T07:35:00+00:00the wanderings of a supposed digital nativeAdding Google Juice to mutt2010-03-17T07:35:00+00:002010-03-17T07:35:00+00:00alextag:www.bennee.com,2010-03-17:/~alex/blog/2010/03/17/adding-google-juice-to-mutt/<p>As I've been mailing out invites I discovered a minor problem with my data.</p>
<p>My main email client is the fantastically functional <a class="reference external" href="http://www.mutt.org">mutt</a>. It's terminal based but incredibly flexible. When it comes to mass sorting/searching your email it leaves GUI based clients standing. However now I'm a roving around …</p><p>As I've been mailing out invites I discovered a minor problem with my data.</p>
<p>My main email client is the fantastically functional <a class="reference external" href="http://www.mutt.org">mutt</a>. It's terminal based but incredibly flexible. When it comes to mass sorting/searching your email it leaves GUI based clients standing. However now I'm a roving around with a Google Phone the majority of my contact data is <a class="reference external" href="http://en.wikipedia.org/wiki/Gmail">in the cloud</a>. While I have a small address file used by mutt it only has a few oft-mailed addresses in it.</p>
<p>Luckily thanks to <a class="reference external" href="http://code.google.com/apis/gdata/">Google's data APIs</a> <strong>your information</strong> is only a few <a class="reference external" href="http://en.wikipedia.org/wiki/Representational_State_Transfer#RESTful_web_services">RESTful</a> requests away. The <a class="reference external" href="http://code.google.com/p/goobook/">goobook</a> program provides a handy mutt compatible address book interface to this cloud data.</p>
<p>There is one wrinkle however. The <a class="reference external" href="http://code.google.com/p/goobook/source/browse/trunk/README.txt#59">configuration</a> of the script involves putting some rather valuable login details in a plain text file on your home partition. While I like to think my machines are pretty secure and maintained you can always do more. Good security is defence in depth. A <a class="reference external" href="http://groups.google.com/group/goobook/browse_thread/thread/f632e3d5c4fcaf25">quick patch later</a> and I can store those details in an <a class="reference external" href="http://en.wikipedia.org/wiki/GNU_Privacy_Guard">GPG</a> encrypted file that can be decrypted on the fly when required.</p>
<p>The final piece of the puzzle is creating these encrypted config files in the first place. Although you can do this by hand from the command line I find the best method is using <a class="reference external" href="http://www.emacswiki.org/emacs/EasyPG">EasyPG</a> (now part of Emacs 23). This will automatically cause any files with a .gpg extension to be encrypted. You can control the Emacs mode selection and default encryption key to use by using <a class="reference external" href="http://www.gnu.org/software/emacs/manual/html_node/emacs/Specifying-File-Variables.html#Specifying-File-Variables">file variables</a> in the header comments of the file.</p>
<p>It's not all perfect though, when enabling EasyPG I had to do the following:</p>
<pre class="literal-block">
(if (maybe-load-library "epa-file")
(progn
(setenv "GPG_AGENT_INFO" nil) ; gpg-agent confuses epa when getting passphrase
(epa-file-enable)))
</pre>
<p>The problem seems to be that when GPG agent runs in terminal mode it confuses Emacs/EasyPG. By suppressing the GPG_AGENT_INFO environment variable EasyPG will fall back to requesting your passphrase in the mode line. While it takes care to flush the value as soon as possible it does open a small window of attack if an attacker can cause emacs to crash and dump core.</p>
New Keys Please2010-03-08T11:25:00+00:002010-03-08T11:25:00+00:00alextag:www.bennee.com,2010-03-08:/~alex/blog/2010/03/08/new-keys-please/<p>I've finally gotten around to updating my <a class="reference external" href="http://www.bennee.com/~alex/key.asc">personal GPG key</a>. At the same time I've plumbed in the various bits I need into my <a class="reference external" href="http://www.mutt.org/">mail client</a> so it's a little easier to sign, encrypt, and verify GPG enabled email. Of course the super paranoid will want to check the public …</p><p>I've finally gotten around to updating my <a class="reference external" href="http://www.bennee.com/~alex/key.asc">personal GPG key</a>. At the same time I've plumbed in the various bits I need into my <a class="reference external" href="http://www.mutt.org/">mail client</a> so it's a little easier to sign, encrypt, and verify GPG enabled email. Of course the super paranoid will want to check the public key linked to is in fact mine and not some evil twin clone of me. Contact me by some other means (any of my <a class="reference external" href="http://en.wikipedia.org/wiki/Extensible_Messaging_and_Presence_Protocol">XMPP</a> accounts* will do although to be safe I recommend using a <a class="reference external" href="http://en.wikipedia.org/wiki/Off-the-Record_Messaging">Off the Record</a> plugin).</p>
<p>If you show me your cryptographic fingerprint I'll show you mine ;-)</p>
<p>* That would be LJ chat, Google Talk or the new Facebook chat</p>