K9 mail e2ee

E24

I was scrolling through k9 mail settings the other day and found a e2ee option for emails if you install openkeychain. Does anyone use this?

Volen

E24

Not K9 mail but I do use Fairemail with Openkeychain. It's very easy - you add the keys to Openkeychain, then tap to lock button in Fairemail when composing an email, enter your Openkeychain password and get the whole thing encrypted.

I suspect K9 is using more or less the same approach.

E24

Volen and this ensures then emails cannot be read while in transit, correct?

raccoondad

E24 It uses OpenPGP, you will need to learn how to use OpenPGP, have you and the recipient generate and exchange keys, and then use K9s built in support.

If the recipient does not have a OpenPGP key, K9s support cannot be used

[deleted]

E24 I use k9 and also openleychain app to connect with mailbox. Org, the server I use to store my encrypted emails. Mailbox.org encrypts my emails with my public key when received and I decrypt with my private key when downloaded.
But if you will the emails sent to any encrypted you need to share anything with the other side

brightjob4495

[deleted] I had this exact same setup and it works well, but it's not as comfortable to use as regular plain text email.

In the end I disabled the inbox encryption as I decided that my threat model didn't need this, and it was better to use the webmail with its 2FA. PGP only encrypts email contents, but neither the metadata nor the subject. In my case, I only receive sign up confirmations, purchase confirmations and things like those. Most of what anyone could gain by surveying my email is know where I've signed up and what I've bought, which is a learning they can have by analysing the email metadata and subject anyway.

For people that have an email usage like mine, which I would say is the unavoidable email usage, I don't think PGP encryption is very useful. The only threat it would protect from would be someone being able to see temporary confirmation links for resetting passwords and content like that. But with IMAP/POP3 disabled, 2FA enabled and no "app passwords", for the adversary to have access to my email content, they need my email credentials, including 2FA, or access to my email provider's servers. At which point, they could disable inbox encryption anyways to receive those password reset emails.

[deleted]

brightjob4495 I do not use webmail but K9 or Thunderbird (at desktop) and configured PGP in both scenarios and working transparent to me (after first setup). I haven't shared my private key with mailbox.org. That's doesn't grants mailbox.org do not read my emails but grants that anyone hacking the servers can't read if mailbox.org accomplish the promise to do not store plain emails.
Really I need it? maybe no ;)

brightjob4495

[deleted] I meant that I was using K9 with openkeychain too (and thunderbird in the desktop), with mailbox using my public key to encrypt the emails with PGP as they came in, like you have. But I ended up disabling it and switching to plain text and webmail for the reasons I described.

Regarding an adversary with access to Mailbox servers, if they had access to your emails, they would also have access to intercept them before they are encrypted, or they could disable encryption for your user. So unless I'm missing something, I don't see the use case for inbox encryption in that case

[deleted]

brightjob4495 I think that if a hacker had access to the mailbox.org servers, he would be detected shortly, so he could effectively have access to a certain number of emails, those that arrived from the time he entered until he was detected, but not to my history, unless mailbox.org tricks us into keeping unencrypted copies, which I don't think is the case.

treequell

GrapheneOS does not recommend using email for private communication, even when using with encryption. It's strongly recommended to use an app with proper support for E2EE like Signal instead.

E24

treequell this is what I'll end up doing. Thank you guys for the help! I dont think the key thing will work for all of my emails so I'll try to use proton or tutanota more for emails and signal

spiral

E24 I dont think the key thing will work for all of my emails

I'm not sure if you understand how PGP works. In the case that you don't... When using regular email and PGP, anyone you're corresponding with must have your public key to encrypt email to you and you must have their public key to encrypt to them. It's very much "opt-in."

E24 I'll try to use proton or tutanota

Similarly, anyone you're corresponding with on protonmail or tutanota must ALSO be using the same platform as you. While using these emails providers, the only "by default" encryption that happens is when you're emailing someone who is also using PM or tuta. If, for instance, you are using protonmail and you're emailing a contact @gmail, there is no encryption happening unless you manually encrypt with PGP (or with a password which PM and tuta provide the option for but which is less secure than actual PGP).