codema.in
Tue 13 Jul 2021 10:41PM

Guide for encrypting mails using pep

RD Ravi Dwivedi Public Seen by 46

This is a guide to encrypt emails using [pep app](pep.security). Pep is available for download for [Android](https://www.pep.security/en/android/), [iOS](https://www.pep.security/en/ios/), and for desktop, it is available as an [add-on in Thunderbird](https://pep.software/thunderbird/).

-------Review this-----
The Thunderbird addon is not recommended because it disables OpenPGP in Thunderbird.
----------------------

For Android, pep app is available on [F-Droid](f-droid.org) and Google Play Store. Download the pep app in Android. The app will ask you for the permission to read contacts and download files. Permission to read contacts is to autofill the contacts when writing mails and the permission to download files is to save attachments in your phone. Both permissions are optional and can be changed at a later time. Set up your email account by entering email account and password. In case you have a Google Account, select “Use OAuth 2.0 token”. Depending on your email provider, you might have to manually enter IMAP/POP and SMTP details. These details would usually be available on the website of your email provider. Pep then asks whether to store messages securely which means https://www.pep.security/docs/general_information.html#store-messages-securely.Then, on the next screen, set an account name and a display name for outgoing mails.

You can also import your private gpg keys to pep app.

The first mail from a pep user will be unencrypted, but when you reply to that mail, you can check the 'Privacy Status' of that user which should be yellow. This means that the message will be end-to-end encrypted.

In order to mitigate MITM attacks, pep has introduced a feature called [handshake](https://www.pep.security/docs/general_information.html#handshake). You can do this by pressing the Privacy Status icon and then comparing the Trustwords using other means of communication. Select "Confirm" if the Trustwords match, otherwise select "Reject". Now you will see a green icon on the Privacy Status of the contact you handshaked with. It says 'Secure & Trusted'.

From now on, all the future messages to this contact will be encrypted with GPG. This means that your email provider cannot read your mails as well as the subject of the mail (as they are encrypted with your private keys). The email provider will still have metadata-- whom you contacted you and when. But sending encrypted mails is better for privacy than sending unencrypted mails.

The same steps work for pep in iOS as well.

PP

Pirate Praveen Sat 28 Aug 2021 9:46AM

@Ravi Dwivedi I think we should add a big warning about importing existing gpg keys with password to android app and make an explicit recommendation to use PEP only if they are willing to use a key without passwords. We can also possibly try to remove passwords from our keys and importing again some time.

I

Irfan Mon 30 Aug 2021 2:53AM

What's the issue with PEP and keys with passwords?

PP

Pirate Praveen Mon 30 Aug 2021 9:07AM

In android app, it will ask you for password once when it starts, pep app remembers it for 10 minutes. If another encrypted mail comes after that, it can't remember password or ask again. So it won't show any new mails until you manually kill (force close) the app and start again. We reported the issue but not fixed yet. See https://pep.community/t/support-using-open-keychain-directly-via-api-for-gpg-keys/86/