How to use the Fidesmo PGP applet to encrypt and sign emails in Android

November 12th, 2015

There are many good reasons to protect your email from prying eyes with encryption. There are also many reasons to ensure nobody can impersonate you by digitally signing your messages. PGP has been providing the tools to do both encryption and signing since 1991. This blog post, written as a tutorial, shows how to use it on the most popular smartphone platform in the world. Storing such important keys should be done on a secure platform. As Android has some security shortcomings, we will show how to use the Fidesmo Privacy Card for Android as the device to securely store the private keys.

This step-by-step guide is wonderful, but it shows you how to store the keys on the smartphone, not on a contactless card. Let’s do that instead!

What you need

Step-by-step guide

1. Generate the PGP keys and store them in the Fidesmo card

We’ll do this with the OpenKeychain app. When opening OpenKeychain for the first time, there will not be any keys to manage. So let’s create them.

Click on the “You don’t have any keys yet!” message and select “USE YUBIKEY NEO”.

OpenKeychain will ask you to tap your phone against your Fidesmo card (OpenKeychain’s picture shows a Yubikey Neo, but it is the same procedure). Let’s do it!

When in the next screen OpenKeychain asks whether to use this card (as before, it says “this YubiKey Neo” – something that hopefully will change soon 😉 ), click on “USE THIS YUBIKEY”.

Fill in details that will be associated with this key: name for the key, email address, and a PIN to make sure that only you will be able to use that key. It is a good idea to do as advised and write down in a safe place the Admin PIN (similar to your SIM card’s PUK). I use KeePass for this kind of stuff.


Now, in the confirmation screen, you can review your data and check “Synchronize with the Internet” if you want your public key to be published in a centralized server. Click on “CREATE KEY”. I don’t think you’ll have time for the cup of coffee promised by the app…

Note that the “Change key configuration” is disabled. That’s because the key configuration is determined by the card’s capabilities: 3 RSA 2048 bit subkeys.

It will generate a new RSA keyset, and then ask you to tap the card (well, the Yubikey… you know) to store it there.


Once the private key is stored on the card, it will show up as ‘available’ in the app and you can read its details and share the public key with your correspondents. Now let’s sign some emails!


2. Sign a message

For this part of the tutorial, we will use the powerful K-9 email client. To avoid making this an endless post, we’ll assume you have configured your email account properly, so you are able to send and receive emails using K-9. Let’s sign them now, using K-9.

From the bottom right menu, select “Settings” at the bottom, then “Account settings”. Scroll down to the cool stuff, “Cryptography” and (obviously) click it. You will need to select an OpenPGP Provider – let’s choose OpenKeychain. The list coming up in your phone might be larger than the screenshot below, if you have installed more apps that can manage PGP keys.


Now let’s write a new message. Don’t forget to click on “Sign”! Let’s send it.

OpenKeychain will pop up, asking for permission. Click “ALLOW ACCESS”. Then select the key we created above as the one to be configured for this account and click “SAVE” on the top right corner.


This was still configuration. Now we get to the actual signing: get your card ready! A dialog box will pop up asking for the PIN to access the card (well, you know… the YubiKey) for the new key. Enter the one you defined a few steps above, and click “UNLOCK”.

You will be prompted to tap the phone with the card, some NFC magic will happen, a new prompt comes asking you to take away the card, and… your signed message was just sent!
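What that “NFC magic” consists of, as an added example that is not part of the original post and not Fidesmo’s or OpenKeychain’s code: the three command APDUs a host sends to an OpenPGP card for one signature (select the applet, verify the signing PIN, request a signature over a SHA-256 DigestInfo), built in Python from the OpenPGP card specification. The transport is assumed to be the host app’s NFC channel; the status-word helper shows why a wrong PIN is reported with a retry count and why a blocked PIN needs the Admin PIN.

```python
import hashlib

# Registered AID prefix of the OpenPGP card application (OpenPGP card spec).
OPENPGP_AID = bytes.fromhex("D27600012401")
# DER prefix of a PKCS#1 DigestInfo for SHA-256; the 32-byte hash is appended.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def apdu(cla, ins, p1, p2, data=b"", le=None):
    """Build a short-length ISO 7816-4 command APDU: header, optional Lc+data, optional Le."""
    if len(data) > 255:
        raise ValueError("short APDU data field is limited to 255 bytes")
    out = bytes([cla, ins, p1, p2])
    if data:
        out += bytes([len(data)]) + data
    if le is not None:
        out += bytes([le])
    return out


def select_openpgp():
    """SELECT the OpenPGP applet by partial AID (the card also answers to its full AID)."""
    return apdu(0x00, 0xA4, 0x04, 0x00, OPENPGP_AID)


def verify_signing_pin(pin):
    """VERIFY PW1 in signature mode (P2=0x81): the PIN the user typed into the UNLOCK dialog."""
    if len(pin) < 6:
        raise ValueError("PW1 must be at least 6 characters")
    return apdu(0x00, 0x20, 0x00, 0x81, pin.encode())


def compute_signature(message):
    """PSO:COMPUTE DIGITAL SIGNATURE (INS 0x2A, P1 0x9E, P2 0x9A) over a DigestInfo.
    The private key never leaves the card; only the hash goes in, the raw signature comes out."""
    digest_info = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    return apdu(0x00, 0x2A, 0x9E, 0x9A, digest_info, le=0x00)


def classify_response(resp):
    """Split a response APDU into (data, status text) for the status words that matter here."""
    data, sw1, sw2 = resp[:-2], resp[-2], resp[-1]
    if (sw1, sw2) == (0x90, 0x00):
        return data, "ok"
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:      # 63 CX: wrong PIN, X tries left
        return data, "wrong PIN, %d tries left" % (sw2 & 0x0F)
    if (sw1, sw2) == (0x69, 0x82):              # PSO:CDS attempted without VERIFY
        return data, "PIN not verified"
    if (sw1, sw2) == (0x69, 0x83):              # retry counter exhausted
        return data, "PIN blocked, reset requires the Admin PIN"
    return data, "unexpected status %02X%02X" % (sw1, sw2)
```

On Android the host app would pass each of these byte strings to `IsoDep.transceive()` while the card stays in the NFC field, which is why the app only tells you to take the card away once the 256-byte RSA-2048 signature has come back.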


Signing or encrypting other messages will be much easier, since you have already done all the configuration work. Don’t forget to share your public keys so your correspondents can verify your signature or write encrypted emails to you; OpenKeychain offers convenient options for that.