2013.04.24

mutt and pgp

this article covers using mutt with pgp. it is a work in progress.

this is gentoo-centric and assumes you are using a google apps enabled domain or a gmail address.

at the time of writing:
mail-client/mutt-1.5.21-r12
app-crypt/gnupg-2.0.19-r2
app-crypt/pinentry-0.8.2


first things first, let's install some software:

for non-gentoo systems:
install mutt, gnupg, and pinentry.

for gentoo systems:

% USE="crypt gnutls imap nls sasl smime smtp ssl" sudo emerge mutt
% USE="bzip2 nls readline usb" sudo emerge gnupg
% sudo emerge pinentry


let's move on to the configuration.

first, let's create a gpg key:
% gpg --gen-key
(follow all the steps here)

now let's list our keys to make sure they are right:
% gpg --list-keys
copy the key ID, since we will need it later.

if you have not done so already, i recommend uploading your public key to the pgp key servers:
% gpg --send-keys "KEY ID"


now let's start creating the muttrc accounts section.

i tend to keep my account info separate from the muttrc file,
so at the bottom of the muttrc file just add a line that reads “source ~/muttrc-accounts”,
making sure it points to the right location of that file.
here is a sample of my muttrc-accounts file.

now let's start editing “muttrc-accounts”.
for our example emails we will use “foo@bar.com” and “foo@baz.com”, which we will assume are on google apps enabled domains.
for our key ID we will use “0xABCD1234”.
for our password we will use “P4SSW0RD”.

let's add a mailboxes section:

mailboxes 'imaps://foo@bar.com@imap.gmail.com:993/INBOX'
or for multiple accounts:
mailboxes 'imaps://foo@bar.com@imap.gmail.com:993/INBOX' \
'imaps://foo@baz.com@imap.gmail.com:993/INBOX'

now let's add an F-key macro so we can switch to these accounts by pressing F5 or F6 (change the keys to whatever suits you):

macro generic,index,pager <F5> "c imaps://foo@bar.com@imap.gmail.com:993/INBOX/\n"


or for multiple accounts:

macro generic,index,pager <F5> "c imaps://foo@bar.com@imap.gmail.com:993/INBOX/\n"
macro generic,index,pager <F6> "c imaps://foo@baz.com@imap.gmail.com:993/INBOX/\n"

now for the account password management:

## we need to add this line to set up our account hooks
account-hook . 'unset preconnect imap_user imap_authenticators'

#### passwords ####
# to create gpg file : gpg -r foo@bar.com -e 
set my_tmp=`gpg -q --no-verbose -o /tmp/.passwords.tmp -d ~/.mutt-cfg/.passwords.gpg`
set my_pass_bar=`cat /tmp/.passwords.tmp | grep bar | awk '{ print $2 }'`
set my_pass_baz=`cat /tmp/.passwords.tmp | grep baz | awk '{ print $2 }'`
set my_del=`rm -f /tmp/.passwords.tmp`
#### end passwords config ####


now let me explain this section.
the format i use for the passwords file is one pair per line:
DOMAIN PASSWORD
for example:
bar P4SSW0RD

that plaintext file is then encrypted once with: gpg -r foo@bar.com -e
when you start mutt, the “my_tmp” line decrypts it (gpg asks for your key passphrase), and the passwords are read into
the variables “my_pass_bar” and “my_pass_baz”.
the temporary file is then deleted by the line set my_del=`rm -f /tmp/.passwords.tmp`, once the passwords are in the variables.

make sense so far?
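as an added example (not part of the original post), here is the same lookup done without writing the decrypted passwords to /tmp, matching the domain field exactly instead of with a substring grep; the file name and domains are the post's, the sample passwords are made up:

```shell
#!/bin/sh
# lookup_pass DOMAIN: read "DOMAIN PASSWORD" lines on stdin and print the
# password of the line whose first field is exactly DOMAIN. Exits non-zero
# when nothing matches, so a typo in the domain fails loudly instead of
# silently leaving imap_pass empty. Unlike `grep bar`, it will not match
# "barnacle" or a password that happens to contain the letters "bar".
lookup_pass() {
    awk -v d="$1" '$1 == d { print $2; found = 1; exit } END { exit !found }'
}

# Constructed stand-in for the decrypted contents of ~/.mutt-cfg/.passwords.gpg
# (the post's file); these passwords are invented for the demo.
SAMPLE='bar P4SSW0RD
barnacle other-P4SS
baz S3CR3T'

# pass_for DOMAIN: what the muttrc backtick expansion would compute.
# In a real muttrc the pipeline is written inline, with gpg feeding awk
# directly so the plaintext never touches disk; gpg-agent caches the
# passphrase, so the second account's lookup does not prompt again:
#   set my_pass_bar=`gpg -q -d ~/.mutt-cfg/.passwords.gpg | awk '$1=="bar"{print $2}'`
#   set my_pass_baz=`gpg -q -d ~/.mutt-cfg/.passwords.gpg | awk '$1=="baz"{print $2}'`
pass_for() {
    printf '%s\n' "$SAMPLE" | lookup_pass "$1"
}

# Demo: prints P4SSW0RD, then warns about a domain that has no entry.
pass_for bar
pass_for nope || echo "no entry for nope" >&2
```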

now let's add the account hook for our account (which is somewhat explained here):

#### foo@bar.com ####
account-hook 'imaps://foo@bar.com@imap.gmail.com:993/' \
' set imap_user = "foo@bar.com" \
imap_pass = $my_pass_bar '

folder-hook 'imaps://foo@bar.com@imap.gmail.com:993/INBOX' \
' set imap_user = "foo@bar.com" \
imap_pass = $my_pass_bar \
smtp_url = "smtp://foo@bar.com@smtp.gmail.com:587/" \
smtp_pass = $my_pass_bar \
from = "foo@bar.com" \
realname = "foo" \
folder = "imaps://imap.gmail.com:993" \
spoolfile = "+INBOX" \
postponed="+[Gmail]/Drafts" \
mail_check=60 \
imap_keepalive=300 \
signature="" \
pgp_decode_command="gpg %?p?--passphrase-fd 0? --no-verbose --batch --output - %f" \
pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %f" \
pgp_decrypt_command="gpg --passphrase-fd 0 --no-verbose --batch --output - %f" \
pgp_sign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode %?a?-u %a? %f" \
pgp_clearsign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f" \
pgp_encrypt_only_command="pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0xABCD1234 -- -r %r -- %f" \
pgp_encrypt_sign_command="pgpewrap gpg --passphrase-fd 0 --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0xABCD1234 -- -r %r -- %f" \
pgp_import_command="gpg --no-verbose --import -v %f" \
pgp_export_command="gpg --no-verbose --export --armor %r" \
pgp_verify_key_command="gpg --no-verbose --batch --fingerprint --check-sigs %r" \
pgp_list_pubring_command="gpg --no-verbose --batch --with-colons --list-keys %r" \
pgp_list_secring_command="gpg --no-verbose --batch --with-colons --list-secret-keys %r" \
pgp_autosign=yes \
pgp_sign_as=0xABCD1234 \
pgp_replyencrypt=yes \
pgp_timeout=1800 \
pgp_good_sign="^gpg: Good signature from" '
#### end foo@bar ####


for the snippet above, remember to replace every instance of “foo”, “foo@bar.com” and “0xABCD1234” with your own values.

if you want to add a second account:

#### foo@baz ####
account-hook 'imaps://foo@baz.com@imap.gmail.com:993/' \
' set imap_user = "foo@baz.com" \
imap_pass = $my_pass_baz '

folder-hook 'imaps://foo@baz.com@imap.gmail.com:993/INBOX' \
' set imap_user = "foo@baz.com" \
imap_pass = $my_pass_baz \
smtp_url = "smtp://foo@baz.com@smtp.gmail.com:587/" \
smtp_pass = $my_pass_baz \
from = "foo@baz.com" \
realname = "foo" \
folder = "imaps://imap.gmail.com:993" \
spoolfile = "+INBOX" \
postponed="+[Gmail]/Drafts" \
mail_check=60 \
imap_keepalive=300 \
signature="" '
#### end foo@baz ####


once all of this is sourced from the main muttrc file, let's start mutt.

you should be greeted by a pinentry box (the “Enter passphrase” prompt for the encrypted passwords file), like so:
(screenshot: pinentry)

after entering the passphrase, press “F5” to get your mail.

now let's try to send encrypted mail.

compose an email to yourself (press “m”).

once you are done composing and before sending, you will see the “Mutt: Compose” window, like so:
(screenshot: compose menu)

from here you can check the “sign as” and “Security” fields, and if you press “p” you get the options:
“PGP (e)ncrypt, (s)ign, sign (a)s, (b)oth, (i)nline format, or (c)lear?”, like so:
(screenshot: pgp menu)

let's encrypt and sign, so press “b”.
now press “y” to send.
once you press “y” it will ask for your PGP passphrase; enter it, and the mail is sent.

YMMV


sources: http://www.mutt.org/doc/PGP-Notes.txt

charlie root


2 comments so far

  1. This is great, thank you! Although I’d suggest to securely remove the password file:

    set my_del=`shred -xu /tmp/.passwords.tmp`

    • i like this. i am going to use it and thanks.