Heya, I found out how you can digitally sign and encrypt emails (it even gives them a cool icon for others to see!), and I haven’t seen anything about it here before, so I thought I’d share how I did it!

Do you also want to send encrypted emails and sign them? Just follow these few steps!

But beforehand, let’s define some terms:

  • Signed email: an email carrying a valid digital signature. Anyone can read it and check that it has not been modified since it was sent.

  • Encrypted email: an email encrypted with the recipient’s public key. Only they can decrypt it, with their private key.

  • S/MIME certificate: a .p12 file containing your private key (so keep it for yourself and don’t send it to anyone!!) and your public key.

Okay, now it’s time to…

Start the setup (Obtain an S/MIME certificate)

  • You’ll need to ask a certificate authority for a certificate. Personally I use Actalis because they give free certificates for multiple email addresses, valid for a year (you need to redo the setup every year). If you don’t want to use Actalis, more info is available here.
  • Don’t forget to switch the website to English if you don’t understand Italian.
  • Go to the page to request an S/MIME certificate, create an account and follow the setup. The verification email can take a little while (~2 min).
  • When the setup ends, you’ll have a valid certificate in your dashboard (it can take a few minutes to appear if you just verified it) that you can download, and a password that Actalis emailed you to unlock your certificate.

Install the certificate

  • Download the .p12 file, then open it, type your password, and leave the default options to install the certificate on your device (Android or PC; on Android pick “For VPN and apps”). Also delete your expired certificate if you have one (for example after a year).
  • Use an S/MIME-compatible email client. On PC there is Thunderbird, on Android FairEmail.
  • In your email client settings, import the S/MIME certificate for signing AND encrypting your messages. The exact steps depend on your client, so here they are for Thunderbird:
    • In the top-right menu, go to Account settings, End-to-end encryption; under S/MIME click Manage S/MIME certificates, then Import, and pick your .p12 file. Then click Select a certificate and pick yours from the “Your certificates” tab.

An image is worth a thousand words (sorry for the French)

Don’t forget to check the box to sign and/or encrypt every message just below, if you want!

Communicate with someone

Once this is done, here is how you can communicate…

  • …While signing your messages:

It’s easy, just click on “Sign” before sending. Usually, email clients show a small medal next to your name to show the email is signed.

  • …While encrypting your messages:

For that, you’ll need your recipient’s public key. They need to send you a signed message (not encrypted, since you don’t have each other’s keys at this point); your client can take their public key from the signature and add it to its certificate store, which lets you encrypt messages you send to them. Then send them a signed email (you can encrypt it too) so they can get your public key and add it to their client, and from then on you’ll be able to exchange encrypted emails!

I’m not an expert and probably made a few mistakes, if you spot any please tell me in the comments and I’ll try to fix the guide!
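The exchange described above, done with the openssl command line instead of a mail client, as an added example that is not part of the original post. A throwaway CA plays the role of the issuer (Actalis in the post), and every name, address, password and message text here is constructed for the demo. It also shows what “valid” means in the definition of a signed email: the same signature is accepted when the issuing CA is trusted and rejected when it is not.

```shell
#!/bin/sh
# Added example, not from the original post: S/MIME sign / verify / encrypt / decrypt
# with openssl. A throwaway CA stands in for the real issuer; all material is constructed.
set -e

# Throwaway CA plus a certificate and password-protected .p12 for each party. The .p12
# mirrors what the issuer's dashboard gives you; real issuers never hand out their CA key.
setup_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca_ext.cnf
  printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\n' > user_ext.cnf
  openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
    -subj "/CN=Demo S-MIME CA" 2>/dev/null
  openssl x509 -req -in ca.csr -signkey ca.key -days 1 -extfile ca_ext.cnf -out ca.crt 2>/dev/null
  for who in alice bob; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$who.key" -out "$who.csr" \
      -subj "/CN=$who/emailAddress=$who@example.invalid" 2>/dev/null
    openssl x509 -req -in "$who.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 1 -extfile user_ext.cnf -out "$who.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$who.key" -in "$who.crt" -out "$who.p12" -passout pass:demo
  done
}

# Signing needs only the sender's own key and certificate (the contents of their .p12).
sign_message() {  # $1 sender name  $2 plaintext file  $3 output .eml
  openssl smime -sign -in "$2" -signer "$1.crt" -inkey "$1.key" -out "$3"
}

# Verify against a trust store and save the signer's certificate (their public key):
# this is what a mail client does when it "adds" a correspondent's certificate.
verify_message() {  # $1 signed .eml  $2 CA file ("" = empty trust store)  $3 signer cert out
  if [ -n "$2" ]; then ca="-CAfile $2"; else ca="-no-CAfile -no-CApath"; fi
  openssl smime -verify -in "$1" $ca -signer "$3" -out /dev/null 2>/dev/null
}

# Encrypt to the recipient's certificate; only the matching private key can open it.
# -binary skips MIME line-ending canonicalisation so the decrypted bytes match exactly.
encrypt_message() {  # $1 plaintext  $2 recipient cert  $3 output .eml
  openssl smime -encrypt -binary -aes256 -in "$1" -out "$3" "$2"
}

decrypt_message() {  # $1 encrypted .eml  $2 recipient key  $3 recipient cert  $4 output
  openssl smime -decrypt -in "$1" -inkey "$2" -recip "$3" -out "$4" 2>/dev/null
}

# The exchange from the post: Bob sends a signed (unencrypted) mail, Alice pulls his
# certificate out of the signature, then encrypts her reply to it. One status word per step.
run_demo() {
  work=$(mktemp -d)
  ( cd "$work"
    setup_pki
    printf 'Subject: hello\n\nHi Alice, here is my signature. Bob\n' > bob_plain.txt
    sign_message bob bob_plain.txt bob_signed.eml

    # Alice's client trusts the issuing CA: the signature is valid and Bob's cert is kept.
    verify_message bob_signed.eml ca.crt bob_from_sig.crt && echo "trusted:ok"
    # Same mail, CA not in the trust store: rejected (the "cannot verify" red badge).
    verify_message bob_signed.eml "" ignored.crt || echo "untrusted:rejected"
    # The certificate recovered from the signature carries Bob's public key.
    [ "$(openssl x509 -in bob_from_sig.crt -noout -pubkey)" = \
      "$(openssl x509 -in bob.crt -noout -pubkey)" ] && echo "pubkey:matches"

    printf 'Subject: re: hello\n\nSecret reply for Bob only.\n' > alice_plain.txt
    encrypt_message alice_plain.txt bob_from_sig.crt to_bob.eml
    grep -q 'Secret reply' to_bob.eml || echo "ciphertext:opaque"
    decrypt_message to_bob.eml bob.key bob.crt bob_read.txt
    [ "$(cat alice_plain.txt)" = "$(cat bob_read.txt)" ] && echo "decrypt:ok"
    # Alice's own key cannot open mail that was encrypted to Bob.
    decrypt_message to_bob.eml alice.key alice.crt /dev/null || echo "wrongkey:rejected"
  )
  rm -rf "$work"
}

run_demo
```

Run it in any directory with openssl installed; it works in a temporary directory and cleans up after itself. The `-no-CAfile -no-CApath` verification is the command-line equivalent of a client that does not know the issuing CA, which is why a self-signed certificate would show a red badge even though the signature itself is mathematically fine.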

  • tapdattl@lemmy.world · 2 days ago

    Question 1: What’s the point of using Actalis? Can’t you generate your own certificate?

    Question 2: Is there a way to get your email server to automatically publish your public key?

    • helloyanis@jlai.lu (OP) · 2 days ago

      So as I understand it:

      1. Actalis is a trusted authority among others but is the only one to issue free S/MIME certificates that I found. You need to use a trusted authority to make the signature, or else your email client will say “Cannot verify signature authenticity” and show a red badge. This explains it better
      2. When you sign your email, you include your public key in the signature. So just sign every email (usually an option in your client) to let anyone you email have your public key. I don’t really understand why you would need to change stuff in the email server.
      • tapdattl@lemmy.world · 2 days ago (edited)

        Ahh gotcha, that makes sense, so like the difference between a self-signed SSL certificate and something like Let’s Encrypt.

        Re 2: I was thinking in the scenario to allow auto discovery of your certificate, so someone who is emailing you for the first time could look up your public key automatically and use it to encrypt their email.

        Also, great writeup and thank you!

        • helloyanis@jlai.lu (OP) · 2 days ago

          I don’t think it’s possible to do that, but I have no experience on this since I don’t use my own email server so I could very well be wrong.