
A guide to using PGP on Android

This guide was written and tested on Android 5, and according to the authors of used applications, should also work for Android 4.0.3+. Additionally, for Open Keychain, permissions will be requested on the go in Android 6+.

Ingredients

  1. Open Keychain - Essential. Handles key management and the actual decryption; other apps just use its API to work with PGP
  2. Communication app of your choice. This guide will use K-9 Mail, but a number of other options are available. 1)
  3. Password Manager - Highly recommended, but not necessary. For convenience, use a password manager that supports the same password database format as on the desktop. KeePass (.kdb & .kdbx), PasswordSafe (.psafe3) and PasswordStore all have Android versions.

Open Keychain

Setup

  1. Use F-Droid or Play Store to download Open Keychain
  2. Get a PGP key pair on the device
    1. Click on the three dots in the upper right of the screen
    2. Choose Manage my keys
    3. Choose the appropriate option:
      • Import key from file
        Do NOT upload your private key to a cloud unencrypted. Transfer your existing PGP key to the phone via USB instead
      • Create my key
    4. Follow the instructions in the app 2)
  3. Import your contact's keys onto the device
    • Use the + in the lower right of the screen
  4. Check the status of the imported contact

  Key        | Verified           | Unverified            | Insecure
  Symbol     | green tick         | orange question mark  | grey X
  Background | green or photo 3)  | orange                | red

  • Keys will be unverified by default, unless you import a key with your, or another verified key's signature on it

Verifying keys

  1. Press on a key to open contact view
  2. If your contact uses QR codes, use them. Otherwise:
    1. Press the three dots in the upper right corner
    2. Confirm with fingerprint
    3. Compare the fingerprint of the key with one provided by your contact
      Note: Full fingerprints are rarely provided. Commonly only the last 8 or 16 hex digits (i.e. the key ID) are
  3. Sign the key to verify it 4)

  • Check beforehand, if the key's owner wants it published and whether you want to publicly admit knowing them. Adjust the “Synchronize with the Internet” tick accordingly
  • Untick the identities5) you don't want to sign
  • Choose with which of your keys you want to sign the key with
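The note above says contacts usually hand over only a key ID rather than the full fingerprint. The following added example (not from this guide or from Open Keychain) shows where those values come from: the v4 fingerprint is a SHA-1 over the public-key packet (RFC 4880 section 12.2), and the 64-bit and 32-bit key IDs are simply its last 16 and 8 hex digits. It builds a constructed toy RSA public-key packet (hypothetical modulus, not anyone's real key) and compares user-supplied strings in the formats people actually paste, reporting how strong the match is.

```python
# Added example, not part of the guide: OpenPGP v4 fingerprints and key IDs.
# The key material is a constructed toy value used only to exercise the packet
# layout; it is not a real key.
import hashlib
import re


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bit_len = value.bit_length()
    return bit_len.to_bytes(2, "big") + value.to_bytes((bit_len + 7) // 8, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2):
    version 4, 4-byte creation time, algorithm 1 (RSA), MPI n, MPI e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """v4 fingerprint: SHA-1 over 0x99, the 2-byte body length and the body (40 hex digits)."""
    data = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(data).hexdigest().upper()


def long_key_id(fpr: str) -> str:
    """64-bit key ID: the low-order 8 bytes, i.e. the last 16 hex digits of the fingerprint."""
    return fpr[-16:]


def short_key_id(fpr: str) -> str:
    """32-bit 'short' key ID: the last 8 hex digits. Far too small to resist deliberate collisions."""
    return fpr[-8:]


def normalize(text: str) -> str:
    """Drop spaces and colons, upper-case, and strip an optional 0x prefix."""
    return re.sub(r"[\s:]", "", text).upper().removeprefix("0X")


def matches(expected_fpr: str, provided: str) -> tuple[bool, str]:
    """Compare what a contact provided against the key's fingerprint.

    Returns (match, strength). Only a full 40-digit match is a real
    verification; a key-ID match only says the IDs agree.
    """
    want = normalize(expected_fpr)
    got = normalize(provided)
    if not re.fullmatch(r"[0-9A-F]+", got):
        return False, "not hex"
    if len(got) == 40:
        return got == want, "full fingerprint"
    if len(got) == 16:
        return got == long_key_id(want), "64-bit key ID only"
    if len(got) == 8:
        return got == short_key_id(want), "32-bit key ID only (weak)"
    return False, "unexpected length"


# Constructed toy key (hypothetical values): any integers give a well-formed packet.
TOY_N = int("C0FFEE" * 10, 16)
TOY_E = 65537
TOY_CREATED = 1_500_000_000
TOY_FPR = fingerprint(v4_public_key_body(TOY_CREATED, TOY_N, TOY_E))


def grouped(fpr: str) -> str:
    """Render a fingerprint in the 4-digit groups apps display."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


if __name__ == "__main__":
    print("fingerprint :", grouped(TOY_FPR))
    print("long key ID :", long_key_id(TOY_FPR))
    print("short key ID:", short_key_id(TOY_FPR))
    print(matches(TOY_FPR, grouped(TOY_FPR).lower()))
    print(matches(TOY_FPR, "0x" + long_key_id(TOY_FPR)))
```

Note that the creation timestamp is hashed along with the key material, so two keys with identical RSA parameters but different creation times have different fingerprints; that is why a fingerprint, not the modulus, is what you compare.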

Further information on Open Keychain is available in the Help section of the app, available under the hamburger menu (upper left corner).

K-9 mail

K-9 mail is a fork of the Android Mail app with a long history. It was chosen for the guide thanks to its excellent integration with Open Keychain, which lets you encrypt every email in just 3 more clicks per email, plus some initial setup.

Setup

K-9 Mail is available for download on F-Droid and Play store.

  • Configure your account conventionally (IMAP/Exchange + SMTP). Refer to the documentation 6) when necessary
  • Go to Three dots (lower right corner) > Settings > Account settings
  • Scroll to the bottom
  • Go to Cryptography
  • Choose Open Keychain as your PGP app
    1. Open Keychain will ask you to confirm granting K-9 access to the PGP API
    2. Allow it
  • Choose your key

Writing encrypted emails

When composing a new email, you will now see a lock next to your email address. The lock changes according to how PGP will be used:

  • A white tick on a blue circle when the email will be signed, but not encrypted
  • A green lock with 3 full circles when all recipients have verified keys in your keychain
  • A grey, crossed lock and a single red dot when no recipient has a verified key in the keychain

The number of dots is also displayed next to each recipient separately. You can press the lock to change the encryption mode. The default is Encrypt if possible; in this mode emails are sent encrypted when every recipient has a key and unencrypted otherwise. You can also switch it to Don't Encrypt or Encrypt. In the last case, the email will fail to send if any recipient lacks a verified key in the keychain. That situation is indicated with a red lock with a white X and a single red dot.

After pressing send, if the lock is green, Open Keychain will fire up to ask you for your PGP passphrase. Upon entering it, K-9 will send the encrypted message.

Pictures to the K-9 section will be added later.

Alternatives

  • PGP in Gmail, using Open Keychain's "encrypt file" feature for PGP/MIME and Oversec for PGP/INLINE

1)
Android Mail is NOT one of them due to a bug in its PGP/MIME parser
2)
If you want to see more details on the settings you should use, consult Kyle's MacPGP guide
3)
By default verified keys are added to your address book and merged with contacts with a matching email address. Then, if you have a photo of that contact, Open Keychain will try to use it
4)
That is the actual, confirmed PGP key of Facebook Inc
5)
A key can hold multiple identities for multiple email addresses
6)
The official documentation of K-9 mail is unfortunately quite outdated
guides/pgp.android.txt · Last modified: 2018/09/03 17:25 (external edit)