A guide to using PGP on Android
Last updated
This guide was written and tested on Android 5 and, according to the authors of the applications used, should also work on Android 4.0.3+. On Android 6+, Open Keychain requests its permissions on the go, as they are needed.
Open Keychain - Essential. It handles key management and the actual encryption and decryption; the other apps only use its API to work with PGP.
Communication app of your choice. This guide uses K-9 Mail, but a number of other options are available.
Password Manager - Highly recommended, but not necessary. For convenience, use a password manager that supports the same password database format as on your desktop. KeePass (.kdb and .kdbx), PasswordSafe (.psafe3) and PasswordStore all have Android versions.
Use F-Droid or Play Store to download Open Keychain
Get a PGP key pair on the device
Click on the three dots in the upper right of the screen
Choose Manage my keys
Choose the appropriate option:
Import key from file
Do NOT upload your private key to a cloud service unencrypted. Transfer your existing PGP key to the phone via USB instead.
Create my key
Follow the instructions in the app
Import your contact's keys onto the device
Use the + in the lower right of the screen
Check the status of the imported contact
Key          Verified         Unverified   Insecure
Symbol       green tick       grey X
Background   green or photo   orange       red
Keys are unverified by default, unless the imported key already carries a signature made by your own key or by another key you have verified.
Press on a key to open contact view
If your contact uses QR codes, use them. Otherwise:
Press the three dots in the upper right corner
Confirm with fingerprint
Compare the fingerprint of the key with one provided by your contact
Note: Full fingerprints are rarely provided. Commonly only the last 8 or 16 hex digits (the key ID) are given.
Sign the key to verify it
Check beforehand whether the key's owner wants the signature published, and whether you want to publicly admit knowing them. Adjust the "Synchronize with the Internet" tick accordingly.
Untick the identities you don't want to sign
Choose which of your keys to sign the key with.
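As an added illustration that is not part of the original guide, the following Python shows what the hex digits being compared above actually are. A version 4 OpenPGP fingerprint is the SHA-1 of the public-key packet (RFC 4880, section 12.2), the long key ID is its last 16 hex digits and the short key ID its last 8. The key parameters, creation time and helper names here are constructed for the example; Open Keychain computes these values itself, this merely reproduces the arithmetic so that the "last 8 or 16 digits" note is concrete. The comparison helper accepts the formats a contact typically hands over (spaces, colons, a 0x prefix, mixed case) and reports only a full 40-digit match as a verification; a key-ID match only tells you which key to look at, since a short key ID is 32 bits and is not unique.

```python
"""Fingerprint vs. key ID: what the digits shown in the key view are."""
import hashlib
import re


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bit_len = value.bit_length()
    return bit_len.to_bytes(2, "big") + value.to_bytes((bit_len + 7) // 8, "big")


def v4_public_key_packet_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2):
    version 4, 4-byte creation time, algorithm 1 (RSA), MPI n, MPI e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880, section 12.2: SHA-1 over 0x99, the 2-byte body length and the body."""
    digest = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body)
    return digest.hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """Last 16 hex digits (64 bits) of the fingerprint."""
    return fingerprint[-16:]


def short_key_id(fingerprint: str) -> str:
    """Last 8 hex digits (32 bits); far too short to be unique."""
    return fingerprint[-8:]


def normalize(text: str) -> str:
    """Drop whitespace and colons, strip an optional 0x prefix, uppercase the hex."""
    cleaned = re.sub(r"[\s:]", "", text).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    return cleaned


def compare_fingerprint(device_fingerprint: str, provided: str) -> str:
    """Classify what the contact gave you against the key on the phone.
    Only a full 40-digit match counts as verification."""
    fp = normalize(device_fingerprint)
    given = normalize(provided)
    if not re.fullmatch(r"[0-9A-F]+", given):
        return "invalid"
    if len(given) == 40:
        return "full-fingerprint-match" if given == fp else "mismatch"
    if len(given) == 16:
        return "long-key-id-only" if given == long_key_id(fp) else "mismatch"
    if len(given) == 8:
        return "short-key-id-only" if given == short_key_id(fp) else "mismatch"
    return "unexpected-length"


# Constructed sample key: NOT a real RSA modulus, just deterministic filler bytes.
SAMPLE_N = int("FEEDFACE" * 16, 16)
SAMPLE_E = 65537
SAMPLE_CREATED = 1420070400  # 2015-01-01T00:00:00Z, constructed


def sample_fingerprint() -> str:
    """Fingerprint of the constructed sample key, formatted as the app shows it."""
    return v4_fingerprint(v4_public_key_packet_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E))


if __name__ == "__main__":
    fp = sample_fingerprint()
    print("fingerprint :", " ".join(fp[i:i + 4] for i in range(0, 40, 4)))
    print("long key ID :", long_key_id(fp))
    print("short key ID:", short_key_id(fp))
    print(compare_fingerprint(fp, "0x" + short_key_id(fp).lower()))
```

Running the block prints the sample fingerprint in the familiar groups of four, the two key-ID lengths, and "short-key-id-only" for the last comparison, which is the case the guide warns about: the digits agree, but nothing has been verified yet.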
Further information on Open Keychain is available in the Help section of the app, reached through the hamburger menu (upper left corner).
K-9 Mail is a fork of Android Mail with a long history. It was chosen for this guide thanks to its excellent integration with Open Keychain, which lets you encrypt every email with just 3 extra clicks per message, after some initial setup.
K-9 Mail is available for download on F-Droid and Play store.
Configure your account conventionally (IMAP/Exchange + SMTP). Refer to the K-9 documentation when necessary.
Go to Three dots (lower right corner) > Settings > Account settings
Scroll to the bottom
Go to Cryptography
Choose Open Keychain as your PGP app
Open Keychain will ask you to confirm granting K-9 access to the PGP API
Allow it
Choose your key
When composing a new email, you will now see a lock next to your email address. The lock changes to show how PGP will be used:
A white tick on a blue circle when the email will be signed, but not encrypted
A green lock with 3 full circles when all recipient keys have verified keys in your keychain
A grey, crossed lock and a single red dot when no recipient keys are among those verified in the keychain
The number of dots is also displayed next to each recipient separately. You can press the lock to change the encryption mode. The default is Encrypt if possible: in this mode emails are sent encrypted when every recipient has a verified key and unencrypted otherwise. You can also switch it to Don't Encrypt or Encrypt. In the last case, the email will fail to send if any recipient lacks a verified key in the keychain. That situation is indicated with a red lock with a white X and a single red dot.
After pressing send, if the lock is green, Open Keychain will fire up to ask you for your PGP passphrase. Upon entering it, K-9 will send the encrypted message.