💾 Archived View for thatit.be › 2022-12-03-12-25-59.gmi captured on 2024-12-17 at 09:54:48. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2024-09-29)

🚧 View Differences

-=-=-=-=-=-=-

ProtonMail and E2E Encryption to Private Domains

The point

ProtonMail can do encryption to non ProtonMail domains, despite all my google queries turning up how to do that ridiculous password-protected email feature that ProtonMail supports. I arrived at this through a very oddly serendipitous exploration of Gemini.

I strongly dislike medium-style articles and recipe sites that bury the information I actually care about around a bunch of fluff, so I’ll start with the steps and then I’ll go back to the fluff/context.

very oddly serendipitous exploration of Gemini

The steps

Almost every other resource will do a better job than this at describing it, but if any frustrated visitors somehow land here, I don’t want to compound your frustration, so here are some steps that will get you a solution. Or, more realistically, when I come back in the future to do this again I want this all in one place.

These steps assume you are using apache and the document root is /var/www/html. Adjust as needed. Also, I don’t prefix anything with sudo, so pay attention to what things say they should be done as root…

1. Use GnuPG to generate your keys if you haven’t done so already, there are many ways to do this, here is one, as your normal user:

# command to generate keys
gpg --full-generate-key

2. Put your keys into a directory hierarchy – I’m going to only cover the direct approach here, there is a more advanced approach but you can read about it in one of the references at the bottom.

# commands to create hierarchy and files
mkdir -p .well-known/openpgpkey
gpg --list-options show-only-fpr-mbox -k YOUR_EMAIL_ADDRESS |
/usr/lib/gnupg/gpg-wks-client -C .well-known/openpgpkey -v --install-key
mv .well-known/openpgpkey/*/hu .well-known/openpgpkey/
touch .well-known/openpgpkey/policy

Pick your favorite way to become root and move the directory to your http root:

# as root, move and set permissions
mv .well-known /var/www/html/
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;

3. Configure Cross Origin Resource Sharing for the directory hierarchy – I made the entire sub-directory shared, but you can limit it to just the part with the policy and below if you want.I put this in my apache2.conf, adapt as needed, you could also do a .htaccess (not covered here):

<!-- xml to go in the apache configuration -->
<Directory /var/www/html/.well-known/>
    Header set Access-Control-Allow-Origin "*"
</Directory>

4. Actually, I think that’s it, but if you want to confirm, someone made this awesome checker that clued me in to the parts I had wrong (and the need for CORS…):https://wkd.sequoia-pgp.org/

Some more caveats: this was the directory method and it assumed just one user, if you start adding more users/keys you will need to adjust step two to copy just the relevant files, copying a directory when it exists will fail.

The fluff

The solution is setting up something called WKD or Web Key Directory. It’s documented all over the place, but I couldn’t find it while searching for information on ProtonMail until I was clued in to WDK and started putting that in my search.

Per a message on mailarchive.ietf.org, high-volume email providers like Proton would probably need to look for a policy file as the first step to avoid more intensive work like trying to fetch and use a key that might not be present. I’m paraphrasing a bit, so my words, not theirs.

That bears repeating as it was the first problem I had:

I had created one, but I put it in the wrong directory. Per the very excellent WKD wiki, and damn near every guide I read, said it should be at .well-known/openpgpkey/policy but somehow I put it adjacent to the key file. Oops.

What some of the guides do not cover is the need for configuring CORS (Cross Origin Resource Sharing) to set the Access-Control-Allow-Origin header, but luckily, some guides do. I assume this has to do with accessing the policy and the key, but I don’t really understand it. The files are accessible vi HTTP, why wold this need to be set? Perhaps some day I will find out.

WKD

mailarchive.ietf.org

WKD wiki

guides

Navigation

index

tags

Backlinks

2022-12-05 - md2gemini eats newlines in code blocks in item lists

2022-12-03 - ProtonMail and E2E Encryption to Private Domains (backstory)

created: 2022-12-03

(re)generated: 2024-12-17