Secure Email with Hardware Keys
This is my first post; I will be documenting things like this as I come across them in my personal/professional life. Feedback is welcome in the comments.
A YubiKey can store your 4096-bit RSA GPG keys and use them for git commit signing, SSH authentication, and signing and encrypting messages, which is awesome, but the majority of us use web mail such as Gmail. While Gmail supports FIDO U2F authentication for login, it does not support GPG out of the box.
Mailvelope to the rescue.
Mailvelope is an extension for Firefox and Chrome that enables GPG with webmail clients. Up until version 3.0, keys were stored in the browser extension, yikes. But now it can use keys securely stored on a hardware token such as a YubiKey, so the private key never has to exist in the browser.
This assumes you already have keys stored on your YubiKey. If not, see Dr Duh's tutorial.
Linux: gpgme-json (I had to build from source)
Once you have gpgme-json installed find its location.
For my installation it was at
Now we have to let Chrome/Firefox talk to this program. Adding a native messaging host manifest (a .json file) in the right place will accomplish this; the manifest tells the browser where the gpgme-json binary is and which extension is allowed to invoke it.
On Windows, the manifest file can be located anywhere in the file system. The application installer must create the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\NativeMessagingHosts\ or HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\NativeMessagingHosts\gpgmejson.json, and set the default value of that key to the full path to the manifest file. For example, using the following command:
REG ADD "HKCU\Software\Google\Chrome\NativeMessagingHosts\com.my_company.my_application" /ve /t REG_SZ /d "C:\path\to\gpgmejson.json" /f
or using the following .reg file:
Windows Registry Editor Version 5.00
OS X (system-wide), Google Chrome:
OS X (user-specific, default path), Google Chrome:
Linux (user-specific, default path)
The file contents should be the following:
Now restart your browser.
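Before restarting the browser it is worth checking that the manifest you just wrote is one the browser will actually accept, since a wrong type, a relative path, or a missing trailing slash on the allowed origin silently breaks the connection. The following script is an added example and is not part of the original post or of the gpgme-json project; it validates a native messaging host manifest against the rules Chrome and Firefox apply, and additionally flags a host binary or manifest that is world-writable (anyone who can replace the binary can read every message the browser hands it). The sample manifest, its binary path and its extension ID are constructed placeholders, not Mailvelope's real values.

```python
# Added example (not from the original post): sanity-check a native messaging
# host manifest for gpgme-json. Binary path and extension ID below are placeholders.
import json
import os
import re
import stat

# Chrome extension origins look like chrome-extension://<32 letters a-p>/
CHROME_ORIGIN_RE = re.compile(r"^chrome-extension://[a-p]{32}/$")
# Host names: lowercase alphanumerics, '_' and '.', no leading/trailing/double dots.
HOST_NAME_RE = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)*$")
REQUIRED_FIELDS = ("name", "description", "path", "type")


def check_manifest(manifest_text, require_executable=True):
    """Return a list of problems with the manifest; an empty list means it looks OK."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return [f"manifest is not valid JSON: {exc}"]
    if not isinstance(manifest, dict):
        return ["manifest must be a JSON object"]

    problems = [f"missing required field '{f}'" for f in REQUIRED_FIELDS if f not in manifest]
    if problems:
        return problems

    if not HOST_NAME_RE.match(manifest["name"]):
        problems.append(f"host name '{manifest['name']}' is not a valid native messaging host name")
    if manifest["type"] != "stdio":
        problems.append(f"type must be 'stdio', got '{manifest['type']}'")

    path = manifest["path"]
    if not os.path.isabs(path):
        problems.append(f"path '{path}' must be absolute (on Linux and macOS)")
    elif require_executable:
        if not os.path.isfile(path):
            problems.append(f"path '{path}' does not exist")
        elif not os.access(path, os.X_OK):
            problems.append(f"path '{path}' is not executable")
        elif os.stat(path).st_mode & stat.S_IWOTH:
            # Whoever can overwrite the host binary sees everything the browser sends it.
            problems.append(f"path '{path}' is world-writable")

    # Chrome reads allowed_origins (extension origins); Firefox reads allowed_extensions (add-on IDs).
    origins = manifest.get("allowed_origins")
    extensions = manifest.get("allowed_extensions")
    if not origins and not extensions:
        problems.append("manifest allows no extension: set allowed_origins (Chrome) or allowed_extensions (Firefox)")
    for origin in origins or []:
        if not CHROME_ORIGIN_RE.match(origin):
            problems.append(f"allowed origin '{origin}' must look like chrome-extension://<32 letters a-p>/")
    for ext in extensions or []:
        if not isinstance(ext, str) or not ext:
            problems.append(f"allowed extension {ext!r} must be a non-empty add-on ID")
    return problems


def check_manifest_file(manifest_path, require_executable=True):
    """Read a manifest from disk, also flagging a world-writable manifest file."""
    problems = []
    if os.stat(manifest_path).st_mode & stat.S_IWOTH:
        problems.append(f"manifest '{manifest_path}' is world-writable")
    with open(manifest_path, encoding="utf-8") as fh:
        problems.extend(check_manifest(fh.read(), require_executable))
    return problems


# Constructed sample manifest: the binary path and the extension ID are placeholders.
SAMPLE_MANIFEST = json.dumps({
    "name": "gpgmejson",
    "description": "gpgme-json native messaging host",
    "path": "/usr/local/bin/gpgme-json",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
})

if __name__ == "__main__":
    import sys
    # Usage: python check_manifest.py /path/to/gpgmejson.json  (no argument: check the sample)
    if len(sys.argv) > 1:
        found = check_manifest_file(sys.argv[1])
    else:
        found = check_manifest(SAMPLE_MANIFEST, require_executable=False)
    print("OK" if not found else "\n".join(found))
```

Run it against the manifest you placed in the browser's native messaging directory; an empty result means the browser should be able to find and start gpgme-json once restarted. Note that Chrome and Firefox read their manifests from different directories and Firefox expects the allowed extension under allowed_extensions rather than allowed_origins, so a manifest written for one browser is not automatically picked up by the other.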
Go to Mailvelope’s website and install the appropriate browser extension.
Once the extension is installed you'll see a padlock on the right of your toolbar. Configure your options, and select GnuPG instead of OpenPGP.js so that Mailvelope delegates key operations to gpgme-json and the token rather than handling keys itself.
How to use
Open your gmail account and compose a new message.
Click the pencil-and-paper icon on the right and enter your secure message.
And now it's prompting for my YubiKey to be inserted. VERY EXCITING STUFF.
Insert and unlock your YubiKey.
And now you have an encrypted message, and your secret key never left your YubiKey.
Send your message as you normally would, secure in the knowledge that only the intended recipient can read your message.