Secure Email with Hardware Keys

This is my first post, I will be documenting things like this as I come across them in my personal/professional life. Feedback is welcome in the comments.

Yubikey can store your GPG RSA 4096bit keys, for git signing, SSH authentication, and sign and encrypt messages, which is awesome, but the majority of us use online web mail such as gmail. While gmail supports FIDO U2F authentication for login, it does not support GPG out of the box.

Mailvelope to the rescue.

Mailvelope is an extension for Firefox and Chrome enabling GPG with webmail clients. Up until version 3.0 keys were stored in the browser extension, yikes. But now it can use keys securely stored on your hardware token such as yubikey.

How To:

Assuming you already have keys stored on your yubikey. If not see Dr Duh’s tutorial

Linux: gpgme-json (I had to build from source)

Once you have gpgme-json installed find its location.

Copy to Clipboard

For my installation it was at /usr/local/bin/gpgme-json

Now we have to let Chrome/Firefox access this program. Adding a .json config file in the right place will accomplish this.

Filename: gpgmejson.json

On Windows, the manifest file can be located anywhere in the file system. The application installer must create registry key HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\NativeMessagingHosts\ or HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\NativeMessagingHosts\gpgmejson.json, and set default value of that key to the full path to the manifest file. For example, using the following command:
REG ADD “HKCU\Software\Google\Chrome\NativeMessagingHosts\com.my_company.my_application” /ve /t REG_SZ /d “C:\path\to\gpgmejson.json” /f or using the following .reg file:
Windows Registry Editor Version 5.00

OS X (system-wide)Google Chrome: /Library/Google/Chrome/NativeMessagingHosts/gpgmejson.jsonChromium: /Library/Application Support/Chromium/NativeMessagingHosts/gpgmejson.json.json
OS X (user-specific, default path)Google Chrome: ~/Library/Application Support/Google/Chrome/NativeMessagingHosts/gpgmejson.json
Chromium: ~/Library/Application Support/Chromium/NativeMessagingHosts/gpgmejson.json

Linux (system-wide)
Google Chrome: /etc/opt/chrome/native-messaging-hosts/gpgmejson.json
Chromium: /etc/chromium/native-messaging-hosts/gpgmejson.json

Linux (user-specific, default path)
Google Chrome: ~/.config/google-chrome/NativeMessagingHosts/gpgmejson.json
Chromium: ~/.config/chromium/NativeMessagingHosts/gpgmejson.json



The file contents should be the following

Copy to Clipboard

Now Restart your browser.

Go to Mailvelope’s website and install the appropriate browser extension.

Once the extension is installed you’ll see a padlock on the right of your toolbar. Configure your options, and select gnupg instead of opengpg.js

How to use

Open your gmail account and compose a new message.

Click the pencil and paper icon on the right. And enter your secure message.


Click Encrypt

And now Its prompting for my YUBIKEY to be inserted. VERY EXCITING STUFF.

Insert and unlock your Yubikey.

And now you have an encrypted message and your secret keys never left your Yubikey.

Send your message as you normally would, secure in the knowledge that only the intended recipient can read your message.