How to send end-to-end encrypted emails on the Linux command line.
If you want to add attachments, use mutt or mail from GNU Mailutils as the mail client instead. The following examples use mailx (for unencrypted and PGP mail) and ssmtp (for S/MIME mail).
Unencrypted mail
Install package “bsd-mailx”:
$ sudo apt-get install bsd-mailx
Edit /etc/mail.rc and add the following lines:
set smtp=smtp://mail.example.com
alias root postmaster@example.com
Run mailx:
$ mailx root
Subject: test
This is a test.
.
Cc:
Notes:
- Mail gets sent to postmaster@example.com (see mail.rc).
- Mail server is mail.example.com (see mail.rc).
- Email message body is terminated by a single “.” as the last line.
Encrypted mail (Inline PGP)
Make sure you can send unencrypted mail (see “Unencrypted mail” above).
Check that you have GnuPG version 2 installed and, if you haven’t done so before, create a private/public GnuPG key pair.
$ gpg --version
gpg (GnuPG) 2.2.4
libgcrypt 1.8.1
...
$ gpg --gen-key
...
Import the recipient’s public PGP key.
$ gpg --import alice.pub
First sign the message (clearsign: an ASCII-armored signature is appended to the text), then encrypt the signed message, then mail it.
$ echo "Hello Alice, if you can read this your PGP mail client is working." | gpg --clearsign | gpg -a -r alice@example.com --encrypt | mailx -s "PGP encrypted mail test" alice@example.com
Notes:
- First sign the message. “gpg --clearsign” uses the default private key to sign the message; check which one that is with “gpg -K”. To choose a specific private key instead, use the option “--default-key bob@example.com”.
- Then encrypt the message. Check with “gpg -k” that the recipient’s user id is present in your GPG keyring.
- The user id of the public key used for encryption does not necessarily have to correspond to the recipient email address. You can encrypt a message with the public key of “bob@example.com” and then send the email to “alice@example.com”. If Alice has the corresponding private key for “bob@example.com”, she will be able to decrypt and read the email without any problems.
- Finally send the mail message. The email body is simply the signed and encrypted message text in ASCII format.
- The email subject will not be encrypted.
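The pipeline above, as an added example that is not part of the original post: the same two gpg stages as shell functions, with the two checks a practitioner wants around them. Before anything is encrypted, the recipient key's fingerprint is compared against a value obtained out of band (the check that decides whether the key in your keyring is really Alice's), and the recipient side decrypts and then verifies the signature. It runs offline in a throwaway keyring; "Bob" (sender) and "Alice" (recipient) are constructed sample identities, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not code from the original post: inline-PGP sign/encrypt and
# decrypt/verify as functions, run in a throwaway keyring. Assumes GnuPG >= 2.1.
set -e

WORK=$(mktemp -d)
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# Create an unprotected key pair for a user id unless the keyring already has one.
gen_key() {
    gpg --batch --list-keys "$1" >/dev/null 2>&1 && return 0
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$1" default default never 2>/dev/null
}

# Primary-key fingerprint (40 hex digits) of the first key matching a user id.
key_fpr() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null \
      | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Sender side, the same two stages as the post: clearsign with the sender's key,
# then ASCII-armor-encrypt to the recipient. Refuses to run when the recipient
# key's fingerprint differs from the expected one, so a wrong or substituted key
# is caught before any plaintext leaves the pipeline.
# $1 = sender user id, $2 = recipient user id, $3 = expected recipient fingerprint
pgp_sign_encrypt() {
    actual=$(key_fpr "$2")
    if [ "$actual" != "$3" ]; then
        echo "refusing to encrypt: fingerprint mismatch for $2" >&2
        return 1
    fi
    # --trust-model always: the fingerprint check above replaces the trust prompt
    # that an imported, uncertified key would otherwise trigger in batch mode.
    gpg --batch --quiet --default-key "$1" --clearsign \
      | gpg --batch --quiet --trust-model always --armor --recipient "$2" --encrypt
}

# Recipient side: the first --decrypt removes the encryption layer, the second
# --decrypt on the clearsigned text checks the signature and prints the message.
# Returns non-zero unless the signature is good.
pgp_decrypt_verify() {
    gpg --batch --quiet --yes --output "$WORK/signed.txt" --decrypt 2>/dev/null || return 1
    gpg --batch --quiet --decrypt "$WORK/signed.txt" 2>/dev/null
}

# Round trip: what mailx would send as the body is written to $WORK/body.asc.
demo_roundtrip() {
    gen_key "Bob <bob@example.com>"
    gen_key "Alice <alice@example.com>"
    pin=$(key_fpr alice@example.com)   # in real use: a fingerprint checked out of band
    echo "Hello Alice, if you can read this your PGP mail client is working." \
      | pgp_sign_encrypt bob@example.com alice@example.com "$pin" > "$WORK/body.asc"
    pgp_decrypt_verify < "$WORK/body.asc"
}

demo_roundtrip
```

The armored body in $WORK/body.asc is exactly what the post pipes into mailx; with a real recipient, the fingerprint passed to pgp_sign_encrypt would be one Alice gave you over a channel you trust, not one read from the keyring itself.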
Encrypted mail (S/MIME)
Make sure you can send unencrypted mail (see “Unencrypted mail” above).
You need your own public certificate / private key pair, and the public certificate from the recipient (all in PEM format).
You can get an S/MIME email certificate for free from COMODO, or you can run your own certificate authority. Either way, your own certificate and your own private key need to be in a single file in PEM format (in the following example it is called “bob.pem”):
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
The public certificate of the recipient must be in PEM format too (in the following example it is called “alice.pem”). You can extract it from an email signature if the recipient already sent you a signed email.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Install the package “ssmtp”.
$ sudo apt-get install ssmtp
Again (as in the PGP example above), all commands for signing, encrypting and sending the message can be chained together into a single command line.
$ echo "Hello Alice, if you can read this your S/MIME mail client is working." | openssl smime -sign -signer bob.pem -text | openssl smime -encrypt -from bob@example.com -to alice@example.com -subject "S/MIME encrypted mail test" -aes-256-cbc alice.pem | ssmtp -t
Notes:
- The email body is simply the signed and encrypted message text in ASCII format; OpenSSL adds all required headers to it (sender, recipient, subject).
- If you are using an S/MIME certificate from a public CA (like COMODO) to sign your message, it is easier for the recipient to validate your signature than with PGP encrypted emails.
- You still need the public certificate of the recipient, and you must somehow make sure that it is authentic.
- Again, the email subject will not be encrypted.
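The S/MIME pipeline above, as an added example that is not part of the original post: the same two openssl stages as shell functions, with the checks the notes ask for. The recipient certificate is pinned by SHA-256 fingerprint before encrypting (one way to "make sure that it is authentic"), and the recipient side decrypts and then verifies the signature against a trust anchor. Throwaway self-signed identities for "Bob" (sender) and "Alice" (recipient) are generated on the fly so it runs offline; in real use bob.pem comes from a CA (public or your own) and alice.pem from Alice. Only the openssl command-line tool is assumed.

```shell
#!/bin/sh
# Added example, not code from the original post: S/MIME sign/encrypt and
# decrypt/verify as functions, with constructed self-signed test identities.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed key + certificate in one PEM file (the bob.pem layout from the post),
# plus the certificate alone in $WORK/<name>.crt, which is what the other side gets.
# $1 = name, $2 = e-mail address, $3 = output PEM file (key + certificate)
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1/emailAddress=$2" \
        -keyout "$3" -out "$WORK/$1.crt" 2>/dev/null
    cat "$WORK/$1.crt" >> "$3"
}

# SHA-256 fingerprint of the (first) certificate in a PEM file, colon-separated hex.
cert_fpr() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Sender side, the same two stages as the post: sign as Bob, then encrypt to Alice,
# producing a complete message with From/To/Subject headers ready for `ssmtp -t`.
# Refuses to encrypt if the recipient certificate does not match the pinned fingerprint.
# $1 = sender PEM (key+cert), $2 = recipient cert, $3 = expected fingerprint,
# $4 = From address, $5 = To address, $6 = Subject
smime_sign_encrypt() {
    actual=$(cert_fpr "$2")
    if [ "$actual" != "$3" ]; then
        echo "refusing to encrypt: certificate fingerprint mismatch for $5" >&2
        return 1
    fi
    openssl smime -sign -signer "$1" -text \
      | openssl smime -encrypt -from "$4" -to "$5" -subject "$6" -aes-256-cbc "$2"
}

# Recipient side: decrypt with Alice's key, then verify Bob's signature against the
# trust anchor in $2 (here Bob's self-signed certificate; normally the CA). -text
# strips the text/plain header that "-sign -text" added; tr drops the CRLF line
# endings of canonical MIME. Returns non-zero unless the signature verifies.
# $1 = recipient PEM (key+cert), $2 = CA file to trust
smime_decrypt_verify() {
    openssl smime -decrypt -recip "$1" -out "$WORK/signed.p7s" || return 1
    openssl smime -verify -in "$WORK/signed.p7s" -CAfile "$2" -text \
        -out "$WORK/verified.txt" 2>/dev/null || return 1
    tr -d '\r' < "$WORK/verified.txt"
}

# Round trip: the message that would be handed to ssmtp is kept in $WORK/message.eml.
demo_roundtrip() {
    make_identity Bob bob@example.com "$WORK/bob.pem"
    make_identity Alice alice@example.com "$WORK/alice.pem"
    pin=$(cert_fpr "$WORK/Alice.crt")   # in real use: a fingerprint checked out of band
    echo "Hello Alice, if you can read this your S/MIME mail client is working." \
      | smime_sign_encrypt "$WORK/bob.pem" "$WORK/Alice.crt" "$pin" \
            bob@example.com alice@example.com "S/MIME encrypted mail test" \
      > "$WORK/message.eml"
    smime_decrypt_verify "$WORK/alice.pem" "$WORK/Bob.crt" < "$WORK/message.eml"
}

demo_roundtrip
```

Inspecting $WORK/message.eml after a run shows the point of the last note: the From, To and Subject lines are readable, and only the application/x-pkcs7-mime body is encrypted.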