Posted on Sun 26 February 2012

Protecting your mails with GnuPG

You probably know that you can encrypt and sign your emails using GnuPG, and there's even a bunch of programs and plugins to make it easier for you. However, if you are like me and use Gmail's browser interface, there's no plugin for you. Your only choice is to copy & paste your mails to some external program, encrypt / decrypt them and paste them back into Gmail. Certainly not very comfortable.

Today, I set out to change this. I wrote a small Chrome extension which interfaces with GnuPG so you can encrypt and decrypt your mails directly from the browser. It uses a very simple mechanism - pipes. Using the excellent "stx-execpipe" library, I wrote a small NPAPI plugin that handles all calls to GnuPG.

With all error checking removed, it boils down to a few lines of code:

```cpp
// our pipe
stx::ExecPipe ep;

// set arguments
std::vector<std::string> gpgargs;
gpgargs.push_back("/usr/bin/gpg");
gpgargs.push_back("--quiet");
gpgargs.push_back("--no-tty");
gpgargs.push_back("--decrypt");
gpgargs.push_back("--use-agent");
// send gpg's log messages to fd 1 (stdout), so they end up in output too
gpgargs.push_back("--logger-fd");
gpgargs.push_back("1");
ep.add_execp(&gpgargs);

// connect stdin and stdout
// crypt_txt is the std::string holding the encrypted message
std::string output;
ep.set_output_string(&output);
ep.set_input_string(&crypt_txt);

// launch it
ep.run();
```

The special `--use-agent` option makes gpg get the passphrase from gpg-agent, which pops up its own window to ask the user when it's needed - the passphrase stays as far away from the browser as possible!

That's basically the design for the whole plugin; everything else is just variations on the arguments for decryption, signing, etc. The NPAPI interface is handled by FireBreath, a most excellent framework you should definitely check out if you want to write your own plugin.
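The same pipe mechanism written with plain POSIX calls, as an added example that is not code from CryptoChrome or stx-execpipe (`run_filter` and `PipeResult` are hypothetical names). It goes beyond the snippet above by returning the child's exit status, so a failed gpg run is not mistaken for a decrypted message, and by interleaving reads and writes so a long mail cannot stall the pipe.

```cpp
// Added example (not CryptoChrome's code); run_filter is a hypothetical helper.
#include <climits>
#include <poll.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>
#include <string>
#include <vector>
struct PipeResult { int exit_code; std::string out; };  // exit_code -1: no clean exit
PipeResult run_filter(const std::vector<std::string>& argv, const std::string& input) {
    int in[2], out[2];                     // child's stdin and stdout pipes
    if (pipe(in) != 0) return {-1, ""};
    if (pipe(out) != 0) { close(in[0]); close(in[1]); return {-1, ""}; }
    pid_t pid = fork();
    if (pid == 0) {                        // child: wire the pipes, then exec
        dup2(in[0], 0); dup2(out[1], 1);
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        std::vector<char*> args;
        for (const auto& a : argv) args.push_back(const_cast<char*>(a.c_str()));
        args.push_back(nullptr);
        execv(args[0], args.data());       // absolute path: no PATH lookup, no shell
        _exit(127);                        // exec failed
    }
    close(in[0]); close(out[1]);
    if (pid < 0 || input.empty()) { close(in[1]); in[1] = -1; }  // nothing to send
    signal(SIGPIPE, SIG_IGN);              // process-wide: child may exit early
    std::string data;
    size_t sent = 0;
    char buf[4096];
    while (pid > 0) {                      // interleave I/O so neither side stalls
        pollfd fds[2] = {{out[0], POLLIN, 0}, {in[1], POLLOUT, 0}};
        if (poll(fds, 2, -1) < 0) break;
        if (in[1] >= 0 && (fds[1].revents & (POLLOUT | POLLERR))) {
            size_t left = input.size() - sent;  // write <= PIPE_BUF so it cannot block
            ssize_t n = write(in[1], input.data() + sent, left < PIPE_BUF ? left : PIPE_BUF);
            if (n > 0) sent += n;
            if (n < 0 || sent == input.size()) { close(in[1]); in[1] = -1; }
        }
        if (fds[0].revents & (POLLIN | POLLHUP)) {
            ssize_t n = read(out[0], buf, sizeof buf);
            if (n <= 0) break;             // EOF: child closed stdout
            data.append(buf, n);
        }
    }
    if (in[1] >= 0) close(in[1]);
    close(out[0]);
    int status = 0;
    bool ok = pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status);
    return {ok ? WEXITSTATUS(status) : -1, data};
}
```

Pass the gpg argument list from the snippet above as `argv` and the selected text as `input`; treat any nonzero `exit_code` as a failure and discard `out`.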

Communication with the browser is handled by a Chrome extension. It provides entries in the context menu when the user selects text, so he can directly encrypt the selection. The output of gpg is then placed on the clipboard.

{% img /images/cryptochrome_contextmenu.png %}

For future versions, in-place encryption and decryption is planned, but it's not implemented yet. For now, select, right-click to encrypt and then paste is all you need. Also note that all needed keys have to be present in your gpg keychain - right now, the plugin won't query external servers for them.

If you have any ideas on how to improve this (I sure as hell have), please let me know. Of course, the source is on GitHub: CryptoChrome

Category: misc

Tags: security, privacy, programming

© Julian Schrittwieser.