4.31 Security

Gnus is able to verify signed messages or decrypt encrypted messages. The supported formats are PGP, PGP/MIME and S/MIME; however, you need some external programs to get things to work:

  1. To handle PGP and PGP/MIME messages, you have to install an OpenPGP implementation such as GnuPG. The Lisp interface to GnuPG included with Emacs is called EasyPG (see EasyPG in EasyPG Assistant user’s manual), but Mailcrypt is also supported.
  2. To handle S/MIME messages, you need to install OpenSSL. OpenSSL 0.9.6 or newer is recommended.

The variables that control security functionality on reading/composing messages include:

mm-verify-option

Option of verifying signed parts. never, do not verify; always, always verify; known, only verify known protocols. Otherwise, ask user.

mm-decrypt-option

Option of decrypting encrypted parts. never, no decryption; always, always decrypt; known, only decrypt known protocols. Otherwise, ask user.

mm-sign-option

Option of creating signed parts. nil, use default signing keys; guided, ask user to select signing keys from the menu.

mm-encrypt-option

Option of creating encrypted parts. nil, use the first public-key matching the ‘From:’ header as the recipient; guided, ask user to select recipient keys from the menu.

mml1991-use

Symbol indicating elisp interface to OpenPGP implementation for PGP messages. The default is epg, but mailcrypt is also supported although deprecated. By default, Gnus uses the first available interface in this order.

mml2015-use

Symbol indicating elisp interface to OpenPGP implementation for PGP/MIME messages. The default is epg, but mailcrypt is also supported although deprecated. By default, Gnus uses the first available interface in this order.

By default the buttons that display security information are not shown, because they clutter reading the actual e-mail. You can type K b manually to display the information. Use the gnus-buttonized-mime-types and gnus-unbuttonized-mime-types variables to control this permanently. See MIME Commands for further details, and hints on how to customize these variables to always display security information.
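A sample ~/.gnus.el fragment that ties the variables above together (an added example, not part of the Gnus manual; the values chosen and the "multipart/encrypted" entry are one possible policy, not the defaults):

```elisp
;;; Added example: reading/composing security policy for Gnus.
;;; The values are an assumed policy; adjust them to your own needs.

;; Reading: verify signatures and decrypt parts automatically, but only
;; for protocols Gnus knows. Other values are `never' and `always';
;; anything else makes Gnus ask.
(setq mm-verify-option 'known
      mm-decrypt-option 'known)

;; Composing: choose keys from a menu instead of silently using the
;; default signing key or the first public key matching From:.
(setq mm-sign-option 'guided
      mm-encrypt-option 'guided)

;; Use EasyPG (the default) for both inline PGP and PGP/MIME rather
;; than the deprecated Mailcrypt interface.
(setq mml1991-use 'epg
      mml2015-use 'epg)

;; Always show the security buttons, so the result of verification or
;; decryption is visible without typing K b in every article.
(setq gnus-buttonized-mime-types
      '("multipart/signed" "multipart/encrypted"))
```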

Snarfing OpenPGP keys (i.e., importing keys from articles into your key ring) is not supported explicitly through a menu item or command; rather, Gnus detects and labels keys as ‘application/pgp-keys’, allowing you to specify whatever action you think is appropriate through the usual MIME infrastructure. You can use a ~/.mailcap entry (see mailcap in The Emacs MIME Manual) such as the following to import keys using GNU Privacy Guard when you click on the MIME button (see Using MIME).

application/pgp-keys; gpg --import --interactive --verbose; needsterminal

This happens to also be the default action defined in mailcap-mime-data.

More information on how to set things up for sending outgoing signed and encrypted messages can be found in the message manual (see Security in Message Manual).