Compatibility of gpg4o and Google Chrome “End-To-End”
Google’s End-To-End (E2E) is, as of July 2014, still an experimental plugin for Chrome, Google’s web browser. It is in alpha stage, which means there is no precompiled version in the Chrome Web Store. At the moment you need some technical know-how and a compiler to get it working. Once you have done that, you can set up encrypted communication with other products such as gpg4o. The following shows how to do that.
What do you need to do to get gpg4o to work with Google’s End-To-End?
To send encrypted emails from E2E to gpg4o you just need to import the OpenPGP public key of the receiving gpg4o installation. This is the same as with other OpenPGP implementations.
The opposite direction is a little more difficult to set up. E2E creates keypairs with an algorithm that is not yet very popular in OpenPGP. GnuPG does not support it so far but is expected to do so in the near future. Public keys created by E2E cannot be imported into GnuPG yet, and the same is true of gpg4o and many other OpenPGP implementations.
The workaround is to create an RSA keypair for E2E with other software like GnuPG or gpg4o. Please consult the manual of gpg4o to learn how to export the keypair in order to be able to follow the import process described below.
Attention: At the moment little can be said about the security of the key management in E2E. When a private key that was created by other software is imported, its passphrase is removed. (It does not need to be provided with E2E, at least not in the current implementation.) This seems convenient, but please give security a second thought. With E2E the complete keyring (not each individual key) is secured with just one passphrase. In memory, all keys are available unencrypted.
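To tell in advance whether a key file uses RSA or the elliptic-curve algorithms that GnuPG-based tools cannot import yet, and whether an exported private key is still passphrase-protected, the first OpenPGP packet of the file can be inspected. The following Python code is an added example, not code from gpg4o or End-To-End; the function names and the two sample packets (constructed, with dummy key material) are assumptions, and it reads only version 4 key packets as defined in RFC 4880.

```python
import base64

ALGOS = {1: "RSA", 2: "RSA", 3: "RSA", 16: "Elgamal", 17: "DSA",
         18: "ECDH", 19: "ECDSA"}  # IDs from RFC 4880 section 9.1 and RFC 6637
# Constructed samples with dummy key material: ECDSA public, unprotected RSA secret.
SAMPLE_EC_PUBLIC = bytes.fromhex("9806" "0400000000" "13")
SAMPLE_RSA_SECRET = bytes.fromhex("940d" "0400000000" "01" "0008c3" "000203" "00")

def dearmor(data: bytes) -> bytes:
    """Strip ASCII armor if present and return the binary OpenPGP packets."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [ln.strip() for ln in data.strip().splitlines()]
    body = lines[lines.index(b"") + 1:-1]            # after headers, before END line
    return base64.b64decode(b"".join(ln for ln in body if not ln.startswith(b"=")))

def first_packet(data: bytes):
    """Return (tag, body) of the first packet (RFC 4880 section 4.2)."""
    hdr = data[0]
    if hdr & 0x40:                                   # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            start, length = 2, first
        elif first < 224:
            start, length = 3, ((first - 192) << 8) + data[2] + 192
        elif first == 255:
            start, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body lengths are not handled here")
    else:                                            # old-format header
        tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
        if size == 8:
            raise ValueError("indeterminate length is not handled here")
        start, length = 1 + size, int.from_bytes(data[1:1 + size], "big")
    return tag, data[start:start + length]

def describe_key(data: bytes) -> dict:
    """Report the algorithm and, for RSA secret keys, whether a passphrase protects it."""
    tag, body = first_packet(dearmor(data))
    if tag not in (5, 6) or body[0] != 4:
        raise ValueError("expected a version 4 public or secret key packet")
    algo, protected = body[5], None                  # algorithm follows version + timestamp
    if tag == 5 and algo in (1, 2, 3):
        pos = 6
        for _ in range(2):                           # skip the public MPIs n and e
            pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
        protected = body[pos] != 0                   # S2K usage octet; 0 = stored in the clear
    return {"secret": tag == 5, "algorithm": ALGOS.get(algo, f"unknown ({algo})"),
            "rsa": algo in (1, 2, 3), "protected": protected}
```

Calling `describe_key(open("key.asc", "rb").read())` on an exported file (the file name is a placeholder) accepts armored or binary input; `"rsa": False` marks a key that the RSA workaround described here does not cover.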
How to import a keypair in Google’s End-To-End
- Right-click on the E2E icon in the upper right corner of the window (see picture below)
- Choose “Options”
- In the dialog that opens, choose “Import a keyring” in the section “Keyring management”
- Select the keypair previously exported (from gpg4o or elsewhere) and click on “Import”
- Click OK to confirm the import.
- Done. You have imported a working keypair
You may now use this keypair to communicate with gpg4o or other OpenPGP implementations based on an RSA key. Please be reminded: The passphrase of this private key has been removed during the import process. Please do not experiment with your personal private key which you use for secret communication.
It works! Google’s End-To-End may be at a very early stage at the moment, but with some workarounds it is possible to exchange plaintext messages with gpg4o or other PGP software. At the moment (July 2014) it is not possible to exchange HTML mails or to send or receive attachments. This may become possible in the future. With some work, though not yet for the normal end user, it is now possible to communicate via OpenPGP from Google’s Chrome with the rest of the OpenPGP world.
Annotation: How safe are private keys in memory?
In memory, the private key is sandboxed by Chrome from other things. When private keys are in local storage they are not protected by Chrome’s sandbox, which is why we encrypt them there. Please note that enabling Chrome’s “Automatically send usage statistics and crash reports to Google” means that, in the event of a crash, parts of memory containing private key material might be sent to Google.
Cryptographic Algorithm: http://de.wikipedia.org/wiki/Elliptic_Curve_Cryptography