A few months ago I had the idea that it would be nice if Nextcloud would encrypt the email it sends to me. Sending pgp encrypted Emails · Issue #7310 · nextcloud/server · GitHub
So I started coding and would like to present the current state. If you want to test it I would be happy to get some feedback.
The first Branch is about sending Emails: GitHub - tacruc/server at GPG-Email
What should be working?
- The user should be able to upload and delete his public key
- The test email in settings/admin/additional should be sent encrypted if the key was uploaded, and signed if there is a server private key
- Creating server Keys on install/update
What to test?
- Check if Server Keys are generated
Check the log for:
"Saved server key fingerprint:".$fingerprint." to system config"
"No server GPG key found so no signed emails are possible"
The second Branch is about adding public keys to contacts:
Contacts app Branch: GitHub - tacruc/contacts at GPG-Pubkey
Server Branch: GitHub - tacruc/server at GPG-Contacts
What should be working?
- uploading a public key to contact
- the key is imported and an X-KEY-FINGERPRINT is added to the vCard, visible when downloaded
The App Keymanager GitHub - tacruc/keymanager is supposed to give more options for key management; it will require the contacts branch to work
What should be working?
- All keys available for the user should be listed.
- apps/keymanager/keys should return a json file with contacts connected to the keys and contacts suggested to connect with the key
- apps/keymanager/public.asc or apps/keymanager/server.asc should download the server's public key
Where is help appreciated?
- I’m not a designer or a big JavaScript fan, so if you would like to do some UI work I would love to implement all calls you need.
I totally like the idea of encrypted mails sent by the server, but do I get this right, that I need to install Nextcloud from your repository and am cut off from the Nextcloud GmbH repository?
In that case I would prefer an app, that brings the additional features, instead of a fork.
At the moment it is under development and not ready for production. In the end I would like to get it integrated into Nextcloud, maybe at version 14.
This implementation extends the mail system with an extra parameter if and to whom the email should be encrypted. This parameter has to be set by the part of Nextcloud creating the email. (For example the share by email dialog or the part creating the test email for the email configuration.) This part has a lot of information (user requested the sending, meaning of the content of the email) on which it can decide if the email is encrypted.
In worst case it could ask the user if the email should be encrypted. For example the “share by email” dialog could be extended with an option encrypt email with gpg.
To get this with an app, the app would have to interact with all these parts of Nextcloud where emails are created. I think it is not possible to implement it, but maybe I’m wrong here.
The second implementation could be an app which gets all emails before they are sent. But then the app is lacking a lot of information. It could for example decide based on the receiver of the email if it is encrypted or not. But this would mean that every email where a public key of the receiver is known to the app would be encrypted. But imagine an instance with two users Alice and Bob. And both know Charlie. Alice and Charlie are encryption affine and exchange public keys. Alice imports the key into her contact of Charlie. Then Bob shares a file with Charlie via email. The app gets an email from Nextcloud to Charlie. And the app knows a public key for Charlie. So the app is going to encrypt the email for Charlie. So in the end Charlie would get an encrypted email from Bob. This would be an unexpected behavior. And it would get more messed up if Charlie gives different public keys to Alice and Bob.
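The difference between the two designs described in the post above, modelled as an added example that is not part of the original thread or of the Nextcloud code base. The `Mail` class, its `encrypt` flag, the per-user keyring layout and the fingerprints are all assumptions constructed for illustration; no real encryption is performed.

```python
from dataclasses import dataclass

# Constructed sample data: per-user contact keyrings,
# owner -> {contact email: key fingerprint}. Fingerprints are placeholders.
KEYRINGS = {
    "alice": {"charlie@example.org": "AAAA1111"},
    "bob": {},
}

@dataclass
class Mail:
    sender: str            # Nextcloud user whose action triggered the mail
    recipient: str
    encrypt: bool = False  # hypothetical flag set by the code creating the mail

def interceptor_policy(mail, keyrings):
    """App that only sees the finished mail: it encrypts whenever ANY user
    has stored a key for the recipient. Returns all candidate fingerprints."""
    return sorted({ring[mail.recipient] for ring in keyrings.values()
                   if mail.recipient in ring})

def caller_policy(mail, keyrings):
    """Mail system with an explicit parameter: encrypt only when the creating
    component asked for it, and only with the sender's own contact key."""
    if not mail.encrypt:
        return None  # sender did not request encryption: send as before
    fpr = keyrings.get(mail.sender, {}).get(mail.recipient)
    if fpr is None:
        # Fail closed: encryption was requested but the sender has no key.
        raise LookupError(f"{mail.sender} has no key for {mail.recipient}")
    return fpr

def demo():
    bob_share = Mail("bob", "charlie@example.org")
    alice_share = Mail("alice", "charlie@example.org", encrypt=True)
    results = {
        "interceptor_bob": interceptor_policy(bob_share, KEYRINGS),
        "caller_bob": caller_policy(bob_share, KEYRINGS),
        "caller_alice": caller_policy(alice_share, KEYRINGS),
    }
    # Charlie gives Bob a different key: the interceptor cannot tell which to use.
    two_keys = {**KEYRINGS, "bob": {"charlie@example.org": "BBBB2222"}}
    results["interceptor_two_keys"] = interceptor_policy(bob_share, two_keys)
    results["caller_bob_two_keys"] = caller_policy(
        Mail("bob", "charlie@example.org", encrypt=True), two_keys)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
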
Did you contact @ChristophWurst?
He is the mail app developer and it could be useful to connect with him…
Just my 2 cents…
The mailing system in Nextcloud is, as far as I noticed, disconnected from the Mail app.
So on the first step I would like to get the gpg class and the mailing system to use it.
The second step would be from my point of view, to enable GPG key upload on contacts to encrypt share by Email messages. The third step would be an app for the Key management.
After that I have some Ideas to get GPG email working in the mail app, or an own app, but it is just an Idea.
The main problem is that you could do the encryption server-side -> then an admin would be able to get your key.
Quick question: Has there been any progress on GPG encrypted emails in Nextcloud?
In our company we send emails with GPG via Outlook. It would be cool if we could integrate this into the Cloud
Well the app is released and working for me, without open issues right now.
Notice the app just takes care to encrypt system emails which are sent to a user.
Thanks for making that GPG app. I am interested in protecting email notifications sent from the calendar plugin… Is it possible to add the php-gnupg module into NC23 snap?
NC23 Snap is not installed with phpx.x-gnupg which is required by the app
/snap/bin/nextcloud.occ app:enable --force gpgmailer
App “GPG Mailer” cannot be installed because the following dependencies are not fulfilled: The library gnupg is not available.
This is a good argument for a bare metal install of NextCloud
I think this is a disadvantage of Snap.
But perhaps you can create an issue.
GPG Mailer is also only supported till Nextcloud 21.
I think this feature is not really useful.
System messages should be minimal and without confidential content.
All confidential infos should be behind a Nextcloud link with user authentication and TLS/SSL.
We send calendar item notifications by email. Some of the calendar items are financial and can be a bit too descriptive for plain text email communications. The GPG plug in would be a good solution. On WordPress upload notifications are emailed, the messages are GPG then sent.
Do you have a bare metal install of NextCloud that enables a /snap/bin/nextcloud.occ app:enable --force gpgmailer command to be run to force install to test NC23 compatibility?
I have avoided the bare metal installs as I like to get the latest versions. When the snap is updated I don't see data loss; I heard it is difficult to port data from the db to a new bare metal install.