#100Days, Day 13

Aaaand, I'm back. Yesterday was not the best day for me to write. Mostly because I got so engulfed in working on mailbox encryption and decryption for all my devices, and spent some time working on my eventual writing business.

Next thing I know, dinner's ready, and right after that, Game of Thrones. My wife and I were pretty happy with the final ending of the show, and it sort of redeemed itself for so many missed opportunities to tell a much more powerful story in the previous couple of episodes.

However, we still feel robbed over one thing that never came to fruition, and so I guess we have to take the good with the bad. If you're a fan of the show and have watched to the end, I think you'll know what that one thing I'm referring to is.

In any case, yesterday was also the first time for as long as I can remember, that I didn't dread a Monday. Maybe it's because I have a better understanding of all the various of what could be considered a "good job" with my project, when I thought it was really just one.

Or, it could be because I know what I've got to do for the project, and the people on my team are really great to work with, even if our "customers" are spoiled little shits.

Then again, perhaps it's because I'm taking this Friday off, enjoying a holiday on Monday, and taking Tuesday off just because it feels good.

Think it might be all of the above? I'd bet good money on it. Regardless, it just feels great to not be all tense and full of anxiety when going to work.

I will say that the time I spent on getting my encrypted mailbox from Mailbox.org working with all my devices was well worth the effort. I'd started poking at it here and there since a few weeks ago, but never really gave it my full attention.

The issue was that I could see all the mail in my encrypted mailbox just fine as long as I was using their web interface. But, whenever I'd try to connect my laptop/desktop/mobile email apps to it, I could never see the encrypted contents of my emails.

And for a while, I thought that was perhaps a "feature" and not a bug. Where if you wanted true privacy and security, use the browser and not third party email clients, like ProtonMail and Tutanota do. But, I thought that to be quite limiting, and somewhat defeating the purpose of having a productivity suite bundled in that you can use from any device.

I also thought that for some reason I just wasn't grasping the concept of managing encryption keys, and that maybe it is just that complicated. Then I started reading more about the issue I was experiencing, and started piecing it together.

If you're interested here's what I found, and how I fixed it:

In Mailbox.org, you can choose to have Mailbox.org create your PGP keys. It's called "Guard" and it makes it very easy to encrypt your emails and receive encrypted emails. Another benefit, however, is that Guard will also encrypt all incoming messages to your mailbox (even if the sender didn't encrypt the email to you), and it will also encrypt the files you store in their cloud as part of the productivity suite.

Using Guard and having Mailbox.org create your keys is the easiest way to get this all done. So, when I was having issues using 3rd party email clients, I really thought I was kind of stupid for not understanding how this should be done.

Ok, so here's what happened:

  • When I first signed up for Mailbox.org as a trial, I used a different username and that username became my email address at Mailbox.org.

  • In order to set up Guard to encrypt my mailbox and cloud storage, I needed to copy and paste my public key to a setting in my Mailbox.org account.

  • Not long after setting all that up, I created an alias to use in conjunction with my primary email address.

  • Then, I decided to change my alias to my primary email address, and my primary email address to be my alias. Yeah, I like to complicate stuff, don't I?

  • After doing so, new encryption keys were generated by Guard for my "new" primary email address.

  • Once the new keys were created, I could still see all my email when logging in with the web interface. When I confirmed that it worked, I revoked the keys for the original primary email address that is now my alias. No need to use the key any more as I didn't want to really use the alias anyway. I just wanted to promote my original alias to be my primary account name and email.

  • Every time I'd try to connect an email client with PGP support, I couldn't decrypt the emails in my mailbox. Again, on the web: just fine. Anything else: Nope.

  • I'd pasted or imported my public and private keys into these email clients, and even my keyring on my laptop and desktop machines. For iOS, I was using Canary Mail and that's a simple upload from my Files app to where it immediately recognizes the key and knows everything inside the key.

  • But, no matter what, I couldn't decrypt my emails when using anything other than the web interface. I'd paid $10 for Canary Mail and I thought I'd wasted it because no matter what I tried, I couldn't get it to work.

  • I started reading about querying for public keys on keyservers. Seahorse for Gnome, of course, doesn't support the hkps protocol, only hkp, the non-secure version. So, I installed Thunderbird and Enigmail, since Enigmail supports querying public key servers with hkps.

  • Did my query and found me on the Mailbox.org key server. Found my current primary account, and my alias that used to be my primary account, which I had since revoked.

  • Decided to export both private and public keys for both identities (primary and alias) on Mailbox.org. They've got a very easy way to do that with their web interface that manages your account.

  • As I set up the private and public keys for my current primary email in Enigmail, I saw a funny message on each of my emails in Thunderbird. Since it couldn't decrypt any of my email contents, it would keep telling me the message was intended for my current alias, which used to be my primary account.

  • I thought that was really weird because I changed my primary account away from that identity. And, I'm able to see and decrypt all my email when using the web interface.

  • Decided to try something. If Thunderbird and Enigmail think the encrypted contents are for my old primary email address, what if I imported the key pair for that old one that has since been revoked?

  • Turns out I can't use revoked keys on my laptop or desktop, but Canary Mail didn't care. As long as I had the contents of the key to upload to the app, it took it. And guess what.... I could see my emails in Canary Mail!

  • Not done yet. If I can see my emails in Canary Mail that are clearly addressed to my current primary email, why do I have to use the private key of the current alias identity to read those emails? Shouldn't email that gets encrypted with my keys in Guard automatically know which account the encrypted contents of the message would be intended for?

  • Then it hit me. After I promoted my alias to primary, I didn't paste the new public key that Guard created for my new primary account in my encrypted mailbox setting on my Mailbox.org account settings! Once I pasted the public key of my now current account, messages with encrypted contents were now encrypted for my actual primary account.

  • The public key I'd pasted in before never got changed, so it thought my alias was still my primary.

  • Once I could verify that new emails coming in were indeed encrypted and meant for my now primary account, I saw that I could see my older emails that were encrypted for the wrong identity. I didn't lose access to my emails during the time of misconfiguration.

  • On my email clients, I uploaded the key pairs for my current primary as well as the revoked key pair for my alias, and now I can see all my emails, and from here out, incoming emails are encrypted for the proper identity, so my current primary key pair is now the right key pair, and I can use any damn email client I want that supports PGP.
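The mismatch in the steps above can be confirmed straight from a message: every OpenPGP message starts with Public-Key Encrypted Session Key packets that name the key it was encrypted to. The Python sketch below is an added example, not part of the original post; the key IDs, labels and sample message are constructed, and it reads only version 3 PKESK packets as defined in RFC 4880.

```python
import base64

def dearmor(text):
    """Strip ASCII armor: header line, armor headers, CRC24 line and footer."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:]          # data starts after the blank line
    return base64.b64decode("".join(l for l in body if not l.startswith(("=", "-----"))))

def recipient_key_ids(msg):
    """Return the key IDs of all PKESK (tag 1) packets at the start of a message."""
    ids, i = [], 0
    while i < len(msg):
        hdr = msg[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet")
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, msg[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + msg[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(msg[i:i + 4], "big")
                i += 4
            else:
                break                           # partial length: the data packet, stop
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                break                           # indeterminate length: data packet
            n = 1 << ltype
            length = int.from_bytes(msg[i:i + n], "big")
            i += n
        if tag == 1 and msg[i] == 3:            # v3 PKESK: version, 8-byte key ID, algo
            ids.append(msg[i + 1:i + 9].hex().upper())
        i += length
    return ids

def diagnose(armored, held):
    """Map each recipient key ID to the label of a private key we hold, else None."""
    return {kid: held.get(kid) for kid in recipient_key_ids(dearmor(armored))}

# Constructed sample: one PKESK for a made-up key ID, then a dummy encrypted-data packet.
_pkesk = b"\x03" + bytes.fromhex("1122334455667788") + b"\x01" + b"\x00\x08\xff"
_raw = b"\xc1" + bytes([len(_pkesk)]) + _pkesk + b"\xd2\x03\x01\xaa\xbb"
SAMPLE = ("-----BEGIN PGP MESSAGE-----\n\n" + base64.b64encode(_raw).decode()
          + "\n-----END PGP MESSAGE-----\n")

if __name__ == "__main__":
    # Hypothetical keyring: only the new primary key is imported, so the result is None.
    print(diagnose(SAMPLE, {"AABBCCDDEEFF0011": "current primary"}))
```

The ID in these packets is normally the encryption subkey's ID, so compare it against the subkey lines of your keyring listing rather than the primary key ID. An all-zero ID means the sender hid the recipient.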


I love figuring shit out. It was a stupid mistake, an oversight really, and it turns out I was managing keys the way I understood it from all the websites I'd visited. I was just managing the wrong keys! D'OH!!

So now that I'd borked something up by making a change, and figuring out how to fix it afterwards means that using public and private keys for email really isn't all that hard.

Never gonna forget that little lesson when securing emails and mailboxes. So, all in all, Sunday was a pretty great day.
