From 2e5f28bf8b75a72d82e3459a557a0fc583b3128f Mon Sep 17 00:00:00 2001 From: M66B Date: Fri, 6 Dec 2019 13:25:45 +0100 Subject: [PATCH] Updated FAQ --- FAQ.md | 48 +++++++++++++++++++++++++++++++----------------- 1 file changed, 31 insertions(+), 17 deletions(-) diff --git a/FAQ.md b/FAQ.md index 6289dd19d5..cfe36cd11d 100644 --- a/FAQ.md +++ b/FAQ.md @@ -85,8 +85,8 @@ Related questions: * ~~Select domains to show images for~~ (this will be too complicated to use) * ~~Unified starred messages view~~ (there is already a special search for this) * ~~Notification move action~~ +* ~~S/MIME support~~ * Search for settings: low priority -* S/MIME support Anything on this list is in random order and *might* be added in the near future. 
@@ -560,25 +560,32 @@ So, unless your provider can enable this extension, you cannot use FairEmail for **(12) How does encryption/decryption work?** -First of all you need to install and configure [OpenKeychain](https://f-droid.org/en/packages/org.sufficientlysecure.keychain/). +*General* -To encrypt and send a message just check the menu *Encrypt* and the message will be encrypted on sending. +To sign/encrypt a message, just select the appropriate method in the send dialog. +You can always open the send dialog using the three-dots overflow menu in case you selected *Don't show again* before. -To decrypt a received message, open the message and just tap the padlock icon just below the message action bar. +To verify a signature or to decrypt a received message, open the message and just tap the gesture or padlock icon just below the message action bar. -The first time you send an encrypted message you might be asked for a sign key. -FairEmail will automatically store the sign key ID in the selected identity for the next time. -If you need to reset the sign key, just save the identity to clear the sign key ID again. -The sign key is visible in the list of identities. +The first time you send a signed/encrypted message you might be asked for a sign key. +FairEmail will automatically store the selected sign key in the used identity for the next time. +If you need to reset the sign key, just save the identity or long press the identity in the list of identities and select *Reset sign key*. +The selected sign key is visible in the list of identities. -You can enable *Encrypt by default* in the identity settings, which replaces *Send* by *Encrypt and send*. -You can enable *Automatically decrypt messages* in the privacy settings, but be aware that automatic decryption is not possible if user interaction is required. 
+In the privacy settings you can select the default encryption method (PGP or S/MIME), +enable *Sign by default*, *Encrypt by default* and *Automatically decrypt messages*, +but be aware that automatic decryption is not possible if user interaction is required, like selecting a key or reading a security token. -FairEmail will send the [Autocrypt](https://autocrypt.org/) headers for other email clients. +The to be encrypted message text/attachments and the decrypted message text/attachments are stored locally only and will never be added to the remote server. +If you want to undo decryption, you can use the *resync* menu item in the three-dots menu of the message action bar. -The decrypted message text and decrypted attachments are stored. If you want to undo this, you can use the *resync* message 'more' menu. +*PGP* -Inline PGP in received messages is supported, but inline PGP in outgoing messages is not supported, +You'll need to install and configure [OpenKeychain](https://f-droid.org/en/packages/org.sufficientlysecure.keychain/) first. + +FairEmail will send the [Autocrypt](https://autocrypt.org/) headers for use by other email clients. + +Inline encrypted PGP in received messages is supported, but inline PGP in outgoing messages is not supported, see [here](https://josefsson.org/inline-openpgp-considered-harmful.html) about why not. Signed-only or encrypted-only messages are not a good idea, please see here about why not: 
@@ -589,16 +596,23 @@ Signed-only or encrypted-only messages are not a good idea, please see here abou Signed-only messages are supported, encrypted-only messages are not supported. -For S/MIME support, please see the [planned features](#user-content-planned-features). +*S/MIME* + +Encrypting a message requires the public key(s) of the recipient(s). Signing a message requires your private key. + +Private keys are stored by Android and can be imported via the Android advanced security settings. +There is a shortcut (button) for this in the privacy settings. +Public keys are stored by FairEmail and can be imported when verifying a signature for the first time or via the privacy settings (PEM or DER format). + +The use of expired keys, inline encrypted/signed messages and hardware security tokens is not supported. -Extract a public key from a S/MIME certificate: +How to extract a public key from a S/MIME certificate: ``` openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem ``` -Please see [this comment](https://forum.xda-developers.com/showpost.php?p=79444379&postcount=5609) -about [these vulnerabilities](https://amp.thehackernews.com/thn/2019/04/email-signature-spoofing.html). +S/MIME sign/encrypt is a pro feature, but all other PGP and S/MIME operations are free to use.
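Review bot: in the planned-features hunk (`@@ -85,8 +85,8 @@`), the new `* ~~S/MIME support~~` entry does not say whether the item was completed or dropped. Struck-through neighbours such as `~~Select domains to show images for~~ (this will be too complicated to use)` are rejections, so a reader can take this entry to mean S/MIME was rejected, while the same patch documents it as available under question 12. Suggest adding a short parenthetical that points to question 12.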
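Review bot: in the question 12 *General* text (`@@ -560,25 +560,32 @@`), the caveat `like selecting a key or reading a security token` sits in the part shared by PGP and S/MIME, but the *S/MIME* part added later in this patch says hardware security tokens are not supported. State which method the token case applies to, or move that example under *PGP*. Two wording points in the same hunk: `The to be encrypted message text/attachments` reads better as "Message text and attachments that are to be encrypted", and `tap the gesture or padlock icon` does not say which icon verifies a signature and which decrypts.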
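Review bot: in the *S/MIME* hunk (`@@ -589,16 +596,23 @@`), the heading `How to extract a public key from a S/MIME certificate:` does not match the command under it. `openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem` reads a PKCS#12 file and writes the client certificate without the private key, so the output is a certificate, not a bare public key; suggest wording the heading as extracting the certificate from a PKCS#12 (.pfx) file, which also matches the PEM import mentioned just above. The sentence saying public keys can be imported `when verifying a signature for the first time` should state what is checked before the key is stored. The hunk also drops the link to the signature-spoofing discussion without a replacement; consider keeping it now that signature verification is documented here.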