As touched on in other articles in this knowledge base, Kolab Now has configured Perfect Forwarding Secrecy (PFS), and data in transport is encrypted with SSL/TLS. Some customers have asked us to also enable them to do end to end encryption through the web client. We have long resisted that for multiple reasons; for one, letting the server hold a copy of the public / private key pair is not really providing true end-to-end encryption.
One workaround has been to use Mailvelope, a popular extension for browsers such as Firefox and Chrome, but this solution gives the browser access to the public/private key pair of the user, which brings another level of security considerations.
Another reason for holding back has been the many potential problems that users could get into with keys. Let’s face it: PGP encryption is not the most user friendly technology the internet has seen ever.
We have decided to implement PGP encryption in the webclient, and do it in a way that will guide the user as well as possible through the curves and wiggles. A more detailed explanation of PGP can be found here.. or here.. This article, however, is about how to use the PGP implementation in the Kolab now webclient.
In short, PGP encryption is building on the premises that a user has a public and a private key. The public key is public, and can be distributed to anyone who is expected to encrypt messages, and the private key is private. It should never get distributed to anyone else.
To use the encryption functionality, one must first have a PGP private and public key. To avoid known security issues, users will have to create and publish their own keys. More information about how to do so can be found in one of these places:
- GnuPG Documentation
- PGP key pair creation on Linux (fedora)
- PGP key pair creation on Windows
- PGP key pair creation on Mac OS
When the PGP key pair is available, the private key and the public key should be available as files. e.g. jdoe-privkey.asc / john.doe.pubkey.asc or john.doe.private.key.pgp / john.doe.public.key.pgp.
MAKE SURE TO BACK UP THESE FILES AND STORE THE BACKUP IN A SAFE PLACE.
| Import the keypair from these files into Kolab Now via ‘Settings -> PGP keys -> Import’: |  |
 | When keys are imported, the information about them (ID’s, Expiration date, type, ETC.) can be checked: |
| Import the public key(s) or the recipient(s) |  |
 | Make sure that ‘Encryption’ is enabled in ‘Settings -> Preferences -> Encryption’: |
| When composing a new mail, the option ‘Encrypt This Message’ is available. When enabled, the mail will be encrypted at the time of sending. The data saved to disc will also be encrypted: |  |
 | The recipient will receive the mail encrypted, and only if in possession of the personal private key, and the public key of the sender it is possible to decrypt the mail. |
| Even when decrypted in the webclient for reading, the mail is still saved to disc in the receivers end in encrypted form. |  |
Please Note: According to the ToS, Kolab Now is not responsible for the encryption keys. It is up to the user to maintain those with regards to validity, publishing to key servers, revocation, ETC. Always make sure to save a backup of public and private keys in a safe place away from network connections (e.g. a USB key). This is valid for encryption keys, as well as for any other data.