Encryption of mail with a certificate on a token in the Linux system using the example of JaCarta, Debian and the Evolution mail client
In MS Windows, there is a good mechanism for encrypting and signing mail with user certificates on smart cards (tokens). However, it is not always clear how to work with this in the hybrid IT infrastructure, when part of workstations, if not all, are running under the Linux kernel OS.
The problem is that in Linux distributions out of the box, as a rule, programs do not tend to work with key carriers, in our case with smart cards. However, this issue can always be solved by installing the appropriate modules that are in the standard repositories and setting them up.
In this article, we describe the process of encrypting mail with a certificate on the JaCarta token developed by Aladdin RD, in the Evolution mail client, in the Debian distribution, and we will demonstrate the ability to encrypt mail messages in the hybrid IT infrastructure.
Using the modutil command, register the PKCS11 library for the mail client.
After that, the certificate on JaCarta will be visible in the list of personal certificates in the settings.
The following is the certificate for sMIME operations.
Encrypting mail with a certificate on the JaCarta token on the Debian system and the Evolution mail client:
1. Install the libnss3-tools package:
2. Before closing the Evolution, register the module:
3. Connect JaCarta, launch Evolution (a PIN code must be requested when entering the settings).
4. In the account settings, in the Security section, select the certificate for encryption (Encryption certificate):
5. In the address book, select the addressee.
6. Open the properties and in the "Certificates" section specify the open part of the certificate of this user from the * .cer file (this file can be exported by standard means, DER format).
7. When sending mail in the options, specify S / MIME encrypt (Settings → Encrypt using S / MIME).
If a certificate is specified in the address book of the addressee, the message will be successfully encrypted and sent, as well as receiving and reading encrypted mail will be available.
Similarly, we can customize the signature of messages. To do this, you will need to add the certificate of the CA, which issued the certificate for the user, to the sender and recipient:
Thank you for your attention!
The problem is that in Linux distributions out of the box, as a rule, programs do not tend to work with key carriers, in our case with smart cards. However, this issue can always be solved by installing the appropriate modules that are in the standard repositories and setting them up.
In this article, we describe the process of encrypting mail with a certificate on the JaCarta token developed by Aladdin RD, in the Evolution mail client, in the Debian distribution, and we will demonstrate the ability to encrypt mail messages in the hybrid IT infrastructure.
General decision principle
Using the modutil command, register the PKCS11 library for the mail client.
After that, the certificate on JaCarta will be visible in the list of personal certificates in the settings.
The following is the certificate for sMIME operations.
7 steps to encrypt mail
Encrypting mail with a certificate on the JaCarta token on the Debian system and the Evolution mail client:
1. Install the libnss3-tools package:
# apt install libnss3-tools2. Before closing the Evolution, register the module:
modutil -add "JaCarta" -libfile /usr/lib/libjcPKCS11-2.so -dbdir ~/.local/share/evolution;/3. Connect JaCarta, launch Evolution (a PIN code must be requested when entering the settings).
4. In the account settings, in the Security section, select the certificate for encryption (Encryption certificate):
5. In the address book, select the addressee.
6. Open the properties and in the "Certificates" section specify the open part of the certificate of this user from the * .cer file (this file can be exported by standard means, DER format).
7. When sending mail in the options, specify S / MIME encrypt (Settings → Encrypt using S / MIME).
If a certificate is specified in the address book of the addressee, the message will be successfully encrypted and sent, as well as receiving and reading encrypted mail will be available.
Conclusion
Similarly, we can customize the signature of messages. To do this, you will need to add the certificate of the CA, which issued the certificate for the user, to the sender and recipient:
Thank you for your attention!