We've used Chronoforms in the past and just happened to have a copy of v5 to use as a test vehicle with some new GPG keys!




For the uninitiated, Chronoforms is a free component that can be found on the Joomla! Extensions Directory (JED). Their "build a contact form in seconds" claim is a big lie (well, a huge exaggeration), but the component does live up to its other promised benefit, the form builder, which can make [more or less] "every kind of form is possible, contact forms, payment forms, auto-responders, article form, survey, captcha, multi page and more." The software is released under the GPLv2 or later license.


Soon after completing the basic structure of a form and connecting it to a database it became apparent users could be better served if an additional, easy (and more importantly) secured method of sending highly sensitive private information was also available to them. That means encrypted email using GPG keys!


First, you need to generate your own GPG keys. We had some issues with keyring entropy timeouts from the command line and eventually elected to use GPA: the GNU Privacy Assistant. It uses the same GnuPG back-end. You can learn more about GPA here or choose another GUI listed here.


GPA makes GPG key generation super easy.

Second, you need to add the public key to your own server. You'll find apt-key list a helpful command to check the keys on the server as you manipulate them. If you generate the keys on the server itself, you can skip down a few paragraphs, else read on.


Use GPA to export your public key to a basic .txt file. Upload this file to the /root/.gnupg/ directory on the server. Then run this command to add the key: sudo apt-key add key.txt. Delete the text file afterward.


At this point, your key should be in the keyring. Again, use apt-key list to check. You'll see something like this towards the bottom of the list:


pub   1234R/D9002845 2015-01-12
uid                  YOUR NAME <>
sub   1234R/13DF7891 2015-01-12


Chronoforms needs the www-data user to be able to access the key. A quick method is to copy the keyring from the privileged user to the www-data location at /var/www/.gnupg/ with the following command: sudo cp /root/.gnupg/pubring.gpg /var/www/.gnupg/. Be sure the permissions are set correctly: 700 for the hidden .gnupg folder and 600 for the files within it. These permissions were already in place after running the cp command.


Open up Chronoforms in the CMS and start a basic form (just use the auto Demo tool).


You'll notice inside the Chronoforms form wizard there is a section explicitly for GPG encryption. You'll need to mark Encrypted to Yes and enter your GPG key ID number (the parent ID) e.g. D9002845. This field should NOT contain your actual public key string. See image below:


[Image: Chronoforms v5 GPG ID field]

Save your form and test that it works. It should send mail normally. Now we must modify Chronoforms itself to use encryption.


According to the outdated Chronoforms v4 FAQ, "GPG needs to be installed on the server and Crypt_GPG needs to be installed as well." GPG is installed by default on Ubuntu 16.04 LTS. Crypt_GPG, however, requires the installation of PEAR as described at pear.php.


Install PEAR with: sudo apt install php-pear


Install Crypt_GPG with: pear install Crypt_GPG


You might think this will create an option for you to enable in your php.ini file...wrong. It's going to be created instead on your server at: /usr/share/Crypt/GPG.php or if you are using Ubuntu 18.04 it shows up in /usr/share/php/Crypt.


The Chronoforms test form is looking for GPG, but the actual PHP code driving the component isn't. You'll have to add the following line at the absolute end of email.php, located here: /var/www/YOURWEBSITE/administrator/components/com_chronoforms5/chronoforms/actions/email/email.php:

require_once '/usr/share/php/Crypt/GPG.php';

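Further, we had to change (around line 244) in the same file gpg = new Crypt_GPG(); to gpg = new \Crypt_GPG(); as described in the Chronoforms forum post "Email Encryption Problem." The leading backslash tells PHP to look up Crypt_GPG in the global namespace instead of the namespace the component's code is declared in. Said simply, add the \ backslash but nothing else from the post.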

At this point it's time to test the form again. The form won't behave any differently in the browser with encryption enabled. If you get a red error message such as "key not found" you'll have to re-check the keyring copied to the www-data owned .gnupg folder in your web server location. Navigate to it directly with cd /var/www/.gnupg and then use apt-key list again to review.
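The keyring check described above, as an added example rather than anything from the original post or from Chronoforms: since apt-key list reports APT's own trusted keyring, this script inspects /var/www/.gnupg directly for the 700/600 modes and asks gpg, as www-data, whether the key ID is present and usable. Ownership by www-data and the function names are assumptions; D9002845 is the sample key ID from above.

```shell
#!/bin/sh
# Added example. Defaults mirror the article: /var/www/.gnupg, www-data,
# and the sample key ID D9002845. Function names are hypothetical.

# Print every path under $1 with the wrong mode or owner; return 1 if any.
# Directories must be 700 and regular files 600, all owned by $2
# (ownership by the web server user is an assumption of this example).
audit_gnupg_home() {
    dir=${1:-/var/www/.gnupg}
    owner=${2:-www-data}
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    bad=$(
        find "$dir" -type d ! -perm 700 -exec echo "mode, want 700:" {} \;
        find "$dir" -type f ! -perm 600 -exec echo "mode, want 600:" {} \;
        find "$dir" ! -user "$owner" -exec echo "owner, want $owner:" {} \;
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Ask gpg, running as the web server user, whether the key ID is in that
# keyring and whether a throwaway message can be encrypted to it.
check_key_as_web_user() {
    dir=${1:-/var/www/.gnupg}
    keyid=${2:-D9002845}
    owner=${3:-www-data}
    sudo -u "$owner" gpg --homedir "$dir" --batch --list-keys "$keyid" \
        >/dev/null 2>&1 || { echo "key $keyid not found in $dir"; return 1; }
    echo "test" | sudo -u "$owner" gpg --homedir "$dir" --batch \
        --trust-model always --armor --encrypt --recipient "$keyid" \
        >/dev/null 2>&1 || { echo "cannot encrypt to $keyid"; return 1; }
    echo "ok: $owner can encrypt to $keyid"
}

# Usage on the server (run as root):
#   audit_gnupg_home && check_key_as_web_user
```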


In your email client your encrypted email will appear as an ASCII-armored block that begins with -----BEGIN PGP MESSAGE----- and ends with -----END PGP MESSAGE-----.


At this point you can install the Thunderbird add-on Enigmail. Run Enigmail's Setup Wizard and select the Import OpenPGP Keys > I have existing public and private keys that I would like to import. Simply select your public and private key and select Continue. You will be asked to enter your key's passphrase.


At this point check your encrypted message from your Chronoforms form. The encrypted message will now decrypt automatically in Thunderbird into a plain text message (oddly enough with the HTML form brackets).

 

We hope this tutorial inspires you to generate your own GPG keys and start using secured, encrypted email. If you need help with this process for your family and/or your business PLEASE DO NOT HESITATE to send us an encrypted email or use our normal contact page. Visitors can of course opine publicly in the comments section.


Casually ask your HR department or your Finance Department or your Tax Preparer just how much they've sent through the Internet without securing email; it will shock and anger you. By the way, your chipped debit card with the mag strip isn't encrypted either (just the chip).

You can also send an encrypted SMS message to us through Signal Messenger through our posted phone number. Get safe with web design and development from Grip Fast Information Services and Technology today!

 


About the Writer
Author: Chris Lessley
A server admin, dev ops warrior and website designer since 2002, Chris is a lover of all things Linux and open-source! Each blog topic has been tested by fire in the real world and shared with the hope to help others. Chris' other interests include fine art and the humanities in the classical tradition and can be found writing for our partner-site gripfastartworks.com.
