Secure E-mail

E-mail is inherently insecure.  It is comparable to sending a post card: any message sent by e-mail could be read by any number of people, including those monitoring the network path, the servers that process the message along its route, or anyone with access to the remote computer.  Basically, you should treat any information transmitted via e-mail as potentially ending up public.  While there have been improvements with servers using STARTTLS to encrypt the hop between them, there are too many places where the message is not protected.  The only true way to protect your message is to use end-to-end encryption.

There are two preferred methods for providing end-to-end encryption and authentication via e-mail: S/MIME and PGP.  S/MIME uses X.509 certificates to protect messages.  These certificates are generally issued by a certificate authority and aren’t widely used outside of homogeneous organizations (the DoD uses X.509 certificates for e-mail protection within its enclave and when working with contractors).  PGP is probably a better solution for individuals, as it doesn’t require a certificate authority and is easily set up.  The use of a hardware security module (HSM) is highly recommended, since computers can be targeted and keys can be stolen.  If an HSM is stolen, the private key cannot be recovered without the passphrase, and the device will self-destruct if the wrong passphrase is entered too many times.  The OpenPGP card can work as an HSM, and a Gemalto USB Shell Token works as a great interface device.  Other good choices are the Crypto Stick or the Yubico YubiKey NEO, which provides PGP key storage but requires some hacking.

It should be noted that my use of PGP should be read as synonymous with OpenPGP and GnuPG (GPG).  I’ve not used PGP in many years, so I don’t know how well it’s supported.  I use GPG constantly and have no problems with it.  Getting it set up with your e-mail program will likely cause some headaches.  Thunderbird uses a plugin called Enigmail.  Other e-mail programs, including mutt, support GPG natively.
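To make the end-to-end property concrete, here is an added example (not from the original post) of the GPG round trip an e-mail client performs: the sender signs and encrypts, an intermediary sees only ASCII armour, and the recipient decrypts and verifies the signature.  It assumes GnuPG 2.1 or later and POSIX sh; the identities, passphrase-less keys and message are constructed, and everything runs in a throwaway GNUPGHOME so your real keyring is untouched.

```shell
#!/bin/sh
# Constructed end-to-end round trip with GnuPG. A real user would keep the
# private key on a smart card or token as recommended above; here the keys
# are software keys generated only for this demonstration.
set -u

gpg_email_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo skip; return 0; }
    tmpd=$(mktemp -d) || return 1
    chmod 700 "$tmpd"
    export GNUPGHOME="$tmpd"
    # Constructed identities; "never" = no expiry, fine for a throwaway keyring.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Alice <alice@example.com>' default default never 2>/dev/null || return 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Bob <bob@example.com>' default default never 2>/dev/null || return 1
    # Sender side: sign with Alice's key, encrypt to Bob's key, ASCII-armour
    # the result so it can travel in a plain e-mail body.
    printf 'Meeting moved to 10:00.\n' > "$tmpd/msg.txt"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --trust-model always \
        --local-user alice@example.com --recipient bob@example.com \
        --armor --sign --encrypt --output "$tmpd/msg.asc" "$tmpd/msg.txt" 2>/dev/null || return 1
    # What a relay or mailbox provider sees is only the armoured ciphertext.
    grep -q 'BEGIN PGP MESSAGE' "$tmpd/msg.asc" || return 1
    grep -q 'Meeting' "$tmpd/msg.asc" && return 1
    # Recipient side: decrypt with Bob's key and verify Alice's signature via
    # the machine-readable status lines (GOODSIG), as a mail client would.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --status-fd 3 --output "$tmpd/out.txt" --decrypt "$tmpd/msg.asc" \
        3>"$tmpd/status" 2>/dev/null || return 1
    grep -q '^\[GNUPG:\] GOODSIG' "$tmpd/status" || return 1
    cmp -s "$tmpd/msg.txt" "$tmpd/out.txt" || return 1
    gpgconf --kill all 2>/dev/null
    rm -rf "$tmpd"
    echo ok
}
```

The function prints `ok` on a successful round trip and `skip` when no `gpg` binary is available.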
