Securing email
From CoolSolutionsWiki
Secure Email: increasing the security of email communications.
Option 1
For a secure email client I recommend Thunderbird.
- It has an adaptive junk-mail filter that learns from the messages you mark as junk.
- It does NOT auto-load remote images, so you control what you see in your inbox, and a sender cannot confirm that you opened a message by watching for the image download.
- It runs on Linux and Windows.
- It does POP3 and IMAP over SSL/TLS (or STARTTLS), which means your username, password and mail are NOT sent across the NET in clear text. Check this in each account's Server Settings: the connection must be set to use SSL/TLS (or STARTTLS), not left unencrypted; a plain-text login on port 110 or 143 is exactly what this is meant to prevent.
- It has an OpenPGP plugin (Enigmail, below) that lets you SIGN and ENCRYPT email messages using GnuPG.
COOKBOOK:
- Download and install Thunderbird from: http://www.mozilla.com/thunderbird/
- Download and install Enigmail, the OpenPGP plugin for Thunderbird that does the signing and encryption (see the Enigmail Quickstart guide).
- Enigmail calls GnuPG to do the actual cryptography, so if you don't have GnuPG installed you'll need to install it. On SuSE Linux just find it in YaST. On Windows, go to: http://www.gnupg.org/download/ (Version 1.4.8 is the minimum requirement)
- After you install the Enigmail plugin, restart Thunderbird.
TIPS
Once installed, create ONE public/private key pair (if you don't already have one) and upload the PUBLIC key to a "Key Server", so others can download it and use it to encrypt mail to you. The private key never leaves your machine; back it up (encrypted) somewhere safe.
To create a key:
Menu Selections:
In Main Thunderbird Window
- OpenPGP | Key Management
Then OpenPGP Key Management Window
- Generate | New Key Pair
Specifics:
1. Select the initial Account or User ID for your key (you can add more later by right-clicking on your key and selecting Manage User IDs).
2. Set a passphrase. The passphrase encrypts the private key on disk; without one, anyone who can read your files (a stolen laptop, a shared account, a backup) can use the key to decrypt every message that was ever sent to you encrypted.
3. Advanced tab: this allows you to increase the default key size and change the key type/algorithm.
4. Start using the PC (typing, moving the mouse) immediately after clicking the Generate Key button; key generation needs the randomness your activity provides.
5. As soon as the key exists, create a revocation certificate and keep it offline. It is the only way to tell the world the key is no longer good if you lose the private key or forget the passphrase.
To find other people's public Keys:
Main Thunderbird Window
- OpenPGP | Key Management
In OpenPGP Key Management Window
- Keyserver | Search for keys | enter the person's name or email address | Import.
Anyone can upload a key under anyone's name and email address to a key server, so a search result proves nothing about ownership. Before trusting or signing a key, contact the person listed as its owner through some other channel (phone, in person) and compare the full fingerprint, not just the 8-character key ID, which is cheap to fake. You do not have to sign or trust a key to use it, but until you have checked the fingerprint you do not know whom you are encrypting to.
Signing the key records that you have verified the owner; the certification level you choose indicates how thoroughly you checked.
Trusting the key (owner trust) is different: it says how much you rely on that person to check other people's keys before signing them. Personal friend, co-worker, customer/vendor: the more confident you are in their care, the more trust you can assign.
Once you have signed a key you can re-upload that public key to a key server. This lets others who have your public key see that you vouch for this person. This leads to a "Web of Trust".
Periodically refresh all the public keys you have downloaded (yours and others'). This picks up new signatures and, more importantly, revocations and expirations, so you stop encrypting to a key its owner has withdrawn.
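Added example (not part of the wiki page, and not Enigmail or GnuPG code): a small Python program that does the same check Enigmail does when it shows you a key's fingerprint. It parses an ASCII-armored OpenPGP public key with the standard library only, verifies the armor's CRC24, and derives the full fingerprint and the long and short key IDs from the key packet. The key it parses, `SAMPLE_KEY`, is a constructed sample built around a textbook toy RSA modulus (61*53), not a real key; paste in the output of `gpg --armor --export <keyid>` to run it on a key you fetched from a key server. The helper names (`tamper`, `armor_is_intact`, `build_rsa_public_key_packet`) are this example's own. Note how the 8-hex-digit short ID is just the tail of the fingerprint: compare the whole fingerprint with the owner, never the short ID.

```python
"""Added example (not from the wiki page): parse an ASCII-armored OpenPGP v4 public key with
the Python standard library, check the armor CRC, and derive the fingerprint and key IDs you
compare with the key's owner before signing or trusting a key fetched from a key server."""
import base64
import hashlib
import struct

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB

def crc24(data: bytes) -> int:
    """RFC 4880 6.1 checksum that trails every armored block as '=XXXX'."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(raw: bytes, label: str = "PUBLIC KEY BLOCK") -> str:
    """Radix-64 armor, the form 'gpg --armor --export' produces."""
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN PGP {label}-----", ""] + lines + ["=" + crc, f"-----END PGP {label}-----"])

def dearmor(armored: str) -> bytes:
    """Strip the armor; refuse data whose CRC24 does not match (corruption or tampering)."""
    lines = armored.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("missing armor header or footer")
    body = lines[1:-1]
    if "" in body:  # armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    raw = base64.b64decode("".join(body))
    if crc_line and crc24(raw) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC24 mismatch")
    return raw

def read_packet(data: bytes):
    """Return (tag, body, rest) for the first packet; handles old- and new-format headers."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:  # new format (RFC 4880 4.2.2)
        tag, l1 = first & 0x3F, data[1]
        if l1 < 192:
            length, off = l1, 2
        elif l1 < 224:
            length, off = ((l1 - 192) << 8) + data[2] + 192, 3
        else:
            raise ValueError("4-byte and partial body lengths not supported")
    else:  # old format (RFC 4880 4.2.1): length field is 1, 2 or 4 bytes
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        off = 1 + (1 << ltype)
        length = int.from_bytes(data[1:off], "big")
    return tag, data[off:off + length], data[off + length:]

def read_mpi(body: bytes, off: int):
    bits = struct.unpack(">H", body[off:off + 2])[0]   # 2-byte bit count, then big-endian magnitude
    end = off + 2 + (bits + 7) // 8
    return int.from_bytes(body[off + 2:end], "big"), end

def parse_public_key(armored: str) -> dict:
    """Decode a v4 public-key packet (tag 6) and compute its SHA-1 fingerprint (RFC 4880 12.2)."""
    tag, body, _ = read_packet(dearmor(armored))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a version 4 public-key packet")
    info = {"created": struct.unpack(">I", body[1:5])[0], "algorithm": body[5]}
    if info["algorithm"] in (1, 2, 3):  # RSA
        info["n"], off = read_mpi(body, 6)
        info["e"], _ = read_mpi(body, off)
    # fingerprint = SHA-1(0x99 || 2-byte body length || body); 0x99 is the old-style tag-6 header
    fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    info.update(fingerprint=fp, long_key_id=fp[-16:], short_key_id=fp[-8:])
    return info

def build_rsa_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Serialise a v4 RSA public-key packet (used here only to construct a sample; real keys come from gpg)."""
    mpi = lambda x: struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body

# Constructed sample (textbook toy modulus 61*53), NOT a real key; replace with your own gpg --armor --export output
SAMPLE_KEY = armor(build_rsa_public_key_packet(61 * 53, 17, 1_200_000_000))

def tamper(armored: str) -> str:
    """Change one radix-64 character of the key data, the kind of damage the CRC catches."""
    lines = armored.splitlines()
    i = next(i for i, ln in enumerate(lines) if ln and not ln.startswith(("-----", "=")))
    lines[i] = ("B" if lines[i][0] != "B" else "C") + lines[i][1:]
    return "\n".join(lines)

def armor_is_intact(armored: str) -> bool:
    try:
        dearmor(armored)
        return True
    except ValueError:
        return False
```

The fingerprint is SHA-1 over the public-key packet body prefixed with 0x99 and the two-byte length, which is exactly the old-format packet header gpg writes, so for a normal exported key the fingerprint is the SHA-1 of the key packet bytes as they sit in the file. `tamper` and `armor_is_intact` show that the CRC catches accidental corruption of a key pasted through email or a web page; it is not a security check, since anyone who can alter the key can recompute the CRC, which is why the fingerprint comparison with the owner is the step that matters.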
Sharing your public key automatically when you send people emails
Enigmail can add an "OpenPGP" header carrying your key ID to every message you send, so recipients (or their mail clients) can look up the right key on a key server instead of hunting for it manually. The header does not contain the key itself; to hand someone the key outright, attach your exported public key to the message.
To add the key ID header to outgoing mail:
In Main Window:
- Edit | Account Settings
In Account Settings window:
- OpenPGP Security | check "Send OpenPGP Key ID"
While this option appears to be a Per Account setting, it isn't. This will apply to all email accounts that have OpenPGP Security enabled.
Signing vs. Encrypting email
Encryption hides the content. The plugin generates a random one-time session key, encrypts the message body (and attachments) with it, and then encrypts that session key once for each recipient using that recipient's public key. Your own keys are not involved; a recipient needs only their own private key (and the passphrase that protects it) to read the message. Encryption alone says nothing about who sent the message.
Signing does not hide anything. The plugin hashes the message and transforms the hash with your private key; anyone who has your public key can check that the message has not been changed since you signed it and that it came from the holder of your private key. This guarantees integrity and origin, not confidentiality.
You can also sign AND encrypt (the message is signed first, then the signed message is encrypted), which is the normal choice. The two protect against different things: a legitimate recipient can decrypt a message, change it and re-encrypt it to a third party, but cannot produce your signature on the changed text without your private key, so the signature check will fail. Conversely, a signed but unencrypted message is readable by everyone on the path.
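Added example (not from the page, and not how Enigmail or GnuPG are implemented): a toy Python model of the OpenPGP sign-then-encrypt flow, written to show which key each step needs. It uses textbook RSA without padding and a SHA-256 counter-mode keystream, both chosen only so it runs on the standard library; it is not safe for anything real. All names in it (`keygen`, `scenario`, the "wrapped"/"ciphertext" package layout, the 512-bit toy key size) are this example's own. `scenario()` has Alice sign and encrypt a message to Bob and Eve, has Bob decrypt it with only his own private key and verify it with Alice's public key, and then has Eve, who can legitimately decrypt it, change the text and re-encrypt it to Bob while Alice's original signature stays attached.

```python
"""Added example (not from the wiki page): a toy OpenPGP-style sign-then-encrypt flow that shows
who needs which key.  Textbook RSA with no padding plus a hash-based stream cipher, chosen only
so it runs on the standard library; never use this to protect real mail."""
import hashlib
import secrets

KEY_BITS = 512          # toy size so keygen is instant; real keys are 2048 bits or more
SIG_BYTES = KEY_BITS // 8

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force the top bit and oddness
        if _is_probable_prime(cand):
            return cand

def keygen():
    """Return ((n, e), (n, d)): e is published, d is the secret the passphrase protects."""
    while True:
        p, q = _random_prime(KEY_BITS // 2), _random_prime(KEY_BITS // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return (p * q, 65537), (p * q, pow(65537, -1, phi))

def sign(private, message: bytes) -> int:
    """Signature = SHA-256 of the message transformed with the sender's PRIVATE key."""
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)

def verify(public, message: bytes, sig: int) -> bool:
    """Anyone holding the sender's PUBLIC key can check the signature; no secret is needed."""
    n, e = public
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")

def _keystream(key: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(recipients: dict, plaintext: bytes) -> dict:
    """Hybrid encryption as OpenPGP does it: one random session key, wrapped once per recipient
    with that recipient's PUBLIC key. The sender's own keys play no part."""
    session_key = secrets.token_bytes(32)
    k = int.from_bytes(session_key, "big")
    return {"wrapped": {name: pow(k, e, n) for name, (n, e) in recipients.items()},
            "ciphertext": _xor(plaintext, _keystream(session_key, len(plaintext)))}

def decrypt(name: str, private, package: dict) -> bytes:
    """Only the recipient's own PRIVATE key is needed to recover the session key and the text."""
    n, d = private
    session_key = pow(package["wrapped"][name], d, n).to_bytes(32, "big")
    return _xor(package["ciphertext"], _keystream(session_key, len(package["ciphertext"])))

def sign_and_encrypt(sender_priv, recipients: dict, message: bytes) -> dict:
    return encrypt(recipients, message + sign(sender_priv, message).to_bytes(SIG_BYTES, "big"))

def decrypt_and_verify(name: str, my_priv, sender_pub, package: dict):
    plain = decrypt(name, my_priv, package)
    message, sig = plain[:-SIG_BYTES], int.from_bytes(plain[-SIG_BYTES:], "big")
    return message, verify(sender_pub, message, sig)

def scenario() -> dict:
    """Alice writes to Bob and Eve; Eve, a legitimate recipient, edits the text and re-encrypts it to Bob."""
    alice_pub, alice_priv = keygen()
    bob_pub, bob_priv = keygen()
    eve_pub, eve_priv = keygen()
    message = b"Meet at 10:00 in room 4. -- Alice"
    package = sign_and_encrypt(alice_priv, {"bob": bob_pub, "eve": eve_pub}, message)
    # Bob needs only his own private key to read it and Alice's PUBLIC key to verify it
    bob_msg, bob_ok = decrypt_and_verify("bob", bob_priv, alice_pub, package)
    # Eve can decrypt, edit and re-encrypt to Bob, but Alice's signature still covers the original text
    tampered = decrypt("eve", eve_priv, package).replace(b"10:00", b"11:00")
    forged_msg, forged_ok = decrypt_and_verify("bob", bob_priv, alice_pub, encrypt({"bob": bob_pub}, tampered))
    return {"bob_reads_original": bob_msg == message, "original_verifies": bob_ok,
            "bob_reads_tampered": forged_msg == message.replace(b"10:00", b"11:00"),
            "tampered_verifies": forged_ok}
```

Two things to take from the result: Bob needs nothing of Alice's to decrypt, only to verify; and Eve's altered copy decrypts perfectly but fails the signature check, because the hash of the new text can only be transformed with Alice's private key. Real OpenPGP additionally puts an integrity tag (the MDC) inside the encrypted data and uses padded RSA and a proper signature packet; this toy omits all three, which is why it must never be used for real mail.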
Option 2
If you prefer web mail (in a web browser), then you'll like the FireGPG extension for Firefox. It lets you encrypt, decrypt, sign and verify text inside the browser, so it can be used with Google Mail, a corporate web mail front end, and so on.
FireGPG was written with Google Mail in mind and adds Sign, Encrypt and Decrypt buttons to the Gmail page when composing or reading a message. With other web mail, select the text in the email you wish to encrypt, then go to the Firefox menu Tools | FireGPG | and select your option. A list of the public keys in your keyring pops up; make sure to select the appropriate public key for your recipient. A new window pops up with the encrypted text. Copy all of it and paste it over the original text in your email; when done, make sure none of the original plaintext is left, then send the email. If you can, write sensitive text in a local editor rather than in the web mail form: web mail autosaves drafts, so the plaintext may already have been stored on the provider's server before you replace it.
FireGPG doesn't give the kind of key-management control that Enigmail and Thunderbird do, so it is still recommended to download Thunderbird, Enigmail and, if needed, GnuPG and manage your keys there (see above); FireGPG calls the same GnuPG installation and uses the same keyring.
- Google and download firefox
- Google and download fireGPG
Option 3
Running GroupWise?
Fact
GroupWise 6.5.2
Symptom
How to securely send and receive email.
Symptom
How to digitally sign email.
Symptom
How to encrypt email.
Fact
Internal GroupWise email is encrypted by Novell’s proprietary encryption.
Fix
Disclaimer: NTS does not endorse this method. This is just a simple and free way to encrypt email. For Novell recommended methods and partners see http://www.novell.com/products/groupwise/certified.html
Less convenient, but increased assurance:
Fix
Summary:
The sender and receiver each need a key pair with a certificate (the public key, signed by a certificate authority) and must exchange their certificates. Once each side has the other's certificate, messages can be encrypted. In GroupWise the certificate travels inside a digitally signed message, so sending each other one signed email is the whole exchange.
Obtain a Key:
FREE: http://loki.goateye.com/certsrv/certrqma.asp
Other non-free Keys: http://www.novell.com/products/groupwise/certified.html
Requesting a Free Key instructions:
http://loki.goateye.com/certsrv/certrqma.asp
Fill in your Name, Email address, Company, Department, City, State, Country.
For TYPE of Certificate needed, set: "Email Protection Certificate"
Key Options: "Create New Key set", CSP: "Microsoft ENHANCED Cryptographic Provider..."
Key Usage: Both (the certificate is then used for signing and for key exchange/encryption)
Key Size: make it as big as you want; the bigger the key, the slower the encrypt/decrypt process, and the harder it is to crack.
"Automatic key container name"
CHECK "Mark keys as exportable" (DON'T check "Export keys to file"). Exportable keys can later be backed up to a password-protected .pfx file; do that, because mail encrypted to a certificate whose private key has been lost cannot be read by anyone.
CHECK "Enable strong private key protection" (Windows then prompts, or asks for a password, each time the private key is used).
Request format: set to PKCS10
Friendly name, if you want (like "FLastname@novell.com secure key" or whatever).
Click Request, answer the questions that pop up, then click "Install this Certificate". Then in GroupWise: Tools | Options | Certificates | select your certificate/key | click Default. You will then either need to SEND someone a DIGITALLY SIGNED email, or they will need to send you one; once one person has received the other person's certificate (the public key, carried in the digital signature), the two of you will be able to send and receive ENCRYPTED email.
Send your public key to a co-worker:
Create a normal email message | Actions | Digital Signature | send the message to a co-worker. Your co-worker must also get a key and reply with their digital signature before you and they can encrypt messages to each other.
Possible problems:
1) Caching Mode: "Since you do not have an internet address, you cannot send a signed or encrypted msg to external users."
GroupWise Client 6.5.2 6/18/2004
See TID: 10093914
Concerns: the Subject line is NOT encrypted. S/MIME protects only the message body and attachments; the Subject, From, To and Date headers travel and are stored in the clear, so keep anything sensitive out of the Subject.
Non-encrypted email can be stored, accessed and audited for many years.
