To be an encrypted ninja or not to be...

It is still debated whether or not foreign powers hacked into Hillary Clinton's private email server. There is consensus, however, that the private email server was hacked, and this is precisely how emails can easily get leaked. To solve this sort of problem you can either have Hillary and Hillary's friends become ninjas at cryptography, have cryptography tools become mainstream and transparent, or find a middle ground solution somehow. For this year's 2017 Hackweek at SUSE and Aaron Swartz Day I have worked on a middle ground solution as a proof of concept using GPG, forcing all incoming emails to you to be encrypted, even if you use Gmail or Yahoo to store your emails. In this post I will explain the motivation for such work, and document how to accomplish this yourself, should you want to implement it.

Motivation

Emails sent to you when you use popular email services such as Gmail or Yahoo are encrypted only on the wire, as they make their way to the email servers hosted by the companies that provide these services. Once there, the emails are stored unencrypted. The same goes for typical private email servers. You are left at the whims of the security practices of these companies, and even if you did run your own private email server, getting things right requires substantial work. In fact, even if you used a good company to store your email, you may still face issues ensuring your email privacy remains outside the control of intelligence agencies, which may argue they should be able to read everyone's email.

Reasons for wanting your emails stored with good cryptography vary, but here are a few:

  • You're a politician
  • You're a therapist
  • You're a journalist
  • You're a human rights advocate
  • You just give a damn about privacy


For most people's day to day, the diagram below simplifies and reveals how email transactions work, Exhibit-A:


One solution to this is to have everyone, for example, use encryption tools when crafting and sending emails, Exhibit-B:


This is a bit unrealistic; for some folks, though, it is possible, for instance if you're a journalist working with very sensitive material. If you fall into one of the categories below you might not be able to get to this point:

  • You're a human rights watch group worker dealing with folks who can't easily become ninjas...
  • You're a therapist, who obviously deals with folks who don't even care about what a crypto ninja is
  • You're a politician and just want to encrypt everything
  • You want to open up your email on a certain date and use an escrow to stash your PGP key, such that the key becomes public after a certain date
  • You want to ask company admins to set up a secure and sensible way to forward some company emails to a public mail server safely (say, a way to get work email on public servers)
  • You just care about cryptography
  • You cannot trust your email provider's data store at all
  • You don't want your data to be scraped by the company hosting it

Making cryptography more easily accessible is a much better approach. Such good efforts exist; one example I found was FlowCrypt, which lets you use public key cryptography, however that does mean having to trust a private key held locally by a plugin from the plugin store. Another effort, which doesn't use public key cryptography, is SecureGmail by Streak, where you encrypt emails using a one-way cipher. Both, and similar solutions, still require some effort or deploying some sort of software on the sender's side.

What I've worked on means that as a ninja, or if you have a ninja friend, you get the benefit of having your emails stored encrypted on your preferred email server, provided you can trust a particular middle service provider, which I'll describe how to set up and secure. You end up with the following, Exhibit-C:

To accomplish this we need a middle system which does the actual encryption for you using your public key. Email providers such as Google, Yahoo, and others won't do this for us today, and they have their reasons not to. By scraping your email they get the ability to provide search facilities, they get to mine emails as they might legally see fit, and they get to advertise to you. This is how they make money off of storing our emails for free. Using a middle layer to encrypt your email is reflected in the following diagram, Exhibit-D:

One must admit that this shifts trust to the particular server admin who sets this server up, and to the setup parsing and bouncing emails to your preferred email server properly. Your emails are still at risk, but if done properly they are not stored on the middle server; they are just piped through. Also, with unencrypted email even your old emails are at risk: once an email server is compromised, all emails stored on that server are exposed. With a super simple service such as the one I am describing, it would be fairly easy to monitor for attacks, since it only has to protect one thing: receive emails via TLS, encrypt them right away without writing them to disk, and immediately bounce them. Nothing unencrypted lands on disk or storage.

How do I get this?

If you're curious to try it for a few test cases, and you trust me for those test cases, shoot me an email and I can set you up with an account on my proof of concept email system, encrypted.ninja. If an email is sent to that address, it will be immediately bounced back to you, encrypted with your PGP key.

I would not recommend you use this setup just as-is though; it'd be best to have spam detection done on your behalf, otherwise your email provider's spam detection tool may not pick up spam once it is encrypted, and you end up getting tons of spam.

As such, this is just a proof of concept at this point.

How do I replicate your setup?

Even though this uses PGP keys to encrypt the data, you'll still need an email server with proper TLS certificates, to encrypt the communication with senders and when bouncing emails to other email servers. Fortunately Let's Encrypt can give you a free certificate; it must be renewed periodically (easy to do). The same certificate you get from them for your Apache setup can be used for email as well. So the first thing you should do is get a DNS name, then get a simple website up with a certificate from Let's Encrypt.

If you have control over the email server you may not want to give a full shell login account to all users, just an email alias. I used postfix for my email server, as it's easy to set up and has some hooks we'll use later. So get postfix installed and set up; no need to set up TLS at first, just get it receiving emails locally. Once that works, point your postfix configuration at the same certificate you used for your Apache setup. The following is my setup, roughly.


You'll then need to edit /etc/postfix/master.cf and add the following pgphook line, and replace your smtp line with the one below as well:

pgphook unix - n n - - pipe flags=F user=www-data argv=/opt/bin/mail2pgp.sh ${sender} ${size} ${recipient}
smtp inet n - - - - smtpd -o content_filter=pgphook:dummy


Then set up the virtual aliases; /etc/postfix/address.txt looks like this:

mcgrof@encrypted.ninja FILTER pgphook:dummy

Add one entry per email address you want to handle. After updating it you must run:

postmap /etc/postfix/address.txt

Then it's all a matter of just one script and one procmailrc file, and ensuring the script, its gpg directory, and keyring are all owned by the user the email server runs the hook as. That's it.

I stashed the script, the procmailrc, and the email server's gpg directory and keyring in /opt/mail2pgp/, set up as follows:

mkdir /opt/mail2pgp/.gnupg
chmod o-rwx /opt/mail2pgp/.gnupg
chmod g-rwx /opt/mail2pgp/.gnupg
sudo chown -R www-data /opt/mail2pgp/

To create the keyring, or to update it later with new keys as you add entries to the alias file (and to the script provided later):

gpg --search-keys hexkeyid
gpg --export --output keyring.gpg
cp keyring.gpg /opt/mail2pgp/keyring.gpg

The script:


You'll also need a MIME preamble and postfix (the boilerplate placed before and after the encrypted part):


And finally, the procmailrc file:


That's it. In fact, you can use the MIME preamble and postfix and the procmailrc file as a template on a system you *don't* have root on, to bounce encrypted emails out to you in a much more secure way as well.
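As an added example (not the author's mail2pgp.sh, which is not reproduced on this page), here is a Python version of the pipe(8) step from the master.cf line above: it takes the original message on stdin, keeps only the Content-* headers plus body as the entity to encrypt, wraps the gpg output in an RFC 3156 multipart/encrypted body with its preamble, and writes the result to stdout for the procmail step. The gpg paths are the post's /opt/mail2pgp ones; the /opt/bin/mail2pgp.py filename and the `encrypt` parameter (a hook so the MIME assembly can be exercised without gpg) are assumptions.

```python
"""Postfix pipe(8) filter wrapping an incoming message in PGP/MIME (RFC 3156).
Added example, not the author's mail2pgp.sh; master.cf would run it as
argv=/opt/bin/mail2pgp.py ${sender} ${size} ${recipient} with the message on
stdin, and the encrypted result goes to stdout for the procmail step."""
import subprocess
import sys
from email import encoders
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.parser import BytesHeaderParser

GNUPG_HOME = "/opt/mail2pgp/.gnupg"   # paths from the post
KEYRING = "/opt/mail2pgp/keyring.gpg"
# Routing headers left readable on the outer message; everything else is encrypted.
KEEP_HEADERS = {"from", "to", "cc", "subject", "date", "message-id",
                "in-reply-to", "references"}

def gpg_encrypt(plaintext: bytes, recipient: str) -> bytes:
    """Armour-encrypt to `recipient`; --trust-model always because every key in
    the filter's own keyring was put there deliberately by the admin."""
    cmd = ["gpg", "--batch", "--quiet", "--homedir", GNUPG_HOME,
           "--no-default-keyring", "--keyring", KEYRING, "--trust-model", "always",
           "--armor", "--encrypt", "--recipient", recipient]
    return subprocess.run(cmd, input=plaintext, stdout=subprocess.PIPE, check=True).stdout

def split_message(raw: bytes):
    """Split raw RFC 5322 bytes into (header block, body) at the first blank line."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        i = raw.find(sep)
        if i != -1:
            return raw[:i + len(sep) // 2], raw[i + len(sep):]
    return raw, b""

def pgp_mime_entity(raw: bytes) -> bytes:
    """Entity to encrypt: original Content-* headers + untouched body (keeps attachments)."""
    header_block, body = split_message(raw)
    nl = b"\r\n" if header_block.endswith(b"\r\n") else b"\n"
    kept, keep = [], False
    for line in header_block.splitlines(keepends=True):
        if line[:1] not in (b" ", b"\t"):   # a new header, not a folded continuation
            keep = line.lower().startswith(b"content-")
        if keep: kept.append(line)
    return b"".join(kept) + nl + body

def wrap_pgp_mime(raw: bytes, recipient: str, encrypt=gpg_encrypt) -> bytes:
    """Build the outer multipart/encrypted message around the ciphertext."""
    original = BytesHeaderParser().parsebytes(split_message(raw)[0])
    ciphertext = encrypt(pgp_mime_entity(raw), recipient)
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer.preamble = "This is an OpenPGP/MIME encrypted message (RFC 4880 and 3156)."
    for name, value in original.items():
        if name.lower() in KEEP_HEADERS:
            outer[name] = value
    # RFC 3156 ordering: control part first, then the ASCII-armoured ciphertext.
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted", encoders.encode_7or8bit))
    outer.attach(MIMEApplication(ciphertext, "octet-stream", encoders.encode_7or8bit,
                                 name="encrypted.asc"))
    return outer.as_bytes()

def main() -> None:
    _sender, _size, recipient = sys.argv[1:4]   # argument order from the master.cf line
    sys.stdout.buffer.write(wrap_pgp_mime(sys.stdin.buffer.read(), recipient))

if __name__ == "__main__":
    main()
```

Because the message only ever moves between stdin, the gpg pipe and stdout, the plaintext is never written under /opt/mail2pgp or anywhere else on the box.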

Now I'll surely see someone try to hack this server :) and I'm sure they will ;)
