To be an encrypted ninja or not to be...

It's a matter of debate whether or not foreign powers hacked into Hillary Clinton's private email servers. There is consensus, however, that the private email server was hacked, and this is precisely how emails can easily get leaked. To solve this sort of problem you can either have Hillary and Hillary's friends become ninjas at cryptography, have cryptography tools become mainstream and transparent, or find some middle ground solution. For this year's 2017 Hackweek at SUSE and Aaron Swartz Day I worked on a middle ground solution as a proof of concept using GPG, forcing all emails incoming to you to be encrypted, even if you use gmail or yahoo to store your emails. In this post I will explain the motivation for this work and document how to accomplish it yourself, should you want to implement it.

Motivation

Emails sent to you when you are using popular email servers such as gmail or yahoo get encrypted only on the wire, as they make their way onto email servers hosted by the companies that provide these services. The emails are, however, stored unencrypted. The same goes for typical private email servers. You are left at the whims of the security best practices of these companies, and even if you did have your own private email server, getting things done right requires substantial work. In fact, even if you used a good company to store your email, you may still face issues with ensuring your email privacy remains outside of the control of intelligence agencies, which may argue they should be able to read everyone's email.

Reasons for wanting your emails stored with good cryptography vary but here are a few reasons:

  • You're a politician
  • You're a therapist
  • You're a journalist
  • You're a human rights advocate
  • You just give a damn about privacy


For most people's day to day, the below diagram simplifies and reveals how email transactions work, Exhibit-A:


One solution to this is to have everyone, for example, use encryption tools when crafting and sending emails, Exhibit-B:


This is a bit unrealistic, however for some folks this is possible, for instance if you're a journalist working with very sensitive material. If you fall into one of the categories below you might not be able to get to this point:

  • You're a human rights watch group worker dealing with folks who can't easily become ninjas... 
  • You're a therapist, who obviously deals with folks who don't even care about what a crypto ninja is
  • You're a politician and just want to encrypt everything
  • You want to open up your email on a certain date and use an escrow to stash your PGP key, such key becomes public after certain date
  • You want to ask company admins to setup a secure and sensible way to forward some company emails to a public mail server safely (say, a way to get work email on public servers)
  • You just care about cryptography
  • You cannot trust your email provider's data store at all
  • You don't want your data to be scraped by the company hosting it

Making cryptography more easily accessible is a much better approach. Such good efforts exist. One example I found was FlowCrypt, which lets you use Public Key Cryptography; however, that does mean trusting a private key kept in the plugin's local store. Another effort, which doesn't use Public Key Cryptography, is SecureGmail by Streak: you encrypt emails using a one way cipher. Both of these, and similar solutions, still require some effort or deploying some sort of software on the sender's side.

What I've worked on means as a ninja, or if you have a ninja friend, you get the benefit of having your emails stored on your preferred email server encrypted, provided you can trust a particular middle service provider I'll describe how to set up, and you can get it secured. You end up with the following, Exhibit-C:

To accomplish this we need a middle end system which does the actual encryption for you using your public key. Email providers such as Google, Yahoo, and others won't do this for us today, and they have some reasons not to. By scraping your email they get the ability to provide search facilities, they get to scrape emails as they might legally see fit, and they get to advertise to you. This is how they make money off of storing our emails for free. Using a middle layer to encrypt your email is reflected in the following diagram, Exhibit-D:

One must admit that this shifts trust to the particular server admin who sets this server up, and to the setup itself to parse and bounce emails to your preferred email server properly. Your emails are still at risk, but they are not stored on the middle server if done properly; they are just being piped through. Also, with unencrypted emails even your old emails are at risk: once an email server is compromised, all your emails stored on that server are at risk. With a super simple service such as the one I am describing, it would be fairly easy to monitor against attacks and only protect one thing: receive encrypted emails via TLS, encrypt them right away without writing them to disk, and immediately bounce them. Nothing unencrypted lands on disk or storage.

How do I get this?

If you're curious to try it for a few test cases, and you trust me for such test cases, shoot me an email and I can set you up with an account on my proof of concept email system, encrypted.ninja. Any email sent to that address will be immediately bounced back to you, encrypted with your PGP key.

I would not recommend using this setup just as-is though. It'd be best to have spam detection done on your behalf; otherwise your email provider's spam detection tool may not pick up spam, and you end up getting tons of spam.

As such, this is just a proof of concept at this point.

How do I replicate your setup?

Even though this uses PGP keys to encrypt data, you'll need to set up an email server with proper TLS certificates to encrypt communication with senders and when bouncing emails to email servers. Fortunately letsencrypt can give you a free certificate; it must be renewed (easy to do). The same SSL certificate you get from them for your apache setup can be used for email as well. So the first thing you should do is get a DNS name, then get a simple website up with an SSL certificate from letsencrypt.

If you have control over the email server you may not want to give a full shell login account to all users, but just an email alias. I used postfix for my email server, as it's easy to set up and has some hooks we'll use later. So get postfix installed and set up; there is no need to set up TLS at first. Just get it receiving emails locally. Once that works, configure postfix with the same SSL certificate you used for your apache setup. The following is my setup, roughly.


You'll then need to edit /etc/postfix/master.cf and add the following pgphook line, and replace your smtp line with the one below as well:

pgphook unix - n n - - pipe flags=F user=www-data argv=/opt/bin/mail2pgp.sh ${sender} ${size} ${recipient}
smtp inet n - - - - smtpd -o content_filter=pgphook:dummy


Then setup virtual aliases, /etc/postfix/address.txt looks like this:

mcgrof@encrypted.ninja FILTER pgphook:dummy

Add more entries per email address you want to add. After updating it you must run:

postmap /etc/postfix/address.txt

Then it's all a matter of just one script and one procmailrc file, and ensuring the script, its gpg directory, and keyring are all owned by the user the email server runs as. That's it.

I stashed the script, procmailrc and gpg directory and keyring for the email server in:

/opt/mail2pgp/
mkdir /opt/mail2pgp/.gnupg
chmod o-rwx /opt/mail2pgp/.gnupg
chmod g-rwx /opt/mail2pgp/.gnupg
sudo chown -R www-data /opt/mail2pgp/

To create a keyring with keys, or update them later with new keys as you update the alias file, and script provided later:

gpg --search-keys hexkeyid
gpg --export --output keyring.gpg
cp keyring.gpg /opt/mail2pgp/keyring.gpg

The script:


You'll also need a MIME preamble, and postfix:


And finally, the procmailrc file:


That's it. In fact, you can use the MIME preamble and postfix and procmailrc file as a template on a system you *don't* have root on to bounce encrypted emails out to you in a much more secure way as well.
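An added example, not the author's mail2pgp.sh: a minimal filter for the pgphook pipe above that turns the message on stdin into a PGP/MIME (RFC 3156) message on stdout without writing plaintext to disk, and fails closed if encryption fails. It assumes the keyring holds a key whose user ID carries the alias address; the function names and the GNUPG_DIR/KEYRING variables are illustrative, and handing the result on to the final mailbox is left to the caller.

```shell
#!/bin/sh
# Added example, not the author's mail2pgp.sh. Paths follow the page.
GNUPG_DIR=${GNUPG_DIR:-/opt/mail2pgp/.gnupg}
KEYRING=${KEYRING:-/opt/mail2pgp/keyring.gpg}

# Headers that stay readable on the outer message (From, To, Subject, ...).
# Content-* and MIME-Version are dropped, folded lines included, because the
# outer message gets its own multipart/encrypted content headers.
outer_headers() {
    awk '
        NR == 1 && /^From / { next }    # mbox line prepended by flags=F
        body                { next }
        /^$/                { body = 1; next }
        /^[ \t]/            { if (!skip) print; next }
        { skip = (tolower($0) ~ /^(content-[a-z-]+|mime-version):/) }
        !skip               { print }
    '
}

# The MIME entity that gets encrypted: the original Content-* headers, a
# blank line, then the body as received.
inner_entity() {
    awk '
        body     { print; next }
        /^$/     { body = 1; print ""; next }
        /^[ \t]/ { if (keep) print; next }
        { keep = (tolower($0) ~ /^content-[a-z-]+:/) }
        keep     { print }
    '
}

# Encrypt stdin to the key whose user ID has exactly this address (assumed to
# be in the keyring). "--trust-model always" is needed because nothing on
# this host has certified the imported keys.
encrypt_entity() {
    gpg --batch --no-tty --homedir "$GNUPG_DIR" \
        --no-default-keyring --keyring "$KEYRING" \
        --trust-model always --armor --encrypt --recipient "<$1>"
}

# $1 = recipient address. The plaintext lives only in a shell variable and in
# pipes: no temp files and no here-documents, which some shells back with
# temp files. Nothing is printed unless encryption succeeded.
pgp_mime() {
    msg=$(cat) || return 75
    cipher=$(printf '%s\n' "$msg" | inner_entity | encrypt_entity "$1") || return 75
    [ -n "$cipher" ] || return 75
    boundary="pgpmime-$$-$(date +%s)"
    printf '%s\n' "$msg" | outer_headers
    printf '%s\n' 'MIME-Version: 1.0' \
        'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";' \
        " boundary=\"$boundary\"" \
        '' \
        "--$boundary" 'Content-Type: application/pgp-encrypted' '' 'Version: 1' '' \
        "--$boundary" 'Content-Type: application/octet-stream' '' "$cipher" \
        "--$boundary--"
}

# Postfix runs: mail2pgp.sh ${sender} ${size} ${recipient}
# Exit 75 (EX_TEMPFAIL) makes postfix defer the mail rather than lose it or
# pass it on unencrypted.
if [ "$#" -eq 3 ]; then
    pgp_mime "$3" || exit 75
fi
```

The outer headers, Subject included, still travel and are stored in the clear; only the body and its content headers are encrypted.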

Now I'll surely see someone try to hack this server :) and I'm sure they will ;)
