Thanks to #efail, e-mail encryption with OpenPGP (and S/MIME) has received quite some attention recently. I want to take the opportunity to write a series of round-up articles on OpenPGP usage in my daily work: how to set it up and how to use it for maximum benefit, including security tokens like the Yubikey.
This article is part of our series "OpenPGP On The Job".
Everyone should do it!
It is becoming more and more common for customers to ask for encrypted and/or signed data exchange. Industrial espionage is on the rise, and a business's success may very well depend on important data being protected from theft or modification. However, I still notice people in IT struggling with, or hesitating to use, data privacy techniques. That should not happen in 2018. Arguably, tool support was lacking and usability was poor in the past, but that has changed quite a bit. There is no excuse anymore for not using any form of encryption. In my opinion, everyone working as an IT professional should know the basics and have a working setup available.
OpenPGP is my current tool of choice for this due to its widespread adoption, free availability and ease of use.
OpenPGP: What is it?
There is a huge amount of content on the internet with all sorts of details about the topic, so I will simplify things as much as possible:
- It's an open standard for signing, encrypting and decrypting any kind of data, especially e-mail and files.
- Signing means plausibly convincing a receiver that the received data has not been altered and comes from a known source.
- Encrypted data can only be read by receivers who are able to decrypt it, which secures it against eavesdropping by third parties.
OpenPGP: How does it work?
Again, there is a ton of information on the topic. Understanding the mathematical basics is quite challenging, but it is not required to be able to use it. So here is how it works, in a very brief nutshell:
You'll always need a so-called PGP client, which is an application that performs encryption, decryption and signing.
You'll also need a so-called key pair, consisting of two parts: a private key used for decryption and signing, and a public key used for encryption and signature validation.
Security is based on the following two principles:
- The private key cannot be derived from its counterpart, the public key.
- Each key only works one way, i.e. data cannot be decrypted with the same key with which it was encrypted.
Keys are stored locally in a so-called key ring, which is usually managed by the PGP client.
Public keys can be obtained from key servers, which are freely accessible on the internet.
Private keys are kept secret and stay with their owners.
An e-mail is encrypted with the public key of the receiver, so everyone can encrypt.
It is decrypted with the private key of the receiver, so only the receiver can decrypt.
Signatures are validated with the public key of the sender, so everyone can validate.
Signatures are created with the private key of the sender, so only the sender can sign.
Obviously the secrecy of the private key is essential, so it is additionally "locked" with a passphrase known only to its owner.
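The four rules above can be watched in action with GnuPG alone. The following script is an added example, not code from the article: it builds two throw-away key rings, "Alice" and "Bob", exchanges public keys, and then shows that Alice can encrypt to Bob but cannot decrypt her own ciphertext (she only holds Bob's public key), that Bob can decrypt and at the same time validate Alice's signature with her public key, and that a tampered file fails signature verification. It assumes gpg 2.1 or newer on PATH; the names, addresses and the passphrase are constructed for the demo only.

```shell
#!/bin/sh
# Added example (not from the original article): GnuPG round trip between two
# throw-away key rings. Assumes gpg 2.1+ on PATH; all identities, the
# passphrase and the message are constructed for this demo.
set -u

ALICE_UID='Alice Demo <alice@example.test>'   # constructed
BOB_UID='Bob Demo <bob@example.test>'         # constructed
PASS='demo-passphrase-do-not-reuse'           # constructed; use a strong one for real keys
PLAINTEXT='quarterly figures: confidential'   # constructed

# gpg bound to one key ring, fully non-interactive.
g() { _home=$1; shift; gpg --homedir "$_home" --batch --quiet --no-tty "$@"; }

run_demo() {
    command -v gpg >/dev/null 2>&1 || { echo 'gpg not installed' >&2; return 2; }
    WORK=$(mktemp -d) || return 1
    ALICE="$WORK/alice"; BOB="$WORK/bob"
    mkdir -m 700 "$ALICE" "$BOB"

    # 1. Each party generates a key pair; the private half is passphrase-locked.
    for pair in "$ALICE|$ALICE_UID" "$BOB|$BOB_UID"; do
        home=${pair%%|*}; uid=${pair#*|}
        g "$home" --pinentry-mode loopback --passphrase "$PASS" \
          --quick-generate-key "$uid" default default never
    done

    # 2. Public keys are exchanged (in real life via a key server or in person).
    g "$BOB"   --armor --export bob@example.test   > "$WORK/bob.pub"
    g "$ALICE" --armor --export alice@example.test > "$WORK/alice.pub"
    g "$ALICE" --import "$WORK/bob.pub"
    g "$BOB"   --import "$WORK/alice.pub"

    # 3. Alice encrypts to Bob's PUBLIC key and signs with her own PRIVATE key.
    printf '%s\n' "$PLAINTEXT" > "$WORK/msg.txt"
    g "$ALICE" --trust-model always --pinentry-mode loopback --passphrase "$PASS" \
      --recipient bob@example.test --local-user alice@example.test \
      --sign --encrypt --output "$WORK/msg.gpg" "$WORK/msg.txt"

    # 4. Alice holds only Bob's public key, so she cannot decrypt her own ciphertext.
    if g "$ALICE" --decrypt --output /dev/null "$WORK/msg.gpg" 2>/dev/null; then
        ALICE_DECRYPT=possible
    else
        ALICE_DECRYPT=impossible
    fi

    # 5. Bob decrypts with his private key; gpg validates Alice's signature against
    #    her public key in the same step and reports GOODSIG on the status fd.
    DECRYPTED=$(g "$BOB" --pinentry-mode loopback --passphrase "$PASS" \
                  --status-fd 3 --decrypt "$WORK/msg.gpg" 3>"$WORK/status.txt")
    if grep -q '^\[GNUPG:\] GOODSIG' "$WORK/status.txt"; then
        SIGNATURE=good
    else
        SIGNATURE=bad
    fi

    # 6. A detached signature over the original no longer verifies on a tampered copy.
    g "$ALICE" --pinentry-mode loopback --passphrase "$PASS" \
      --local-user alice@example.test --detach-sign \
      --output "$WORK/msg.sig" "$WORK/msg.txt"
    printf '%s\n' 'quarterly figures: public' > "$WORK/tampered.txt"
    if g "$BOB" --verify "$WORK/msg.sig" "$WORK/tampered.txt" 2>/dev/null; then
        TAMPER_CHECK=missed
    else
        TAMPER_CHECK=caught
    fi

    # Stop the per-key-ring agents and remove the temporary key rings.
    gpgconf --homedir "$ALICE" --kill gpg-agent 2>/dev/null
    gpgconf --homedir "$BOB"   --kill gpg-agent 2>/dev/null
    rm -rf "$WORK"
}

run_demo && printf 'alice decrypt: %s\nsignature: %s\ntampering: %s\nbob reads: %s\n' \
    "$ALICE_DECRYPT" "$SIGNATURE" "$TAMPER_CHECK" "$DECRYPTED"
```

Everything happens in temporary directories passed via `--homedir`, so the script never touches your real key ring; `--trust-model always` is only there to silence the "key not certified" prompt in batch mode and is not something to put into a daily configuration.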
OpenPGP: Which client to use?
Windows
gpg4win serves as the PGP client and includes the GPG command line tool and the Kleopatra UI. For e-mail, the combination of Thunderbird and Enigmail is quite popular.
MacOS and iOS
GPGTools is a fine client for macOS. The Mail app supports GPGTools and is a good choice. Of course, the combination of Thunderbird and Enigmail is also very popular on macOS. On iOS, GPGTools support is not that good; however, there are various apps, such as iPGMail, that handle e-mail encryption and decryption without requiring GPGTools.
Linux
Every distribution should have a GNU Privacy Guard package available. The combination of Thunderbird and Enigmail for e-mail also applies to Linux.
Android
The choice of PGP client depends on support in your favorite mail app; not every app supports every PGP client. I use the combination of K-9 Mail and OpenKeychain. See the Posteo documentation on how to use other clients, e.g. R2Mail2 or MailDroid.
Browser Only
Some webmail providers, like Posteo, support e-mail encryption via the Mailvelope browser plugin.
Be aware: using Mailvelope means storing your private key in the browser's storage, which carries a high security risk.
Isn't OpenPGP broken by EFail?
No, it is not, and the same holds for S/MIME. Although EFail can be used to break encryption, it does so by exploiting e-mail clients' faulty handling of HTML tags and external content. So the bug is in the tools, not in the standard. Tool providers will provide updates soon.
As security precautions, it is sufficient to:
- Keep your PGP client and e-mail tool of choice up to date and watch out for EFail-specific fixes.
- When using Thunderbird, activate the "Simple HTML" mode (or plaintext only) under View -> Message Body As -> Simple HTML, and consider the advice from the Mozilla blog.
For more details, see also Protonmail.
The series will continue with some preparatory steps before we start.