We're going to learn Email Encryption the easy way
A lot of times on Hak5 we go really in depth for weeks at a time on a complex subject like SSH exploring every nook and cranny. That's not this segment. Today we're taking a high level, practical approach at Email Encryption. This is the segment you send to all your friends, techy or not, who should be using strong encryption on their email.
The Basics: In 1991 Phil Zimmermann created PGP, or Pretty Good Privacy. It's a program for encrypting and decrypting texts, emails, files - even whole hard drives. There's a pretty good read on Wikipedia, so I encourage you to check it out.
PGP uses various methods for encryption - one in particular we're interested in called Public Key Cryptography.
Rather than simply having a single password used to encrypt and decrypt data, it uses a combination of a public key and private key. The idea basically breaks down to this:
- The public key is used to encrypt the message and can be freely given to anyone
- The private key is used to decrypt the message and is stored securely
On Linux you can set up GnuPG (or GPG), an OpenPGP-compliant open source tool, along with Enigmail, a plugin for Thunderbird -- and that's great -- but in the world of webmail there's an easier alternative:
If you're wondering why this is important or how it applies to you, keep in mind that the ECPA, or Electronic Communications Privacy Act, states that "email stored on a third party server for more than 180 days is considered by the law to be abandoned, and all that is required to obtain the content of the emails by a law enforcement agency is a written statement certifying that the information is relevant to an investigation" -- there is absolutely no judicial review, no need for a warrant, nothing. The ECPA was written in the 80s, and the world has changed. So while the lobbyists, activists, civil rights organizations and our government quibble over the law, we can protect ourselves using strong encryption. In fact we should encrypt all the things regardless -- it's simply good practice.
Setting up PGP encryption for webmail with Mailvelope
1. Get Mailvelope
2. Generate your key pair
3. Send your friend your public key
4. Get your friend's public key and install it
5. Send your first encrypted email
6. Decrypt your first encrypted email
Note: in Mailvelope's settings, under General, turn on "Always add primary key to list of recipients". This way you'll be able to open mail you've sent later, say if you back up your email to your computer and want to read it in the future.
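The key pair idea above, together with the note about adding your own key as a recipient, played out with GnuPG (the GPG mentioned earlier) as an added example; this is not code from the episode or from Mailvelope. It assumes gpg 2.1 or newer is installed. Alice, Bob and their example.com addresses are made up, and each gets a throwaway GNUPGHOME keyring so the only thing that ever crosses between them is Alice's public key. Run it with RUN_PGP_DEMO=1 sh followed by whatever file name you saved it under.

```shell
#!/bin/sh
# Added example, not from the Hak5 notes or Mailvelope: the public/private key
# exchange from the segment, done with GnuPG between two throwaway keyrings.
# Names and addresses are constructed for the demo.
set -e

# Generate a passphrase-less RSA key pair in the given keyring (batch mode).
make_key() {  # make_key <gnupghome> <name> <email>
  GNUPGHOME="$1" gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# Steps 3 and 4: the owner exports only the public key; the other side imports it.
share_public_key() {  # share_public_key <owner_home> <email> <receiver_home>
  GNUPGHOME="$1" gpg --batch --quiet --armor --export "$2" \
    | GNUPGHOME="$3" gpg --batch --quiet --import 2>/dev/null
}

# Step 5: encrypt to one or more public keys. No private key is needed for this,
# which is exactly why a public key can be handed out freely.
encrypt_to() {  # encrypt_to <sender_home> <plaintext> <ciphertext> <recipient_email>...
  sender="$1"; plain="$2"; cipher="$3"; shift 3
  rcpts=""
  for r in "$@"; do rcpts="$rcpts --recipient $r"; done
  GNUPGHOME="$sender" gpg --batch --quiet --armor --trust-model always \
    $rcpts --output "$cipher" --encrypt "$plain"
}

# Step 6: decrypt. Succeeds only in a keyring that holds a matching private key.
decrypt_with() {  # decrypt_with <gnupghome> <ciphertext> <output_file>
  GNUPGHOME="$1" gpg --batch --quiet --output "$3" --decrypt "$2" 2>/dev/null
}

# Runs the whole exchange and prints one line per outcome.
run_demo() {
  work=$(mktemp -d)
  alice="$work/alice"; bob="$work/bob"
  mkdir -m 0700 "$alice" "$bob"
  make_key "$alice" "Alice" "alice@example.com"
  make_key "$bob" "Bob" "bob@example.com"
  share_public_key "$alice" alice@example.com "$bob"

  printf 'meet at noon\n' > "$work/msg.txt"     # constructed sample message
  encrypt_to "$bob" "$work/msg.txt" "$work/to_alice.asc" alice@example.com
  decrypt_with "$alice" "$work/to_alice.asc" "$work/alice_read.txt"
  echo "alice reads: $(cat "$work/alice_read.txt")"

  # Bob holds only Alice's public key, so he cannot read what he just sent.
  if decrypt_with "$bob" "$work/to_alice.asc" "$work/bob_read.txt"; then
    echo "bob reads his own sent mail: yes"
  else
    echo "bob reads his own sent mail: no"
  fi

  # The "Always add primary key to list of recipients" setting from the note:
  # encrypt to both keys, and the copy in Bob's Sent folder stays readable to him.
  encrypt_to "$bob" "$work/msg.txt" "$work/to_both.asc" alice@example.com bob@example.com
  decrypt_with "$bob" "$work/to_both.asc" "$work/bob_read2.txt"
  echo "bob reads sent mail with his key added: $(cat "$work/bob_read2.txt")"

  for h in "$alice" "$bob"; do
    GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$work"
}

# Only run the demo when asked, so the functions can also be sourced on their own.
if [ "${RUN_PGP_DEMO:-}" = "1" ]; then run_demo; fi
```

The middle part is the one that bites people in practice: a message encrypted only to Alice is unreadable in Bob's own Sent folder, even though Bob wrote it, because decryption needs Alice's private key and Bob never had it. Encrypting to your own key as well is what the Mailvelope setting in the note does for you automatically.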
That's all folks. What do you use? Email firstname.lastname@example.org or leave a comment.
In a bit Shannon will be backing up Gmail on Ubuntu
How to Backup Your Gmail Account Using Your Ubuntu PC
Apocalypse! What do you do if Google's mail servers go down? Unlikely, but it could happen...
Use this tool in Ubuntu to back up your Gmail account!
Getmail is available in Ubuntu's software repositories. It works in any Linux distro though. Install it.
Make the directories Getmail needs. The -m 0700 option sets the permissions: 7 = read, write and execute for the owner; 0 = no permissions for the group or for other users.
mkdir -m 0700 $HOME/.getmail
The second command sets up the directory for the .mbox file that will store your inbox messages.
mkdir -m 0700 $HOME/gmail-archive
The third command, touch, creates the empty .mbox file in the gmail-archive directory (touch is the easy way to create a new empty file).
In gedit, create a config file that tells Getmail to fetch your Gmail. The verbose and message_log settings belong in their own [options] section:
[retriever]
type = SimplePOP3SSLRetriever
server = pop.gmail.com
# change the next two lines
username = email@example.com
password = yourpassword

[destination]
type = Mboxrd
# change this if needed
path = ~/gmail-archive/gmail-backup.mbox

[options]
verbose = 2
message_log = ~/.getmail/gmail.log
Save it as .getmail/getmailrc in the directory you just created.
Close it, open a terminal and run 'getmail'. The script may take a while to download your inbox. When it's done, close out.
The new mbox file can be opened in Thunderbird, Outlook, etc. To automate it, put the getmail command in a shell script and run it from a timed cron job, so the backup is downloaded at regular intervals.
If it stops before it's finished, restart it with the same getmail command. Gmail labels are supposed to be part of the .mbox download. Archived messages are downloaded as well. Deleted messages are not backed up. I suggest using two-factor authentication with an app-specific password, because your password is saved in clear text.
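The whole Getmail setup from the segment, from the two 0700 directories through the config file to the cron job, collected into one script you can re-run. This is an added example, not the episode's own commands or anything shipped with Getmail. It assumes getmail 4 is installed, takes the Gmail address as its single argument, and reads the app-specific password from an environment variable named GMAIL_APP_PASSWORD (a name chosen for this script) instead of the command line, so the password never appears in the process list; if the variable is unset it writes the placeholder CHANGE_ME for you to edit.

```shell
#!/bin/sh
# Added example, not from the Hak5 notes: the Getmail backup setup as a script.
# Assumes getmail 4; GMAIL_APP_PASSWORD is a variable name chosen for this script.
set -e

# The two 0700 directories from the segment, plus the empty mbox that the
# Mboxrd destination expects to exist before the first run.
prepare_dirs() {  # prepare_dirs <base_dir>
  for d in "$1/.getmail" "$1/gmail-archive"; do
    [ -d "$d" ] || mkdir -m 0700 "$d"
  done
  touch "$1/gmail-archive/gmail-backup.mbox"
  chmod 0600 "$1/gmail-archive/gmail-backup.mbox"   # your mail, owner-only
}

# Write getmailrc. Prints the path of the file it wrote.
write_rc() {  # write_rc <base_dir> <gmail_address> <password>
  rc="$1/.getmail/getmailrc"
  (
    # The file holds the password in clear text (as the notes warn), so make it
    # owner-only from the first byte rather than chmod-ing it afterwards.
    umask 077
    cat > "$rc" <<EOF
[retriever]
type = SimplePOP3SSLRetriever
server = pop.gmail.com
username = $2
password = $3

[destination]
type = Mboxrd
path = $1/gmail-archive/gmail-backup.mbox

[options]
verbose = 2
message_log = $1/.getmail/gmail.log
EOF
  )
  chmod 0600 "$rc"
  echo "$rc"
}

main() {  # main <gmail_address>
  prepare_dirs "$HOME"
  pw="${GMAIL_APP_PASSWORD:-CHANGE_ME}"   # app-specific password, per the notes
  rc=$(write_rc "$HOME" "$1" "$pw")
  echo "wrote $rc"
  getmail --rcfile "$rc"    # getmail also finds ~/.getmail/getmailrc on its own
}

# Hourly backup from cron (crontab -e), once the config is in place:
#   0 * * * * getmail --quiet

if [ $# -eq 1 ]; then main "$1"; fi
```

Because the config lives at the default location, the cron line needs no arguments at all; getmail's --quiet just keeps the job from mailing you its progress output every hour.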
Frozen Java sends in this video of his Texting WiFi Pineapple: "This is just a PoC video of my texting pineapple. The goal here is to be able to activate karma, dns spoof, or whatever from your phone's texting app, so if you are in a location where you can't pull up ssh or the web interface you can just look like you are having a normal conversation with a human.