- Some organizations are concerned that their adversary has access to their emails (because of local or country-based internet providers or email providers).
- Do you trust the technical ability of the hosting company's administrators to protect your emails?
- Some staff are concerned about their identity being connected to their employer. To address this, an organisation might use a function-based email account instead of a name-based email account.
- Some organizations are concerned that their staff's email accounts are easy to hack into. Enabling 2FA can be a good step towards securing email.
Organisational Email Encryption
Email encryption tools
- GPG Tools for Mac OS
- Thunderbird for Mac, Linux or Windows
- Enigmail for Mac, Linux or Windows
- Mailvelope – this is a browser-based email encryption tool that uses your PGP key. Note: As of May 11, 2016 this tool allows for encrypted email attachments. You can find instructions here: https://www.mailvelope.com/en/help#files
- Resource: https://emailselfdefense.fsf.org/en/
Considerations
Centrally storing PGP keys and/or revocation certificates
In some situations, organizations may want their staff to use PGP email encryption, but they are concerned that some staff may lose their private key and/or their passphrase to decrypt email. To address this concern, some organizations centrally store the PGP keys of their staff.
Some reasons why this approach might make sense for an organization:
- If staff leave, the organization still has access to their email.
- If staff forget their passphrase, the key is not lost (which saves the time and headache of revoking the key).
- If staff lose their private or public keys, there is a backup.
How would this approach be implemented?
- Centrally storing this information creates a valuable target. Therefore, you'll want to consider hosting this information offline. It's a lot of hassle to keep updated, but it's more secure than storing online. You'll want to identify someone who will be responsible for this, and identify a process that will work for the organization.
Considerations related to centrally storing revocation certificates
Having access to the staff's revocation certificates ensures that even if staff lose access to their emails because they lose their passphrase or keys, the organization will be able to revoke that PGP key on the key server. If the organization didn't keep a backup of the revocation certificate and the staff lost access to their key, there would be no way to revoke the key, which causes confusion for those who want to use this person's key.
How would this approach be implemented?
One way to do this is to require that staff email their revocation certificate to revocation@organization.org once they set up their PGP keys. If this (PGP-protected) mailbox gets compromised, the damage is still contained: the attacker cannot read or access email, and the only thing that needs to be done is to create a new key.
Note: This is not a replacement for good backup strategies!
Organizational vetting and authentication of staff PGP keys
- It is good practice to publish (and link to) the staff's public PGP keys on the organization's website.
- It is good practice to sign all staff PGP keys with the organizational (long term offline) master key.
- It's also good to have staff sign each others' keys.
Secure email policies
- Require full disk encryption for any device that has a staff's private PGP key.
- You may want to prohibit decryption of organizational email on mobile phones. If this is the case, there are additional policies that could be instituted to make communication easier, such as:
  - use email subject lines to communicate urgency
  - a clear escalation path for urgent mobile communications (such as using Signal)
Common challenges
The organization uses MS Exchange Servers
Many organizations use Microsoft Exchange (as opposed to Linux) servers. Unfortunately, Thunderbird doesn't play well with Exchange. Here's why:
There are two mail protocols: IMAP and POP3.
- IMAP syncs your mail client with the server - this is preferred by people who want to access their email on multiple devices. Supports folder structure.
- POP3 pulls the email from the server to your computer. Does not support folder structures.
For more info on POP3 vs IMAP: http://www.hyperoffice.com/pop3-vs-imap/
MS Exchange does not by default support IMAP which is why it doesn't work well with Apple Mail or Thunderbird. It "can" support IMAP but does so very poorly (a lot of timeouts and throttling of connections) leading to a very annoying mail experience.
Note: Some tech teams prefer to use POP3 because they may feel that they have more control over the email information (it isn't on multiple devices). But it's important to consider all of the other consequences, such as the ability to back up the information if it only lives on each staff member's computer, and the difficulties of using email encryption.
If you're working with an organization on MS Exchange, here are some options:
- Change from MS Exchange to an open mailserver (that supports IMAP), either run it with the help of a trusted provider (think about jurisdiction & data retention) or run it yourself.
- Enable IMAP support on the MS Exchange mailserver (this might increase server load; check whether your machine is still 'fit' enough).
- Make mail from MS Exchange server accessible in Thunderbird by using the Exquilla Plugin for Thunderbird.
- Make PGP encryption possible in the Outlook email client using:
  - GPGOL (GPG for Outlook) in addition to GPG4Win - this is a complicated solution and often doesn't work right. This solution can't send/receive PGP/MIME. (Note: PGP/MIME is the newer PGP message format that encrypts the entire message, so the names of attachments aren't visible.)
  - Outlook Privacy Plugin – this solution can't send PGP/MIME. (https://dejavusecurity.github.io/OutlookPrivacyPlugin/)
- DAVmail - a well-maintained translation system: it speaks Outlook Web Access (OWA) or Exchange Web Services (EWS) to the Exchange server and offers LDAP/CardDAV/CalDAV/IMAP to standards-based clients.
Training staff on PGP email encryption
For in-person trainings, it will likely take at least one day to get people onto PGP (minimum 2 hours). You could have people work in small groups, so they can help each other out and practice sharing and receiving keys, etc.
Your training process may include the following components:
- Preparation: Create a how-to document, with the organization's information (server address, etc). Include Thunderbird installation.
- Explain the concept of email encryption
- Install gpg (gpg4win, gpgtools, etc)
- Install and configure Thunderbird (connect your work email to your Thunderbird)
- Install and configure Enigmail
- Create PGP key pair
- Create revocation certificate
- Share PGP public key with colleagues to demonstrate the process of sharing your key
- Import a PGP public key from your colleagues, to demonstrate how to get someone else's key
- Send an encrypted email (demonstrate with colleagues)
- Decrypt an encrypted email (demonstrate with colleagues)
- Share public key on key server
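The hands-on steps of the training above (key pair, revocation certificate, sharing and importing public keys, encrypting and decrypting), plus the use of a centrally stored revocation certificate from the "Considerations" section, as an added GnuPG 2.x walk-through that is not part of the original guide. It uses two throwaway keyrings ("alice" and "bob"), a constructed user ID and message, and relies on GnuPG automatically writing a revocation certificate into openpgp-revocs.d when a key is generated.

```shell
#!/bin/sh
# Added example: the PGP training steps run unattended with gpg (GnuPG 2.1+).
# Names, directories and message text are constructed for this walk-through.
set -eu

WORK=$(mktemp -d)
ALICE="$WORK/alice"; BOB="$WORK/bob"       # two separate keyrings = two colleagues
mkdir -m 700 "$ALICE" "$BOB"
UID_ALICE='Alice Example <alice@organization.example>'

# Step: create a key pair. No passphrase so the script runs without prompts;
# in a real setup staff choose a strong passphrase here.
gpg --homedir "$ALICE" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "$UID_ALICE" default default never

# Step: the revocation certificate. GnuPG 2.1+ writes one automatically as
# <fingerprint>.rev; this is the file to back up centrally (e.g. to revocation@).
FPR=$(gpg --homedir "$ALICE" --with-colons --list-keys | awk -F: '/^fpr/ {print $10; exit}')
REVCERT="$ALICE/openpgp-revocs.d/$FPR.rev"

# Step: share your public key (export it to a file a colleague can import).
gpg --homedir "$ALICE" --armor --export "$FPR" > "$WORK/alice.pub.asc"

# Step: import a colleague's public key into your own keyring.
gpg --homedir "$BOB" --quiet --import "$WORK/alice.pub.asc"

# Step: send an encrypted email. Bob encrypts to Alice's key; --trust-model always
# stands in for the key signing/verification the guide recommends.
encrypt_for_alice() {
    printf '%s' "$1" | gpg --homedir "$BOB" --quiet --batch --trust-model always \
        --armor --encrypt --recipient "$FPR"
}

# Step: decrypt an encrypted email with Alice's private key (plaintext to stdout).
decrypt_as_alice() {
    gpg --homedir "$ALICE" --quiet --batch --pinentry-mode loopback --passphrase '' --decrypt
}

pgp_roundtrip() { encrypt_for_alice "$1" | decrypt_as_alice; }

# What the central backup is for: applying the revocation certificate marks the
# key revoked. The .rev file carries a leading ':' on its armor header as a guard
# against accidental import, so strip it before importing. Prints the key's
# validity flag from --with-colons output ("r" = revoked).
revoke_alice() {
    awk '/BEGIN PGP PUBLIC KEY BLOCK/ {go=1} go {sub(/^:/, ""); print}' "$REVCERT" \
        > "$WORK/alice.rev"
    gpg --homedir "$ALICE" --quiet --import "$WORK/alice.rev"
    gpg --homedir "$ALICE" --with-colons --list-keys | awk -F: '/^pub/ {print $2; exit}'
}
```

After revocation, the exported public key would be re-published so colleagues' clients stop encrypting to it; uploading to a key server is the final training step and is left out here so the script runs offline.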
Mobile phones and encrypted email
In general, this is a bad idea. Mobile OS platforms are still immature. Mobile phones are inherently insecure because the baseband processor on your phone always has potential access to your data. And here are some other reasons why this is a bad idea:
- Android software/OS updating
- easier to lose the key
- Android: K-9 Mail with OpenKeychain
- inline PGP support only (can't read/send PGP/MIME)
- challenges around automatic encryption even when dealing with content that is time-sensitive but not content-sensitive (meeting in 5 minutes, new call-in number at ...)
Resources