Securing your email so nobody else can read it is very important. Even if you have “nothing to hide”, the security of your email is paramount: just about every website with a login will reset a password by sending a link or token to the account's email address. If somebody can read your email, they can effectively take over your complete online identity.
I host my own email. I have an IMAP server, and I access my email from my laptop, PC and phone. If any one of these four hosts is compromised, then my email, and by extension my online identity, is also compromised. There is an obvious solution to this problem in PGP, but most of the emails I receive aren’t even PGP signed, let alone encrypted. So I’ve started encrypting them myself as soon as they arrive.
The MTA I am using is Exim, although the encryption methodology I am using probably translates to other servers quite well too. I built a small Perl application which takes an email on STDIN and spits out the encrypted version on STDOUT. You can download it from my GitHub repository here. I integrated it with Exim using the transport_filter option, which pipes the message through a command and delivers whatever the command writes to STDOUT in place of the original. I simply updated my transport which does local delivery with the following:
transport_filter = /etc/exim4/scripts/gpgit.pl firstname.lastname@example.org
The user that the delivery runs as needs to have GnuPG set up, with the recipient's public key imported into its keyring. The email address given as the argument exists purely to select which public key to encrypt to; for gpg to use that key non-interactively, the key must be marked as trusted in that keyring or gpg must be told to skip the trust check (e.g. --trust-model always). Because we're only encrypting, and not signing, the host running the MTA doesn't need the private key installed at all.
The script uses inline encryption when the message contains a single text/plain part, i.e. the body text itself is replaced by the ASCII-armored PGP message and the headers are left alone. If the message contains more than one part or something other than text/plain it uses PGP/MIME instead, wrapping the whole original MIME body as the encrypted data part of a multipart/encrypted entity. The reason I have done it this way is because I'm using K-9 on my Android phone with APG, and K-9 doesn't yet support PGP/MIME. If a message is already encrypted, it is not re-encrypted.
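The filter contract described above (message on STDIN, encrypted message on STDOUT, inline for a lone text/plain part, PGP/MIME otherwise, pass-through for mail that is already encrypted) as an added example in Python. This is not the author's gpgit.pl, whose source is not reproduced on this page; it assumes a gpg binary on the PATH and a keyring owned by the delivery user, and it uses --trust-model always, which is my choice here rather than anything the page states. fake_encrypt and the sample messages are constructed stand-ins for demonstrating the MIME handling offline; they are not cryptography.

```python
import base64
import subprocess
import sys
from email import message_from_bytes
from email.encoders import encode_7or8bit
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

PGP_BEGIN = b"-----BEGIN PGP MESSAGE-----"

def gpg_encrypt(plaintext, recipient):
    """Armored encryption to one public key with the real gpg binary (assumed on PATH).
    --trust-model always skips the web-of-trust check that batch mode would otherwise fail."""
    cmd = ["gpg", "--batch", "--quiet", "--armor", "--encrypt",
           "--trust-model", "always", "--recipient", recipient]
    return subprocess.run(cmd, input=plaintext, stdout=subprocess.PIPE,
                          check=True).stdout

def fake_encrypt(plaintext, recipient):
    """Stand-in for gpg in the demo: base64 inside PGP armor, NOT encryption."""
    return (PGP_BEGIN + b"\n\n" + base64.b64encode(plaintext)
            + b"\n-----END PGP MESSAGE-----\n")

def fake_decrypt(armored):
    """Inverse of fake_encrypt, for inspecting demo output."""
    body = armored.split(b"\n\n", 1)[1].split(b"\n-----END", 1)[0]
    return base64.b64decode(body)

def already_encrypted(msg):
    # A PGP/MIME entity, or a text/plain body that already carries PGP armor.
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    if ctype == "text/plain":
        body = msg.get_payload(decode=True) or b""
        return body.lstrip().startswith(PGP_BEGIN)
    return False

def encrypt_inline(msg, recipient, encrypt):
    """Single text/plain part: replace the body text with the armored ciphertext."""
    body = msg.get_payload(decode=True) or b""
    msg.set_payload(encrypt(body, recipient).decode("ascii"))
    del msg["Content-Transfer-Encoding"]        # armor is 7-bit ASCII whatever
    msg["Content-Transfer-Encoding"] = "7bit"   # the original encoding was
    return msg

def encrypt_pgp_mime(msg, raw, recipient, encrypt):
    """Anything else: RFC 3156 multipart/encrypted around the whole MIME body."""
    inner = message_from_bytes(raw)             # the entity to encrypt keeps
    for name in list(inner.keys()):             # only its Content-* headers
        if not name.lower().startswith("content-"):
            del inner[name]
    ciphertext = encrypt(inner.as_bytes(), recipient)
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    for name, value in msg.items():             # envelope headers stay in clear
        if not name.lower().startswith(("content-", "mime-version")):
            outer[name] = value
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted", encode_7or8bit))
    outer.attach(MIMEApplication(ciphertext, "octet-stream", encode_7or8bit,
                                 name="encrypted.asc"))
    return outer

def encrypt_message(raw, recipient, encrypt=gpg_encrypt):
    """The filter proper: raw message bytes in, encrypted message bytes out."""
    msg = message_from_bytes(raw)
    if already_encrypted(msg):
        return raw
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        return encrypt_inline(msg, recipient, encrypt).as_bytes()
    return encrypt_pgp_mime(msg, raw, recipient, encrypt).as_bytes()

def summarize(raw):
    """Structure of a message (type, protocol, part types, last body) for checks."""
    m = message_from_bytes(raw)
    parts = m.get_payload() if m.is_multipart() else [m]
    return {"type": m.get_content_type(), "protocol": m.get_param("protocol"),
            "subject": m["Subject"], "parts": [p.get_content_type() for p in parts],
            "body": parts[-1].get_payload(decode=True)}

SAMPLE_PLAIN = (b"From: alice@example.org\nTo: bob@example.org\nSubject: lunch\n"
                b"Content-Type: text/plain; charset=us-ascii\n\n"
                b"Noon at the usual place?\n")        # constructed sample, not real mail

def sample_mixed():
    """Constructed two-part sample: text body plus a small binary attachment."""
    m = MIMEMultipart("mixed")
    m["From"], m["To"], m["Subject"] = "alice@example.org", "bob@example.org", "report"
    m.attach(MIMEText("Attached as discussed.\n"))
    m.attach(MIMEApplication(b"\x00\x01binary", "octet-stream", name="r.bin"))
    return m.as_bytes()

if __name__ == "__main__":
    # Exim usage: transport_filter = /path/to/this.py recipient@example.org
    sys.stdout.buffer.write(encrypt_message(sys.stdin.buffer.read(), sys.argv[1]))
```

Two things worth noticing in the output: the PGP/MIME branch keeps From, To, Subject and Date on the outer entity, so everything the post later says about metadata staying in the clear applies; and the inline branch encrypts the raw body bytes, so a non-ASCII message loses its charset declaration on the way through, which is one of the reasons PGP/MIME exists.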
So what does this get me? If somebody steals my laptop or phone, they can't read my email from the IMAP client's local store because it's all encrypted and my private PGP key is password protected. If somebody guesses my IMAP password, or uses an exploit to gain access to my account, they can't read my email because what they retrieve is encrypted. If somebody at my hosting provider or a government wants to access my email, simply taking my server won't help them.
There are obvious caveats to this solution though. If somebody gets root on my server or access to the network, they can sniff the emails on the way in before they're encrypted. This won't help them access historical email which was encrypted before they started though. Also, if somebody installs a trojan on my laptop it's game over; they can grab my private PGP key, and use a keylogger to get the password for the key. Another thing to note is that the email is written to disk unencrypted before being encrypted: Exim spools every message to disk on receipt and only then runs the transport (and its transport_filter), so someone with sufficient skills could undelete the plaintext from the spool. The best protection for this is either to put the spool on a RAM disk or to use disk encryption.
Of course, another important thing to note is that PGP only encrypts the message body (and, with PGP/MIME, the attachments). It won't protect you from an adversary finding out who sent the message, what the subject line was, and what date/time it was sent, because those headers stay in the clear. This method also doesn't encrypt your Sent Items folder, since outgoing mail never passes through the local delivery transport. My personal solution to this is: delete email, regularly and without mercy.
I’ve resolved the problem of the contents of the Sent Items folder not being encrypted. See part 2 to see how.