How can I use PKI encryption for personal stuff?
March 27, 2014 2:15 PM   Subscribe

At work, I can digitally sign and encrypt emails using digital certificates on my ID (and a card reader attached to my laptop). It integrates decently with Outlook and Acrobat. It's 2014. What are my PKI options for personal use?

I generated my first PGP key almost two decades ago and regularly use Truecrypt, but I haven't kept up with all of the technology and what's been widely adopted (or not). No one I currently correspond with for personal matters or personal business uses strong crypto.

If I want to dip my toe back into crypto, what products should I be looking at? I currently use Gmail, and it would certainly be nice to be able to digitally sign PDFs the same way I do at work.
posted by QuantumMeruit to Computers & Internet (12 answers total) 3 users marked this as a favorite
It sounds like you are talking about comms crypto as you say crypto, yes?

The reason I clarify is that the crypto tech itself is now used fairly widely to protect other kinds of transmissions and assets, as well as to do other things (ex. signing stuff, vouching for it, etc.).

I actually haven't used PGP or GPG in a long time. I agree that you sort of need a reason to, like someone who wants to correspond with you with encrypted mail. I would recommend you look into GPG for comms crypto.

But honestly what I use most in crypto-land these days is SSH or SSH-enabled FTP. These are tools you can use to protect file transfers and telnet sessions.

Also I use products like LastPass and CrashPlan which do encryption in a sort of invisible way (to me).

I also (at work) administer and distribute our code signing key, which is another way business have come up with for applying PKI toward things important to business.
posted by kalessin at 2:20 PM on March 27, 2014

If you want to dip back in, I'd start by looking at two-factor authentication for home use with something like a yubikey.
posted by bfranklin at 2:40 PM on March 27, 2014

Also, if you're going to go back in, make sure you understand pass the hash or pass the token attacks before you decide on how to implement two-factor in a network environment.
posted by bfranklin at 2:41 PM on March 27, 2014

I'm just a consumer. I'm looking for a tool / product that would give me the benefit of being able to sign emails and PDFs (for purposes of nonrepudiation, integrity verification, authentication, etc.), and potentially for encrypting emails and other correspondence with others.

LastPass (which I use) stores and encrypts passwords. I suppose I could store a private key in LastPass but I don't see how that integrates with any email clients. Yubikey seems to be a hardware authentication fob, not something that manages private keys. Or am I misunderstanding some of its possible uses?

I'm not looking at implementing anything myself. I just want a product I can use.
posted by QuantumMeruit at 3:01 PM on March 27, 2014

I think for personal use encryption is dead. I had hoped after the NSA/Snowden revelations that people would start using it, but no one I know has.

On Android the K-9 Mail app will use APG (An Android implementation of GPG) for encryption in email (signing, encrypting, storing and verifying keys). I will sign emails to some friends, but as no one else I know has keys of their own it isn't really of much use.

You can put GPG4USB onto a USB flash drive, or something like Dropbox, and then use that to encrypt the text of your email before it gets to Gmail. It is nice because you have access to it wherever you go. Thunderbird (the mail client made by Mozilla) has integration with GPG through OpenPGP if you want something permanently installed on a computer.
posted by any portmanteau in a storm at 3:21 PM on March 27, 2014

Well, okay, but that's not what your original question asked. If you want to sign emails and pdfs, all you need is a certificate with the appropriate uses enabled from a CA that is chained to the root certs in most OSs root certificate stores. More simply, you need an appropriate cert from the same places you'd buy an SSL cert. Most mail clients will play nice with that out of the box. I don't know anything about applications that sign PDFs, but I'd be willing to bet they'll happily grab a key out of your cert store if it has signing capability.

Note that this would be encrypting email with S/MIME. PGP is a separate beast that uses keys you generate. PGP Desktop is a pretty passable consumer product for simplifying PGP usage.

You can put your certs or keys on a smartcard if you want, but that's hardly required, and will probably require reading both the manual for the software that comes with your smartcard and the manual for whatever application you want to integrate it with. It's not something I'd particularly recommend for a home use scenario.
posted by bfranklin at 3:49 PM on March 27, 2014

I expect that the approach I used to use GPG in mail would work with Gmail:
- Use Thunderbird with Enigmail and GPGShell to use and administer keys with a POP3 or IMAP integration to Gmail
- Store private key(s) in an encrypted volume with TrueCrypt on a USB Key or if you're not risk averse, you could cloud-base the encrypted volume and put it on any cloud storage solution.

I don't think there's a good extension for using directly with Gmail. My concern is really key management and secure key storage. A bit of Googling gives me Mailvelope.

A Yubikey is a 2-factor authentication widget and doesn't, as far as I know, provide storage.

You could potentially look at one of the biometrically secured USB keys but honestly unless they reengineered the storage to be truly authentication-bound, I would worry that one could just break physical storage, extract the solid state memory and retrieve data from it in a new physical matrix. That's the problem with biometrics in general - not security integrated, but usually tied to the physical access layer which is pretty trivially broken into if physical possession is assumed.
posted by kalessin at 3:53 PM on March 27, 2014

TBH, the real issue here is convenience over security. I only ever had one real committed PGP correspondent. Once he stopped e-mailing, it just wasn't worth the hassle to do all that secure protocol. Easier, when talking about stupid one-off, non-sensitive stuff, to ignore all that stuff and communicate in cleartext.
posted by kalessin at 3:55 PM on March 27, 2014

S/MIME message signing and encryption works out of the box in Apple Mail on OS X and iOS as well as Mozilla Thunderbird on all of its platforms. It's not too hard to set up. You can get a free S/MIME certificate from Comodo or StartSSL. Basically, once you have S/MIME set up, when you email someone else with S/MIME with a signed email, they automatically get your public key. They're then able to email back to you, fully encrypted.
posted by zsazsa at 4:18 PM on March 27, 2014

For PDFs specifically, you'll want editing or 'writer' software, rather than the usual free 'reader' software most people have. Adobe's Acrobat software is kind of an industry standard, and it's used all the time for 'this PDF is 128-bit AES encrypted, and cannot be opened without entering a 16 character password, and once opened, cannot be printed; in addition, my digital signature is linked to a CA, and introduces a watermark throughout the file, making any modifications to the version I signed obvious' use cases. The fact that most people have, or have access to, the free Adobe Reader software at the receiving end, makes most compatibility issues go away.
Foxit also makes software with most of the same compatibility at a lower price point. And I think that both have the ability to integrate with many email clients (Outlook especially), at least as a bolt-on.

That takes care of encrypting your PDF files, and attachments to email. For encrypted communications, like protecting the body of a message and not just attachments, both ends have to be in cooperation (key-swap) in advance, and that's not always convenient or possible .

I'm not sure what your needs are, but would they be covered by a relatively convenient way of securing attachments, that's compatible with most platforms?
posted by bartleby at 9:11 PM on March 27, 2014

PortableSigner signs PDF files. Cross-platform, no Adobe software required. The big issue with signed PDFs, though, is making sure that the recipient has the root CA that you used.

OpenSSL has some tools to use X.509 to sign/encrypt documents in an analogous way to PGP.

PKI is great, but it requires that you and the other guy both understand how to set up and manage keys. This makes its usefulness very limited.
posted by scruss at 5:10 AM on March 28, 2014

A Yubikey is a 2-factor authentication widget and doesn't, as far as I know, provide storage.

The Yubikey actually does allow you to reconfigure the device with your own private key, to create your own one-time-use numbers based on that key. However this is unlikely to be relevant to your goal.
posted by odinsdream at 8:23 AM on March 28, 2014

« Older Personal project or professional development?   |   smart moves Newer »
This thread is closed to new comments.