How can I use PKI encryption for personal stuff?
March 27, 2014 2:15 PM Subscribe
At work, I can digitally sign and encrypt emails using digital certificates on my ID (and a card reader attached to my laptop). It integrates decently with Outlook and Acrobat. It's 2014. What are my PKI options for personal use?
I generated my first PGP key almost two decades ago and regularly use Truecrypt, but I haven't kept up with all of the technology and what's been widely adopted (or not). No one I currently correspond with for personal matters or personal business uses strong crypto.
If I want to dip my toe back into crypto, what products should I be looking at? I currently use Gmail, and it would certainly be nice to be able to digitally sign PDFs the same way I do at work.
I generated my first PGP key almost two decades ago and regularly use Truecrypt, but I haven't kept up with all of the technology and what's been widely adopted (or not). No one I currently correspond with for personal matters or personal business uses strong crypto.
If I want to dip my toe back into crypto, what products should I be looking at? I currently use Gmail, and it would certainly be nice to be able to digitally sign PDFs the same way I do at work.
Also, if you're going to go back in, make sure you understand pass the hash or pass the token attacks before you decide on how to implement two-factor in a network environment.
posted by bfranklin at 2:41 PM on March 27, 2014
posted by bfranklin at 2:41 PM on March 27, 2014
Response by poster: I'm just a consumer. I'm looking for a tool / product that would give me the benefit of being able to sign emails and PDFs (for purposes of nonrepudiation, integrity verification, authentication, etc.), and potentially for encrypting emails and other correspondence with others.
LastPass (which I use) stores and encrypts passwords. I suppose I could store a private key in LastPass but I don't see how that integrates with any email clients. Yubikey seems to be a hardware authentication fob, not something that manages private keys. Or am I misunderstanding some of its possible uses?
I'm not looking at implementing anything myself. I just want a product I can use.
posted by QuantumMeruit at 3:01 PM on March 27, 2014
LastPass (which I use) stores and encrypts passwords. I suppose I could store a private key in LastPass but I don't see how that integrates with any email clients. Yubikey seems to be a hardware authentication fob, not something that manages private keys. Or am I misunderstanding some of its possible uses?
I'm not looking at implementing anything myself. I just want a product I can use.
posted by QuantumMeruit at 3:01 PM on March 27, 2014
I think for personal use encryption is dead. I had hoped after the NSA/Snowden revelations that people would start using it, but no one I know has.
On Android the K-9 Mail app will use APG (An Android implementation of GPG) for encryption in email (signing, encrypting, storing and verifying keys). I will sign emails to some friends, but as no one else I know has keys of their own it isn't really of much use.
You can put GPG4USB onto a USB flash drive, or something like Dropbox, and then use that to encrypt the text of your email before it gets to Gmail. It is nice because you have access to it wherever you go. Thunderbird (the mail client made by Mozilla) has integration with GPG through OpenPGP if you want something permanently installed on a computer.
posted by any portmanteau in a storm at 3:21 PM on March 27, 2014
On Android the K-9 Mail app will use APG (An Android implementation of GPG) for encryption in email (signing, encrypting, storing and verifying keys). I will sign emails to some friends, but as no one else I know has keys of their own it isn't really of much use.
You can put GPG4USB onto a USB flash drive, or something like Dropbox, and then use that to encrypt the text of your email before it gets to Gmail. It is nice because you have access to it wherever you go. Thunderbird (the mail client made by Mozilla) has integration with GPG through OpenPGP if you want something permanently installed on a computer.
posted by any portmanteau in a storm at 3:21 PM on March 27, 2014
Well, okay, but that's not what your original question asked. If you want to sign emails and pdfs, all you need is a certificate with the appropriate uses enabled from a CA that is chained to the root certs in most OSs root certificate stores. More simply, you need an appropriate cert from the same places you'd buy an SSL cert. Most mail clients will play nice with that out of the box. I don't know anything about applications that sign PDFs, but I'd be willing to bet they'll happily grab a key out of your cert store if it has signing capability.
Note that this would be encrypting email with S/MIME. PGP is a separate beast that uses keys you generate. PGP Desktop is a pretty passable consumer product for simplifying PGP usage.
You can put your certs or keys on a smartcard if you want, but that's hardly required, and will probably require reading both the manual for the software that comes with your smartcard and the manual for whatever application you want to integrate it with. It's not something I'd particularly recommend for a home use scenario.
posted by bfranklin at 3:49 PM on March 27, 2014
Note that this would be encrypting email with S/MIME. PGP is a separate beast that uses keys you generate. PGP Desktop is a pretty passable consumer product for simplifying PGP usage.
You can put your certs or keys on a smartcard if you want, but that's hardly required, and will probably require reading both the manual for the software that comes with your smartcard and the manual for whatever application you want to integrate it with. It's not something I'd particularly recommend for a home use scenario.
posted by bfranklin at 3:49 PM on March 27, 2014
S/MIME message signing and encryption works out of the box in Apple Mail on OS X and iOS as well as Mozilla Thunderbird on all of its platforms. It's not too hard to set up. You can get a free S/MIME certificate from Comodo or StartSSL. Basically, once you have S/MIME set up, when you email someone else with S/MIME with a signed email, they automatically get your public key. They're then able to email back to you, fully encrypted.
posted by zsazsa at 4:18 PM on March 27, 2014
posted by zsazsa at 4:18 PM on March 27, 2014
For PDFs specifically, you'll want editing or 'writer' software, rather than the usual free 'reader' software most people have. Adobe's Acrobat software is kind of an industry standard, and it's used all the time for 'this PDF is 128-bit AES encrypted, and cannot be opened without entering a 16 character password, and once opened, cannot be printed; in addition, my digital signature is linked to a CA, and introduces a watermark throughout the file, making any modifications to the version I signed obvious' use cases. The fact that most people have, or have access to, the free Adobe Reader software at the receiving end, makes most compatibility issues go away.
Foxit also makes software with most of the same compatibility at a lower price point. And I think that both have the ability to integrate with many email clients (Outlook especially), at least as a bolt-on.
That takes care of encrypting your PDF files, and attachments to email. For encrypted communications, like protecting the body of a message and not just attachments, both ends have to be in cooperation (key-swap) in advance, and that's not always convenient or possible .
I'm not sure what your needs are, but would they be covered by a relatively convenient way of securing attachments, that's compatible with most platforms?
posted by bartleby at 9:11 PM on March 27, 2014
Foxit also makes software with most of the same compatibility at a lower price point. And I think that both have the ability to integrate with many email clients (Outlook especially), at least as a bolt-on.
That takes care of encrypting your PDF files, and attachments to email. For encrypted communications, like protecting the body of a message and not just attachments, both ends have to be in cooperation (key-swap) in advance, and that's not always convenient or possible .
I'm not sure what your needs are, but would they be covered by a relatively convenient way of securing attachments, that's compatible with most platforms?
posted by bartleby at 9:11 PM on March 27, 2014
PortableSigner signs PDF files. Cross-platform, no Adobe software required. The big issue with signed PDFs, though, is making sure that the recipient has the root CA that you used.
OpenSSL has some tools to use X.509 to sign/encrypt documents in an analogous way to PGP.
PKI is great, but it requires that you and the other guy both understand how to set up and manage keys. This makes its usefulness very limited.
posted by scruss at 5:10 AM on March 28, 2014
OpenSSL has some tools to use X.509 to sign/encrypt documents in an analogous way to PGP.
PKI is great, but it requires that you and the other guy both understand how to set up and manage keys. This makes its usefulness very limited.
posted by scruss at 5:10 AM on March 28, 2014
This thread is closed to new comments.
posted by bfranklin at 2:40 PM on March 27, 2014