Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I use StartMail, which uses gnupg for encryption. It's convenient for encrypting email to someone for whom you have the public key, and it's possible to also encrypt using a shared secret. It's not free, but I'm happy to pay for the license. It's based in Europe, so the US government cannot subpoena anything from it.
I use Hushmail at work, ProtonMail personally. I've had no issues with either, and find that they both seem to work quite well for what their intended purpose is.
HushMail and ProtonMail both offer encrypted email services.
Do any LQ members use either of these and if so, what is your experience?
Is there an alternative I could build myself with the normal range of Linux utils like ssl, pgp and mailservers?
A quick ddg has found a few pages I thought would help, but before delving in too far I'd like a few opinions from you guys.
My leaning is to ProtonMail - it's free to try and if I like it I would probably buy an annual licence.
I know a little about ProtonMail: it does not work with standard Email clients (although I believe Evolution and/or Thunderbird plugins exist), you need to use the web interface.
And, AFAIK, all these services cannot overcome the biggest hurdle: if a recipient is not on board with the program, you cannot send them encrypted mail.
Beyond that, e.g. Evolution (and I guess all serious mail clients) integrate PGP signing & encryption pretty well, and that should be enough if both parties put in the extra effort.
All in all that makes it very doubtful to me whether something like ProtonMail is even necessary at all, unless you plan to convince all your contacts to use it too.
That said, I see that there's a problem that cries for a solution.
Is there an alternative I could build myself with the normal range of Linux utils like ssl, pgp and mailservers?
You could evaluate PrivateBin and see if it is what you want. There are a lot of PrivateBin instances already online, but installing the software on your own server should not be a big problem.
And, AFAIK, all these services cannot overcome the biggest hurdle: if a recipient is not on board with the program, you cannot send them encrypted mail.
How do you mean that? You can send anyone encrypted emails regardless through ProtonMail or Hushmail; they simply get emailed a link to read it online. It doesn't work in a client (for obvious reasons).
If you mean that if someone is too lazy to click a link they won't read your email, by the same token, if someone clicks delete when they see it's from you, they won't read your email, so it doesn't really change anything in terms of how well they can read your email or not. As long as they have a modern browser installed, they can read it.
Last edited by Timothy Miller; 12-18-2020 at 08:45 AM.
You can send anyone encrypted emails regardless through ProtonMail or Hushmail; they simply get emailed a link to read it online. It doesn't work in a client (for obvious reasons).
Thank you for correcting me there.
So how exactly does that work? Where's the security if it can be decrypted by any random mail recipient (who does not have the keys)?
And since the emailed link is sent unencrypted, it can be seen by many eyes.
In Hushmail, you receive a link, following that link you set up a password to access the email if you haven't received Hushmail before. Once you have a password set up, you can actually access other emails from hushmail sent to your email address using that same password, although if at any point you forget the password and set a new one, any email still there is deleted. After setting up the password you can read the email online. It expires after 2 weeks. Protonmail is more or less the same, although you have to set up the password yourself and send it to the recipient in some way for them to read it. And it expires after 1 month.
Last edited by Timothy Miller; 12-18-2020 at 12:51 PM.
I'm not familiar with Proton Mail nor Hushmail, but I know how it works on Startmail. It uses standard gnupg encryption/decryption for sending and receiving encrypted email, and will generate keys for you if you want. That works fine in Thunderbird, which also uses gnupg. You can use the same keys.
If the recipient does not use gnupg, you can send an encrypted message using a shared secret, set up in advance. Something along the lines of "What is your middle name", but preferably harder to guess. It's up to you as to what you use. The email is encrypted, and can only be decrypted by the word or phrase you agreed upon. It's just a password, and it can be anything you both know. The email is encrypted on the server, and only decrypted by the password. Anyone with the password can decrypt the message, so like any other password, it should be reasonably secure.
^ & ^^ OK, so that's how it works.
Correct me if I'm wrong, but there's nothing there that doesn't already work on a decent email client like Evolution? The public key is the password?
On an email client, you use gnupg with public/private keys. However, the big problem with that is that so few people use gnupg, and most don't have any keys. The pre-shared secret method is for exchanging secure messages with the people who don't have them. It's not part of the usual gnupg/pgp process. Ideally, everyone would have key pairs, with the public keys readily available, and the encryption/decryption would be seamless and easy to use. We do not live in an ideal world, however. Therefore workarounds are sometimes necessary. You can read the details for Startmail here: Password protected messages
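To make the two mechanisms in this post concrete (encrypting to someone who has a gnupg key pair, versus a "password-protected message", which is just symmetric encryption under a pre-shared secret), here is an added shell example run against a throw-away GnuPG keyring. It is not from the thread, StartMail or any of the services named; the recipient name, the example.invalid address and the passphrases are constructed for the demo.

```shell
# Added example, not from the thread. Mode 1 encrypts to a recipient's public
# key; mode 2 is a "password-protected message": symmetric encryption under a
# shared secret, needing no recipient key. Names/passphrases are constructed.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demo"; exit 0; }

# Isolated GNUPGHOME so the demo never touches ~/.gnupg; cleaned up on exit.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Non-interactive gpg: no pinentry prompts, passphrases come from --passphrase.
g() { gpg --batch --yes --quiet --pinentry-mode loopback "$@"; }

# Mode 1: recipient "Bob" holds a key pair (generated here, unprotected).
# Prints the decrypted text so the caller can compare it with the original.
pubkey_roundtrip() {
  g --passphrase '' --quick-gen-key 'Bob <bob@example.invalid>' default default never
  printf '%s' "$1" | g --trust-model always --encrypt --recipient bob@example.invalid \
    --armor --output "$GNUPGHOME/msg.asc"
  g --passphrase '' --decrypt "$GNUPGHOME/msg.asc"
}

# Mode 2: no recipient key at all. $2 is the passphrase used to encrypt,
# $3 the one tried on decrypt; prints the plaintext only when they match.
symmetric_roundtrip() {
  printf '%s' "$1" | g --symmetric --cipher-algo AES256 --armor \
    --passphrase "$2" --output "$GNUPGHOME/pw.asc"
  g --passphrase "$3" --decrypt "$GNUPGHOME/pw.asc"
}

main() {
  msg='meet at noon'
  [ "$(pubkey_roundtrip "$msg")" = "$msg" ] || { echo 'public-key mode: FAILED'; exit 1; }
  echo 'public-key mode: ok'
  [ "$(symmetric_roundtrip "$msg" 'correct horse' 'correct horse')" = "$msg" ] \
    || { echo 'shared-secret mode: FAILED'; exit 1; }
  echo 'shared-secret mode: ok'
  # The whole security of mode 2 is the passphrase: whoever holds it reads the
  # message, anyone without it gets a "bad session key" failure from gpg.
  if symmetric_roundtrip "$msg" 'correct horse' 'wrong guess' >/dev/null 2>&1; then
    echo 'unexpected: wrong passphrase decrypted'; exit 1
  fi
  echo 'wrong passphrase: rejected'
}
main "$@"
```

The same two gpg invocations are what a desktop client such as Thunderbird or Evolution issues behind the scenes; the web services only add the link-and-password delivery for recipients without keys.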
With PrivateBin, the key is in the URL that you ... give to the recipient.
I would not use it for stuff which "must stay secret"; but then, email may not be the right thing to do anyway. Web-based anonymizing or encrypting services are much less than a workaround. They are bad remedies for a bad conscience and replace knowledge and comprehension, which you either seek or have to condone.
Personally, I use these services (PrivateBin only) to communicate to people whose mail-service I avoid contacting. Privacy is not really the issue.
Startmail is pretty solid and seems reliable and there are good advanced options.
I've been testing protonmail (free account) recently and it seems good too.
Looking into the topic a bit recently, there seem to be about 2-4 commonly mentioned alternatives as well that I don't personally know:
tutanota
mailbox.org