Encrypt your incoming mails!

Do you get private mail to your email address at work? Or do you access your private email account with the computer at work? Would it bother you if your employer read your private mail? Do you sometimes recieve mail with sensitive data, that you don't want anybode else to read, even if they got access to the computer where you read email?

Even if the sender of your mail does not encrypt it with your public encryption key, it still makes sense for you to encrypt it before it touches your harddisk (or even your main email provider, if you use have email accounts on different servers).

By using the following procmail recipe incoming emails are encrypted before they even touch the harddisk (and if used to forward mail, the mail never touch the harddisk).

While this is great for private mail, it's normally unnecessary for list mail, so the first condition in .procmailrc below forwards list mail unencrypted. Headers and in particular the subject-line is unencrypted, so the contents of list mail can be read from the archives by an attacker. Thus, unless you are on very private lists, encryption does not add privacy here.

For a guide on how to encrypt old mail that were incoming before you implemented this mechanism, see Encrypt unencrypted local mail

##### .procmailrc #########
SENDMAIL=/usr/sbin/exim
SENDTO=my.email@gmail.com

:0
* List-Id
! $SENDTO

:0
| encrypt.sh - | $SENDMAIL -oi $SENDTO
##### end of .procmailrc #######
##### bin/encrypt.sh #######
#!/bin/bash

boundary="cWoXeonUoKmBZSoM"

MESSAGE=$(cat /dev/stdin)
headers=`echo -n "$MESSAGE" | formail -X ""`
ctype=`echo -n "$headers" | formail -X "Content-Type"`
cdisp=`echo -n "$headers" | formail -X "Content-Disposition"`
cencoding=`echo -n "$headers" | formail -X "Content-Transfer-Encoding"`

# IF message is already encrypted then don't change it
if echo $ctype | grep -q encrypt ; then
    echo "$MESSAGE";
    exit;
fi

if [[ -n $ctype ]] ; then
    oldcontentheaders=$ctype;
fi
if [[ -n $cdisp ]] ; then
    oldcontentheaders="$oldcontentheaders
$cdisp";
fi
if [[ -n $cencoding ]] ; then
    oldcontentheaders="$oldcontentheaders
$cencoding";
fi

body=`echo -n "$MESSAGE" | formail -I ""`

newheaders=`echo -n "$headers" | formail -I "Content-Transfer-Encoding:" -I "Content-Type: multipart/encrypted; protocol=\"application/pgp-encrypted\";
        boundary=\"$boundary\"" -I "Content-Disposition: inline"`

echo "$newheaders"

# fill in the new boundary stuff here

echo "

--$boundary
Content-Type: application/pgp-encrypted
Content-Disposition: attachment

Version: 1

--$boundary
Content-Type: application/octet-stream
Content-Disposition: inline; filename=\"msg.asc\"\

"

# Here comes the encrypted part

# Todo: add the old content-type headers here

echo -e "$oldcontentheaders\n$body" | gpg --encrypt --default-recipient my.email@gmail.com --armor

echo -ne "\n"

# And here comes the final boundary
echo "--$boundary--"


##### end of bin/encrypt.sh #######

Now, even if your employer might read the mail files on the harddisk of your workstation, the employer will not be able to understand the contents of the mail since the files will be encrypted.

And have you ever hesitated to give gmail the possibility to read your mail? Give gmail the encrypted mails for backup purpose!

DISCLAIMER: Information on the sender and receiver address is not encrypted, only the body of mail (and the attachments, if any). So don't use the subject-line for sensitive data!

comments powered by Disqus


Back to the index

Blog roll

R-bloggers, Debian Weekly
Valid XHTML 1.0 Strict [Valid RSS] Valid CSS! Emacs Muse Last modified: 2008-07-10