Encrypted Emails In Secure-K

Security and protection of your privacy are the main drivers behind Secure-K OS. Everything is designed to allow users to interact with the digital world in complete safety and tranquillity, without having to learn complex and lengthy procedures or be a security expert.

E-mail is today one of the main tools for interaction between users, so it is very likely that personal communications containing sensitive and very important information travel over the Internet in clear text, without any protection (encryption). This is common because, unfortunately, the tools to encrypt emails are complex and difficult to install and configure, which usually discourages users as early as their first research on the web to gather information.

In Secure-K OS, we have simplified the adoption of this fundamental protection instrument, encryption, making it easy to configure and especially usable by any user!

Once the configuration process and your keys have been encrypted, you can communicate freely and without additional complications through the pre-installed email client available in Secure-K!

Before beginning, however, we will explain in a simple way the email encryption mechanism based on public and private keys.

In a public-key cryptosystem, anyone can encrypt a message using the recipients’ public key and the message can only be decrypted by the recipients with the use of their own private key [1].

../_images/privatekey.png

More information: https://en.wikipedia.org/wiki/Public-key_cryptography

First Configuration Procedure

Online Accounts

In order to set up a Gmail account quickly and thoroughly, we suggest using the Online Account application on the Settings panel (instead of using the Secure-Mail client directly). Doing so automatically configures mail, contacts, calendar, etc., which will be immediately available in Secure-Mail.

../_images/onlineaccount.png ../_images/onlineaccount2.png

Secure-Mail

The email client pre-installed in Secure-K OS is called Secure-Mail, which is a modified Evolution client, and must be configured with your own e-mail account parameters.

Click the lock icon, located in the bottom panel in the lower left corner of your desktop, to launch the Secure-Zone that gives us access to Secure-Mail.

../_images/securezone1.png

You can now configure your email account as you normally do.

Note that all the major e-mail providers require you to enter only your email address to automatically complete the configuration of the client program.

In case of problems, please read the specifications of your vendor for more information and details.

Once this step is successfully completed, proceed with the creation of your pair of asymmetric encryption keys associated with your e-mail address.

Key Manager, encrypted email setup wizard

Click the lock icon again to launch the Secure-Zone and then the bigger lock icon to the right of Secure-Mail to open the Key Manager interface.

The Key Manager program will open.

The image below is an overview of its menus, which will be referred to in this guide often:

../_images/keymanager.png

Key pair generation

../_images/keygeneration.png

Generate your key pair: a private key, which must be kept secret, and a public key, which will be automatically sent to Mon-K’s key server in order to be shared with the Secure-K community of users.

When you type in your name and email address and press the OK button to confirm, the program will generate your PGP key pair (together with a revocation certificate) and save the related files in your local keychain. The following screen shows the successful completion of the procedure:

../_images/keysuccess.png

As stated before, the procedure will also send your public key to Mon-K’s key server.

Thus, you will receive an automatic verification email at your e-mail address to confirm (with the use of Secure-Mail) that the address belongs to you and to verify that the encryption mechanism is running.

../_images/mon-kkeyserver.png

You just have to click the “click here to verify your key” link.

If you are not new to email cryptography and you have previously generated your key pair on another system, you can import your public and private key pair into Secure-K operating system by using the Key Manager as well; the topic will be covered later in this guide.

Saving the key pair and the revocation certificate

You can now launch the Key Manager again and click Action -> Manage local keys.

By clicking on List, you see all the keys available in the local keyring; for now, of course, you only see your own key’s entry.

The asterisk indicates that a row refers to your key pair, i.e. both the private and the public key.

All rows without an asterisk indicate imported public keys of other users.

You can select your key, i.e. click on the corresponding row, then click Save in order to save your pair of keys in a safe place, for example on an inserted USB device that you then keep in a safe.

../_images/localkey.png

After choosing the location where the compressed archive will be saved, click Select at the top right of the window that opens.

Congratulations, you are ready to send and receive encrypted emails easily and quickly with all the users of the Community of Secure-K!

Sending encrypted emails

Send emails within the Secure-K community

You can now send an encrypted email with Secure-Mail to another Secure-K user easily: launch the Secure-Mail client and create a new e-mail message; then go to the Options menu and click PGP Encrypt; remember to check the box every time.

../_images/pgpencrypt.png

Write a message and press Send.

../_images/encryptmassage.png

If the recipients of your e-mail have completed the initial setup on their Secure-K, they will receive your encrypted email and their Secure-Mail client will transparently decrypt it to a clear-text message.

Anyone else - for example a cracker (during a “network data sniffing”-based attack) and your email provider’s servers as well - can only treat the email as an unintelligible and useless stream of characters:

../_images/encryptmassage2.png

Finally, as a result of sending the email to the Secure-K user, the system will import the recipients’ public key, which is safely stored in Mon-K’s key server and validated by it, into your local keychain:

../_images/localkeychain.png

For a definitive level of security, in order to be sure that the key really belongs to the recipients, you should ask them to recognize the (short) fingerprint shown, via a secure phone call, chat or in person.

If the recipients of your e-mail have not yet set up the email encryption process on their Secure-K, you will receive the following error message:

../_images/errormassage.png

Sending emails outside the Secure-K community

The same error message appears if you try to send an encrypted email to recipients who do not belong to the Secure-K community of users.

In this case, additional setup is needed; the topic will be covered in this guide later.

Import previously generated keys

In case of theft [2] or loss of your Secure-K, or if you have already generated the key pair on other systems, you can use the previously saved key pair file(s) to import the encryption mechanism on a new Secure-K.

Let’s see how to import your previously saved keys: click Action and then Import existing keys… -> From disk in the dropdown menu of the Key Manager.

../_images/importkey.png

Previously generated keys on a Secure-K system

Type in your e-mail address and click on the From bundle file line to select the previously saved tar.gz archive file; you have to choose the file named like your e-mail address and ending in .tar.gz, as pictured in the image above.

The name of the file is the name of your mail account, but with the .tar.gz extension.

Then set the Sync to keyserver switch to OFF, as in the image above, to not upload your public key to Mon-K’s key server again, because it is already there.

Finally, press OK to confirm the key operation.

Previously generated keys on other systems

Type in your e-mail address and click on the From single files line to select the previously saved files; both private and public keys are usually saved as two single files by the other systems.

Then set the Sync to keyserver switch to ON to upload your public key to Mon-K’s key server. Note that, from now on, your public key is stored both on the public PGP key servers and on Mon-K’s key server, which does not synchronize with the other key servers by design.

Finally, press OK to confirm the operation.

../_images/synctokeyserver.png

All required notions to send and receive encrypted emails easily and quickly with all the users of the Community of Secure-K have been covered.

“Advanced” notions will now follow.

Removal of your private and public keys

If you decide to remove your key pair from both your Secure-K operating system and Mon-K’s key server, proceed as follows.

Launch the Key Manager, click Action -> List, select your key pair line and click the Delete button, then OK. As soon as you click OK to confirm, your key pair in your Secure-K is erased. From this moment, your Secure-Mail client can only receive clear-text emails.

../_images/deletekeys.png

The following screen shows the successful completion of the procedure.

../_images/processsuccess.png

Mon-K’s key server will then send a confirmation email to confirm the requested action.

../_images/confirmation.png

You just need to click on the link with your Secure-Mail client in order to confirm the removal of your public key from Mon-K’s key server, too.

Import public keys from foreign key servers

In order to send an encrypted email to recipients who do not belong to the Secure-K community of users, you need to know their public key. Usually the key can be retrieved from one of the public PGP key servers available on the Internet (for example hkps://pgp.mit.edu).

The Key Manager program is able to import PGP keys from all the foreign key servers in an easy and straightforward way as well.

Launch the Key Manager as usual, click Action and finally on Import existing keys… -> From foreign keyservers.

Now type in the email address of the recipients to whom you need to send encrypted emails, then click Search. This will fetch and show all the keys related to that email address. Selecting the right row, you can click Import to import their public key in the local keyring:

../_images/foreignpgpkey.png

Unlike Mon-K’s key server, public key servers do not rely on email verification to check if a key is actually associated with the email: anyone can send keys to a public key server without verification.

So, before importing, you must make sure that the key really belongs to the recipients. Only the recipients can recognize the fingerprint as their own, so you need to arrange a phone call, a (secure) chat or a meeting with them.

The key will be imported into the Secure-K keyring, so that you can send encrypted emails.

../_images/keyring.png
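The fingerprint check recommended above, and earlier for keys fetched from Mon-K’s key server, shown as an added example (it is not part of Secure-K or its Key Manager). It computes an OpenPGP version 4 fingerprint as defined in RFC 4880 and accepts a fingerprint dictated by the recipient only when all 40 hex digits match. The function names and both sample keys are constructed for illustration, and the key being version 4 is an assumption.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then the bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 sec. 12.2: SHA-1 over 0x99, 2-byte body length, key packet body."""
    if not key_body or key_body[0] != 4:
        raise ValueError("not a version 4 public-key packet body")
    data = b"\x99" + struct.pack(">H", len(key_body)) + key_body
    return hashlib.sha1(data).hexdigest().upper()

def normalize(spoken: str) -> str:
    """Drop spaces, colons and an optional 0x prefix from a dictated fingerprint."""
    s = "".join(spoken.split()).replace(":", "").upper()
    return s[2:] if s.startswith("0X") else s

def grouped(fp: str) -> str:
    """Format a fingerprint in groups of four, as it is usually read aloud."""
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))

def fingerprint_matches(key_body: bytes, spoken: str) -> bool:
    """Accept only a full 40-hex-digit match; a key ID or partial value is refused."""
    claimed = normalize(spoken)
    return len(claimed) == 40 and claimed == v4_fingerprint(key_body)

# Constructed sample: version 4, creation time, algorithm 1 (RSA), then the
# modulus and exponent as MPIs. Placeholder numbers, not a usable key.
SAMPLE_KEY = (bytes([4]) + struct.pack(">I", 1500000000) + bytes([1])
              + mpi((1 << 2047) + 12345) + mpi(65537))
# Second constructed key, differing only in creation time: it stands in for a
# different key uploaded to a public key server under the same e-mail address.
OTHER_KEY = (bytes([4]) + struct.pack(">I", 1500000001) + bytes([1])
             + mpi((1 << 2047) + 12345) + mpi(65537))

if __name__ == "__main__":
    fp = v4_fingerprint(SAMPLE_KEY)
    print("fingerprint :", grouped(fp))
    print("key ID      :", fp[-16:])  # low 64 bits of the fingerprint
    print("full match  :", fingerprint_matches(SAMPLE_KEY, grouped(fp).lower()))
    print("key ID only :", fingerprint_matches(SAMPLE_KEY, fp[-16:]))
    print("other key   :", fingerprint_matches(OTHER_KEY, grouped(fp)))
```

The last two checks return False: a key ID alone is not accepted as proof, and a different key published under the same address does not pass.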

Refresh local keys

Over time, public keys can change their state, for example they can be revoked.

Secure-K OS will automatically refresh all the keys managed by its key server, every time the Secure-Mail client is launched, but this is not true for all the other public keys; you need to use the Refresh all feature for this purpose, as pictured in the image below:

../_images/refreshkey.png

Email signature

In a public key encryption system, anyone can encrypt a message using the public PGP key of the receiver; such a message can be decrypted only with the receiver’s private key. We all know this already.

However, in a public key signature system, you can also combine a message with a short digital signature of your message made using your own private key. Anyone knowing the corresponding public key can verify whether the signature is valid, made by the owner of the corresponding private key.

Changing the message, even adding or replacing a single letter, will cause verification to fail. Thus, the authenticity of a message can be demonstrated by the signature, given the trust upon the sender’s public key.

One can sign a message by checking the PGP Sign flag in the Secure-Mail client; the following image shows the case in which a friend of yours sends you an encrypted and signed email.

../_images/pgpsign.png

If you know and trust the sender’s public key, you will be able to read the email and to verify its validity:

../_images/validity.png

Otherwise, Secure-Mail will warn you that you do not yet trust the sender:

../_images/validity2.png

So, let’s see how to sign (trust) a public key with the use of the Key Manager.

Launch the Key Manager, click on Action -> List, select the line where the key you want to trust is listed and click on the Sign button, then finally on OK.

Always make sure that you sign only keys that really belong to the people you know.

../_images/signkeys.png ../_images/signkeys2.png
[1] For this to work, it must be computationally easy for a user to generate a public and private key-pair to be used for encryption and decryption. The strength of a private/public key cryptography system relies on the degree of difficulty (computational impracticality) for a properly generated private key to be determined from its corresponding public key. Security then depends only on keeping the private key private; the public key may be published without compromising security.
[2] Please note that in the case of theft of your key, no one can access your data, thanks to the double encryption (hardware and software) of the whole system.