Thursday, May 22, 2014

Securing my digital life

In light of the overreaching surveillance by the NSA I've decided to encrypt most of my important data from snooping. I'm not incredibly paranoid and a bit lazy so I did what I would call the best bang for your buck encryption.

Encrypted Email

I'm going to have to break this out into two sections because there are still many people using insecure connections to their email server. In addition to securing the connection to your mail server, you should also consider encrypting the email messages themselves to prevent the NSA and Google from reading your mail.

Encrypting The Email

As of this writing, I know of no webmail (email through your browser) that works with S/MIME certs. There are plugins available for Chrome with Gmail, but they only support PGP, which is not as widely supported as S/MIME for email encryption.

I must warn you that most email clients do not provide seamless encryption out of the box. Thunderbird and Outlook support encryption but you must enable it for each email you send. Fortunately there are 3rd party plugins available for automating this. On Android I had to install a 3rd party app that opens the email from my regular email client (Gmail).

Here are the steps to encrypting email:
  1. Create an account with StartSSL Web-of-Trust
  2. Generate an S/MIME certificate
    1. You can trust that the private key stays private because your browser generates it, not StartSSL. They only sign the public portion of the certificate.
  3. Export your certificate and the StartSSL certificate authority (CA) from your browser using a password.
    1. Internet Explorer or Chrome on Windows
      1. Both of these browsers store the certificate in the Windows certificate manager.
      2. Use Windows Key + R to open the Run dialog.
      3. Copy and paste certmgr.msc into it and press Enter or click OK
      4. Navigate to Personal -> Certificates in the tree view on the left
      5. Right-Click on the one(s) issued by StartCom
      6. Choose All Tasks -> Export...
      7. Next
      8. Yes, Export private key
      9. Next
      10. Include all certificates in the certification path if possible
      11. Next
      12. Enter a strong password which you'll only need to use once more
      13. Next
      14. Keep going, I think you got this now
    2. Firefox
      1. Menu -> Options
      2. Advanced tab
      3. Certificates sub-tab
      4. View certificates
      5. Your Certificate
        1. Select your StartCom certificate(s)
        2. Choose Backup.. from the buttons at the bottom
        3. It will ask you for a password after choosing the filename. Use a strong password that you only need to use one more time
      6. StartCom certificate authority (used to validate their signature)
        1. Authorities tab
        2. Select "StartCom Class 1 Primary Intermediate Client CA"
        3. Choose Export... from the buttons at the bottom
        4. Store it with your cert
  4. Import both your cert and the CA into your email client (Thunderbird in my case). Note that you need a different personal cert for each email address you use.
    1. Tools -> Account Settings
    2. Select Security under the account that you created a cert for
    3. Click "View Certificates" at the bottom
    4. Click "Import..."
    5. Select all of the personal certs you exported in the previous steps
    6. Open the "Authorities" tab
    7. Click "Import..."
    8. Select the StartCom cert you exported in the previous steps
    9. Click OK
    10. Under "Digital Signing" click "Select..."
    11. Select the personal cert that applies to the current account
    12. A dialogue will ask you if you also want to use the cert for encryption. Accept the offer.
    13. Make sure "Digitally sign messages" is checked and "do not use encryption" is also checked. The second one is counterintuitive but required by the plugin we're about to install.
    14. Click OK
    15. The rest of these steps in this section only need to be done once
    16. Click Tools -> Add-ons
    17. Search for "Encrypt if possible"
    18. Install it
  5. Exchange public certificates with whoever you want to privately correspond with. You need their public certificate to encrypt emails you send to them, but don't worry: only their private key can decrypt the message.
    1. Easiest way to do this is to send each other an email after setting up encryption. Every email you send will include your public certificate.
      1. Keep in mind that someone could intercept your emails and replace your certificate with their fake one, but this only works if they do it for all the emails, including the first one, because the recipient's email client will detect a change in the cert from the one it stored and warn them.
    2. If you're worried that someone might intercept the initial exchange of certificates then I suggest posting them to a secure file server or putting them on physical media.
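The certificate-change warning described in step 5 amounts to trust-on-first-use pinning. The following is an added example, not code from the original post or from any mail client: `PinStore`, the address, and the byte strings standing in for certificates are all constructed for illustration. It shows that a swap after the first exchange is flagged, while a swap from the first message onward is only caught by comparing fingerprints over a separate channel.

```python
import hashlib
import hmac

# Constructed byte strings standing in for DER-encoded certificates (not real certs).
GENUINE_CERT = b"constructed stand-in: correspondent's real certificate"
FORGED_CERT = b"constructed stand-in: interceptor's substitute certificate"

def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate bytes, as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Drop separators and case so a retyped or read-aloud fingerprint compares."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")

class PinStore:
    """Hypothetical trust-on-first-use store: one pinned fingerprint per sender."""

    def __init__(self):
        self._pins = {}

    def observe(self, sender: str, der: bytes) -> str:
        """Return 'pinned' on first sight, then 'match' or 'CHANGED'."""
        key, seen = sender.strip().lower(), fingerprint(der)
        if key not in self._pins:
            self._pins[key] = seen
            return "pinned"
        return "match" if hmac.compare_digest(self._pins[key], seen) else "CHANGED"

    def verify_out_of_band(self, sender: str, trusted_fp: str) -> bool:
        """Check the pin against a fingerprint obtained over a separate channel."""
        pinned = self._pins.get(sender.strip().lower(), "")
        return hmac.compare_digest(normalize(pinned), normalize(trusted_fp))

def later_substitution():
    """Genuine cert pinned first; a later swap is flagged as CHANGED."""
    store = PinStore()
    certs = (GENUINE_CERT, GENUINE_CERT, FORGED_CERT)
    return [store.observe("alice@example.test", c) for c in certs]

def first_contact_substitution():
    """Swap from the very first message: pinning alone sees nothing wrong."""
    store = PinStore()
    events = [store.observe("alice@example.test", FORGED_CERT) for _ in range(2)]
    # Fingerprint the real owner supplies on physical media or in person.
    trusted = fingerprint(GENUINE_CERT).lower()
    return events, store.verify_out_of_band("alice@example.test", trusted)
```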

Encrypting The Connection

I'll fill this in later but basically you need to make sure that you're using SSL or TLS for both your outgoing and incoming mail servers. If you're using Thunderbird it will likely fill everything in correctly for your email server after you choose SSL/TLS. I don't think other email clients have this feature so you'll have to use Google or Bing to find the SSL/TLS settings for your particular email server.

Cloud Backup Encryption

Most cloud backup services do not encrypt the data on their servers. They only restrict access and encrypt it while it's being uploaded to or downloaded from those servers. Most of the ones that actually encrypt your data on their servers do it with a stored key or use a master key encryption algorithm, which means they, and an adept hacker, can still access your data.

I wanted true end-to-end encryption and off-shore storage so I ended up using Wuala, one of very few services that offers this. For a comparison of services available, check out this handy Wikipedia article:


This service has a huge advantage over other services in that it's not a US or UK company and the servers hosting your data aren't in the US or UK. This means that the NSA/GCHQ cannot coerce them into providing access to your data, at least not legally. To top it off they also randomly distribute your encrypted data on multiple servers dispersed throughout Europe so even if someone gained access to one server and somehow decrypted your data stored on that server, they'd have mostly gibberish.

They offer some space for free so if you're selective with what you backup the service is completely free.

Encrypted Notes in The Cloud

The only service I found that offers reasonably secure encryption and note syncing between devices is OneNote from MS. I know, I was shocked too. Not only is it a really good note taking tool but it's also the most secure. Unfortunately it's not free and at least the Android client doesn't support encrypted notebooks so they appear inaccessible on my phone.

The Evernote team thinks they provide encryption but it's a hack at best. You can highlight sections of text and choose to encrypt them using a worthless level of encryption. It might stop your kids from reading your notes... maybe.

Full Disk Encryption

Anyone with a laptop must do this or subscribe to a remote wipe and theft recovery service like LoJack. Your data is extremely valuable in the right hands but fortunately most laptop thieves aren't smart enough to steal your identity with your laptop... yet.

For encrypting your HDD (Hard Disk Drive), I recommend using the open source and highly secure TrueCrypt software. If you have installed multiple operating systems on your computer then please read TrueCrypt's limitations in a multi-boot environment.
