Operational Security & Privacy: Email

In this article we show Average Joe how to communicate with unbreakable encryption and almost absolute privacy.

Private Email Communication

This isn’t targeted at professionals - if you call yourself a security pro, go and set up your own PGP in a MUA - just kidding, you can of course use this info like everyone else. You’ll find similar guides on pretty much any web host’s info pages, like IONOS, AWS, DigitalOcean, …

We’re addressing some questions here that might seem strange, but people have asked us these things quite a few times.

Send PGP encrypted email for non-techies

https://proton.me/support/how-to-use-pgp

Proton is by far the easiest privacy-enabled mail hoster. All free accounts can send and receive PGP-encrypted or signed emails. You only need to enable one single setting in the Proton webmail interface to attach your public key to sent emails.

You don’t need to know anything about how this works, except: Just do it - Proton has it set up correctly.

How to send encrypted?

One party (you, or the email recipient, me) needs the public key of the other party. This can be done in any of these ways:

  • send first an unencrypted email with your public key attached (easy)
  • receive first an unencrypted email with the sender’s public key attached (easy)
  • search for the recipient’s address in an online PGP key database and import it in the Proton web interface (medium)
  • acquire the public key of your mail partner in another way (see below) and import it in the Proton web interface (medium)

For example, on our Identity page you can download our PGP Public Key, or by clicking here

To import our Public Key in Proton Mail you need to:

  • create a contact (little icon in the top right corner)
  • enter our email address contact@network-sec.de and save the contact
  • in the list of contacts, click on the newly created contact (me)
  • in the following popup window, click on the gear icon
  • in the following popup, click on the link / dropdown “show advanced PGP settings”
  • in the following popup, click on Public Key / Upload
  • click save

You now can directly send us a PGP encrypted email. This also end-to-end encrypts the subject.

Does using E2E Encryption make you look guilty?

No, why would it? Encryption is used every day, around the world, by millions of people and by Fortune 500 companies and their employees, on a regular basis.

  • Using PGP encryption makes you look as guilty as browsing to a TLS-secured website (which is any website these days)
  • In many higher-security areas, like banking / finance, using end-to-end encryption has become mandatory by legal regulation
  • All of today’s popular messengers, like WhatsApp or Signal, use end-to-end encryption

Do I get a virus when I do this?

No. Of course not.

None of the steps shown here, or on any other page of our website, will give you a virus. If we distributed viruses from our website, even in the form of code, we’d quickly end up with a lot of legal problems, very likely lose our entire security careers instantly, and our website wouldn’t remain online.

Google would also probably flag our website, and even your browser or your antivirus software would warn you (some have website checks integrated).

Can we do it more securely?

Sure. You can easily use:

AES encryption (easy)

  • ChatGPT can generate PowerShell code for encryption and decryption
  • VeraCrypt can create an encrypted container through a GUI
  • You can use 7-Zip with password protection

Then:

  • send the encrypted message in an email or via Teams
  • send the password for decryption over another channel, e.g. on a USB stick by post, or over the phone

Can’t [insert paranoia] crack that?

If you use a long, random password, like 15 random characters: no. Not in a million years, not with quantum computers; absolutely nobody else can decipher that.

What can happen are side-channel attacks - somebody could listen in on your conversation when you hand over the password - but in reality, that rarely ever happens.

OpenSSL (hard)

Just google, or ask an AI, how to use openssl on the command line to generate a public / private key pair and then use your public key to encrypt a message. Send us the encrypted message. Send us the key on another channel.

   $ openssl genpkey -algorithm RSA -out private_key.pem
   $ openssl rsa -pubout -in private_key.pem -out public_key.pem
   # Save your message to message.txt in the same directory
   # Note: RSA encrypts only one short block, so message.txt must be smaller than the key
   # (about 245 bytes with the default 2048-bit key). On OpenSSL 3, rsautl is deprecated;
   # "openssl pkeyutl" accepts the same options.
   $ openssl rsautl -encrypt -pubin -inkey public_key.pem -in message.txt -out encrypted_msg.txt

Then:

  • send encrypted_msg.txt in an email or via Teams
  • send private_key.pem on another channel, e.g. on a USB stick by post

The receiver can then decrypt it using the private key:

   $ openssl rsautl -decrypt -inkey private_key.pem -in encrypted_msg.txt -out message.txt

Note: Usually you would not send your private key to someone else. This is a scenario for a one-time application; if you discard your private key afterwards, it’s not a problem.

Normally, as with PGP, you would exchange public keys with a communication partner, then use your partner’s public key to encrypt; your partner can then decrypt with their own private key.
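
Putting the AES section and the OpenSSL section together, here is an added example (not from the original post) of how PGP-style tools combine the two: the message is encrypted with AES-256 under a random session key, and only that small key is RSA-encrypted, so there is no message size limit. It assumes openssl 1.1.1 or later on PATH; all file names and the sample message are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: hybrid encryption with the
# OpenSSL CLI. AES-256 handles the bulk message (any size); RSA-OAEP wraps
# only the 32-byte session key, which also avoids rsautl's one-block limit.
# Assumes openssl >= 1.1.1 on PATH; file names below are made up.
set -eu

hybrid_roundtrip() {
    work=$(mktemp -d)
    # Constructed sample message, deliberately longer than one RSA block.
    awk 'BEGIN { for (i = 1; i <= 40; i++) print "line " i ": sample text, not secret" }' > "$work/message.txt"

    # 1. Recipient's key pair (only the public half is ever shared).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/private_key.pem" 2>/dev/null
    openssl rsa -pubout -in "$work/private_key.pem" -out "$work/public_key.pem" 2>/dev/null

    # 2. Sender: random 256-bit session key, hex-encoded so the file is plain ASCII.
    openssl rand -hex 32 > "$work/session.key"

    # 3. Sender: AES-256-CBC (key derived with PBKDF2) for the message...
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass file:"$work/session.key" \
        -in "$work/message.txt" -out "$work/message.enc"
    # ...and RSA-OAEP for the session key (pkeyutl replaces the deprecated rsautl).
    openssl pkeyutl -encrypt -pubin -inkey "$work/public_key.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/session.key" -out "$work/session.key.enc"

    # 4. Recipient: unwrap the session key with the private key, then the message.
    openssl pkeyutl -decrypt -inkey "$work/private_key.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/session.key.enc" -out "$work/session.key.dec"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:"$work/session.key.dec" \
        -in "$work/message.enc" -out "$work/message.dec"

    # 5. Check: the decrypted text must match the original byte for byte.
    if cmp -s "$work/message.txt" "$work/message.dec"; then
        result=0
    else
        result=1
    fi
    rm -rf "$work"
    return $result
}
```

Both message.enc and session.key.enc can travel by email; only private_key.pem (and nothing else) stays with the recipient.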

TLS and S/MIME

By the way, our email server is usually set up correctly, so you can send us a transport-encrypted email without using PGP or S/MIME. We wouldn’t rely on it alone when sending the Queen’s Crown Jewels, but for everyday communication it’s good enough. We tend to delete sensitive emails from our server after reading them.

We support S/MIME and PGP - two methods of end-to-end encryption - on our mail server.