Re: [OT] E-mail security

Here's how I'd do it:

create GPG key with client and show them how to use it with a co-operative email client - say Thunderbird and Enigmail
make them back the private key up onto a floppy or other external medium, and keep it somewhere safe.
when parsing a form, encrypt using the client's public key.
store a copy (encrypted!) on the server and email them a copy.
depending on client, either automatically delete those stored on server after a certain time (one week?), write a web interface to them, or instruct them on how to download them through FTP. This is just a double check for them so that they can check they received all emails mailed to them
If the client has no objections, also keep copies encrypted with your public key - back in the days when I was doing this ('99), I had a few clients who either lost their private key(?) or would buy a new computer and 'forget' to retrieve their key from their old machine. And even if they have backed up their key - well, let's just say you shouldn't be surprised :)

Some new modules look promising - eg Mail::GPG but I have no experience of it.

However you do it, you'll probably get warnings about "using shared memory". A bit hard to do much about though if it's not your box. That's about as safe as you'll get on a shared box IMHO ;-)

cLive ;-)

Comment on Re: [OT] E-mail security

Replies are listed 'Best First'.
Re^2: [OT] E-mail security by mkenney (Beadle) on Aug 16, 2004 at 03:36 UTC
I think that this is an excellent suggestion. The only problem is that generally the people getting the e-mail have no computer knowledge. I deal with HIPAA every day and have found out how scary their lack of the computer side has been. I transmit the new X12-834 standard file out to over 20+ customers, they all require that it be slightly different, nice standard :-) The log-in to each company's website type interface is currently one of the most used, but a real pain since they all use different methods and it takes time. PGP and PGP self-decrypting archives have been the best choice for me. Check into it, it will cover your a$$ if they decide to come for you. It also lets you back away from training every customer to some point. It should be integrated into every mail application and should just be the standard as far as I'm concerned, but others here do know a lot more then me on the subject (I'm not being flip, they really do). I PGP everything that might even look like Protected Information... Good luck, Politicians and computers, SCARRY...	[reply]
Re^3: [OT] E-mail security by hbo (Monk) on Aug 16, 2004 at 05:52 UTC
Good luck, Politicians and computers, SCARRY... Ah, HIPPA. Well, that's a case of having far too detailed requirements! 8) But it does answer the question of how sensitive the data is. I'd have to agree that end-to-end encryption, as one component in an overall security architecture, is probably called for in this case. `"Even if you are on the right track, you'll get run over if you just sit there." - Will Rogers`	[reply]
Re^3: [OT] E-mail security by bradcathey (Prior) on Aug 16, 2004 at 12:17 UTC
Thanks mkenney, nice to see someone dealing with HIPAA. Questions: are your customers receiving encrypted e-mails? And if so, are you encrypting them with PGP and then sending? Or are you sending encrypted attachments? If you wouldn't mind a bit more detail, I'd appreciate it. —Brad "Don't ever take a fence down until you know the reason it was put up." G. K. Chesterton	[reply] [d/l]
Re^4: [OT] E-mail security by mkenney (Beadle) on Sep 10, 2004 at 02:56 UTC
They are not receiving the e-mail encrypted but encrypted files. It is an uphill battle to get them to just get set-up with PGP from start to finish. The encryption technology is now out there. We need a standard that everyone can use. In my opinion EVERYTHING should be encrypted without user interface...	[reply]
Re^3: [OT] E-mail security by nimdokk (Vicar) on Aug 16, 2004 at 12:55 UTC
It should be integrated into every mail application and should just be the standard as far as I'm concerned, but others here do know a lot more then me on the subject (I'm not being flip, they really do). I PGP everything that might even look like Protected Information... I agree with you there. I deal with HIPAA every day, not with email, but with electronic data transfers, primarily the mechanism, not file layouts (thats for someone else with more patience for such things than myself :). One of the tools we use is a product called SilverKey (its not perfect but its pretty decent). It creates a 448-bit encrypted exe that can be extracted with a password (like a self-extracting Zip file). We encrypt just about everything, regardless of whether it is PHI or not, and try to get our customers/vendors to do the same for incoming data. Our security folks just implemented secure email using Zixmail (don't know anything about it) that checks the content of the message and will encrypt if necessary. HIPAA can be a nightmare somedays, but I personally think some of it is a good thing, and about time too :-)	[reply]
Re^4: [OT] E-mail security by mkenney (Beadle) on Sep 10, 2004 at 02:52 UTC
PGP has the self de-crypting archive idea. Whe you get to the password level, the rest is just fluff from what I understand. The password becomes the weak point. Make them long and random...	[reply]
Re^2: [OT] E-mail security by bradcathey (Prior) on Aug 16, 2004 at 02:57 UTC
Good summation and advice, cLive ;-). No matter what I do, it will take so doing by both me and the client. I will look at the modules mentioned here and by responders. —Brad "Don't ever take a fence down until you know the reason it was put up." G. K. Chesterton	[reply]