Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

 

How safe is your email?

Each day over 200 billion emails are sent – some contain highly sensitive information and the vast majority is unencrypted with just a little more protection than a postcard in the mail. So how do you improve privacy of your email?

Read post

Each day over 200 billion emails are sent – more than 2 million per second. By the time it has taken you to read this blog post so far, 15 million emails have been sent. That is a staggering number of emails, some of which contain highly sensitive information, and the vast majority is unencrypted with just a little more protection than a postcard in the mail.

In the modern age, privacy is a concern for all of us. And at SilverStripe, privacy is of particular concern for many of our clients. It is an important consideration for us when designing and building websites, especially components that gather personal information.

When handling personal information, we need to be certain that the data has not been tampered with or viewed by other parties. This duty of care often extends to email systems when requirements call for user submitted data to be sent via email to the business for further processing.

GPG Email Encryption

GPG (GNU Privacy Guard) is an open source suite of encryption tools based on the OpenPGP standards. GPG provides a variety of encryption methods (including public key cryptography) which can be used to secure data such as files and emails.

Using public key cryptography to sign and encrypt email data is an excellent method to secure those communications. Once the necessary keys are generated and swapped between sender and recipient, the process is very straightforward and reliable.

The real strength of this approach is that both parties can consistently rely on the integrity of the email contents and attachments, regardless of how and where the email was transmitted.

We found this method and the GPG toolset so useful that we put together a solution for encrypting emails in SilverStripe. With the help and support of the Office of the Privacy Commissioner of New Zealand, we open sourced this solution so that it is freely available for the community.

Encrypting email with GPG Mailer

The GPG mailer module is essentially just a single class that we can use to replace the Mailer class when sending emails from SilverStripe. It is very straightforward to use once all the necessary pieces are in place.

The first part of the puzzle is installing GPG and GPG Agent – this software provides the set of tools. Following this, you can start with a vanilla SilverStripe install and simply pull in the GPG mailer module with composer:

composer require opcnz/silverstripe-gpgmailer ~0.1

Next we need some keys for encrypting, decrypting and signing messages. Generating these keys is actually very easy with GUI tools like GPG Keychain. You generally want two pairs of keys for testing: one for the email sender and the other for the recipient – that way you can both encrypt and decrypt your test messages.

Once you have keys generated and SilverStripe configured to know the paths to your keyrings, you can make use of the new mailer:

// Create email with plain content
$email = new Email(
   '[email protected]',
   '[email protected]',
   $subject,
   $content
);
// Set up encryption mailer
$mailer = new GPGMailer(
   '[email protected]',
   '[email protected]',
   'senderPa55w0rd'
);
$email->set_mailer($mailer);
$result = $email->sendPlain();

That's all there is to it. For decrypting messages I found the Thunderbird Enigmail Add-On very handy.

I've skimmed over some of the details above. For more instructions, please see the module developer documentation. To quickly put together a simple test, please see this example gist.

Embrace email privacy

There are many efforts to improve the privacy of email communications currently underway, including increased awareness of using Transport Layer Security to encrypt email in transit.

Encrypting email contents is another important piece of the puzzle and retains security regardless of where the email may end up on its journey across the web.

Ensuring privacy is a collaborative effort and it's important that we all embrace it, especially in an industry where we are so often handling personal and sensitive information. Please consider email encryption for your next project and let us know how you get on in the comments below!

About the author
Frank Mullenger

Returning from a stint in the UK, Frank had an opportunity to use SilverStripe for his freelance work and hasn't looked back since.

Beginning as a PHP developer in Christchurch after completing his studies at Canterbury University, Frank has since had the opportunity to travel and work with a wide range of businesses and technologies.

Frank's interest in e-commerce led him to participate as a Google Summer of Code mentor for SilverStripe in 2012 overseeing redevelopment of the payment module, as well as creating SwipeStripe - an open source e-commerce module for SilverStripe.

Frank enjoys spending his spare time mountain biking, snowboarding, in the great outdoors or occasionally blogging about web development.

Post your comment

Comments

No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments

Like what you have read?

Sign up for our weekly blog digest sent to your inbox.

Subscribe