Article written by [code name] Tango-05

Email OPSEC – Go Portable!

This article is a follow-up to the “Communications Measures – Grid Up & Grid Down” article by JJS. In it, John Jacob encouraged us to start using encrypted email and suggested a few viable email solutions that support encryption. In a nutshell, all of your options for encrypted email boil down to either a cloud-based email service such as Protonmail, Unseen.is or Startmail, or a locally installed desktop email client such as Outlook or Thunderbird. Both types have their own advantages and disadvantages. There is no “best” solution, as everyone has different needs or requirements.

As for me, I have two requirements. The first is off-line access to all of my past sent and received email. I do not want to have to rely on a working Internet connection, especially during a potential crisis, to search for and access critical information buried in an email. My second requirement is complete local control over my email database. Companies come and go, and they are in business to make money. Can I fully trust any company to protect my data against the temptation to profit from it? Even if I can fully trust the company, can I fully trust every potentially nosey employee to refrain from snooping? For me, the answer is no. Another serious concern with cloud-based email services is government coercion. Email servers based in the US can be compelled by the US government, without a warrant, to hand over metadata. And what happened to The Pirate Bay shows that servers in other so-called free countries, not just email servers, are not immune to government interference either. Just because a government has a hands-off policy today does not mean it will tomorrow. Given my top requirements, I clearly ruled out all cloud-based email services.

So a locally installed desktop email client was the right choice for me, and I chose Thunderbird with the Enigmail plugin. But this choice came with one huge disadvantage: my email access and data were now tied to one machine, the one I installed it on. However, there is a “portable” solution that lets you keep local control over your email while also giving you the ability to access it, including sending and receiving, from any other Windows-based PC. By going portable, you get the best of both worlds.

PortableApps to the rescue

PortableApps is a free front-end menu application that you install on a flash (“thumb”) drive. It lets you carry your own virtual desktop of applications with you and use it on any Windows-based PC with an available USB port. Finally, it leaves no data residue behind on that PC when you eject your flash drive.

Before you proceed, you will obviously need a flash drive. Flash drives have come way down in price in recent years, so don’t skimp. Purchase a new drive, or use a wiped one, from a quality brand such as SanDisk or Kingston. While not necessary, buy a USB 3.0 flash drive for better performance on newer PCs with USB 3.0 ports (it will still work on older USB ports). It should also be 16GB at a minimum, preferably 32GB. Remember, it will hold your email database, and you will probably find the wide range of other portable apps very handy. Finally, I recommend a flash drive with a more rugged metal housing, or one of the smaller drives such as SanDisk’s “Ultra Fit”. These fit well inside a metal keychain pill fob or similar container for protection while on the go. If you have the cash, get a MIL-SPEC grade hardened flash drive with built-in hardware encryption such as Carbide or IronKey.

Once you have a good flash drive ready, head over to PortableApps.com, read through the introduction, and then download and install it on your flash drive. PortableApps itself and all of the listed apps are free. You’ll quickly discover many portable apps that you’ll find useful.

At this point, you can run the PortableApps menu (run Start.exe from your flash drive). You’re now ready to install the portable versions of Thunderbird and the GPG Plugin. They are available from the “Apps” menu in PortableApps, or via direct download for manual installation here:

http://portableapps.com/apps/internet/thunderbird_portable

http://portableapps.com/apps/security/gpg-plugin-portable

After installing the two apps above to your flash drive, run Thunderbird Portable and select “Tools > Add-Ons” from the menu. Select the “Extensions” tab. In the “Search all add-ons” bar, search for “Enigmail”. It should find the latest version of the Enigmail plug-in, currently 1.8.2. Install it.

All the components needed for running secure, encrypted email are now installed on your flash drive. All you need to do now is configure your email account(s) and create or import your GPG public and private keys inside the Enigmail plug-in. All the email data, settings and GPG keys will reside on your flash drive and travel with you as you move from PC to PC. There are several good tutorials and YouTube videos available to get you started in configuring it all. I recommend this YouTube video as a good overview, except you can ignore the first section on downloading and installing the components. You’ve done the portable version of that part!

Some final thoughts

· Back up your flash drive at least weekly! With all of your email data now stored locally, literally at your fingertips instead of on a cloud-based server, it is your responsibility to protect it. Today’s flash drives are surprisingly reliable and durable, but as with any hardware, they can fail. Fortunately, PortableApps has a nice backup feature that backs up your entire flash drive, or just the data, to your desktop PC. This makes it simple to restore a clone of your entire flash drive onto a replacement or newer flash drive.

· Going portable requires diligent OPSEC. It’s very easy to lose or forget your flash drive by leaving it in a PC at an Internet café. When you are not using it, it should be on your person, in your purse or pocket. Don’t neglect it, let it out of your sight, or let it go through the wash. Diligence always.

· When using a desktop email client such as Thunderbird, it’s important to configure your IMAP or POP account settings to delete emails from the email server as soon as they have been viewed. In Thunderbird, make use of “Local Folders” and subfolders to save your email messages. In the Settings dialog for your email account, use the appropriate options on the “Server Settings”, “Copies & Folders” and “Synchronization & Storage” tabs to move your emails to local folders and scrub them off the email server wherever possible.

· Choose your GPG public identity carefully. Your GPG public key is bound to your current email address. If you have to switch email addresses, perhaps because you changed to a different Internet Service Provider, you will need to generate a new GPG key for the new address and then send your new public key out to all of your contacts once again. Every contact will then need to update their GPG keyring with your new public key. What a pain! Instead, register your own domain name through a registrar such as 1&1 or GoDaddy. For just a few dollars per year, these services give you your own domain name and one or more email accounts that work with Thunderbird.

· Flash drives like the one you just configured with Thunderbird also work very well with TrueCrypt 7.1a to hold an encrypted container file. Inside this container you can store other personal or sensitive documents, which can now travel with you securely. Note that TrueCrypt will first need to be installed on any host PC you visit. Some flash drive makers, such as SanDisk, provide their own portable encrypted “vault” programs preinstalled on their flash drives, but these are not as well vetted for security as TrueCrypt. They should be fine for casual protection in case you lose your flash drive, but don’t assume they are free of back-door access methods.
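On the backup point in the final thoughts above: the example below is added here and is not code from the original article or from PortableApps. It clones the flash drive tree to a folder on the desktop PC, records a SHA-256 manifest of the source, and later checks a backup (or a drive restored from one) against that manifest, so a file that was silently corrupted in the copy is caught before you actually need it. The PortableApps folder layout and file contents in `demo()` are constructed placeholders, not real files.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def backup(drive, dest):
    """Clone the whole drive tree into dest; return the manifest of the source."""
    shutil.copytree(drive, dest, dirs_exist_ok=True)
    return build_manifest(drive)


def verify(clone, manifest):
    """Sorted relative paths that are missing, changed or unexpected ([] = identical)."""
    actual = build_manifest(clone)
    problems = set(manifest) ^ set(actual)  # files missing from, or extra in, the clone
    problems |= {p for p in manifest if p in actual and actual[p] != manifest[p]}
    return sorted(problems)


def demo():
    """Constructed sample: a tiny PortableApps-style drive, backed up, then damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp, "flash")
        # Assumed PortableApps layout; file contents are placeholders, not real data.
        profile = drive / "PortableApps" / "ThunderbirdPortable" / "Data" / "profile"
        mailbox = profile / "Mail" / "Local Folders" / "Inbox"
        mailbox.parent.mkdir(parents=True)
        (profile / "prefs.js").write_text('user_pref("placeholder", true);\n')
        mailbox.write_bytes(b"From - constructed sample message\n")
        (drive / "Start.exe").write_bytes(b"MZ placeholder")
        backup_dir = Path(tmp, "desktop_backup")
        manifest = backup(drive, backup_dir)
        clean = verify(backup_dir, manifest)  # expect []
        # Simulate bit rot in the backup copy of the mailbox file.
        damaged_file = backup_dir / mailbox.relative_to(drive)
        damaged_file.write_bytes(b"garbage")
        return clean, verify(backup_dir, manifest)
```

Run `verify()` against the restored clone as well as the backup folder, since a copy that matched at backup time can still be damaged by the restore.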