You are here

Good way to have secure drive and email through portableapps

1 post / 0 new
rolfwolf
Offline
Last seen: 13 years 9 months ago
Joined: 2010-09-08 03:56
Good way to have secure drive and email through portableapps

I've been working on way to secure both portableapps & email conveniently. The next method makes a good solution:

Instructions for installing secure flash drive with encrypted mail
- software used: PortableApps, TrueCrypt, CryptableApps, Google OpenSSL, Thunderbird Portable

I. Installation preparation

1. Software acquisition
1.1 acquire software:
1.1.1 TrueCrypt: http://www.truecrypt.org/downloads
1.1.2 CryptableApps: http://www.interiority.org/geekstuff/images/cryptableApps.zip
1.1.3 PortableApps: https://portableapps.com/
1.1.4 Thunderbird Portable: https://portableapps.com/apps/internet/thunderbird_portable
1.1.5 OpenSSL: http://openssl-for-windows.googlecode.com/files/openssl-0.9.8k_WIN32.zip

2. OpenSSL installation
2.1 extract OpenSSL from archive to drive where you will generate keys, to a directory named OpenSSL, i.e.; F:\OpenSSL
2.2 in the OpenSSL directory, create a CNF directory; in CNF directory create a BASE directory
2.3 move the openssl.cnf file to F:\OpenSSL to F:\OpenSSL\CNF\BASE
2.4 in the OpenSSL directory, create a CA directory; within that create directories: certs, crl, newcerts, private
2.5 modify the F:\OpenSSL\CNF\BASE\openssl.cnf file in a text editor with these changes:
dir = F:/OpenSSL/CA # Where everything is kept (should be drive letter and path of installation)
certificate = $dir/certs/cacert.pem # The CA certificate
serial = $dir/serial.txt # The current serial number
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
email_in_dn = yes
countryName_default =
stateOrProvinceName_default =
0.organizationName_default =
organizationalUnitName_default =

3. TrueCrypt installation
3.1 install TrueCrypt to a drive where you will generate keys, perform work, etc., i.e.; F:\TrueCrypt
3.2 if you need language other than English, acquire it here: http://www.truecrypt.org/localizations
3.3 install your language pack by copying the file to the TrueCrypt program directory, i.e.; F:\TrueCrypt\Language.de.xml

5. PortableApps installation
5.1 acquire PortableApps and Thunderbird Portable
5.2 acquire other PortableApps applications you wish to use
5.3 install PortableApps and its applications to your work drive, i.e.; F:\PortableApps Prep

4. CryptableApps installation
4.1 extract CryptableApps from the archive to a drive where you will generate keys, perform work, etc., i.e.; F:\CryptableApps
4.2 copy the files from your TrueCrypt installation, i.e.; F:\TrueCrypt, and place in F:\CryptableApps\TrueCrypt, replacing the files in the target directory (in order to update CryptableApps with the latest version of TrueCrypt)
4.3 in a text editor, create a file called autoRun.lst in the root of the PortableApps installation, i.e.; F:\PortableApps Prep\autoRun.lst
4.4 edit autoRun.lst to point to those PortableApps to auto-run, i.e.;
StartPortableApps.exe
\PortableApps\ThunderbirdPortable\ThunderbirdPortable.exe
(etc.)
4.4 modify F:\CryptableApps\autorun.inf for your own label information, icon, etc.

II. Create encrypted drives

1.1 acquire flash drive(s)
1.2 format & name flash drives: if you need to use files larger than 4GB, or encrypt drive larger than 4GB, then format drive using NTFS, not FAT

2. Create TrueCrypt file
2.1 open TrueCrypt and press "Create Volume", or run the file TrueCrypt Format.exe
2.2 press "Create an Encrypted File Container"
2.3 press "Standard TrueCrypt Volume"
2.4 check option "Never Save History" so that it is checked
2.5 choose a file path and file name; do this directly on the root of the flash drive to be encrypted
2.6 leave defaults for encryption options (you may change this to suit your security encryption preference)
2.7 enter volume size; it's a good idea to make the size the same as the flash drive size minus 100-500MB - please remember that to create encrypted volume greater than 4GB you needed to format the flash drive under NTFS!
2.8 enter a good password, including mixed case and numbers, and of a length at least 14 characters
2.9 leave default volume options, but choose NTFS if you will work with files greater than 4GB
2.10 when prompted, move your mouse over the window for about 3 minutes
2.11 press format
2.12 exit when finished

3. Prepare CryptableApps
3.1 copy CryptableApps directories and files from installation (F:\CryptableApps) to root of the flash drive
3.2 run (double client) CryptableApps.exe and configure:
3.2.1 drive X (default)
3.2.2 no key file (leave blank)
3.2.3 enter encrypted file volume - no path as it's on the root
3.2.4 say 'no' to cache password
3.2.5 say 'no' to remove extra files
3.3 CryptableApps will automatically run, enter the password you used to create TrueCrypt encrypted file container (above)

4. Prepare PortableApps
4.1 copy PortableApps directories and files from installation (F:\PortableApps Prep) to the encrypted drive, Secret

5. Test installation
5.1 right client on the TrueCrypt icon in the system tray, and dismount drive Secret (make sure Explorer or something else is not accessing it)
5.2 in My Computer or Windows Explorer, right click on the CryptableApps drive and choose Exit all apps from Crypt and Dismount
5.3 safely remove the flash drive via Windows' system tray
5.4 put the flash drive back in the computer, in XP or lower, CryptableApps should start automatically (this won't happen in Vista)
5.5 enter the TrueCrypt password
5.6 those apps defined in autoRun.lst should start automatically - close Thunderbird without configuring it
5.7 you may change the language of PortableApps by clicking on the PortableApps icon in the system tray and navigating to Options, Language

6. Repeat for each user
6.1 repeat all of section II for each user

III. Create user email accounts

1. Create user email accounts
1.1 make new pop3 email accounts for each user, for instance at hotmail.com or live.com
1.2 put each email account created in the spam safe address list of all the other email accounts

IV. Create user SSL email certificates

1. Prepare company certificate defaults
1.1 copy F:\OpenSSL\CNF\BASE\openssl.cnf to F:\OpenSSL\CNF\openssl.cnf
1.2 edit F:\OpenSSL\CNF\openssl.cnf with a text editor, and modify the following as you see fit:
countryName_default = # should be the two-digit country code
stateOrProvinceName_default = # should be the two-digit state or province for the US and Canada, or name of city / province
0.organizationName_default = # should be the company / organization name
organizationalUnitName_default = # should be the internal name of the company / organization creating the key

2.1 Navigate to OpenSSL
2.1 open the command line / DOS screen
2.2 change directory to the OpenSSL installation (F:\OpenSSL\)

3. Prepare certificate database
3.1 cd to F:\OpenSSL\CA\
3.2 command: TYPE nul>index.txt
3.3 command: ECHO 100001>serial.txt

4. Prepare company certificate
4.1 cd to F:\OpenSSL\bin\
4.2 command: openssl req -new -x509 -extensions v3_ca -keyout F:\OpenSSL\CA\private\cakey.pem -out F:\OpenSSL\CA\certs\cacert.pem -days 7300 -config F:\OpenSSL\CNF\openssl.cnf
4.3 Enter PEM pass phrase: (choose a good password for the company certificate - enter twice for verification)
4.4 Country Name: (accept default from openssl.cnf by hitting [ENTER], or re-enter)
4.5 State or Province Name: (accept default from openssl.cnf by hitting [ENTER], or re-enter)
4.6 Locality Name: (enter a city, town, or province here)
4.7 Organization Name: (accept default from openssl.cnf by hitting [ENTER], or re-enter)
4.8 Organizational Unit Name: (accept default from openssl.cnf by hitting [ENTER], or re-enter)
4.9 Common Name: (enter a descriptive name, usually a short form of the Organization Name)
4.10 Email Address: (enter an email address, usually an admin address or something fake, but use the same domain as for your email accounts, i.e.; admin_joecorp@hotmail.com)

5. Prepare user certificate request (replace [user@hotmail.com] with the actual user email account)
5.1 command: openssl req -new -nodes -out F:\OpenSSL\CA\certs\[user@hotmail.com]_req.pem -keyout F:\OpenSSL\CA\private\[user@hotmail.com]_key.pem -days 7300 -config F:\OpenSSL\CNF\openssl.cnf
5.2 Country Name: (accept default from openssl.cnf by hitting [ENTER], or re-enter)
5.3 State or Province Name: (accept default from openssl.cnf by hitting [ENTER], or re-enter)
5.4 Locality Name: (enter a city, town, or province here)
5.5 Organization Name: (accept default from openssl.cnf by hitting [ENTER], or re-enter)
5.6 Organizational Unit Name: (accept default from openssl.cnf by hitting [ENTER], or re-enter)
5.7 Common Name: (enter a descriptive name, usually a short form of the user name)
5.8 Email Address: (enter the email address - [user@hotmail.com] - created for this user)
5.9 A challenge password: (leave blank by hitting [ENTER])
5.10 An optional company name: (leave blank by hitting [ENTER])

6. Create user certificate
6.1 command: openssl ca -out F:\OpenSSL\CA\certs\[user@hotmail.com]_cert.pem -days 7300 -config F:\OpenSSL\CNF\openssl.cnf -infiles F:\OpenSSL\CA\certs\[user@hotmail.com]_req.pem
6.2 Enter pass phrase for .... cakey.pem: (enter company certificate pass phrase as created above)
6.3 Sign the certificate? [y/n]: y
6.4 1 out of 1 certificate requests certified, commit? [y/n]: y

7. Export the user certificate
7.1 command: openssl pkcs12 -export -in F:\OpenSSL\CA\certs\[user@hotmail.com]_cert.pem -inkey F:\OpenSSL\CA\private\[user@hotmail.com]_key.pem -certfile F:\OpenSSL\CA\certs\cacert.pem -name [user@hotmail.com] -out F:\OpenSSL\CA\certs\[user@hotmail.com]_cert.p12
7.2 Enter Export Password: (choose a good password for the user's certificate - enter twice for verification)

8. Repeat for each user
8.1 repeat sections IV.5 to IV.7, above, for each user email account

V. Configure Thunderbird

1. setup user email account in Thunderbird
1.1 insert CryptableApps drive, when Thunderbird opens, configure it (example with hotmail.com)
username@hotmail.com & hotmail password
POP server: pop3.live.com
POP Port: 995
POP SSL?: yes (also in Tools - Account Settings - Server Settings)
SMTP server: smtp.live.com
SMTP Port: 587
SMTP Authentication?: yes
SMTP TLS/SSL?: yes (also in Tools - Account Settings - Outgoing Server (SMTP))
(to finish / adjust this you may need to go into Tools - Account Settings - Server Settings and Outgoing Server (SMTP)
1.2 edit Tools - Account Settings - Composition & Addressing: uncheck: compose messages in HTML format
1.3 Tools - Address Book - New Contact: enter name and email address of all the user email accounts which will exchange secure mail

2. install user email security certificates
2.1 copy the cacert.pem file to the user's flash drive
2.2 copy the [user@hotmail.com]_cert.p12 file for a given user to that user's flash drive
2.3 copy the [user@hotmail.com]_cert.pem files for all other users to the given user's flash drive
2.4 Thunderbird - Options - Advanced - View Certificates - Authorities - Import - cacert.pem
2.5 Click on the new CA, then Edit - "This certificate can identify mail users" is checked - OK
2.6 Thunderbird - Options - Advanced - View Certificates - Your Certificates - Import
2.7 select the given user's own [user@hotmail.com]_cert.p12 file
2.8 enter the export password of the user certificate
2.9 Thunderbird - Options - Advanced - View Certificates - People - Import
2.10 select the [user@hotmail.com]_cert.pem files of all of the other user email accounts which will exchange secure mail

3. configure user email security settings
3.1 Thunderbird - Account Settings - Security - Encryption - Select
3.2 select the user email account's own certificate
3.3 'yes' to pop-up box option to use same certificate to encrypt and decrypt messages sent
3.4 select option to Digitally sign messages
3.5 Thunderbird - Account Settings - Security - Digital Signing - Select
3.6 select the user email account's own certificate
3.7 Thunderbird - Account Settings - Security: select option Required (can't send message unless all recipients have certificates)

4. Repeat for each user
4.1 repeat all of section V for each user email account

5. Test installation
5.1 test by sending and receiving email to/from each user email account with and without attachments, make sure that the digital signature (envelope) and encryption (lock) icons appear in all emails

VI. Security, limitations, and best practices

1. security may be compromised or broken if passwords are weak, or by using flash drives on computers without adequate firewall and antivirus protection
2. security may be increased by using different company certificates for different batches of users:
2.1 delete all files in F:\OpenSSL\CA and in all subfolders
2.2 delete F:\OpenSSL\CNF\openssl.cnf
2.3 repeat steps IV.1 to IV.4
3. when deleting files, it is best to use a secure delete program such as Eraser Portable

Have fun! Be secure! Smile