Resources
Source code: https://git.disroot.org/Lacre
Talk: Matrix, XMPP
Website: https://lacre.io
Grant
Theme fund: NGI0 PET
Start: 2020-12
End: 2022-10

GPG Lacre project

Best effort encryption of mail flows with OpenPGP

This project is the continuation of the work on providing open source, GnuPG-based encryption for emails at rest. All incoming emails are automatically encrypted with the user's public key before they are saved on the server. It is a server-side encryption solution, while control of the encryption keys is fully in the hands of the end user and private keys are never stored on the server.

The scope of the project is to improve on the already existing code and to provide an easy-to-use key upload system (standalone as well as a Roundcube plugin) and key discoverability. Besides providing a solution that is easy to use, we will also provide easy-to-digest material about encryption, how it works and how to make use of it in situations other than just mailbox encryption. Understanding how encryption works is the key to self-determination and is therefore an important part of the project.

GPG Mailgate will be battle tested on the email infrastructure of Disroot.org (an ethical non-profit service provider).

Why does this actually matter to end users?

Email was designed without privacy or security in mind, which is amazing for such a popular service. When you send an email, anyone who can gain access to your mail server or the mail server of the recipient can read your mail, from top to bottom. And copy it, for later use. It is often compared to sending a postcard, and of course in many cases there may be little harm in others reading what the weather is like in Paris. But what if you want to use email to send something confidential, something you do not want to share with others? Like a love letter, a political rant or an important contract? And what if you can't actually trust the mailman, for instance because the other party is using a free email service known to search through everything? Or what if you don't like the fact that your writings are stored in a country you have never been to, with different laws that may not be compatible with your thoughts about the world? Or what if you live in a country that has an unhealthy interest in bringing down certain political voices, or are part of a cultural minority that is at risk?

Computer specialists have been protecting their email with encryption for decades. This is the equivalent of putting your message very carefully in the blender, pressing the button before anyone else has read your message, shredding it up and sending a packet of shreds over to the other end. The amazing thing about cryptography is that you can magically (or rather mathematically) make it possible for your secret love - and not anyone else - to recreate the message from the shreds, and know it was you - and not anyone else - that sent it. For the rest of the world, the message would be meaningless garble pretty much forever.

However, the solution they came up with is not easy for normal people to work with. You need a lot of patience and technical skill to make use of it. Many people have tried, and could not get it to work or gave up because it hindered them. It was in fact too hard to turn it on by default. This means that most people are probably not even aware that it is possible to protect the contents of their email with cryptography. And so, unfortunately, normal citizens and businesses have been left behind - exposed to people reading their email messages, and (in the absence of other security measures) potentially also receiving fake or manipulated messages.

The encryption issue is especially important for sensitive emails, like the messages and documents we get from all sorts of institutions and civic services. Whether you apply for a new driver's license, buy a house, or need healthcare services, a lot of personal and sensitive information needs to be sent back and forth. That communication should be well-protected, which encryption can do. This project aims to use open source technology for email encryption to protect messages on the server. Incoming emails are automatically encrypted before they are saved on the server, where only the user holding the matching private key can decrypt the contents. This can help take away an important point of failure and attack in email communication, namely the server, and ultimately make email safer.

Run by Stichting Disroot.org (https://disroot.org)


This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.