[Eug-lug] sending encrypted emails from a webserver

Ben Barrett stircrazyben at gmail.com
Wed Nov 29 10:55:32 PST 2006


Good point, yes I agree.

If anyone has experience or even ideas about using Open Source software
(like GPG) to send encrypted info from a server via email
(or otherwise, but in my case to one recipient, not arbitrary recipients),
please reply to this thread.  I am not looking for a security howto,
just some more specific experience or advice on these toolchains.

thank you,

    Ben


On 11/29/06, Michael Miller <mike.mikemiller at gmail.com> wrote:
>
> Ben,
>
> There are a number of ways to get this done.  It's a question of what
> you are trying to protect and for how long.  The other component of
> this is how to pass a message on a public network without everyone
> reading it.  As for HIPAA, no I would not give advice on a mailing
> list.  HIPAA is a big ugly monster that requires lots of checking and
> rechecking to make sure you're not doing something wrong.  I hate
> auditors.
>
> Mike Miller
>
> On 11/29/06, Ben Barrett <stircrazyben at gmail.com> wrote:
> > Yes, the data comes from an SSL session, and no data is in the URL.
> > I'm not sure, I think a simple text field.
> > Thank you for helping me assess the "big picture", I am just looking for a
> > small answer in this case.
> > I know about files and databases, for instance, and chose to ask about
> > encrypted emails.
> > I don't expect anyone to give hipaa advice on the mailing list!  IANAL,
> > neither are you?
> >
> > OT:  I heard on the radio, that Vermont is the last state where you can take
> > the bar & then practice law without going to law school,
> > the last place where they let you self-study, so to speak.... interesting.
> >
> >
> >     Ben
> >
> >
> > On 11/29/06, Michael Miller < mike.mikemiller at gmail.com> wrote:
> > > Ben,
> > >
> > > Are you then SSL encrypting the user's session while they type in the
> > > secrets?  What type of text box or form is the user presented with?
> > > You can take the data, spit it into a text file that is then encrypted
> > > with PGP/GPG or with SSL.  I would go with SSL because public private
> > > key cypher works when you have two parties.  You could also redirect
> > > the user to a secure site via SSL and then stick the data into a
> > > database table.  I'm guessing this is going to be a user who is on the
> > > Internet and connects to your server via a public network?  Or is the
> > > user on a LAN?  You said HIPAA, is this environment held by the HIPAA
> > > standards?  This does make a difference because of how HIPAA is
> > > written.
> > >
> > > Mike Miller
> > >
> > > On 11/29/06, Ben Barrett < stircrazyben at gmail.com> wrote:
> > > > Secrets are to be moved from the webserver to one specified inbox, securely.
> > > > Small secrets, similar in length to a phone number.  It could be hipaa delivery
> > > > of client info or a financial transaction, for instance.
> > > >
> > > >     Ben
> > > >
> > > >
> > > >
> > > > On 11/29/06, Michael Miller <mike.mikemiller at gmail.com > wrote:
> > > > >
> > > > > What are you trying to do?  I think you might get an answer if you
> > > > > explain what you're trying to do or list of requirements.
> > > > >
> > > > > Mike Miller
> > > > >
> > > > > On 11/28/06, larry price <laprice at gmail.com > wrote:
> > > > > > Does it absolutely have to be GPG or would any block cipher encoding work?
> > > > > >
> > > > > > I've used openssl for encrypting database backup files and the same
> > > > > > technique could be applied here.
> > > > > >
> > > > > > for example:
> > > > > >
> > > > > > script_with_secret_output.sh | openssl aes-256-ecb -e -a -salt -pass env:SALEPASS |
> > > > > >   mail -s "$(date +%Y%m%d)accountsummary" offshore_email@example.com
> > > > > >
> > > > > > and then once it's at its destination and you've stripped it out of
> > > > > > the mail body into a file with the subject as its name:
> > > > > >
> > > > > > openssl aes-256-ecb -d -a -salt -pass pass:f00bar < 20061128accountsummary | less
> > > > > >
> > > > > > to read it.
> > > > > >
> > > > > > That's a quick and dirty hack, if you were setting up something more
> > > > > > robust you would probably use your favorite scripting language's
> > > > > > openssl binding to do pretty much the same thing and package it up
> > > > > > with a proper mime/type and make sure that the passphrase couldn't be
> > > > > > read anywhere but at the keyboard.
> > > > > >
> > > > > > (OR just scp whatever to its destination)
> > > > > > On 11/28/06, Ben Barrett < stircrazyben at gmail.com> wrote:
> > > > > > > Has anyone used http://www.awtrey.com/software/gpgsend.php
> > > > > > > or found better or similar solutions?  Rot-13 need not apply :)
> > > > > > >
> > > > > > > thanks,
> > > > > > >
> > > > > > >    Ben
> > > > > > >
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > EUGLUG mailing list
> > > > > > > euglug at euglug.org
> > > > > > > http://www.euglug.org/mailman/listinfo/euglug
> > > > > > >
> > > > > > >
> > > > > > >
>
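
For the single-inbox case described in this thread, an added example (not part of the thread and not any poster's code) that replaces the shared passphrase in the quoted openssl command with S/MIME public-key encryption, so the web server stores only the recipient's certificate. The function names, the file paths passed to them, and the presence of a `sendmail` binary are assumptions.

```shell
#!/bin/sh
# Added example: S/MIME public-key encryption with the openssl CLI.
# Hypothetical helpers: encrypt_for_inbox, decrypt_from_inbox, send_secret.

# Web server side: needs only the recipient's public certificate, so a
# compromise of the server does not expose a decryption secret.
# usage: printf '%s\n' "$secret" | encrypt_for_inbox CERT TO FROM SUBJECT
# Writes a complete mail message (headers plus base64 body) to stdout.
# Headers, including the subject, are NOT encrypted: keep secrets out of them.
encrypt_for_inbox() {
    cert=$1
    to=$2
    from=$3
    subject=$4
    # -binary: leave line endings untouched so decryption is byte-exact.
    openssl smime -encrypt -aes256 -binary \
        -to "$to" -from "$from" -subject "$subject" "$cert"
}

# Recipient side: the private key never leaves the recipient's machine.
# usage: decrypt_from_inbox CERT KEY < saved_message
decrypt_from_inbox() {
    cert=$1
    key=$2
    openssl smime -decrypt -recip "$cert" -inkey "$key"
}

# Delivery: hand the finished message to the local MTA (assumed present).
# -t tells sendmail to take the recipient from the To: header.
# usage: ... | encrypt_for_inbox ... | send_secret
send_secret() {
    sendmail -t
}
```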

