Tantum Email Encryption & Security
This article covers Tantum staff email security, gives a brief overview of our users' security, and explains how to secure your own email.
Tantum Technologies Staff Emails
All Tantum Technologies Team Members are always connected via Strict SSL encryption, meaning any email cannot be intercepted at our team's level. However, communication outside our own network & mail servers is out of our hands, as it is up to the other receiving/sending party's email provider, mail server(s), and the receiver or sender of the email themselves (i.e. whether they use SSL or not). Additionally, all Staff are equipped with digital signatures/PGP capabilities, which is the recommended and preferred method for email communication. If you have PGP capabilities, simply send us a signed email so that we receive your Public Key and can send you a signed email back, allowing for end-to-end encryption of communication from that point onward. Alternatively, you can find our Public Keys on most typical PGP key servers. If you do not have PGP capabilities, or do not know what those are, we highly recommend you read 'How to Secure your Email' below.
Tantum Staff also have Trusted/Verified S/MIME certificates; however, we have opted to move to PGP unless requested/needed otherwise, because PGP is more widely available, utilized, and community-driven. If you only support S/MIME, feel free to send us a signed message, as we are duly set up for both (we just prefer and default to the former).
Our Hosting Servers
All hosting & email servers are secured using military grade encryption, are strictly monitored, and are managed using top of the line security measures and policies. We utilize physical smart cards, multi-layered security, and strict access policies for all of our internal services and connections - no one on our servers can, nor has the ability to, read emails whether stored or in transit. The only email information we can access is the header information for spam processing and debugging in the case of an issue with your email, and even then only when a request is submitted and approved, allowing access only to the needed information. What is header information? The header information is just the to, from, date sent, date delivered, what type of delivery (local/internet), spam score, validation tests, and other misc debugging information such as the server route it came through and originated from. The header information does not contain any information on the subject or content of the email, nor any identifying information with the sole exception of the To and From fields. Upon request we can provide an example of such a lookup.
We offer SSL Encrypted Connections to our Mail Servers for all of our hosting users to utilize, as well as support in setting those up if needed. We highly recommend all users, whether hosted with us or not, read about and utilize PGP encryption, especially when sending sensitive emails, and especially with the recent revelations of the government sucking up and storing pretty much the majority of the internet. The Tantum Network Security Team is highly educated and experienced, and we are constantly working on and upgrading our systems to ensure our users and ourselves are as secure as possible. We continue to expand upon our policies, methods, and tools to stay as far ahead of the curve as possible - did you know you can utilize YubiKeys to protect your Client Center login? YubiKeys are physical security keys which cannot be duplicated, so that even if an attacker knows the password, access cannot be achieved without the physical key plugged into the accessing computer - we utilize YubiKeys, Smart Cards, and many other tools across our network both internally and externally.
Email Security & You
Email often contains extremely valuable and sensitive communication, and it can also be a gateway into your other accounts, so it must be protected. A lot of people do not realize just how easily email can be intercepted. When you are on a wireless hot-spot or network, and not secured, your emails are transmitted through the air in plain-text, viewable to anyone else connected to that wireless network. This is a huge issue at public hot-spots like Coffee Shops, Airports, and even in your own home, where it is done all the time and you do not even realize it is happening - and that is just one place where it can be intercepted along the long route it travels. There are some steps you can take to help prevent interception and even ensure your emails, if intercepted, are unreadable. Not interested in the rundown of email vulnerabilities? Skip ahead to "How to Secure your Email".
Your email mailbox is essentially a folder (JohnDoe, for example) with folders for your Inbox, Drafts, etc. and files within each folder which are your emails. These folders and files are held on a Server (a computer) run by your email provider. When you check your email, you are connecting to that server and asking if you have any new messages, which if so are then downloaded to your computer or device to be shown to you. Those emails usually stay on the server for your other devices (IMAP), so that you see the same emails whether you check your email on Webmail, your Phone, or your Computer.
Email passes through many different servers/places/locations which are not owned by you or your email provider, and technically any point which passes on your email can intercept/access/record it as it goes through. Here are some of the many points at which it can be intercepted:
- Wireless Networks (both ends): When John sends the email from his Coffee-Shop WiFi, anyone else on that WiFi can view the email as it transmits through the air to the Wireless Router. Whether it is sending or receiving email, this is VERY common and you can expect it to happen at a large number of Public (and even some Private) Wireless Hotspots such as Coffee Shops, Schools, Libraries, Hotels, Airports, etc. Furthermore, even if you are not connected via wireless, the person you are sending to or receiving from could be, and insecurely.
- Internet Service Providers: While more rare, it is worth noting that Internet Service Providers can view all unencrypted traffic between your computer and the internet and often log it for a certain amount of time, so they would be able to view all your sent/received emails as well (when unencrypted). This also goes for every computer/server your data passes over, so the ISP of the person you are sending to or receiving from can do the same, as can every Service Provider for every server your email passes through - this can be a large list depending on geographical distances and traveling over different networks/service providers.
- Email Service Provider: While also more rare, it is worth noting that your Email Service Provider, just like your ISP, can view any data transmitting on or through their servers, especially on IMAP connections, because of course the emails are on their server.
It can be surprising that email is so widely available to those beyond just you and your recipient - so what can you do? Read on.
How to Secure your Email:
There are many options for securing your email; we will cover two of the most widely used and effective methods. We highly recommend our users (and everyone else) at least utilize SSL Connections, but also go the extra bit and learn/set up PGP for truly secure email communication.
#1: SSL - Quick & Easy
Most email providers offer SSL configurations for their mail servers. When you make a connection to your mail server, SSL creates a secure encrypted 'tunnel' so that all the communication between your device and your mail server is fully encrypted and therefore protected, looking like gibberish to anyone looking at it from outside the 'tunnel', aka your connection. This would protect John's email in the first (Wireless Networks) example above, meaning you can send/receive emails from public hotspots without having to worry that it is being viewed, as well as preventing your ISP from seeing it. It is worth keeping in mind that you never know how your recipient/sender is connected, so it may be exposed on their end as well as everywhere from your email provider to theirs. Also, in regards to Public Hotspots, even with SSL securing your email, other data you send over the air (like web traffic) can be insecure, so be careful. SSL is also widely used on websites: by checking that you are on a website with httpS:// - the S meaning Secure - you know that data is protected as well.
How to Setup SSL?
You must ask your Email Provider for the SSL connection information; sometimes they also publish the information with the setup instructions for your account. All you have to do is change/enter the correct incoming and outgoing mail server settings on your email client/device and you are covered. Typically this only requires 4-6 quick changes in your Email Account Settings on your device and you are all set. If you are unsure, the best thing to do is just ask your provider!
Are you hosted with us? Simply follow the normal setup instructions for your device or software, but use the SSL/Secure information for the Incoming & Outgoing Server Addresses, Incoming & Outgoing Ports, and Incoming & Outgoing Security Type/SSL Enabled. You can find the Secure Connection Information to use in those fields by clicking here - Keep in mind you are most likely set up on IMAP, so follow the instructions for an SSL Connection, which are located at the bottom of that page.
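A way to sanity-check the incoming/outgoing settings described above before trusting them, as an added example that is not Tantum's own code. The ports are the conventional IMAP/POP3/SMTP assignments, and the security-type strings, function names and mail.example.com are assumptions modelled on common mail clients, not Tantum's published connection information.

```python
import imaplib
import ssl

# Conventional port assignments (assumed, not Tantum-specific values).
IMPLICIT_TLS = {993: "IMAP", 995: "POP3", 465: "SMTP"}
CLEARTEXT_START = {143: "IMAP", 110: "POP3", 25: "SMTP", 587: "SMTP"}

def audit_endpoint(label, port, security):
    """Return findings for one 'Incoming' or 'Outgoing' server entry."""
    sec = security.strip().lower()
    if sec in ("", "none"):
        return [f"{label}: no encryption, credentials and mail cross the network unencrypted"]
    if sec == "starttls if available":
        return [f"{label}: opportunistic STARTTLS falls back to plaintext if the upgrade is stripped"]
    if sec == "ssl/tls":
        if port in CLEARTEXT_START:
            return [f"{label}: SSL/TLS selected but {port} is the cleartext {CLEARTEXT_START[port]} port"]
        return []
    if sec == "starttls":
        if port in IMPLICIT_TLS:
            return [f"{label}: STARTTLS selected but {port} expects TLS from the first byte"]
        return []
    return [f"{label}: unrecognised security type {security!r}"]

def audit_account(account):
    """account maps 'Incoming'/'Outgoing' to (host, port, security type)."""
    findings = []
    for label, (_host, port, security) in account.items():
        findings += audit_endpoint(label, port, security)
    return findings

def strict_tls_context():
    """What the client should insist on: verified certificate, matching hostname, TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def open_imap(host, port=993):
    """Connect over implicit TLS; raises ssl.SSLCertVerificationError on a bad certificate."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=strict_tls_context())

# Constructed sample settings; mail.example.com is a placeholder host.
WEAK = {"Incoming": ("mail.example.com", 143, "None"),
        "Outgoing": ("mail.example.com", 587, "STARTTLS if available")}
SECURE = {"Incoming": ("mail.example.com", 993, "SSL/TLS"),
          "Outgoing": ("mail.example.com", 465, "SSL/TLS")}

if __name__ == "__main__":
    for name, acct in (("weak", WEAK), ("secure", SECURE)):
        print(name, audit_account(acct) or "no findings")
```

A clean audit only covers the hop between your device and your own mail server; it says nothing about how the other party connects.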
#2: PGP/OpenPGP/GnuPG - End to End Encryption
PGP Encryption is by far the best and most secure solution, plus it is FREE and EASY! While SSL Connections to your mail server are definitely important and help to secure you from the most common vulnerabilities, they still do not help protect your communication once it is outside your own email Provider's Mail Server(s) - the 2nd, 3rd, and 4th vulnerabilities in the above example may remain insecure. Your Email Provider, their ISP, the other party's Email Provider, the other party's ISP, and the other party in general (not on SSL, for example) can still pose risks. PGP Encryption is pretty simple: each person gets a Public and Private key which are 'made for each other,' so to speak. The Public Key is just that, public; it is given out to anyone and everyone, and people who have your public key can send encrypted emails that ONLY your Private Key, and therefore you, can decrypt/view. Basically put, a Public Key can encrypt anything and only the matching Private Key can decrypt/open it. So you pass out YOUR public key, which lets people encrypt emails to YOU; you get THEIR public keys so you can send encrypted emails to THEM; and you always keep your Private key PRIVATE/protected and never share or send it to anyone.
Once set up, it is pretty easy going and automatic to utilize. You can digitally "sign" emails with your public key, which essentially sends your public key along with that email and is an easy way to send your public key to someone. In addition, you can submit your public key to popular PGP Keyservers so others can simply check your email and get your public key from there, not requiring you to send it to them at all. On the other end, when you receive a signed email you know that user supports PGP/encryption, and it imports/stores their public key so that when you email them next you can encrypt it. You can additionally use PGP Keyservers to look up and download people's public keys so you can send an encrypted message right off the bat! It can be a little intimidating/confusing at first glance, and there are definitely other aspects of using PGP (trusting keys, etc.); however, we would recommend everyone check out and utilize PGP Encryption, as it is becoming more and more important every day.
How to Setup PGP for Email (End-to-end Encryption)?
We have linked a few guides on setting up PGP, which can also explain it a bit better with visuals and the like. Setting up your PGP keys can vary based on the device or software you are using, so if it is not covered below you can simply Google "how to setup PGP in <software or device name>" or, alternatively, just open a Support Ticket and we would love to assist you in getting secured and set up. That goes for help or questions about any aspect of PGP!
Full Guide/About (Long & Detailed) from Gnupg4win General Guide & Information on PGP/GnuPG for Novices
Easy Step-by-Step (Short & Simple) for Windows & Mac Users using MAC MAIL or THUNDERBIRD
Great Guide from Mozilla, this is for Windows, Mac, or Linux using THUNDERBIRD
Step-by-Step (Simple) for Windows Setup & Configuration of GnuPG (Setup/Generate Keys only)
Linux User? You most likely have gpg built in. Download Kleopatra or use the instructions above for Thunderbird. Most Linux email clients support PGP out-of-the-box (KMail/Kontact, Evolution) and you only have to select it under settings; Thunderbird requires the Enigmail addon (instructions above).
Need help or have questions? Just let us know and good luck!