Email is a complex software and service stack, but even so the technical complexity is small compared to the social, ethical and other complexities. Email is mission critical and confidential - yet a large number of small businesses trust their email to global providers who read and process every message stored on their networks. Worst of all, you do not know who else receives your emails, by mistake or by design!
FourOh-LLC email can fully encrypt all of your emails that are stored on our network or sent from it, so that nobody, including FourOh-LLC administrators or attackers who penetrate our network, is able to read or process them. An encrypted email can only be read by someone who holds the matching Private Key and knows its passphrase; to everyone else the message text and all attachments are stored and transmitted in encrypted form. Read here about the details.
The following describes the simplest configuration: emails sent from one account on the FourOh-LLC network to another, as is the case on the Corporate Extranet where Suppliers, Customers and Visitors are all logged in and are all issued Corporate resources, email accounts and aliases included.
When you send encrypted email to external recipients such as Gmail users, the recipient needs OpenPGP support on their side (Gmail has none built in, so a browser extension or a mail client with OpenPGP support is required) and you need their Public Key. We do not cover that here: if you REALLY need that functionality, FourOh-LLC is willing to configure it with a visit to your plant or office - for an extra charge.
You reach this screen from Settings in the upper right, then PGP Keys, then the + sign. You may generate standard or strong keys (the strong option produces 4096-bit RSA keys), and you may generate a different key for each of your Identities (aliases). Finally, provide a passphrase; this passphrase is what protects the Private Key.
Once you generate the keys you have a Private Key and a Public Key. The Private Key is stored on YunoHost encrypted under your passphrase, so a copy of the key file alone is of little use to an administrator or an attacker - provided the passphrase is long and not guessable, because anyone holding the file can try passphrases offline at their leisure. You may generate new keys whenever you need to. To fully understand this you should read here.
Once Goldy Locks, the CEO of Goldilocks Property Management, Inc., has generated her keys she sends an email to a number of people - Dusty Gold, May Flowers and Pete Greens - who often send her sensitive and urgent information about prices, floor-space availability and so on.
Your Public Key is, as the name says, public: sharing it creates no risk. What you must guard is your Private Key and its passphrase, and what you must check is that the Public Keys you receive really belong to the people you think they do (confirm the key fingerprint with them by phone or in person before you rely on it). A person who was your employee might become your business competitor - so be ready to generate a new pair and stop using the old one.
Goldy also turns on the option to attach her Public Key. She could additionally sign the message with her own key, but the encryption option cannot be used yet, because Goldy does not have the Public Keys of the recipients - Dusty, May and Pete.
Since the recipients are on the same host, Goldy gets an almost instant confirmation that the mail service responsible for the recipients accepted the message. This does not mean the email is delivered: it means that the mail service responsible for the actual delivery agreed to deliver it. When you send to a Gmail account this is the Gmail service telling FourOh-LLC "All in order, I will take it from here".
If you mistype an address, or the account does not exist, you receive a bounce message saying the email could not be delivered. If the receiving server is merely unreachable, the mail routing agents keep retrying for a few days, then give up and return the message; a separate notification goes to the postmaster address published by the FourOh-LLC DNS service - in this case email@example.com - and we look into it.
When Dusty logs into web-mail she imports Goldy's Public Key by simply clicking on the link, and now she can send a fully encrypted reply. Once she clicks "send", Roundcube looks up Goldy's Public Key and encrypts the message and all attachments. From then on the email can be opened only by the holder of Goldy's Private (not Public) Key, and only after providing the passphrase.
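To see what the steps above do under the hood, here is an added example that is not part of the FourOh-LLC guide or of Roundcube: it replays the Goldy/Dusty exchange with command-line GnuPG - key generation under a passphrase (the "Settings > PGP Keys > +" step), exporting and importing the Public Key, checking the fingerprint, signing and encrypting the reply, and the two failures this guide warns about (no Private Key, wrong passphrase). The addresses goldy@goldilocks.example and dusty@goldilocks.example, the passphrases and the reply text are constructed for the demo; the passphrases appear on the command line only because the script is non-interactive.

```shell
#!/bin/sh
# Added example (not FourOh-LLC code): the Goldy/Dusty exchange replayed with
# command-line GnuPG. Addresses and passphrases are constructed for the demo.
set -eu

# One isolated GnuPG home per person, with passphrase caching switched off so that
# every decryption really has to present the passphrase (gpg-agent would otherwise
# remember it and hide the "wrong passphrase" failure checked below).
new_home() {
  dir="$1/$2"
  mkdir -p "$dir" && chmod 700 "$dir"
  printf 'default-cache-ttl 0\nmax-cache-ttl 0\nallow-loopback-pinentry\n' > "$dir/gpg-agent.conf"
  printf '%s\n' "$dir"
}

# gpg wrapper: first argument is the home directory; the passphrase is passed on the
# command line only because this is a non-interactive demo.
g() {
  home="$1"; shift
  GNUPGHOME="$home" gpg --batch --quiet --no-tty --pinentry-mode loopback "$@"
}

primary_fpr() {  # $1 = home, $2 = user id; prints the primary key fingerprint
  g "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

pgp_roundtrip() {
  work=$(mktemp -d)
  goldy=$(new_home "$work" goldy)
  dusty=$(new_home "$work" dusty)
  goldy_pw='correct horse battery staple'   # constructed demo passphrases
  dusty_pw='dusty-demo-passphrase'

  # 1. Key generation ("Settings > PGP Keys > +"): each Private Key is stored only
  #    under its owner's passphrase.
  g "$goldy" --passphrase "$goldy_pw" --quick-generate-key 'Goldy Locks <goldy@goldilocks.example>' default default 0
  g "$dusty" --passphrase "$dusty_pw" --quick-generate-key 'Dusty Gold <dusty@goldilocks.example>' default default 0

  # 2. "Attach my public key": only the public half leaves Goldy's keyring.
  g "$goldy" --armor --export goldy@goldilocks.example > "$work/goldy.pub.asc"
  if grep -q 'PRIVATE KEY' "$work/goldy.pub.asc"; then echo "EXPORT LEAKED PRIVATE KEY"; return 1; fi

  # 3. Dusty imports the key and compares its fingerprint with the one Goldy confirms
  #    out of band; without this anyone could hand Dusty a key "from Goldy".
  g "$dusty" --import "$work/goldy.pub.asc"
  if [ "$(primary_fpr "$dusty" goldy@goldilocks.example)" != "$(primary_fpr "$goldy" goldy@goldilocks.example)" ]; then
    echo "FINGERPRINT MISMATCH"; return 1
  fi

  # 4. Dusty signs and encrypts her reply to Goldy and exports her own Public Key to
  #    attach to it (--trust-model always stands in for the fingerprint check above).
  printf 'Floor 3 is available from May 1.\n' > "$work/reply.txt"
  g "$dusty" --passphrase "$dusty_pw" --trust-model always --armor \
    --recipient goldy@goldilocks.example --sign --encrypt \
    --output "$work/reply.asc" "$work/reply.txt"
  g "$dusty" --armor --export dusty@goldilocks.example > "$work/dusty.pub.asc"

  # 5. Failure modes the guide warns about, checked before the real decryption:
  #    the sender (or anyone holding only the Public Key) cannot read the ciphertext ...
  if g "$dusty" --passphrase "$dusty_pw" --decrypt "$work/reply.asc" >/dev/null 2>&1; then
    echo "SENDER COULD DECRYPT"; return 1
  fi
  #    ... and the Private Key file without its passphrase is useless too.
  if g "$goldy" --passphrase 'wrong passphrase' --decrypt "$work/reply.asc" >/dev/null 2>&1; then
    echo "WRONG PASSPHRASE ACCEPTED"; return 1
  fi

  # 6. Goldy imports Dusty's key (so the signature can be verified) and decrypts with
  #    her Private Key plus passphrase; the plaintext must match what Dusty wrote.
  g "$goldy" --import "$work/dusty.pub.asc"
  plain=$(g "$goldy" --passphrase "$goldy_pw" --decrypt "$work/reply.asc")
  if [ "$plain" != "$(cat "$work/reply.txt")" ]; then echo "DECRYPT MISMATCH"; return 1; fi

  # Clean up: stop the per-home agents before deleting their directories.
  for h in "$goldy" "$dusty"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$work"
  echo OK
}

RESULT=$(pgp_roundtrip)
echo "round trip: $RESULT"
```

Run it as a normal user with GnuPG 2.1 or later installed; it works in throwaway directories under /tmp and never touches your own keyring. Roundcube performs the same operations with GnuPG on the server when you tick "Encrypt this message" and when you enter your passphrase to read a reply.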
Just a reminder - you now have three different passwords: one to log in to Web Forms, one to log in to YunoHost, and the passphrase that encrypts and decrypts your email. You MAY keep them the same, but for maximum security all of them should be different. In any case - DO NOT LOSE THEM!
When Goldy logs into her web-mail she should see two new emails. One is the read receipt generated when Dusty opened the email - confirming it was delivered as promised (a read receipt is only sent if the recipient's mail client agrees to send it, so its absence does not mean the email was not delivered). The other is the encrypted reply from Dusty, with her Public Key attached.
If you decide to use full encryption, please understand the following: there is no way to recover lost keys or passphrases, and if you lose them your encrypted email remains inaccessible to everyone, permanently. No amount of resources - time, money, knowledge - is going to recover them.
For this reason we recommend using encryption for a few special emails only: memorize, copy or save the content, then delete the encrypted email right away. This may change, of course, when you own the FourOh-LLC Software Stack and have expert, dedicated staff to manage this for you.
If you are forced to discard a compromised key pair (an ex-employee still has it, or you left your account open in a public library), you ARE going to lose access to all emails encrypted with that key unless you decrypted and saved their contents beforehand. Again, have a plan beforehand for how to deal with these details.
This is the same pattern used by organisations that exchange highly sensitive information, government agencies included. Granted, they do not use Roundcube but something else, they may use different algorithms, and they may use larger keys than the 4096-bit keys generated here, but the exchange of trusted keys, the passphrase-protected Private Key, the DNS-based routing, and the rest of the service and software stack are the same.
There is no protection against carelessness, social engineering and other human factors. Again, FourOh-LLC has no access to your decrypted email and attachments, and we do not have access to your PGP passphrase. One technical caveat to keep in mind: Roundcube performs the encryption and decryption on the server, so your passphrase is sent to the server each time you open an encrypted message; the protection therefore covers mail at rest and in transit, and assumes the server is not actively compromised at the moment you read a message. The FourOh-LLC technology stack is sound and secure as far as technology is concerned, and that is the minimum we hope you take away from this guide.