What is securemail?
Enabling SSL encryption on your site is the first step to protect sensitive information. However, data can still be stolen by hackers if the data is stored on the server or transported from the server in an insecure manner such as unencrypted email. To further protect sensitive information, we provide a script we call "securemail" that takes the data input on a web form, encrypts it, and sends it the encrypted data by email.
How does it work?
securemail is designed as a drop in replacement for our cgiemail script. The difference is that when a web form posts to our securemail script, it encrypts the data using the OpenPGP encryption standard before it is emailed to the website owner. This standard uses a two key pair, a public key and a private key. The public key is installed on the server and used to encrypt the data, but only the holder of the private key can decrypt it. Because the private key is kept safe by it's owner (and never stored on our server), the encrypted data can only be decrypted by the owner of the key.
Here are the steps for implimenting securemail on your website:
Step 1: Read this disclaimer.
ActionWeb makes NO warrantees, either express or implied, including, but not limited to, implied warrantees of merchantability and fitness for a particular purpose, with regard to securemail, and any accompanying hardware or software. In no event shall ActionWeb or it's owners or employees be liable for any special, incidental, indirect, or consequential damages whatsoever, including, without limitation, damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss which may arise out of the use of or inability to use securemail. In other words, while we believe that when securemail is properly used that it will substantially increase the security of data, we do not guarantee that it will.
Step 2: Generate your key pair and install the public key on the server.
To get you through this part, see the Using Cryptophane to Create an OpenPGP Key Pair tutorial.
Step 3: Create a web form using cgiemail script.
Create a form that works with our cgiemail script first. If your form does not work properly using the cgiemail script, it will not work with the securemail script.
Step 4: Convert your form to use securemail.
There are potentially three changes that you will need to make to convert your form that works with cgiemail so that it works it works with securemail:
- Change where the form posts to by editing the FORM ACTION line. Specifically change this line:
<FORM ACTION="/cgi-bin/cgiemail/template-path-and-filename" METHOD=POST>
<FORM ACTION="/cgi-tools/securemail" METHOD="POST">
- Add a hidden field to your form that points to the template you created for cgiemail, such as the following:
<input type="hidden" name="template" value="/template-path-and-filename">
Note that the /template-path-and-filename path is relative to the root directory of your website.
- Edit your cgiemail template so that the To: line matches your OpenPGP user id exactly.
For example, if your To: line looks like this:
Change it to one that matches the OpenPGP key you generated:
Step 5: Test your form.
Assuming everything goes as it should, after you fill out your form and submit it, the designated email account should receive an encrypted email message. To decrypt the message in Cryptophane, go to the File -> Message option and paste the encrypted portion of the message in the box like so:
Click "OK" and enter the passphrase for your key, which should immediately decrypt the message.