I have a Rails application that triggers emails on certain events. These emails are sent to a separate company who will add some additional data to the email when replying. This is all understood and working: I am parsing the replies, extracting the data and it works fine.

I have now been asked to encrypt the emails.

Does anyone have any experience/ideas on the best way to do this?

I cannot guarantee what email client the 3rd party will be using, so I need a solution that would work generically across many email clients. The encryption must be made both by my application when I send the email and by the client application (Outlook, Thunderbird, Entourage etc.) when it replies. I will then need to receive the encrypted email, decrypt and parse it to extract the new information I need.

Can anyone point me at plugins/documents that would help me achieve this?

+3  A: 

If the other end doesn't use your application, you should use S/MIME or PGP.

Most desktop email clients support S/MIME out of the box, and PGP is usually available as a plugin (for Thunderbird there's Enigmail, for Apple Mail there's GPGMail, etc.).

Also, S/MIME needs certificates, which you can create yourself or purchase from a Certificate Authority (like Verisign or Thawte), depending on your needs.

I'm sure there are S/MIME and PGP libraries for Ruby, but a quick search didn't reveal the "one true library" for me. However, you can always let OpenSSL (for S/MIME) or GPG do the heavy lifting for you.

Can Berk Güder
http://github.com/bendiken/openpgp
Jonas Elfström
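
The S/MIME route from the answer above, sketched with Ruby's bundled OpenSSL bindings. This is an added example, not code from the answer or its author: it signs and then encrypts an outgoing body, and on the return path decrypts and accepts the body only if the signature verifies against the one sender certificate that is trusted. The helper names (`make_identity`, `smime_seal`, `smime_open`) are hypothetical, and the throwaway self-signed certificates stand in for the real certificates each side would hold.

```ruby
require "openssl"

# Constructed throwaway identity (RSA key + self-signed certificate). In
# production each side would hold a certificate created or purchased as the
# answer describes; this is an assumption made so the example runs offline.
def make_identity(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Sign with the sender's key, then encrypt the signed message to the recipient.
# BINARY keeps OpenSSL from rewriting line endings in the payload.
def smime_seal(body, sender_key, sender_cert, recipient_cert)
  signed = OpenSSL::PKCS7.sign(sender_cert, sender_key, body, [], OpenSSL::PKCS7::BINARY)
  inner = OpenSSL::PKCS7.write_smime(signed)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  sealed = OpenSSL::PKCS7.encrypt([recipient_cert], inner, cipher, OpenSSL::PKCS7::BINARY)
  OpenSSL::PKCS7.write_smime(sealed)
end

# Decrypt with the recipient's key, then return the body only if its signature
# verifies against the single sender certificate we trust. Returns nil when
# decryption or verification fails, so unverified data never reaches a parser.
def smime_open(message, recipient_key, recipient_cert, trusted_sender_cert)
  inner = OpenSSL::PKCS7.read_smime(message).decrypt(recipient_key, recipient_cert)
  signed = OpenSSL::PKCS7.read_smime(inner)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_sender_cert)
  signed.verify([], store) ? signed.data : nil
rescue OpenSSL::PKCS7::PKCS7Error
  nil
end
```

The string returned by `smime_seal` begins with MIME headers (`MIME-Version`, `Content-Type`, and so on) that belong in the outgoing mail's headers rather than in its body.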
A: 

I think Güder's answer is excellent, but keep in mind that all that necessitates that the user already have something like GPG installed and an associated key available. This grueling setup process is about 95% of the obstacle to getting email encryption more widespread.

Are you certain that the individuals who commissioned this project understand that it's not as simple as flipping a switch in the code to send encrypted emails?

One option is to incorporate in the install process for your program a key management routine that depends on (and includes) GPG. Then the user could select a very difficult passphrase (make sure to run checks on it so it's at the very least alphanumeric, etc.), a public key could be generated from that, and uploaded to the popular keyservers.

The generated key could be used for the emails the program generates, and most importantly, the key would be unique to each user. Then you can do a regular external call to the default email client on the user's OS to open the email.

To make sure that the email gets opened up encrypted, I would check on the environment and get the default email client, then send the email from your program with the flags necessary to have the generated email be encrypted. This means it's going to be different for Thunderbird's Enigmail than it is for Apple's Mail, for example.

But don't forget about OpenSSL, certainly....

ronocdh