It would be a great security enhancement IMO to be able to only keep keys on a permanently offline machine, and be able to use two instances of Thunderbird+Enigmail communicating with each other, screens-to-webcams through automated sequences of QR codes, or through audio cables with something like minimodem (see Debian package).
At present, to keep your keys offline you need to use gpg on the command line and transfer between the two machines via CD. (Saving on some USB device is not recommended, see "bad USB exploit". Maybe a USB device encrypted with a very strong passphrase can make a difference, but it couldn't be considered an airgapped machine any more.)
Plan B, or first step, implying fewer modifications on Thunderbird+Enigmail: being able to save/load a message ready for encryption/signing, or already encrypted/signed and ready to be sent. (Then use of some external app for the communication between the offline and the online machines, or burn a CD.)
Plan B is easy. Use menu File > Save As > File and store the file. Transport the file to your offline device and drag the file into Thunderbird.
Thank you very much @pbrunschwig
Detailing the saving procedure
I've seen three possibilities (of course after selecting one message in the messages list):
Top right menu button | Save As
Message contextual menu (right-click on the message line in the list of messages) | Save As...
"More" button at the top right in the message window.
From what I see, the format is always .eml, so it could as well be a Save menu item (unless changing the suffix selects another format, just as GIMP does when exporting an image, but I have no idea what other suffixes would be valid; admittedly I read no docs on that).
I tried with short messages with a few attachments and saving-loading via .eml worked just great.
(I haven't tried the full procedure yet, transporting to-from a separate permanently offline machine, signing-encrypting-decrypting with the offline instance and sending-receiving with the online instance.)
Detailing the loading procedure.
The receiving Thunderbird instance can be offline provided I drag the file into a local folder, the most appropriate one probably being the LOCAL 'Drafts' folder; otherwise Thunderbird complains that it can't reach the server and does not load the message (because it's trying to store it into the remote folder into which you are drag-and-dropping the message file).
Last edit: Guido Alfano 2018-10-28
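An added check for the step where the signed/encrypted .eml is carried back from the offline instance to the online one (example code, not from this thread or from Enigmail): it parses the saved file and confirms the message has the PGP/MIME encrypted structure of RFC 3156 rather than a still-plaintext body. Both .eml samples below are constructed for the example; the ciphertext is a placeholder.

```python
import email
import sys
from email import policy

# Constructed sample: the structure Enigmail produces for a PGP/MIME
# encrypted message (RFC 3156). The PGP block is a placeholder, not real ciphertext.
ENCRYPTED_EML = """\
From: alice@example.org
To: bob@example.org
Subject: offline test
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----
(placeholder ciphertext, constructed for this example)
-----END PGP MESSAGE-----

--b1--
"""

# Constructed sample: the same message saved before encryption (plaintext body).
PLAIN_EML = """\
From: alice@example.org
To: bob@example.org
Subject: offline test
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

This body has not been encrypted yet.
"""


def is_pgp_mime_encrypted(raw_eml: str) -> bool:
    """True only if the .eml is a well-formed RFC 3156 multipart/encrypted message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    if msg.get_content_type() != "multipart/encrypted":
        return False
    if msg.get_param("protocol") != "application/pgp-encrypted":
        return False
    parts = msg.get_payload()
    if len(parts) != 2:  # RFC 3156: exactly a control part and a ciphertext part
        return False
    control, body = parts
    if control.get_content_type() != "application/pgp-encrypted":
        return False
    if body.get_content_type() != "application/octet-stream":
        return False
    armored = body.get_payload(decode=True).decode("utf-8", "replace")
    return "-----BEGIN PGP MESSAGE-----" in armored


if __name__ == "__main__":
    # Usage: python check_eml.py saved_message.eml (path is a hypothetical example)
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        print("PGP/MIME encrypted" if is_pgp_mime_encrypted(fh.read()) else "NOT encrypted")
```

Run it on the .eml saved from the offline instance before transporting it; a "NOT encrypted" result means the plaintext draft, not the encrypted one, was saved.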