In all the discussion about using encryption, a critical point keeps getting lost: encryption is difficult to work with, and it's even harder to deploy at scale. Nowhere is the challenge more evident than in sending secure email.
There are many ways to interact and collaborate -- instant messaging, Slack, and so on -- but email still dominates in enterprises. Even as encryption goes mainstream with secure messaging tools, more websites adopting HTTPS by default, and cloud storage services allowing easier file encryption, sending an encrypted email message is still a challenge.
While GPG Sync, a new open source project from First Look Code, doesn't simplify the process of sending encrypted messages, it does "make using encrypted email within an organization less obnoxious for everyone," wrote Micah Lee, a technologist with First Look Code, the software arm of First Look Media.
GPG Sync is designed for organizations already doing the heavy lifting by encrypting email with GnuPG (GNU Privacy Guard, or GPG), the open source implementation of the OpenPGP public key standard. Using GPG is a multistep affair: each user first creates a key pair, then regularly imports other users' public keys and verifies that each key actually belongs to the person it claims to.
Making sure everyone has the most current key for everyone else is an unwieldy task. New keys are issued to new users as they join, so they need to be imported. If existing users revoke keys and transition to new keys, other users need to refresh those keys to make sure they are not accidentally encrypting to the old ones. This is the problem GPG Sync solves, by making sure each user has up-to-date public keys for everyone on a centrally managed list.
The project takes a very straightforward approach. A single trusted person maintains a list of the GPG fingerprints used by the organization, and digitally signs that list with an "authority key." Each user's copy of GPG Sync is configured with the authority key's fingerprint and the URL where the signed list is published. The software periodically downloads the list, checks that the signature was made by the pinned authority key, and then refreshes every nonrevoked key on the list from a key server. Pinning the authority key's fingerprint is what makes the scheme safe to run over an untrusted network: a list served from the right URL but signed by any other key is rejected.
"Now each member of your organization will have up-to-date public keys for each other member, and key changes will be transitioned smoothly without any further work or interaction," Lee wrote on the project's GitHub page.
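The two decisions a client has to make on every sync, as an added example that is not GPG Sync's own code: first, whether the downloaded list really carries the pinned authority key's signature, and second, which keys on it to fetch, refresh or leave alone. It assumes the list is a plain text file with one fingerprint per line and `#` comments, and that the detached signature has been checked with `gpg --status-fd 1 --verify fingerprints.txt.sig fingerprints.txt`, whose machine-readable status lines are parsed here. All fingerprints, status lines and keyring state are constructed sample data; the function names are this example's own.

```python
"""Trust check and refresh plan for a GPG Sync-style signed fingerprint list.

Added illustration, not GPG Sync's own code. Assumes the list has one
fingerprint per line with '#' comments, and that gpg was run with
--status-fd so its status lines can be parsed. All data below is constructed.
"""
import re

FPR_RE = re.compile(r"^[0-9A-F]{40}$")

# Constructed sample fingerprints (not real keys).
AUTHORITY_FPR = "0A1B2C3D4E5F60718293A4B5C6D7E8F901234567"  # pinned in every client
SIGNING_SUBKEY = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # authority's signing subkey
IMPOSTOR_FPR = "9999888877776666555544443333222211110000"   # some other key in the keyring
ALICE = "1111222233334444555566667777888899990000"
BOB = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
CAROL = "0000AAAA1111BBBB2222CCCC3333DDDD4444EEEE"

FINGERPRINTS_TXT = """# constructed fingerprints.txt, one member per line
1111 2222 3333 4444 5555  6666 7777 8888 9999 0000   # alice, as gpg --fingerprint prints it
AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
0000aaaa1111bbbb2222cccc3333dddd4444eeee
"""

# Constructed status-fd output for three cases. In a VALIDSIG line the last
# field is the primary-key fingerprint of whichever key made the signature.
GOOD_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {SIGNING_SUBKEY[-16:]} GPG Sync Authority <authority@example.org>
[GNUPG:] VALIDSIG {SIGNING_SUBKEY} 2016-09-22 1474560000 0 4 0 22 8 00 {AUTHORITY_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
IMPOSTOR_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {IMPOSTOR_FPR[-16:]} Someone Else <else@example.org>
[GNUPG:] VALIDSIG {IMPOSTOR_FPR} 2016-09-22 1474560000 0 4 0 22 8 00 {IMPOSTOR_FPR}
"""
REVOKED_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG {SIGNING_SUBKEY[-16:]} GPG Sync Authority <authority@example.org>
[GNUPG:] VALIDSIG {SIGNING_SUBKEY} 2016-09-22 1474560000 0 4 0 22 8 00 {AUTHORITY_FPR}
"""

# Local keyring state: fingerprint -> True if the local copy is revoked.
LOCAL_KEYS = {ALICE: False, BOB: True}


def parse_fingerprint_list(text):
    """Normalize the list. Anything that is not a 40-hex-digit fingerprint is an
    error rather than silently skipped, so a corrupted list fails loudly."""
    fprs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fpr = line.replace(" ", "").upper()
        if not FPR_RE.match(fpr):
            raise ValueError(f"line {lineno}: not a fingerprint: {raw!r}")
        if fpr in fprs:
            raise ValueError(f"line {lineno}: duplicate fingerprint {fpr}")
        fprs.append(fpr)
    return fprs


def list_is_trusted(status_output, authority_fpr):
    """Accept the list only if gpg reports VALIDSIG and the primary-key fingerprint
    in it equals the pinned authority key. GOODSIG alone would accept a signature
    from *any* key in the keyring; revoked/expired signing keys are rejected."""
    authority_fpr = authority_fpr.replace(" ", "").upper()
    primary = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if fields[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            return False
        if fields[1] == "VALIDSIG":
            # VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo> <hashalgo> <class> [<primary-fpr>]
            primary = (fields[11] if len(fields) > 11 else fields[2]).upper()
    return primary == authority_fpr


def plan_refresh(authorized, local_keys):
    """Missing keys get fetched, present unrevoked keys get refreshed so rotations
    and new subkeys propagate, and keys already revoked locally are left alone."""
    plan = {"fetch": [], "refresh": [], "skip_revoked": []}
    for fpr in authorized:
        if fpr not in local_keys:
            plan["fetch"].append(fpr)
        elif local_keys[fpr]:
            plan["skip_revoked"].append(fpr)
        else:
            plan["refresh"].append(fpr)
    return plan


def sync(status_output, authority_fpr, list_text, local_keys):
    """One sync run: the trust decision comes first, then the refresh plan."""
    if not list_is_trusted(status_output, authority_fpr):
        raise PermissionError("fingerprint list is not signed by the pinned authority key")
    return plan_refresh(parse_fingerprint_list(list_text), local_keys)


if __name__ == "__main__":
    print(sync(GOOD_STATUS, AUTHORITY_FPR, FINGERPRINTS_TXT, LOCAL_KEYS))
```

The check worth copying is in `list_is_trusted`: a client that stops at `GOODSIG`, or that compares only the short key ID, will happily accept a list signed by any key that happens to be in the user's keyring, which is exactly the substitution the pinned authority fingerprint is meant to prevent.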
GPG Sync plays a role similar to that of the certificate authority in an S/MIME deployment, but it is a far simpler alternative for organizations that don't want to run a full PKI: the only central components are one signed text file and the authority key that signs it.
It's hard enough using GPG for encrypting emails, so simplifying key management is a real benefit.
The caveat is that organizations must already have users set up to encrypt messages with PGP. While there are teams using open source OpenPGP implementations such as GnuPG, many organizations concerned about encrypted email prefer commercial offerings, such as Virtru. That platform sits on top of the organization's existing email system, making it possible for users to send and receive encrypted messages without changing their workflow. Virtru also provides a secure process for non-Virtru users to access encrypted messages.
Projects like GPG Sync are beneficial for the overall open source security ecosystem because they simplify parts of an existing workflow. Making it easier to handle different steps makes the prospect of adopting GPG less daunting.
Secure communications suffer from a chicken-and-egg problem. Users like the idea of sending secure messages, but they need to make sure the people they are communicating with are on the same service. In the world of secure text messaging, users wind up with multiple apps on their mobile devices and have to remember which contact is on which platform to be able to communicate. Apple encrypting iMessage end-to-end solved that problem for a lot of iOS users, at least when both ends are Apple devices, and services like ProtonMail offer free encrypted webmail, but there's still a lot left to do to bring encryption to the masses.