Tip: This script replaces the pgpmail.cgi script. If you are still using pgpmail.cgi, you can find its documentation here.
What is securemail?
Enabling SSL encryption on your site is the first step in protecting sensitive information: it protects the data while it travels from the visitor's browser to the server. However, the data can still be stolen if it is stored on the server or sent onward from the server in an insecure manner, such as unencrypted email. To further protect sensitive information, we provide a script we call "securemail" that takes the data entered on a web form, encrypts it, and sends the encrypted data by email.
How does it work?
securemail is designed as a drop-in replacement for our cgiemail script. The difference is that when a web form posts to the securemail script, the data is encrypted using the OpenPGP encryption standard before it is emailed to the website owner. OpenPGP uses a key pair: a public key and a private key. The public key is installed on the server and is used to encrypt the data, but only the holder of the private key can decrypt it. Because the private key is kept by its owner and is never stored on our server, the encrypted data can be read only by the owner of that key. Note that securemail encrypts the data only once it has reached the server, so the form itself must still be served over SSL; and the private key and its passphrase are then the only things protecting the mailed data, so guard them accordingly.
Implementing securemail
Here are the steps for implementing securemail on your website:
Step 1: Read this disclaimer.
ActionWeb makes NO warranties, either express or implied, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose, with regard to securemail and any accompanying hardware or software. In no event shall ActionWeb or its owners or employees be liable for any special, incidental, indirect, or consequential damages whatsoever, including, without limitation, damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss which may arise out of the use of or inability to use securemail. In other words, while we believe that securemail, when properly used, will substantially increase the security of data, we do not guarantee that it will.
Step 2: Generate your key pair and install the public key on the server.
To get you through this part, see the Using Cryptophane to Create an OpenPGP Key Pair tutorial.
Step 3: Create a web form using the cgiemail script.
Create a form that works with our cgiemail script first. If your form does not work properly with the cgiemail script, it will not work with the securemail script either.
Step 4: Convert your form to use securemail.
There are up to three changes you will need to make so that a form that works with cgiemail also works with securemail:
1. Change where the form posts to by editing the FORM ACTION line. Specifically, change this line:
<FORM ACTION="/cgi-bin/cgiemail/template-path-and-filename" METHOD=POST>
to this:
<FORM ACTION="/cgi-tools/securemail" METHOD="POST">
2. Add a hidden field to your form that points to the template you created for cgiemail, such as the following:
<input type="hidden" name="template" value="/template-path-and-filename">
Note that the /template-path-and-filename path is relative to the root directory of your website; it is the same path that followed /cgi-bin/cgiemail/ in your old FORM ACTION line.
3. Edit your cgiemail template so that the To: line matches the user ID of your OpenPGP key exactly, including the name and the angle brackets around the address. For example, change the To: line to one that matches the key you generated, such as:
To: Some Name <firstname.lastname@example.org>
Step 5: Test your form.
Assuming everything goes as it should, after you fill out your form and submit it, the designated email account should receive an encrypted email message: the body is a block that starts with -----BEGIN PGP MESSAGE----- and ends with -----END PGP MESSAGE-----, and none of the values you submitted should be readable in the clear anywhere in the message. Use made-up values for this test rather than real card numbers or passwords. To decrypt the message in Cryptophane, go to the File -> Message option and paste that block, from the BEGIN line through the END line, into the box.
Click "OK" and enter the passphrase for your key; the message should decrypt immediately.
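Decrypting in Cryptophane shows that you can read the message; a stricter test looks at the raw mail itself and checks three things: that it carries a well-formed PGP MESSAGE block with a good checksum, that the block is addressed to your key rather than to some other key, and that none of the values you typed into the form appear outside the block. The Python script below is an added example written for this page, not code from securemail or Cryptophane. It parses the OpenPGP armor and packet headers itself (RFC 4880) and reads the recipient key ID from the Public-Key Encrypted Session Key packet. The key ID, the test values and the sample mail are constructed placeholders, and the sample "ciphertext" is dummy bytes, so the script checks structure and addressing only, not that the data decrypts.

```python
import base64
import re

# Constructed placeholders, not from the page: the site owner's key ID (as shown
# by the key tool) and the values typed into the form during the test.
EXPECTED_KEY_ID = "0123456789ABCDEF"
TEST_VALUES = ["Test User", "4111111111111111"]

ARMOR_RE = re.compile(
    r"-----BEGIN PGP MESSAGE-----\r?\n(.*?)\r?\n-----END PGP MESSAGE-----", re.S)

def crc24(data):
    """Armor checksum, RFC 4880 section 6.1."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packets):
    """ASCII-armor binary packets (no armor headers); used to build the sample mail."""
    b64 = base64.b64encode(packets).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    chk = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "-----BEGIN PGP MESSAGE-----\n\n%s\n=%s\n-----END PGP MESSAGE-----\n" % (body, chk)

def dearmor(text):
    """Packets of the first PGP MESSAGE block in text, or None if absent or corrupt."""
    m = ARMOR_RE.search(text)
    if not m:
        return None
    lines = [ln.rstrip("\r") for ln in m.group(1).split("\n")]
    if "" in lines:                       # armor headers end at the first blank line
        lines = lines[lines.index("") + 1:]
    if not lines or not lines[-1].startswith("="):
        return None
    chk = lines.pop()[1:]
    try:
        packets = base64.b64decode("".join(lines), validate=True)
        if base64.b64decode(chk) != crc24(packets).to_bytes(3, "big"):
            return None                   # checksum mismatch: truncated or altered
    except ValueError:                    # binascii.Error is a ValueError
        return None
    return packets

def iter_packets(data):
    """Yield (tag, body) per packet; old and new header formats, RFC 4880 section 4.2."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("not a packet header")
        if ctb & 0x40:                    # new format: 6-bit tag, 1/2/5-octet length
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                             # old format: 4-bit tag, 1/2/4-octet length
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[i:i + (1 << ltype)], "big")
            i += 1 << ltype
        yield tag, data[i:i + length]
        i += length

def recipient_key_ids(packets):
    """Key IDs named by Public-Key Encrypted Session Key packets (tag 1, version 3)."""
    return [body[1:9].hex().upper() for tag, body in iter_packets(packets)
            if tag == 1 and len(body) >= 10 and body[0] == 3]

def check_received_mail(raw_mail, expected_key_id, submitted_values):
    """(ok, reason): intact block present, addressed to our key, no value in the clear."""
    packets = dearmor(raw_mail)
    if packets is None:
        return False, "no valid PGP MESSAGE block in the mail"
    ids = recipient_key_ids(packets)
    if expected_key_id.upper() not in ids:
        return False, "encrypted to %s, not %s" % (ids or "no key", expected_key_id)
    leaked = [v for v in submitted_values if v in ARMOR_RE.sub("", raw_mail)]
    if leaked:
        return False, "submitted values appear in clear text: " + ", ".join(leaked)
    return True, "encrypted to the expected key, nothing in the clear"

def sample_packets(key_id):
    """Constructed PKESK (tag 1, RSA, dummy MPI) then a SEIPD packet (tag 18) of dummy bytes."""
    pkesk = bytes([0x03]) + bytes.fromhex(key_id) + bytes([0x01, 0x00, 0x10, 0xAB, 0xCD])
    seipd = bytes([0x01]) + bytes(range(16))
    return bytes([0xC1, len(pkesk)]) + pkesk + bytes([0xD2, len(seipd)]) + seipd

# Constructed stand-in for the raw mail a successful test submission produces.
ENCRYPTED_MAIL = "Subject: Order form\n\n" + armor(sample_packets(EXPECTED_KEY_ID))
```

To use it on a live test, replace ENCRYPTED_MAIL with the raw text of the message you received and EXPECTED_KEY_ID with the key ID your key tool shows for the key you generated, then call check_received_mail(ENCRYPTED_MAIL, EXPECTED_KEY_ID, TEST_VALUES). A False result with "no valid PGP MESSAGE block" means the form is still reaching cgiemail (or the mail was mangled in transit); a False result naming a different key means the public key installed on the server is not the one whose private half you hold, which a Cryptophane decrypt would also reveal, but only after you have already mailed the data.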