Last year I wrote an article bemoaning the lack of security for emails, particularly with companies sending personal data to confirm quotations. After the recent revelations that the US are quite happily running as much information as they can through a system through Prism, and the UK government wanting to introduce a Snooper’s charter to track your every online movement, our personal data is now not only at risk from interception by crooks, but also by the very people who are supposed to be looking after us.
After I had written the article, I was made aware of a product called MKryptor, developed by a company called Fresh Skies, but it’s taken me around a year to get round to doing a full test of the product. The concept is simple: Any email that you send is passed through the MKryptor service which encapsulates the email in an AES 256 encrypted PDF or ZIP, password protected using key phrases that only the recipient could possibly know.
It seems such an obvious solution, that I can’t think why it hasn’t already been adopted by companies around the world. The answer to that is simple: They don’t care if your personal data is available to all and sundry; just that you buy their product.
I initially wanted to set MKryptor up on a Windows virtual machine so that I could play around with it without affecting my other systems. This fell at the first hurdle, but it wasn’t until I had had a few technical discussions with Toby Bisco of Fresh Skies, that we worked out what the problem was. Understandably, Fresh Skies have tested that MKryptor will install on virtual machines, since most companies are likely to use VMs in this day and age, and sensibly they had validated that it would install successfully on VMWare and Amazon EC2. Unfortunately, I had plumped for Oracle VM VirtualBox. The registration for MKryptor creates a hash key based on the hardware it is installed on, and it seems that VirtualBox doesn’t provide all the information required. With that in mind, I fired up a Windows instance in VMWare, and I was ready to go.
Installation and configuration
Configuring the SMTP relay
Setting up security
The install of MKryptor itself is fairly straightforward: select the 32- or 64-bit executable and run it on your Windows instance. It needs .NET Framework 4.0, but will prompt you to download it if it isn’t installed. From there on, it installs the product and then opens up the configuration manager. Fresh Skies quite reasonably give you the option of a trial licence to try the product out of 60 days, which is more than enough for a proof of concept.
For my configuration I set the service up to relay any emails to my ISP rather than through my local email server, but you can also leave MKryptor to send emails directly from your domain. The only additional changes needed were to add an Administrator name and email address, and to configure your email client (in my case just using Windows Mail on the VM itself) to point to the MKryptor service. This can be configured to listen on any port on the server (the recommended port is 2525 to avoid conflicts or firewall issues).
Additional configuration can be carried out, particularly on the Security tab, where you can choose the encryption levels (set to AES-256 by default) and how the email will be sent – by PDF or ZIP. It also gives options for emails that you specify not to be encrypted, perhaps when the emails should be sent internally. As the defaults suited me, I initially left them as they were. Configuring MKryptor to send emails by default in an encrypted ZIP file is a matter of clicking a radio button, or you can just add the following command to your email:
##Encrypt:ZIP
Once that was done, I was ready to start sending emails out.
Sending Emails
I must admit that sending emails was not straightforward, and I had to delve into the user guide to understand the requirements. For the first email you send to any recipient, MKryptor requires you to set at least two known facts (or however many you define in the security section of the Configuration Manager). The first email you ever send also needs a personal password which can be used to respond to you securely. Once these are added to the first email, you can then send emails to the same recipient with a simple tag to indicate it needs encrypting.
Email received with instructions
For my first test, I set the “Known Facts” as my first and last name – not very secure, but then it’s just a test with no secure data in it. The advantage of this system is that only the sender and the recipient will be aware what the “Known Facts” are, providing you use details that aren’t in the common domain. The first lines of the email are therefore in the following format:
##First Known Fact: {fact}
##Second Known Fact: {fact}
##My Password: {password}
You then write the rest of your email, add attachments and so on. Once sent, the recipient gets an email, either with the default email template provided by MKryptor or one that you (or your email administrator) has set up, together with a PDF attachment. The email tells you to open the PDF and enter a number of characters from your known facts without any spaces and in lower case. For example the image on the left asks for the last four of the first fact, and the first four of the second fact: in my case, the password would have been “thewcunl”. Opening the PDF prompts you for that password. Enter it as directed, and the content of the original email is displayed.
The final email
If you are sending your emails in an encrypted ZIP file, the only difference is that a ZIP is attached which requests the password. The PDF email and any attachments are then displayed inside the ZIP file itself.
Pricing
The pricing structure is quite complicated, depending on the number of users, the number of servers you want to install the service on, how many email domains you want to send from, and so forth. There are also five different plans, depending on which options you want available: Business, Business+, Enterprise, and two cloud-based options: Stratus and Nebula. The full price list is available on their website, but a simple breakdown is below, excluding VAT:
| Seats | Included Server Licenses | Business Basic £ |
Business+ £ |
Cloud Stratus |
|---|---|---|---|---|
| 1 | N/A | – | – | 9.99/month |
| 5 | N/A | – | – | 49.95/month |
| 10 | N/A | – | – | 89.91/month |
| 20 | 1 | 1250 | 2500 | 179.82/month |
| 50 | N/A | – | – | 399.60/month |
| 100 | 1 | 2500 | 5000 | 799.20/month |
| 250 | 1 | 5000 | 10000 | – |
| 500 | 2 | – | 15000 | – |
| 1000 | 2 | – | 20000 | – |
Verdict
There were a few minor niggles with MKryptor. The fact it wouldn’t install on VirtualBox was slightly irritating, but understandable: it’s unlikely that VirtualBox is used in mainstream businesses for VMs. For some reason, it wouldn’t let me configure the SMTP relay through the Configuration Manager, so I had to edit the configuration file itself. This wasn’t too complicated, as it’s a standard .NET xml file, but not something you’d want to see in a professional product. For someone in the testing business, I also had a quibble in that the tab order of the fields on the Configuration Manager screens was all over the place, jumping from a field at the top of the screen to the bottom and back again. Again, for a professional product, this should have been picked up before release.
However, as a concept it’s an exciting one. Emails can now be sent securely and automatically to anyone, using a private key method which doesn’t require any expertise or specific software (apart from a PDF reader or ZIP program) to view it. PGP has been around for years, but it isn’t user friendly to set up, and is something that your typical consumer would reject in an instant. By contrast, this is straightforward, and users can open the secure emails with any number of free products (providing your PDF viewer is able to view PDF attachments and the ZIP program supports AES-256 encryption).
For an SME, the Business option is probably sufficient and for a one off cost of £1250 for 20 users, is good value. Naturally, the more seats you buy, the cost per seat drops. Unfortunately, for the average private user even the “Stratus” cloud option is expensive, and whilst not out of everyone’s league, it’s not going to entice the consumer in.
Understandably the product is aimed at businesses who are keen to protect their commercial information, and if only a few would start using it when they send quotes, confirmation emails, or invoices to consumers, then I would be happy.
Maybe there will be a time when all email conversations can truly be private, and not eavesdropped upon, or misappropriated by a nefarious sysadmin. As this is unlikely, consumers can but hope that our ISPs will take up the mantle and offer this kind of product as optional extras at a lower rate.
I’ve recently found another potential secure email option called Lockify, although it requires data to be stored in the US. More coming up in a future article once I’ve assessed it.