Knowledge Base

What options are available for encryption and decryption?


General

Mail server address: The IP address of your mail server (i.e., the server running Postfix or Exim for your mail).

GoodCrypto server URL: The full URL, including the port, used to reach your GoodCrypto server.


Metadata and Traffic Analysis Protection

Encrypt metadata: When enabled, GoodCrypto protects all the metadata, except the date, the domain address for each group, and basic email header details (like the originating server), when it sends messages to recipients with compatible software. Learn more about how metadata protection works.

Padding and packetization: If enabled, then GoodCrypto holds messages for each domain for which it has a special "metadata key". On a regular schedule it combines the individual messages going to that domain, pads them to a standard size to create a single group message, encrypts that group message so that all the individual messages and their metadata are hidden, and sends it.

If there are no messages that need to be sent to a domain, then a message is still sent on the regular schedule.

Learn more about traffic analysis protection.

Packet size: The minimum size of the group message that carries one or more individual messages. If the pending outgoing individual messages for a domain are together too big for a single standard group message, the ones that do not fit are queued for a later send. If a single message is bigger than the group message size, it is returned to the sender with an explanation.

Frequency: The schedule on which packetized messages are sent.
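The padding and packetization schedule described above, as an added example that is not GoodCrypto's own code: per domain, pending messages are bundled into one fixed-size packet, leftovers are queued, an oversize message is bounced, and a cover packet still goes out when nothing is pending. The packet size, the 2-byte length framing and the zero padding are constructed for this example; encryption of the finished packet is left out.

```python
# Added example, not GoodCrypto's own code: a minimal model of the padding and
# packetization schedule described above. On each run, per destination domain,
# it bundles pending messages into one fixed-size packet, pads it, defers what
# does not fit, bounces a single message larger than a packet, and still emits
# a cover packet when nothing is pending. Framing and sizes are constructed.
from dataclasses import dataclass, field

PACKET_SIZE = 4096  # assumed value of the "Packet size" setting, in bytes
HEADER = 2          # length prefix per bundled message (constructed format)

@dataclass
class Outbox:
    pending: dict = field(default_factory=dict)   # domain -> list[bytes]
    bounced: list = field(default_factory=list)   # (domain, msg, reason)

    def queue(self, domain: str, msg: bytes) -> None:
        # A message that can never fit in one packet is returned to the sender.
        if HEADER + len(msg) > PACKET_SIZE:
            self.bounced.append((domain, msg, "message exceeds packet size"))
            return
        self.pending.setdefault(domain, []).append(msg)

    def run_schedule(self, domains) -> list:
        """One scheduled send. Returns one (domain, payload, count) per domain;
        payload is always PACKET_SIZE bytes and count 0 means cover traffic."""
        packets = []
        for domain in domains:
            queue = self.pending.setdefault(domain, [])
            body, taken = b"", 0
            while queue and len(body) + HEADER + len(queue[0]) <= PACKET_SIZE:
                msg = queue.pop(0)
                body += len(msg).to_bytes(HEADER, "big") + msg
                taken += 1
            # Pad so every packet looks identical on the wire; leftovers stay queued.
            body += b"\x00" * (PACKET_SIZE - len(body))
            packets.append((domain, body, taken))   # encryption would follow here
        return packets

def unpack(payload: bytes) -> list:
    """Recipient side: strip the padding and recover the bundled messages
    (a zero length prefix marks padding, so empty messages are not framed)."""
    msgs, i = [], 0
    while i + HEADER <= len(payload):
        n = int.from_bytes(payload[i:i + HEADER], "big")
        if n == 0:
            break
        msgs.append(payload[i + HEADER:i + HEADER + n])
        i += HEADER + n
    return msgs
```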


Tighter security

Require outbound encryption: If enabled, then GoodCrypto requires that all outbound mail be encrypted. This means that if someone sends a message and there is no key for the recipient, then the message bounces back to the sender.

Require verify new key: If enabled, then GoodCrypto requires that you log into your GoodCrypto private server after you verify a new key and add a check mark confirming that the key has been verified. If someone tries to send a message to a contact with an unverified key, then the sender's message is returned to them with details about how to proceed.

Require login to view fingerprint: When enabled, GoodCrypto requires that you log in to your GoodCrypto private server to view a fingerprint, also known as a key id. Your GoodCrypto private server should be behind your firewall, configured so that only your own people can reach it. But if you do not require login, it is possible that an unauthorized person could learn which individuals communicate securely.

Require login to export keys: If enabled, then you must log in to your GoodCrypto private server to export a key. Your GoodCrypto private server should be behind your firewall, configured so that only your own people can reach it. But if you do not require login, it is possible that an unauthorized person could learn which individuals communicate securely.

Filter HTML: When enabled, GoodCrypto removes known malware vectors from encrypted, inbound email. This is not a replacement for spam and virus filters.

We strongly recommend that you run anti-spam and anti-virus software after GoodCrypto runs so unencrypted messages can be checked and filtered.


Signatures

Clear sign mail: If enabled, then GoodCrypto adds a GPG signature after an outbound message is encrypted. If you're not protecting your metadata, then clear signing makes it easier to track your messages.

All encrypted messages are also signed as part of the encryption if the sender's key exists at the time of encryption. When signing is done as part of the encryption rather than as a clear signature, the recipient can still confirm that the message came from the sender, but someone who intercepts the message cannot see the sender's signature.

Add DKIM signature: When enabled, GoodCrypto adds a DKIM signature to each outbound message. Many large companies rely on DKIM signatures to identify whether a message originated from the sender. We'd also advise that you add SPF support to your DNS configuration to add further credibility to your messages.

Verify DKIM signatures: If enabled, then GoodCrypto verifies the first DKIM signature of each signed message. If the message passes verification, then a tag is added to the bottom of the message and the signature is removed from the header so that other filters don't inaccurately report the signature as bad.

DKIM delivery policy: If an inbound message contains a DKIM signature and you enabled Verify DKIM signatures, but the signature does not verify for any reason, then you can decide whether to drop the message or deliver it with a warning.

If the message is dropped, then it is not delivered and the sender is not informed about the error. GoodCrypto does not report the error to the sender because some spammers use bounced messages as a way to abuse mail systems.

DKIM public key: The public key for your domain used by DKIM. You must publish this key in a TXT record for your domain. The selector is mail, the algorithm is rsa-sha256, the key type is rsa, and the key length is 2048 bits.
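What happens to an inbound message once its first DKIM signature has been checked, under the Verify DKIM signatures and DKIM delivery policy settings above, as an added example that is not GoodCrypto's own code. The verification result is passed in rather than computed: a real check fetches the TXT record at <selector>._domainkey.<domain> (selector mail, as this page states) and validates the rsa-sha256 signature. The sample message, its placeholder b= values and the tag wording are constructed.

```python
# Added example, not GoodCrypto's own code: handling of an inbound message after
# its first DKIM-Signature header has been checked, following the "Verify DKIM
# signatures" and "DKIM delivery policy" settings above. The verification result
# is passed in; real verification fetches the TXT record at
# <selector>._domainkey.<domain> (selector "mail" here) and checks rsa-sha256.
from email import message_from_string
from email.policy import default

VERIFIED_TAG = "\n-- \nGoodCrypto: DKIM signature verified"          # assumed wording
WARNING_TAG = "\n-- \nGoodCrypto: WARNING, DKIM signature failed"    # assumed wording

# Constructed sample with two signatures; the b= values are placeholders.
SAMPLE = ("From: alice@example.com\nTo: bob@example.net\nSubject: hi\n"
          "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail; b=AAAA\n"
          "DKIM-Signature: v=1; a=rsa-sha256; d=other.example; s=mail; b=BBBB\n"
          "\nHello Bob\n")

def _append_tag(msg, tag):
    # Text-only messages for this example; multipart bodies need per-part work.
    msg.set_content(msg.get_content() + tag)
    return msg

def apply_dkim_policy(raw: str, verified: bool, policy: str):
    """Return the message to deliver, or None when it is dropped.
    policy is "drop" or "warn", the two delivery choices on this page."""
    msg = message_from_string(raw, policy=default)
    sigs = msg.get_all("DKIM-Signature") or []
    if not sigs:
        return msg                      # unsigned: nothing to verify
    if verified:
        # Only the first signature was checked; remove it because the tag we
        # add below changes the body and later filters would flag it as bad.
        del msg["DKIM-Signature"]
        for s in sigs[1:]:
            msg["DKIM-Signature"] = str(s)
        return _append_tag(msg, VERIFIED_TAG)
    if policy == "drop":
        return None                     # dropped silently, sender not notified
    return _append_tag(msg, WARNING_TAG)
```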


Other

Use keyservers: If enabled, then GoodCrypto will check the active keyservers to find keys for contacts without keys. If a key is found, then the first user who tried to send a message to that contact receives email alerting them about the new key.

This option does not impact whether someone can import a key from a keyserver.

Enable diagnostic logs: If enabled, then GoodCrypto logs the encryption and decryption process.

We strongly recommend that you only enable this option if you're having trouble with GoodCrypto or processing messages. Logs may contain sensitive data.