Knowledge Base
How do I access my GoodCrypto private server?
Your GoodCrypto private server has its own web site. This is not on GoodCrypto, but on the computer where you installed GoodCrypto.
Ask your administrator for the correct URL for your GoodCrypto server website.
Use your browser to connect to your server's website. We recommend that you use a secure connection (i.e., https). The https key for your site is dynamically generated to be unique just for you. The first time you access your new site, you'll need to approve its self signed key. When your browser says it can't verify the site, that is normal. It's a private site so no public certificate authority knows about it.
Secure access: Prefix the IP address for your GoodCrypto server with https: and add :8443 after the IP address. Don't forget the colon (:) between the IP address and the port number.
Insecure access: Prefix the IP address for your GoodCrypto server with http: and add :8080 after the IP address. Don't forget the colon (:) between the IP address and the port number.
For example, if your private server's IP address is: 192.168.10.200, then the url for your server would be:
-
https://192.168.10.200:8443 (example only)
http://192.168.10.200:8080 (example only)
Is my GoodCrypto private server preconfigured?
Yes.
GoodCrypto is distributed as a preconfigured, bootable ISO. It contains all the software that you need to protect your group's mail and browsing, including full source. You simply need to integrate it with your mail server and browsers.
As years of experience with TLS, SSH, and GPG have shown, configuring crypto is hard. GoodCrypto is preconfigured to remove the hassles and improve security.
The smaller your group is, the less you can afford to install and configure your own crypto. The larger your organization is, the less you can afford users to install and configure their own crypto.
How do I run my GoodCrypto ISO on a new computer?
To reduce the possibility of hidden malware, GoodCrypto will reformat the system data drive.
- Save the iso to a bootable device. We recommend you burn to readonly media such as a DVD. If you choose to use a usb drive, you can just copy the iso straight to the drive.
- System requirements:
- Intel 64 bit processor with virtual machine support
- 4+ GB RAM + mail needs (8 GB or more suggested)
- 10 GB drive + mail space (500 GB or more suggested)
The drive must be empty. - Bootable from ISO (DVD recommended, USB, etc.)
- DHCP access
- Internet access
- Back up any data from the hard drive. GoodCrypto will reformat the drive to reduce the possibility of hidden malware.
- Boot the new computer from the iso. GoodCrypto needs a dedicated data drive. If it can't find an empty one to format, it will say so and not boot. You might see an error message about the wrong file type which you can ignore. GoodCrypto will automatically format the drive with the correct type. On the first boot, you may notice a delay. GoodCrypto is reformatting the empty drive and creating unique keys.
- Configure and maintain your GoodCrypto server on your private website. Browse to the new computer's IP address using port 8443 if you're using https, or 8080 if you're using http. Examples: http://199.18.0.50:8080 or https://199.18.0.50:8443. We recommend you use https, but remember that your private server has a self-signed cert so you'll need to have your browser accept the cert. If your browser says it can't contact the site, wait a few minutes and try again.
- Enter the administrator's address for the domain you want to protect on your GoodCrypto private server. This address will be used to find your mail server, and to receive admin messages from your GoodCrypto private server. You may also opt to receive security alerts from GoodCrypto at this address.
- Follow the rest of the instructions provided on your GoodCrypto private server.
We strongly recommend that you:
- Maintain your GoodCrypto Server in a secure location.
- Limit access to authorized users.
- Maintain a correctly configured firewall.
How do I run my GoodCrypto private server in a virtual machine?
Here's the configuration for VirtualBox
Start VirtualBox. Click New. Use these settings in the wizard.
This is for Virtualbox 4.3.14. Other versions should be similar.
Name and operating system
- Name: GoodCrypto Private Server
- Type: Linux
- Version: Debian (64 bit)
Memory size
- 2048
This is the minumum, but more is better if you have it.
Hard drive
- Create a virtual hard drive now
Hard drive file type
- VDI (VirtualBox Disk Image)
Storage on physical hard drive
- Dynamically allocated
File location and size
- goodcrypto_private_server.vdi
You can also select the path on your system where you want the vdi file. - 10 GB
This is the minumum, but more is better if you have it.
That's all for the New wizard.
There are a few adjustments to the regular settings. Select GoodCrypto Private Server.
Storage
- Remove the check mark from Enable IO APIC
Storage
- Highlight Controller: IDE
- Under Controller: IDE, highlight the Empty item and click the icon with the blue disk and a red minus sign.
- Click the small icon with a round circle and a plus sign. When you pass your cursor over the icon it shows "Add CD/DVD Device"
- In the pop up window, click the Choose disk button.
- Move to the directory where you saved goodcrypto_private_server.iso, highlight the filename, and click the Open button.
- Under Controller: IDE, goodcrypto_private_server.iso should appear. Click on the name.
- In the Attributes, add a check mark to Live CD/DVD
Network
-
Configure the VM to forward the following ports by clicking Advanced and then
Port forwarding.
Name Protocol Host IP Host Port Guest IP Guest Port Rule 1 TCP 9350 9350 Rule 2 TCP 8398 8398 Rule 3 TCP 8080 8080 Rule 4 TCP 8443 8443 Rule 5 TCP 11371 11371 Rule 6 TCP 10027 10027
Final Steps
- Change your firewall to permit access to the forwarded ports.
- Start the GoodCrypto private server..
- Configure and maintain your GoodCrypto server on your private website. Browse to the new computer's IP address using port 8443 if you're using https, or 8080 if you're using http. Examples: http://199.18.0.50:8080 or https://199.18.0.50:8443. We recommend you use https, but remember that your private server has a self-signed cert so you'll need to have your browser accept the cert. If your browser says it can't contact the site, wait a few minutes and try again.
- Enter the administrator's address for the domain you want to protect on your GoodCrypto private server. This address will be used to find your mail server, and to receive admin messages from your GoodCrypto private server. You may also opt to receive security alerts from GoodCrypto at this address.
- Follow the rest of the instructions provided on your GoodCrypto private server.
We strongly recommend that you:
- Maintain your GoodCrypto Server in a secure location.
- Limit access to authorized users.
- Do not run other programs on the same computer as the VM. Encryption can use a lot of resources plus you would be opening yourself up to additional security risks.
How do I configure my postfix server to work with GoodCrypto?
- Connect to your Goodcrypto Server website
- Sign in with the credentials for the administrator
- Click the Mail menu
- Click the MTA configuration button
- Click the For your Postfix server tab
- Copy and paste your postfix configuration to your GoodCrypto private server.
- Then copy the changes back to your mail server.
- Restart postfix and you're done.
If you have multiple servers, you may prefer to run a script on each mail server. You can automate this alternative.
To make sure you don't lose any mail while you test the new configuration, GoodCrypto configures postfix to "soft bounce" messages. This means that if there are issues after you change your configuration, your mail server will tell the sender's mail server to try again after a few hours. Once you're happy that the configuration is working as expected, you can remove the soft bounce configuration line.
What is the most secure way to configure postfix to work with GoodCrypto?
- Connect to your GoodCrypto private server website.
- Sign in with the Administrator credentials.
- Click on Mail.
- Click on Postfix changes. This button only appears if you're logged in as the administrator. (If you don't see this button, then we recommend you download the latest ISO or run the script to update postfix.)
- Enter the IP address for your GoodCrypto private server.
- Copy the full contents from your postfix server's configuration files into the matching fields.
- Click Generate config changes.
- Review the changes and then copy the full contents from each field into the appropriate file on your mail server.
- On your mail server, issue the command newaliases
- Restart postfix.
- Send a message to someone outside of your domain to verify that postfix is working.
- Once you are comfortable, you can remove the "soft_bounce = yes" line from /etc/postfix/main.cf
We strongly recommend that you configure your SMTP/IMAP/POP servers and clients to default to TLS.
Is there a script to configure postfix to work with GoodCrypto?
Yes.
- Verify your mail server has the requirements. If not, then use the cut and paste method to configure your server.
- Download the postfix configuration script. The program automatically makes a backup copy of your existing postfix configuration before making any changes to the configuration files. It also configures postfix to "soft bounce" any messages in case of unexpected issues.
- Verify the downloaded file:
- Filesize: 26,445 bytes
- SHA512(/var/local/projects/goodcrypto/website/src/server/goodcrypto-postfix.tgz)= 4f86f2fdf8ac00da8a4126e2e269c5d56b96d9f410d91af45b47f794c81242f831f81ab42a9dd7dd0251f0e43c5a807704fee76e915c716bba9eac020fb8cd28
- SHA256(/var/local/projects/goodcrypto/website/src/server/goodcrypto-postfix.tgz)= 8d85dc214f50a32d98ce864dd58b310f7e64eab42b720887c5e78c7cb571ae47
- MD5(/var/local/projects/goodcrypto/website/src/server/goodcrypto-postfix.tgz)= 3102f0409cd2e284798157272644b405
- PGP signature: tgz sig
- Move the downloaded file to the computer that runs postfix for your mail server
- Expand the file using the command: tar xvzf goodcrypto-postfix.tgz
You will see a new subdirectory named config-postfix. - Change to the config-postfix subdirectory.
- The postfix-gc script makes a backup before changing anything.
With root or admin privileges, run
postfix-gc IP_ADDRESS_FOR_YOUR_PRIVATE_GOODCRYPTO_SERVER
Replace IP_ADDRESS_FOR_YOUR_PRIVATE_GOODCRYPTO_SERVER with the IP address of your GoodCrypto private server. - Review the postfix configuration files. If everything looks ok, then restart postfix. If you have any problems, you can restore your original configuration by copying the original files from the Backup directory in /etc/postfix.
- Send a message to someone outside of your domain to verify that postfix is working.
- Once you are comfortable, you can remove the "soft_bounce = yes" line from /etc/postfix/main.cf
We strongly recommend that you configure your SMTP/IMAP/POP servers and clients to default to TLS.
Requirements
- a working postfix configuration with TLS support. If you don't have postfix configured for TLS. Learn more at postfix.org
- postfix's configuration files are in /etc/postfix. If your files are in a different location, let us know.
- python 2.7 or later installed. If you're running on Windows and you do not have it installed already, then you can https://www.python.org/downloads/windows/ Unix and Mac users should already have python installed.
- you can run the program with root or admin privileges
How do I configure exim to work with GoodCrypto?
Exim4 support is experimental.
- Edit /etc/exim4/update-exim4.conf.conf so the dc_local_interfaces line includes ; GC_PRIVATE_SERVER_IP.10028 before the closing quote mark. Change GC_PRIVATE_SERVER_IP to the IP address of your GoodCrypto private server.
- Download the GoodCrypto router and save it in /etc/exim4/conf.d/router directory
- Download the GoodCrypto transport and save it in /etc/exim4/conf.d/transport directory
- Restart exim and you're done
How do I configure the mail server to work with GoodCrypto and other filters?
GoodCrypto's filter should be the first filter for inbound mail and the last filter for outbound mail.
If you want other content filters to run (e.g., an antivirus filter), then we recommend you either follow Wietse Venema's (the author of postfix) advise configure a separate instance of postfix for each filter or use a third party product like Amavisd-new.
How do I configure my firewall for GoodCrypto?
GoodCrypto comes with a preconfigured firewall. Your own firewall needs to allow access to the server.
You'll need to open the following ports for the GoodCrypto machine:
Port | Interface | Direction | Purpose |
---|---|---|---|
9151 | tcp | in | tor |
8398 | tcp | in | web proxy |
8080 | tcp | in | server website |
8443 | tcp | in | https for website |
10025 | tcp | in | milter port |
10026 | tcp | out | milter port |
11371 | tcp | in | hkp port (used by keyservers) |
The directions in and out are from the viewpoint of your GoodCrypto Server.
Also, if you run GoodCrypto in a VM, we recommend a firewall on the computer that runs the VM with the same ports open. These ports assume the hypervisor is not running as root.
How do I configure my browser to reduce tracking?
We strongly recommend that you ask your administrator to help configure your browser using the proxy settings:
Proxy Settings
HTTP Proxy: | Your GoodCrypto private server IP address | 8398 |
SSL Proxy: | Your GoodCrypto private server IP address | 8398 |
FTP Proxy: | leave blank | 0 |
SOCKS Host: | Your GoodCrypto private server IP address | 9350 |
Chrome
- Click on the menu and select Settings
- Click on the Show advanced settings link
- Under the Network section, click Change proxy settings
- Select "Manual proxy configuration"
- Fill in the proxy settings
- Uncheck "Use this proxy for all protocols" after "HTTP Proxy".
- Select "SOCKS v5".
Firefox
Edit / Preferences / Advanced / Network / Settings
- Select "Manual proxy configuration"
- Fill in the proxy settings
- Uncheck "Use this proxy for all protocols" after "HTTP Proxy".
- Select "SOCKS v5".
How do I import my GoodCrypto private server's web certificate?
We strongly recommend that you ask your administrator to help configure your browser.
After saving the certificate from your GoodCrypto private server and verify the fingerprint, then follow the detailed instructions for your browser:
If you're using a browser not listed above, then search online for instructions about importing a root certificate.
Chrome
- Click on the wrench icon, select Options, and select Under the Hood
- Scroll down to Security section and click on the Manage certificates button.
- Click on the Import button and use the Certificate import wizard to import a certificate.
- Click Next, use the Browse button to locate the file that you saved in Step 1 of these instructions, and highlight the filename.
- Click Next to continue with Certificate Import Wizard.
- Select the Trusted Root Certification Authorities store.
- Click the Finish button to complete the process.
- Close all the windows and dialog boxes until you have returned to your main browser window.
 
Internet Explorer
- Navigate to any site that uses TLS/SSL (i.e., https).
- IE will display a warning that, "There is a problem with this web site's security certificate."
- Click the, Continue to this website (not recommended) link.
- Once the page has loaded, look to the right of the address bar. A red/pink button, labeled Certificate Error, should be visible. Click that button.
- A pop-up, titled Untrusted Certificate, will appear. Click the View certificates link at the bottom of the pop-up.
- Another pop-up, titled Certificate, will appear.
- Click the Install Certificate… button.
- The Certificate Import Wizard will be started. Click the Next button.
- For XP: Leave Automatically select the certificate… option selected, and click the Next button.
- For Vista/Windows7/Windows8:
- Choose Place all certificates in the following store option, and click the Browse button.
- Choose the Trusted Root Certification Authorities store and click OK.
- Click the Next button.
- This should display the Completing the Certificate Import Wizard dialog. Click the Finish button.
 
Firefox
- From the menu, select Preferences / Advanced / Certificates.
- Click the Import button.
- Locate the certificate file that you saved earlier. Click the filename and Open it.
- If Firefox pops up the warning, "This certificate is already installed as a certificate authority", then click here
- Another dialog will pop up that asks, "Do you want to trust "CA Cert Signing Authority" for the following purposes?".
- Add a check mark in the Trust this CA to identify web sites box and click the OK button.
- Close all the windows and dialog boxes until you have returned to your main browser window.
- Select Preferences from the Edit menu.
If you're running Firefox on Mac, then select Preferences... from the Firefox menu. - Click the Advanced icon at the top of the dialog box.
- Click the Encryption tab, and then the Authorities tab.
- Click the View certificates button.
- Continue from Import above.
 
Safari
- Navigate to any site that uses TLS/SSL (i.e., https).
- Safari will pop up a window that says, "Safari can't verify the identity of the website "???".
- Click the Show Certificate button.
- Verify the information is for ???
- Add a check mark in the Always trust "???" when connecting to "???" box.
 
Android
- Copy the certificate file to the /sdcard folder. You can use the file manager or adb push.
- Go into adb shell ( adb shell from commandline), or open the 'terminal'-application on your android device. You will get a command prompt similar like shell@android:/ $ Gain superuser/root rights, neccessary to perform privileged actions: su Make the /system folder writable (will return to read-only upon reboot): mount -o remount,rw /system Copy the new certificate files to the correct folder on your Android device: cp /sdcard/5ed36f99.0 /system/etc/security/cacerts/ cp /sdcard/e5662767.0 /system/etc/security/cacerts/ Correct the file permissions to u=rw, g=r, o=r: cd /system/etc/security/cacerts/ chmod 644 5ed36f99.0 chmod 644 e5662767.0
- Look for the Preferences or Options for your browser.
- You'll likely find a tab or button which lets you manage certificate or
- Close all the windows and dialog boxes until you have returned to your main browser window.
 
Opera
- Click on the wrench icon, select Options, and select Under the Hood
- Scroll down to Security section and click on the Manage certificates button.
- Click on the Import button and use the Certificate import wizard to import a certificate.
- Click Next, use the Browse button to locate the file that you saved in Step 1 of these instructions, and hightlight the filename.
- Click Next to continue with Certificate Import Wizard.
- Select the Trusted Root Certification Authorities store.
- Click the Finish button to complete the process.
- Close all the windows and dialog boxes until you have returned to your main browser window.
How do I sign in to my GoodCrypto Server?
- Connect to the Goodcrypto Server website.
- Click the Sign in menu
- Enter the email address and password that you received via email from your GoodCrypto Server or if you're the administrator, then the email address and password you supplied when configuring your GoodCrypto Server.
Reminder: GoodCrypto never receives a copy of passwords used by your GoodCrypto Server so keep them in a safe place.
How do I install my GoodCrypto private server?
- Download the ISO
- Install the ISO on a new computer or in a virtual machine
- Use your browser to go to the IP address at port 8080 for the computer where you installed the ISO. If your browser reports the site it not accessible, wait a few minutes and try reloading.
-
It's better to go connect via https with port 8443, but remember that your private server has a self-signed cert so you'll need to have your browser accept the cert.
- Enter an email address that uses the domain you want to protect on your GoodCrypto private server.
This address will be used to receive notices (e.g., error messages) from your GoodCrypto private server. You may also opt to receive security alerts from GoodCrypto at this address. - Follow the instructions on your private server to finish the integration.
How do I secure my GoodCrypto private server?
Your GoodCrypto private server reduces the vectors of attack by limiting the software installed on the server to the bare minimum. For example, the server does not include ssh and includes a firewall to restrict access.
Your primary concern should be securing the computer running GoodCrypto and keeping up-to-date with security releases.
The most secure way to operate GoodCrypto is on a headless machine. Regardless where you've installed your server it should be behind a well secured network firewall and with limited physical access.
Keeping all security software current is essential so you're not exposed to vulnerabilities.
Other suggestions...
- You should not add any other software to your server
- If you're running GoodCrypto in a VM, then don't have any other software running on the computer.
- Change the Mail | Options on your GoodCrypto server's so users must sign in to verify fingerprints and export keys. This will reduce unauthorized users from figuring out your group's contacts.
How do I backup the data from my server?
Your backup procedure depends on where you've installed your GoodCrypto private server.
Stand alone computer
It's best to back up the entire drive where you installed GoodCrypto. This will make restoration quick and easy. If you are limited in space and you have physical access, then you can just backup /media/drive/persistence.Virtual machine
You simply need to back up the the VDI file that you created when you set up the virtual machine.
How do I trouble shoot my GoodCrypto server?
Regardless how many tests we run or how long we operate a GoodCrypto private server, there are times when something goes wrong. If you're experiencing any difficulties, we're eager to resolve them.
The best way to trouble shoot is to review the knowledge base to see if this is a known issue.
Forbidden (403) CSRF verification failed. Request aborted.
Allow cookies for the site you're trying to access.
GoodCrypto uses cross-site request forgery (CSRF) verification to prevent someone from exploiting the trust that a site has in a user's browser.
EXT4-fs (sda): VFS: Can't find ext4 filesystem
You may see this message while booting the the GoodCrypto private server.
It may take a few more minutes for the server to boot, but if it boots with a message about "What to do next", then you can safely ignore this message.
How do I know if a message I send will be encrypted?
Check if you have an encryption key for your contact.
- Browse to your GoodCrypto private server.
- Click "Mail"
- Under "Keys" click "View ID"
- Enter your contact's email address.
How do I verify a message arrived privately?
GoodCrypto adds a tag with a unique validation code at the bottom of each message it decrypts.
It would be easy for someone else to fake a message so it appears that the message arrived privately when it didn't. Only the recipient of the message can verify that it was received privately.
If your administrator entered the URL for your GoodCrypto private server in the GoodCrypto private server options, then a URL is included at the bottom of the message which lets you confirm the message was received privately by your GoodCrypto private server. You must sign in with the email address of the recipient of the message to verify the status.
If you only see the unique validation code, then connect to your Goodcrypto Server website, sign in with the credentials for the user that received the message, click the Mail menu and then the Verify button next to Private messages, and enter the validation code.
If you do not know the validation code, then click the Received button next to Private messages. You'll see a list of all messages that you received securely. The list shows the sender's email address, date, message id, and validation code.
How do I confirm a message was sent privately?
Only the sender of a message may confirm if a message was sent privately.
- Connect to your Goodcrypto Server website
- Sign in with the credentials for the user that sent the message
- Click the Mail menu
- Click the Sent
- Scan for the recipient's email address, date, and message-id from the header of the message
What do I do with a key someone sent me?
If you encounter one of those rare, brave people who isn't using GoodCrypto Mail but is using encryption, you'll need to import their public key before mail to them will be protected.
- Ask them to send you their public key as an attachment.
- Browse to your GoodCrypto server website.
- Click Mail menu.
- Click the Import button.
- Click the Browse button and select the file name.
- Verify their key
Of course, the easiest way to exchange keys is to suggest the other person install GoodCrypto Server, too. Keys are automatically exchanged.
How do I send my key to someone?
If the recipient isn't using encryption yet, then ask them to install GoodCrypto, exchange messages with them until you both receive email letting you know future communication will be private. That's it. GoodCrypto automatically exchanges keys for both of you unless your administrator configured GoodCrypto not to exchange keys.
If the other person isn't using GoodCrypto or your aren't using the auto-exchange featuren, then you can still exchange keys manually. Export your key and email the file to them. Ask them to send you their key, and then import it.
How do I verify a key, or a fingerprint?
For safety, verify keys in at least two ways.
The most common way is when your contact appears to have successfully read a message you encrypted to them, but you need at least one more verification to be safe.
Ask the contact to provide their public key or its fingerprint through a channel other than email. The key or fingerprint must match your own copy. Compare fingerprints as described below.
Best is face to face. Other examples are for them to publish their key's fingerprint on a public site or service, or provide it by phone, SMS (if encrypted), or snail mail.
If you are verifying by hand, the longest version of the fingerprint is best. You don't have to verify the whole key by hand. A fingerprint is a really good summary of a key. If you verify the key's fingerprint, you have verified the key.
If you got a public key from a web site, it doesn't help much to verify using a fingerprint from the same web site. An attacker can spoof the web site and provide a matching fake fingerprint.
To compare a fingerprint using GoodCrypto:
- Browse to your GoodCrypto server website.
- Click on the Verify fingerprint; if the button is not on the screen, then click the Mail menu
- Type in the email address and click the Verify button.
- A fingerprint and a key summary are the same thing. Compare the Key summary with the other person's Key summary. Ignore spaces and whether a character is upper or lower case. Otherwise they must match.
- If they don't match, do NOT use that key to communicate.
- If the fingerprint is not flagged as verified and you have verified it, then you should flag the fingerprint as verified in the database
If the other person is also using GoodCrypto Mail, then they should follow this same procedure. Otherwise, they must use their encryption software program to get the key summary, known as the fingerprint in most encryption software, for the matching email address.
How do I mark a key as verified?
You must be logged in to mark a key as verified.
- Connect to the Goodcrypto Server website.
- Sign in
- Click on Mail in the menu
- Click on Fingerprint
- Enter the Email address and select the type of encryption
- Add a check mark to Verified
- Click OK
How do I import a key?
You have two options: import a key from a file or import it from a keyserver. It's probably most reliable to ask your contact to export their key into a file and send it to you.
If your contact has stored their key on a public keyserver, then you can import the key from the keyserver. You can use their email address to find their key, but it's more reliable if you use their fingerprint. If your GoodCrypto private server can't find the key on the keyserver, then ask which keyserver the key is on. Then ask your mail administrator to add that server to your private server.
How do I import a key from a file?
- Connect to your Goodcrypto private server website.
- Sign in
- Click on Mail in the menu
- Click on Import key
- Click on From file tab
- Click on Browse
- Select the key file that you want to import
- Select the type of key (PGP and GPG are the same for this purpose)
- Optionally, enter the user's name
- Optionally, enter the fingerprint if you'd like it automatically marked as verified
- If you're importing a private key, then you must enter the matching passphrase. Otherwise, leave the field blank.
- Click on Import
- If successful, a message appears with the email address of the key and you're ready to import another key if you want
You can also import a key from a keyserver.
How do I import a key from a keyserver?
- Connect to your Goodcrypto private server website.
- Sign in
- Click on Mail in the menu
- Click on Import key
- Click on From keyserver tab
- Enter the email address or the key's fingerprint
- Select the type of key (PGP and GPG are the same for this purpose)
- Click on Search and import
- The process can take a long time depending how many keyservers must be searched. You'll receive email with the results. Connecting to keyservers can be unreliable so you may need to try a few times.
You can also import a key from a file.
How do I import a private key?
- Export your public and private key into one file. The public key must be the first key in the file.
- Import the key into your GoodCrypto private server.
Be sure to enter the matching passphrase when you fill out the form to import your key.
How do I export a public key?
- Connect to the Goodcrypto Server website. You may need to sign in if the administrator is using tight security for your server.
- click on the Mail menu
- click on Export key
- type in the Email address
- select the Encryption software (GPG and PGP are the same for this purpose)
- click on Export
- select a location and name for the file that will contain the key
- click on Save
How do I simplify managing keys?
Use the defaults for auto exchanging keys and creating keys.
- Connect to the Goodcrypto Server website.
- Sign in
- Click on Mail in the menu
- Click on Options. This button only appears if you sign in as an administrator.
- Click on the MTA address
- Add a check mark to Auto-exchange keys if there isn't one
- Add a check mark to Create private keys if there isn't one
- Click Save
How do I manage the keyservers?
- Connect to the Goodcrypto private server website.
- Sign in with the administrator credentials
- Click on Mail in the menu
- Click on Keyservers button. This button only appears if you're logged in as the administrator.
- You can add, change, or delete keyservers. If you don't want to delete a keyserver, but no longer use it, then simply remove the Active check mark while editing it.
How do I configure GoodCrypto to create private keys automatically?
- Connect to your Goodcrypto private server website.
- Sign in
- Click on Mail in the menu
- Click on Options button. This button only appears if you're logged in as the administrator.
- Click on the MTA address
- Add a check mark to Create private keys if there isn't one
- Click Save
GoodCrypto will automatically create a private key, if one doesn't exist, whenever a user sends email to anyone.
Key generation can take a minute or more so after the first message is sent, the user probably wants to wait a few minutes before sending another.
If you elect to turn off automatic key generation in the Options. If you elect to do this, then you'll need to generate the keys manually.
How do I manage contacts?
Your GoodCrypto private server adds a record in the database every time someone sends or receives private email. Each record shows the type of encryption the contact uses and their fingerprint.
Also, the administrator can flag each contact so email must always be encrypted or never be encrypted. This allows you to maintain the appropriate level of security on a person by person basis.
If there's a contact that you know you never want to send encrypted email, then you might want to add that contact and select the "Never encrypt" option.
- Connect to the Goodcrypto Server website.
- Sign in with the credentials you supplied when you configured your GoodCrypto Server
- Click on the Mail menu item
- Click on Contacts
- Don't forget to sign out when you're finished.
How do I manage users?
Your GoodCrypto private server automatically creates a user every time someone in your company sends or receives email. Each user receives a message with their credentials when their account is ready. Of course, the administrator can also add or delete users manually, too.
- Connect to the Goodcrypto Server website.
- Sign in with the credentials you supplied when you configured your GoodCrypto Server.
- Click on the Mail menu item.
- Click on Users
- Click on Add user
- Fill in all the information, including the email address field for the user
If you'd like to follow the convention that GoodCrypto uses, then the username and email address will be the same. - Don't forget to sign out when you're finished.
Can I change the mail options?
Yes.
You must be logged into your GoodCrypto private server with administrative privileges to see or change any of the options.
How do I change options for GoodCrypto Mail?
You must have administrative privileges to change options.
- Connect to your Goodcrypto Server website.
- Sign in
- Click on Mail in the menu
- Click on Options button. This button only appears if your signed in as an administrator.
- Click on the MTA address
What options are available for encryption and decryption?
Mail server address: The ip address for your mail server (i.e., the server running postfix or exim for your mail).
GoodCrypto server url: The full url, including port, to access your GoodCrypto server.
Metadata and Traffic Analysis Protection
Encrypt metadata: When enabled, GoodCrypto protects all the metadata, except the date, the domain address for each group, and basic email header details (like originating server) when it sends messages to recipients with compatible software Learn more about how metadata protection works.
Padding and packetization: If enabled, then GoodCrypto holds messages for each domain it has a special "metadata key". On a regular schedule it combines the individual messages going to a domain, pads them to a standard size to create a single message, encrypts the message that protects all the messages and hides all individual metadata, and sends it.
If there are no messages that need to be sent to a domain, then a message is still sent at the regular schedule.
Learn more about traffic analysis protection.
Packet size: The minimum size of the message containing one or more messages. If the total of pending outgoing individual messages are too big for a single standard group message, unsent messages are queued for later. If a message is bigger than the group message size it is returned to the sender with an explanation.
Frequency: The schedule packetized messages will be sent.
Tighter security
Require outbound encryption: If enabled, then GoodCrypto requires all outbound mail be encrypted. This means that if someone sends a message and there is no key for the recipient, then the message will bounce to the sender.
Require verify new key: If enabled, then GoodCrypto requires that you must log into your GoodCrypto private server after you verify a new key and add a check mark that they key has been verified. If someone tries to send a message to a contact with an unverified key, then the sender's message is returned to them with details about how to proceed.
Require login to view fingerprint: When enabled, GoodCrypto requires that you login to your GoodCrypto private server to view a fingerprint, also known as a key id. Your GoodCrypto private server should be behind your firewall configured so only your own people can reach it. But if you do not require login, it is possible that an unauthorized person could learn which individuals communicate securely.
Require login to export keys:If enabled, then you must login to your GoodCrypto private server to export a fingerprint, also known as a key id. Your GoodCrypto private server should be behind your firewall configured so only your own people can reach it. But if you do not require login, it is possible that an unauthorized person could learn which individuals communicate securely.
Filter HTML: When enabled, GoodCrypto removes known malware vectors from encrypted, inbound email. This is not a replacement for spam and virus filters.
We strongly recommend that you run anti-spam and anti-virus software after GoodCrypto runs so unencrypted messages can be checked and filtered.
Signatures
Clear sign mail: If enabled, then GoodCrypto adds a GPG signature after an outbound message is encrypted. If you're not protecting your metadata, then clear signing makes it easier to track your messages.
All encrypted messages are also signed as part of the encryption if the sender's key exists at the time of encryption. When signing is done as part of the encryption, instead of clear signed, then the recipient will know the message was encrypted by the sender, but not someone who intercepts the message will not be able to determine the sender's signature.
Add DKIM signature: When enabled, GoodCrypto adds a DKIM signature to each outbound message. Many large companies rely on DKIM signatures to identify whether a message originated from the sender. We'd also advise that you add SPF support to your DNS configuration to add further credibility to your messages.
Verify DKIM signatures: If enabled, then GoodCrypto verifies the first DKIM signature of each signed message. If the message passes verification, then a tag is added to the bottom of the message and the signature is removed from the header so other filters don't inacurrately report the signature was bad.
DKIM delivery policy: If an inbound message contains a DKIM signature and you enabled verify DKIM signatures, but the key does not verify for any reason, then you can decide whether to drop the message or delivery it with a warning.
If the message is dropped, then it is not delivered and the sender is not informed about the error. The reason that GoodCrypto does not report the error to the user is because some spammers use bounced messages as a way to abuse mailing systems.
DKIM public key: The public key for your domain used by DKIM. You must include this key in a TXT record for your domain. The selector is mail, the hash code is rsa-sha256, the key type is rsa>, and the key length is 2048 bits.
Other
Use keyservers: If enabled, then GoodCrypto will check the active keyservers to find keys for contacts without keys. If a key is found, then the first user who tried to send a message to that contact receives email alerting them about the new key.
This option does not impact whether someone can import a key from a keyserver.
Enable diagnostic logs: If enabled, then GoodCrypto logs the encryption and decryption process.
We strongly recommend that you only enable this option if you're having trouble with GoodCrypto or processing messages. Logs may contain sensitive data.
How do I know whether my mail's metadata will be protected and traffic analysis stopped?
- Go to your GoodCrypto private server.
- Sign in
- Click the Mail menu item or button.
- Click the Protection button to see which options your administrator has configured.
- Check if your contact's company is also ready to protect metadata and stop traffic analysis.
How do I know if a contact is ready to protect metadata and stop traffic analysis?
- Go to your GoodCrypto private server.
- Sign in
- Click the Mail menu item or button.
- Click the Metadata button.
- If you see the domain for the contac's email (i.e., the portion to the right of the @ sign) in the list, then you know that messages to this company will be protected if your company is protecting your metadata and stopping traffic analysis.
- If you don't see the domain for the contact's email, then you can exchange one or two messages with them (which will not have metadata protection) and then recheck if the domain is in the list. Or, you can use another form of communication then email, and exchange keys manually for the _no_metadata_ key for each domain.
Remember that until other packages implement the open source protocol for metadata protection, you will need GoodCrypto on both ends. Encourage others to use GoodCrypto so your mail is fully protected.
How do I verify an outgoing message will be protected
- Go to your GoodCrypto private server.
- Click the Mail menu item.
- Click the View ID button. If your administrator requires you to sign in, then use the credentials you received via email from the GoodCrypto Mail Daemon.
- Enter your contact's email address and click OK.
The message will be sent privately if:
- you see the contact's fingerprint
- the key is active
- the key is verified or the key is not required to be verified
Your message may still be sent privately if the contact's company is protecting metadata via GoodCrypto. Any messages sent to a domain that has metadata protection have the body of the message protected, too. Learn how to see if a company is ready to protect metatdata.
How do I control whether an outbound message is encrypted or not?
The administrator has a lot of flexibility about when encryption is used. Of course, the recipient or the recipient's company must also being using encryption for any messages to be encrypted.
You can require all outbound message be encrypted by going to the Mail | Options and adding a check mark to the appropriate field. Of course, it's not likely that everyone you exchange messages will also be using encryption so you can add each email address to the Mail | Contact list and select Never to the Encrypt to contact field.
You can also decide that there are particular individuals that you only want to exchange encrypted message. Again, add a Contact and select strong>Always to the Encrypt to contact field.
Here's a chart showing how the global option Require outbound encryption, and a Contact's Encrypt to contact fields impact which messages are sent as plain text, which are encrypted, and which will bounce to the sender.
Of course, if the recipient's system is also using GoodCrypto and you are protecting metadata, then all messages to the recipient's system will be encrypted regardless of the other global or contact's settings.
Require outbound encryption
|
Encrypt to contact
|
Have public key for contact
|
Action
|
---|---|---|---|
No | Always encrypt | No | Bounce to sender |
No | Never encrypt | No | Send plain text message |
No | Use global setting | No | Send plain text message |
Yes | Always encrypt | No | Bounce to sender |
Yes | Never encrypt | No | Send plan text |
Yes | Use global setting | No | Bound to sender |
No | Always encrypt | Yes | Send encrypted message |
No | Never encrypt | Yes | Send plain text message |
No | Use global setting | Yes | Send encrypted message |
Yes | Always encrypt | Yes | Send encrypted message |
Yes | Never encrypt | Yes | Send plain text message |
Yes | Use global setting | Yes | Send encrypted message |
"Your system has already been customized."
The GoodCrypto Server has already been configured. You cannot configure it multiple times.
You can adjust the MTA address after the initial configuration.
- Go to your GoodCrypto Server's website.
- Sign in
- Click on Mail in the menu.
- Click on Options. This button only appears if you log in as an administrator.
- Change and save the MTA address.
- Logout.
"Unable to configure GoodCrypto Mail"
Something unexpected has happened and we'd like as much information about the computer you're running your GoodCrypto private server to help us identify the challenge.
Why aren't private keys created?
There are a few possibilities so check:
- Is GoodCrypto Mail active? Go to the GoodCrypto Server's website and click the Status menu item.
- Do you have the Mail Options set to create private keys? If not, enable this option from your GoodCrypto Server's website. Click the Mail menu item, and then click "Options".
- If there was an error while the key was being created, then a semaphore might have been left in the queue.
Postfix log shows "Relay access denied"
Check the mail server address, also know as the MTA address, is set correctly.
- click on Mail in the menu
- click on Options button
- login
- verify the MTA address so it matches the address of the computer where postfix runs
- if the MTA address is wrong, then click on it and adjust it
What do I do when postfix reports, "Cannot assign requested address"?
You should remove the IP address before the port in your /etc/postfix/master.cf. For example, if the line now reads:
12.167.295.8:10026 inet n - n - 10 smtpdChange the line to look like this:
:10026 inet n - n - 10 smtpdIf you are running multiple instances of postfix, then you should also consider adding the following line to the main.cf for the postfix configuration that is reporting the error:
smtp_bind_address = 0.0.0.0
Message contained a bad GPG key in header
If you receive this message, you should look very carefully at the attachment. It's possible that someone has included a key for another user in the header. GoodCrypto will only import a key if the sender matches the key. If you participate in a mailing list, then you might see this message because some mailing list servers forward messages with the original headers. You can simply ignore it.
Undelivered Mail Returned to Sender. This is the mail system at host goodcrypto.private.server.
You should only receive this message if something unexpected happened on your GoodCrypto private server.
We would love you to forward the message to us after you replace any personal email addresses and IP addresses with XXX.
If you look at the bottom of the message you may find some details that you can act upon. For example, if the GoodCrypto private server runs out of memory, the message will include, "Cannot allocate memory". You'll need to add memory to the server.
I got a message from a GoodCrypto user. Why didn't I get their key?
Their key probably hasn't been generated yet.
It takes a while to generate and exchange keys.
Your messages from someone aren't encrypted until they have your key. They get a message from you with a line added by GoodCrypto saying "You received a new public key." After that, messages from them to you will be encrypted. Not before.
"Secure Connection Failed . . . Your certificate contains the same serial number as another"
Restart your browser
This appears to be a false alarm that happens when your GoodCrypto Private Server is rebooted.
If the error shows again after you restart your browser, reboot your own system.
If you see the same error again right after you reboot, it's probably real. Follow the instructions on the screen.
Sometimes this error is temporary. It disappears when you restart your browser or reboot. Or it may be a real attack.
"This Connection is Untrusted . . . because no issuer chain was provided."
Firefox says no issuer chain.
See "Secure Connection Failed . . . Certificate . . . is invalid."
"Secure Connection Failed . . . Certificate . . . is invalid."
Firefox claims certificate is invalid.
Try IBM's simple fix:
- Type about:config in the Firefox address bar to access Advance settings. Read the warning presented, and then click the "I'll be careful, I promise" prompt to accept and proceed.
- Scroll down to security.use_mozillapkix_verification and set it to false. Double-click to toggle its value (or, right-click on it and select Toggle)
IBM has more suggestions.
Firefox Error codes:
- sec_error_extension_value_invalid
- sec_error_ca_cert_invalid
- sec_error_unknown_issuer
"Broken pipe" in browser
Try to load the page again.
A broken pipe while sending data usually means the browser quit listening. The browser may have timed out or the user may have canceled the request.
Example:
2013-10-22 19:09:21,655 DEBUG self.request.sendall(self.mitm_response(res)) 2013-10-22 19:09:21,655 DEBUG File "/usr/lib/python2.7/ssl.py", line 229, in sendall 2013-10-22 19:09:21,659 DEBUG ---------------------------------------- 2013-10-22 19:09:21,660 DEBUG v = self.send(data[count:]) 2013-10-22 19:09:21,660 DEBUG File "/usr/lib/python2.7/ssl.py", line 198, in send 2013-10-22 19:09:21,661 DEBUG v = self._sslobj.write(data) 2013-10-22 19:09:21,661 DEBUG error: [Errno 32] Broken pipe
"Secure Connection Failed . . . Peer's certificate has an invalid signature."
Import the new web certificate.
- In your browser, delete the "GoodCrypto Private Server" certificate.
- Import the new certificate. See How do I import the web certificate