End-to-End Crypto Tools
As part of an ongoing series, we’re highlighting the benefits and advantages of various end-to-end encryption tools for messaging, file storage, and secret management.
The modern world is built on a foundation of communication. But this foundation is predicated on shared trust that the communication is reliable. Unfortunately, many parties are involved in delivering a message between any two people, and keeping its content safe as it travels from point A to point B is difficult.
In this series, we have reviewed a number of the end-to-end encryption tools available today. The tools listed below help ensure that only the parties intended to access the data can do so. They are a first step to ensuring your data and messages remain safe and secure.
Messaging and Chat
Most messaging and chat tools used today deal with plain text data. Both the sender and the receiver can read the data easily, but so can any party that helps broker the communication from points A to B. End-to-end encryption ensures that only the parties involved in the conversation can read the messages at all.
WhatsApp is a secure messaging (and phone/video) utility backed by Facebook. It’s free, easy to use, and supported on a wide variety of platforms. Signal is an alternative tool that serves the same purpose and is published by the organization that literally wrote the standards for secure mobile messaging. The app takes a stronger position on data retention, and might be a better choice for some sensitive use cases.
Google’s offering, Allo, supports secure messaging as well. It’s installed on most Android devices by default, so chances are good you’ve already got it set up. However, the end-to-end encryption features are explicitly opt-in. You might turn them on, but people you chat with might not realize they need to. Allo might not be the best option for absolute security, but it’s still an easily available one.
File Storage
Files are long-lived and often rather large, making them more difficult to protect. The end-to-end crypto tools need to be fast when used legitimately. They also need to be strong enough to protect against a determined attacker with plenty of time available.
Luckily, the two primary tools available for full-disk encryption come built-in to the operating systems most of us use. Both BitLocker (Windows) and FileVault (macOS) have easy-to-follow setup instructions and work smoothly out of the box.
Individual files or folders on your machine can be protected with end-user tools like TrueCrypt or VeraCrypt. Developers might use tools like EncFS to set up directories that handle encryption transparently. Other tech-savvy users might leverage the public-key infrastructure provided by Keybase to both encrypt and share files with others as needed.
Email
End-to-end crypto tools for email have to address problems from both the categories above. They have to secure transmitted messages (like chat) over potentially long periods of time (like files).
Luckily, all of the tools needed for secure email are freely available. PGP/GPG is available through many open source libraries and integrates with a wide variety of tools for protecting messages or files. S/MIME is an open standard that’s supported by default in most major email clients.
Services like ProtonMail allow users to manage encrypted email without having to manage their own encryption keys. ProtonMail specifically goes the extra mile to ensure they have zero access to customer data, and even expose a Tor onion site to allow users to access the service anonymously.
Passwords and Secrets
Everyone uses passwords to authenticate against various online services and tools. These small pieces of information are critically important to protect, and the crypto tools that guard them are potentially even more important than the ones listed above.
Password managers like LastPass and 1Password help consumers protect their credentials for everyday use. They also allow for easy sharing of passwords between authorized parties. Utilities like One-Time Secret enable the same kind of credential sharing, but without the requirement for individual user accounts.
Developers can use tools like git-crypt and Amazon KMS to securely encrypt credentials before sharing them with deployed services. Credstash, built atop Amazon KMS, makes this kind of distributed sharing particularly easy for development teams.
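To show the envelope-encryption pattern that credstash and other KMS-backed secret stores rely on, here is an added example; it is not credstash's own code or Amazon's API. A locally held master key stands in for the key that KMS never releases, a fresh data key is generated per secret and stored only in wrapped form, and the secret's name is bound in as associated data. The Record layout, the function names, the 32-byte key sizes, and the use of AES-GCM (credstash itself uses AES-CTR with a separate HMAC) are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Record is one stored secret (layout constructed here, not credstash's own).
type Record struct{ WrappedKey, Ciphertext []byte } // data key under master key; secret under data key
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here, which is a bug
	}
	g, _ := cipher.NewGCM(block)
	return g
}
// seal returns nonce || ciphertext; aad binds the blob to the secret's name.
func seal(key, plaintext, aad []byte) []byte {
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm(key).Seal(nonce, nonce, plaintext, aad)
}
// open fails on a wrong key, a tampered blob, or a blob copied under another name.
func open(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("blob too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], aad)
}
// Put: fresh data key per secret (as KMS GenerateDataKey returns one); only its wrapped copy is stored.
func Put(masterKey []byte, name string, secret []byte) Record {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		panic(err)
	}
	return Record{seal(masterKey, dataKey, []byte(name)), seal(dataKey, secret, []byte(name))}
}
// Get: unwrap the data key (what KMS Decrypt does), then decrypt the secret.
func Get(masterKey []byte, name string, r Record) ([]byte, error) {
	dataKey, err := open(masterKey, r.WrappedKey, []byte(name))
	if err != nil {
		return nil, err
	}
	return open(dataKey, r.Ciphertext, []byte(name))
}
```

Because the master key only ever touches the 60-byte wrapped data key, a real deployment can leave it inside KMS and grant each service permission to unwrap only the records it needs.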
Is it enough?
Encryption, on its own, is rarely enough to protect your data and ensure your privacy. If you only encrypt important information, a would-be attacker knows exactly what files or communications to attack. A vendor’s implementation mistake or a lapse on the part of a sender or receiver can render these targeted messages vulnerable.
The crypto tools listed above will only protect you if used consistently and correctly. The most critical way to ensure data is protected when it truly counts is to leverage end-to-end encryption whenever possible. If an attacker can’t tell the difference between an email containing your lunch order and one containing a stock trade order, they have nowhere to start with a targeted attack.
End-to-end crypto tools protect your data while it’s being transferred or waiting to be used. It’s up to you to use these tools appropriately, consistently, and with frequency. This is the only way to be sure they protect both the content and nature of the data they secure.