
For a beginner, how can I encrypt a password text into a cipher text that I would send via an email to someone, such that they can decrypt locally (offline) and read the password?

To clarify, the intent is not to encrypt the whole email (irrespective of the service being used), but to just send the password itself in an encrypted format as opposed to a plaintext form, to be on the safe side. Can OpenPGP be used here? (Say, for a Linux based OS). I admit I don't know what key (and encryption protocol) I should share with the other party, so that they can decrypt, and how to share the key.

Any advice or pointers towards tutorials for such purposes would be highly appreciated.


Important details:

  • I don't have a public key from the recipient.
  • Nor do we have a pre-shared secret. (How can I establish one, assuming I have other means of communicating with the other party, other than email I mean, for instance sharing a secret on a piece of paper, or via an encrypted call, etc.?)
user929304
  • This depends on what information your have or share with the recipient. PGP or S/MIME can be used if you've got an appropriate public key/certificate of the recipient and can trust it based on the various trust models PGP and S/MIME offer. If you have a shared secret already you can use this to encrypt the key. Thus, please provide the information on what you already have or what you can arrange to have. – Steffen Ullrich May 03 '18 at 12:16
  • @SteffenUllrich very good remark, I'll update it at once, thanks. – user929304 May 03 '18 at 12:20
  • Does this answer your question? [Sending passwords to someone remotely](https://security.stackexchange.com/questions/58509/sending-passwords-to-someone-remotely) – RemarkLima Mar 13 '21 at 08:57

3 Answers

3

To do this securely, you'll need to either

  1. Create a PGP certificate or S/MIME certificate, share it with the user, and then share content via email encrypted using PGP or S/MIME.

Or

  2. Share a shared secret with the recipient ahead of time - by phone is probably the easiest way. I'd recommend a 6 word or longer EFF Diceware password, but this will vary based on your threat model. A good tool for generating one can be found at https://www.rempe.us/diceware/#eff, although you can use whatever tool you want.

    After you share this shared secret, you can use any number of file-encryption (or email encryption) tools to send a document encrypted using the shared secret. I'm partial to ProtonMail because of its ease of use, but truly any reputable file encryption or encrypted email solution is fine.

    Alternatively, you can also use a tool like Sync.com or another file-sharing site that allows encrypted transfer and password protection. Truly, the important and difficult part is getting the shared secret out there in the first place.

If your recipient isn't computer savvy, #2 is probably the easier workflow. All they have to do is click a link and type a password consisting of only common English words.

  • Thanks a lot. I'd rather not have to rely on some websites, so I'll tend to learn more about the first suggestion, any introductory tutorials you'd personally recommend for that? (how to create the certificate, say in Linux, so on so forth.) Or at least somewhere where a dummy example is showcased. Thanks again. – user929304 May 03 '18 at 14:29
  • It's been a long time since I've had a reason to do anything with PGP, sorry. I'd just be googling for links. – Monica Apologists Get Out May 03 '18 at 17:49
  • The problem being: if you have some secure channel over which you can send an encryption password or PGP key, then you could also just as easily (or more easily) just share the password at that time. So unless you plan on continuing to send encrypted information via email, this isn't really needed. – Ben May 03 '18 at 19:19
  • I would also suggest to use an OTP ... One Time Password. – aurelien Nov 12 '19 at 09:41
  • Or, assuming the secure channel is a phone call, you could encode the data in Base32 and then read the bytes out to the user on the other side, who then types the data and finally decodes it. Saves sharing a password. – ig-dev Nov 12 '19 at 09:43
  • That sounds like sharing a password but with extra steps. – Monica Apologists Get Out Nov 13 '19 at 18:11
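Option #2 of the answer above, carried out with OpenPGP symmetric encryption as the question asks about: the Diceware passphrase agreed by phone is the only thing the recipient needs, and the armored output is what goes in the email. This is an added example, not code from the answer; it assumes GnuPG 2.1+ is installed, and the file names and sample secrets are constructed.

```shell
#!/bin/sh
# Added example: password-based (symmetric) OpenPGP encryption with gpg.
# Assumes GnuPG 2.1+; file names and sample values are constructed.
set -eu

# Isolated GnuPG home so the example never touches a real keyring.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# encrypt_password <passphrase> <plaintext-file> <out.asc>
# The passphrase is fed on fd 0, never placed on the command line
# (where `ps` could show it). Iterated+salted S2K at the maximum count
# slows down offline guessing of a weak passphrase.
encrypt_password() {
    printf '%s\n' "$1" | gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --symmetric --cipher-algo AES256 \
        --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
        --armor --output "$3" "$2"
}

# decrypt_password <passphrase> <in.asc>  -> prints the plaintext
decrypt_password() {
    printf '%s\n' "$1" | gpg --batch --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --decrypt "$2"
}

# roundtrip <passphrase> <secret>: succeeds if the recipient side
# (decrypt only, no keys) recovers exactly what the sender encrypted.
roundtrip() {
    printf '%s' "$2" > "$GNUPGHOME/secret.txt"
    encrypt_password "$1" "$GNUPGHOME/secret.txt" "$GNUPGHOME/secret.txt.asc"
    rm -f "$GNUPGHOME/secret.txt"     # only the .asc file is emailed
    [ "$(decrypt_password "$1" "$GNUPGHOME/secret.txt.asc")" = "$2" ]
}

# wrong_passphrase_fails <good> <bad> <secret>: succeeds if gpg rejects
# the wrong passphrase instead of returning garbage (MDC integrity check).
wrong_passphrase_fails() {
    printf '%s' "$3" > "$GNUPGHOME/s.txt"
    encrypt_password "$1" "$GNUPGHOME/s.txt" "$GNUPGHOME/s.txt.asc"
    ! decrypt_password "$2" "$GNUPGHOME/s.txt.asc" >/dev/null 2>&1
}
```

The recipient runs only `gpg --decrypt secret.txt.asc` and types the passphrase; no key exchange is involved, which is why the phone-shared passphrase is the whole security of the scheme.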
1

For a beginner, sharing passwords through a password manager is probably the easiest. Each party sets up their own account and they are encrypted in the password manager.

https://blog.lastpass.com/2016/01/tips-for-securely-sharing-passwords.html/

1

Use snappass, a self-hosted open-source web tool made by pinterest to securely share passwords.

It uses a Redis Database (in-memory database) to store the encrypted passwords and a cryptic URL to share. The password can be revealed only once.

Passwords are encrypted using Fernet symmetric encryption, from the cryptography library. A random unique key is generated for each password, and is never stored; it is rather sent as part of the password link. This means that even if someone has access to the Redis store, the passwords are still safe.


With docker-compose installed, it is as simple as:

git clone https://github.com/pinterest/snappass.git
cd snappass
docker-compose up -d

By default, it is available on port 5000. You may want to add some https proxy.

pLumo