On 2020-03-23 at 12:55:15 PM, Achdut18 <achdu...@gmail.com> wrote:

Before I go on and answer your more detailed questions, I urge you to
think about the threat model that you and your colleague have.

As with all things in security--whether online or offline--you will
want to figure out which threats you care about and how much you're
willing to do to protect against and mitigate occurrences of those
threats.

After understanding that, the two of you can then research/ask more
specific follow up questions.

Some questions to get you started:

* What assets need to be protected?

* Who are your potential adversaries?

* What are their capabilities?

* What is the probability and impact of various adverse events?

* What events do you care about trying to counter before they happen?
  Which ones do you only care about mitigating after an occurrence?

* What are the myriad ways you could safeguard/minimize/mitigate
  against these threats?

* What trade-off between spending money, convenience, and robustness
  are you willing to make?

* What level of testing/validation do you need?

* How will you learn and re-assess after you have more experience?
  
Hope this helps, but I won't be offended if the response is akin to,
"Thanks, but that's a lot of work, and we don't care that much." :-)
That's implicitly going through the exercise, so my work here is done.
:-)

Perhaps email isn't the right medium for your communications. Perhaps
your colleague is adding complexity and risk where it isn't needed.

> What I would like to be able to do is send password-protected
> messages that can only be opened by the receiving party who has the
> password. Is that what this process does?

Neither S/MIME encryption nor Open PGP encryption password protect a
message. (Encryption doesn't require password protection, and
password protection doesn't imply encryption.)

S/MIME and Open PGP use asymmetric cryptography (public & private
keys). There is no "shared secret" or password between the two of you.

A shared password would be a use of symmetric cryptography. I'm not
aware of an email encryption standard that uses symmetric cryptography.

> So, in order to send password-protected messages, do I select
> "Enable S/MIME" (which is already selected), and then "encrypt when
> completed"?

Irrelevant. See above about how this doesn't password protect a
message. :-)

When encryption is enabled, it ends up encrypting the message with the
public key of the intended recipients. In this process, there is an
assumption that proper identity verification has been performed. This
is incredibly hard to get right, particularly at scale.

The intended recipients can then use the corresponding private
keys--and ONLY the corresponding private keys--to decrypt the message.

If the private key is lost, then the message cannot be decrypted.
E.g., your colleague won't be able to call you on the phone to ask for
a password reminder.

> If so, will this only impact the message being sent and no other
> subsequent message?

IIRC, it only affects the message being sent. You may be able to
adjust the defaults here, but I haven't used this in a long time.

> I send a message that is encrypted, how will the recipient, who does
> not use The Bat, decrypt it?

They will need to use their email client's S/MIME functionality.

> The instructions for "Open PGP" state "First of all you should
> download, install and set up the preferred OpenPGP program."
> WHAT(!) program?

There are a number of supported programs. If you want to download one
for free, take a look at https://gnupg.org/download/index.html. AFAIK,
the old commercial PGP program is no longer offered for sale.

Note, however, that Open PGP is different and not compatible with
S/MIME. You'll need to pick one of the two methods for both of you.

> Do I need to do this if all I am doing is encrypting a single
> message to a single recipient?

Yes.

> Finally, I am currently using ver 7.4.16, and it has worked fine for
> me. Is there any need to upgrade in order to accomplish what I want
> to do vis a vis password protection of specific messages?

Shouldn't need to. I remember using either OpenPGP or GNU Privacy
Guard with The Bat! 3.x many years ago.

Though, see above: none of this password protects a message. :-)

-- 
Christopher Warrington <li...@mygcw.net>

________________________________________________
Current version is 8.0.18 | 'Using TBUDL' information:
http://www.silverstones.com/thebat/TBUDLInfo.html
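As an added illustration of the point made in the reply above (not code from the poster, The Bat! or GnuPG): the envelope below mirrors how S/MIME and OpenPGP encryption actually work, with a fresh session key wrapped to the recipient's public key, so the message is readable with the matching private key and with no other, and no password is involved anywhere. The RSA-OAEP/AES-GCM choices and the sample message are assumptions for this demo, not the exact wire formats those standards use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the shape S/MIME and OpenPGP actually produce: a random per-message
// session key wrapped to the recipient's PUBLIC key, plus the body encrypted under it.
type Envelope struct {
	WrappedKey  []byte // session key, RSA-OAEP encrypted to the recipient's public key
	Nonce, Body []byte // AES-GCM nonce and ciphertext of the message body
}

// Seal encrypts msg so that only the holder of the private key matching pub can read it.
func Seal(pub *rsa.PublicKey, msg []byte) *Envelope {
	sessionKey := make([]byte, 32) // fresh AES-256 key, used for this message only
	rand.Read(sessionKey)
	block, _ := aes.NewCipher(sessionKey) // a 32-byte key is always valid
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	wrapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Body: gcm.Seal(nil, nonce, msg, nil)}
}

// Open recovers the message. Any private key other than the recipient's fails here,
// which is also why a lost private key makes the message unrecoverable.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("not the recipient's private key: %w", err)
	}
	block, _ := aes.NewCipher(sessionKey) // unwrapped key is the original 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Body, nil) // also fails if the body was tampered with
}

func main() {
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048) // some other key pair
	env := Seal(&recipient.PublicKey, []byte("constructed sample message"))
	plain, _ := Open(recipient, env)
	_, err := Open(stranger, env)
	fmt.Printf("recipient reads %q; stranger gets: %v\n", plain, err)
}
```

Because the session key is wrapped to a key pair rather than derived from a password, there is nothing a sender could "remind" the recipient of over the phone; the private key file itself is the only way in.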
