Security and Cryptography
 
  #1  
JMM, August 15th, 2001, 02:22 PM
Securing email transmission

I am developing a site for a client. The site will have a form that will contain sensitive data such as credit card number. I will use an SSL connection to securely submit the form, but I also need to have the data sent to my client by email. After researching this topic previously, I arrived at the conclusion that I would need to host the site on a server with PGP or GPG. I recently learned of the mcrypt library for encrypting files or streams, but I can't find much information about it. Could mcrypt be used to encrypt data, send it by email, then decrypt on the other end? The site will almost certainly be on a Linux system, while my client will be using PCs. So in a nutshell, I need some technology that will allow me to encrypt the data on the server, then be emailed by PHP or sendmail or whatever, then be decrypted on my client's PC.

If anyone has any experience with this, or knowledge of the subject, I would greatly appreciate any information / advice / suggestions you can give me.

#2
pieux, August 29th, 2001, 11:51 AM
I don't have any experience in the area, but have you looked at this? <http://mcrypt.hellug.gr/>
__________________
Michael

#3
JMM, August 29th, 2001, 02:46 PM
Yes, I have looked at that site. It is geared for people who have more experience with UNIX -- I'm a UNIX novice. So, the site really didn't answer my question. Thanks for replying though -- as you can see, yours is the only one in the two weeks my question has been posted.

I'm pretty disappointed with the lack of response I've had on this forum on this subject. This suggests two possibilities: a) there is someone out there that knows about this, and they have declined, for whatever reason, to offer assistance, b) no one knows anything about this. I find b rather implausible. I feel certain that this situation has come up before in the history of web development, so why doesn't anyone have anything to say about it?

Thanks again pieux.

#4
pieux, August 29th, 2001, 04:02 PM
I would bet that the people that use these forums, use them primarily for PHP, and that truly, there may not be people that have a solution. Alternatively, it's that you posted too complex of a question. That's the issue for me, but I thought I would throw my two cents in, since it's been a while and you haven't gotten any responses. My experience has been that people will typically respond most quickly to the simplest questions that take them the least amount of time to respond to. If a question requires a lot of thought, you may not get a response as quickly, if at all. Also, people are hesitant to provide complete solutions -- if you work out part of it and are stuck on one part, you'll get help more often than if you ask "how do I do this?"

So, since I don't have much time to invest in the issue, I won't be able to help you, but if you're willing to do the research yourself and just ask me questions on the stuff that you are stuck on, I'd be willing to help you, piecemeal, so-to-speak. I have experience with various unices, I've just never had to do what you have to do, so I can help you with the unix part of it, if you work out the other details.

#5
pieux, August 29th, 2001, 11:38 PM
This url is related to this topic only in the words "Linux" and "secure", but I thought you'd find it an interesting read, nonetheless: <http://www.cryptoapps.com/press08282001.html>

#6
bumperbox, August 29th, 2001, 11:56 PM
I have done just that on a project I'm working on at present

I have been using perl and gnupg on a linux box
and the pgp freeware plugin for outlook express on the clients end
http://www.pgpi.com
http://www.gnupg.org

It works quite well
I have it going both ways, so that the users can email the server and the server will check a pop account, decrypt the messages and interpret the instructions if the message has a valid pgp signature.

The only problem I ran into is that Outlook Express can't print decrypted messages (Outlook full version can).

I ended up writing a proxy mail server for the pc that decrypts incoming mail before it gets to outlook express and encrypts outgoing messages that match certain filters.

Anyway have a look at GnuPG::Interface on CPAN, it's quite well documented

If you get really stuck I can post some code

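The server-side half of the setup described in post #6, as an added example that is not part of the original post and not bumperbox's code: the web server's keyring holds only the client's public key, so it can encrypt the order mail but cannot read it back. The recipient, order text, card number and function names are constructed, the keyrings are temporary directories, and GnuPG 2.1 or later is assumed.

```shell
#!/usr/bin/env bash
# Added example, not bumperbox's code. Recipient, order text and card number
# are constructed; both keyrings are throwaway temp directories.
RCPT='Shop Owner <owner@example.test>'

# Client PC stand-in: create a key pair in keyring $1, print the public key.
client_make_key() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
        --passphrase '' \
        --quick-generate-key "$RCPT" default default never &&
    gpg --homedir "$1" --batch --armor --export "$RCPT"
}

# Web server: encrypt stdin to RCPT with keyring $1 (public key only).
# --trust-model always skips the key-ownership check; on a real server,
# verify the imported key's fingerprint with the client instead.
server_encrypt() {
    gpg --homedir "$1" --batch --quiet --no-tty --armor \
        --trust-model always --recipient "$RCPT" --encrypt
}

# Try to decrypt stdin with whatever secret keys keyring $1 holds.
decrypt_with() {
    gpg --homedir "$1" --batch --quiet --no-tty --decrypt 2>/dev/null
}

# End-to-end run; prints "server:<result> client:<result>".
demo() {
    local client server body order='card=4111111111111111 exp=12/30'
    client=$(mktemp -d) && server=$(mktemp -d) || return 1
    client_make_key "$client" 2>/dev/null |
        gpg --homedir "$server" --batch --quiet --import 2>/dev/null
    body=$(printf '%s\n' "$order" | server_encrypt "$server" 2>/dev/null)
    # No secret key on the server: a copy of the mail cannot be read there.
    if printf '%s\n' "$body" | decrypt_with "$server" >/dev/null; then
        printf 'server:decrypted '
    else
        printf 'server:cannot-decrypt '
    fi
    if [ "$(printf '%s\n' "$body" | decrypt_with "$client")" = "$order" ]; then
        printf 'client:ok\n'
    else
        printf 'client:failed\n'
    fi
    gpgconf --homedir "$client" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$server" --kill gpg-agent 2>/dev/null || true
    rm -rf "$client" "$server"
}
```

Source the file and call `demo` to run the whole exchange; the armored text held in `body` is what would be placed in the mail.
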
  #7  
JMM, September 1st, 2001, 09:13 AM
pieux,

I know what you mean, but originally I was just looking for a point in the right direction. As you'll see, this post several months ago got NO response. If someone could have just told me then 'You need a hosting company with PGP or GPG', that would have saved me a lot of aggravation. Being that no one could even tell me that, I did do the research. So, at this point I know generally what I need to do. The biggest roadblock at this point is finding a hosting company with the PGP or GPG software I need, which brings me to my next point (thanks for the article by the way):

bumperbox,

Thanks for responding. It's good to know that setup you have works, because I wasn't entirely sure PGP would decrypt a GPG encrypted message, so I thought I might need to find a hosting company with PGP. As you may be aware, from what I've seen it seems to be a lot easier to find a hosting service with GPG, or at least that will install or let you install GPG. You seem to really know what you're doing; I don't think I'll need quite such an elaborate system (I hope not anyway). Thanks for the pointers and the offer to post code, greatly appreciated. I'm hoping to do all of the coding in PHP though. I think I can do that, but I'll just have to see as I go along. I did end up finding a tutorial on webmonkey that has been very helpful, so like I said, now I need to find an appropriate hosting company.

Thanks again guys, I hope you're still here in the future when inevitably I need more help ;)

#8
braverock, March 15th, 2003, 10:30 AM
mcrypt will work fine for this

As one of the earlier posts recommended, mcrypt will work very well for this kind of thing, and doesn't require keeping gpg/pgp keyrings on the system. I have a lot of experience using gpg in a production environment, and it would be much simpler to use mcrypt for the type of thing you describe.

Here is a little primer I wrote on installing mcrypt on Red Hat. Other Linux RPM installations should be similar.

To install support for mcrypt on Red Hat, we did the following:
- get the mcrypt, libmcrypt, and mhash sources from:
http://mcrypt.hellug.gr/

install them (as root) in the following order:
mhash
libmcrypt
mcrypt
using the standard:
tar -zxvf archive-name.tar.gz
cd archive-name
./configure
make all
make install

- get the php-mcrypt and php-mhash shared libraries from:
http://rpms.arvin.dk/
This site has Red Hat optimized PHP RPMs that are more complete than the packages Red Hat includes.
Download the appropriate packages for your Linux version.
e.g. for Red Hat 7.2 or 8.0, this is:
http://rpms.arvin.dk/php/rh72/i586/?describe=php-mcrypt
http://rpms.arvin.dk/php/rh72/i586/?describe=php-mhash

Install these using rpm -Uvh --nodeps
(unless your entire PHP installation is from arvin, rpm will complain without the --nodeps option)

- verify that mcrypt.so and mhash.so have been installed in your php lib dir (on Red Hat, this is /usr/lib/php4)

- add the following lines to the extensions section of your php.ini file:
extension=mcrypt.so
extension=mhash.so

- restart Apache.

- You're Done!

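A check for the last steps of the primer in post #8, added here and not part of braverock's post: it confirms that each module is enabled by an uncommented `extension=` line and that the `.so` file exists in the directory PHP loads from (`extension_dir` if php.ini sets it, otherwise the /usr/lib/php4 the post names). The function names and the sample php.ini are constructed.

```shell
#!/usr/bin/env bash
# Added example, not braverock's code. The fallback directory is the one the
# post names; the sample php.ini built in demo() is constructed.

# ini_values KEY INI: print every active (uncommented) value of KEY.
ini_values() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\";]*\).*/\1/p" "$2" |
        sed 's/[[:space:]]*$//'
}

# check_php_ext NAME INI: succeed only if NAME.so is enabled in INI and the
# file exists where PHP will look (extension_dir, else /usr/lib/php4).
check_php_ext() {
    local so="$1.so" ini=$2 dir
    dir=$(ini_values extension_dir "$ini" | tail -n 1)
    dir=${dir:-/usr/lib/php4}
    ini_values extension "$ini" | grep -qxF "$so" ||
        { echo "$so: not enabled"; return 1; }
    [ -s "$dir/$so" ] ||
        { echo "$so: enabled but missing from $dir"; return 1; }
    echo "$so: ok"
}

# demo: mcrypt is installed and enabled; mhash is installed but its
# extension= line is still commented out, so PHP would not load it.
demo() {
    local d
    d=$(mktemp -d) || return 1
    mkdir "$d/lib" && echo stub >"$d/lib/mcrypt.so" && echo stub >"$d/lib/mhash.so"
    printf '%s\n' "extension_dir = \"$d/lib\"" 'extension=mcrypt.so' \
        ';extension=mhash.so' >"$d/php.ini"
    check_php_ext mcrypt "$d/php.ini" || true
    check_php_ext mhash "$d/php.ini" || true
    rm -rf "$d"
}
```

On a real host, run `check_php_ext mcrypt /path/to/php.ini` and the same for `mhash` before restarting Apache.
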