Klaus Zimmermann's Corner

Sending secure "email" from a public / shared computer

These days I did a little thought experiment concerning a situation in which I don't have access to a machine I own and still would like to securely relay messages (or even small files) to myself for when I get back to my own machines. Here's the blurb of it:

Imagine you're on a public shared computer i.e. hotel business lounge or public library and you've found some information online or produced a kind of document that you want to send it to yourself.

You could trust the machine you're using or your network to log into your own webmail, type in your password and send an email as usual. But maybe the information is sensitive or you don't trust too much that computer, or maybe your access to your webmail is restricted for whatever reason. How do you send that information securely in that case? You don't have your gpg or your keyring to encrypt it.

Here's one way that I thought:

  1. Visit the online demo of CyberChef, or download a local copy of it (it's a purely Javascript webapp).
  2. Get a copy of your public PGP key from one of many online keyservers, like Ubuntu's.
  3. Open CyberChef, select PGP encrypt from the recipes, paste your public key into the required field.
  4. Type or paste your message / information into the input field, click Bake.
  5. Copy the ciphertext output.
  6. Go to some kind of pastebin service, like Debian's and paste your ciphertext there. I'd avoid using Pastebin.com for this.
  7. Make a note of the paste's URL - it could be as simple as writing down the ID with pencil and paper.
  8. When you are back in range of a machine you do control, download the paste and decrypt it with your private key. You can now read your important message securely!

Of course, this is a silly experiment and does not consider the aggressiveness of nation-state adversaries, but could be much more "low-key" than using email traffic to send your information against a passive average opponent. Plus no need to use any sort of secrets (no passwords, public key available on internet, publicly-available cipher engine, etc) to securely send the message.

What would you do in the face of a similar situation? Let me know on Mastodon!