An Article from the PEPS Team at MLstate

Introduction

We all use email and online file storage services like Gmail or Dropbox. However, these services may not be suitable for the storage of sensitive data, both personal and professional. Do we trust their privacy policies when attaching an important business contract or confidential information? Do we accept that all our data will be collected, processed, and analyzed?

There is a solution to this problem: PEPS is an email, file sharing, and chat platform that uses end-to-end encryption. End-to-end encryption means that encryption and decryption happen on your computer (the client) and not on the server, which never sees confidential content in clear text. Keep in mind what that does and does not cover: the server still needs routing information such as recipient addresses to deliver a message, so what is protected is the content of your messages and files, not the fact that you exchanged them.

This tutorial will guide you through the process of deploying your PEPS instance on a DigitalOcean Droplet so you can safely store your data.

Prerequisites

PEPS is distributed as Docker containers to make setup easy. You will need a DigitalOcean Droplet with Ubuntu 14.04 x64 and the Docker application installed on it. Specifically:

An Ubuntu 14.04 x64 Droplet with 2 GB of memory if you have just a few users. Select 4 GB of RAM or more if you need more users or you just need more storage for your data.

Purchase an SSL certificate to use in place of the self-signed one; this is recommended for production environments. Alternatively, some certificate authorities issue free domain-validated certificates that browsers trust. Pointers for obtaining and installing the certificate are given in Step 5 of this tutorial.

The name of your Droplet matters: If you plan to send messages via email to external recipients, you want Reverse DNS configured to avoid your messages getting flagged as spam. Good news: DigitalOcean automatically configures the PTR record if your Droplet name is set to your FQDN (Fully Qualified Domain Name). If you plan to send email from mail.example.com , that should also be the name of your Droplet (even if your addresses are in the form of user@example.com ).

All the commands in this tutorial should be run as a non-root user. If root access is required for the command, it will be preceded by sudo . Initial Server Setup with Ubuntu 14.04 explains how to add users and give them sudo access.

Step 1 — Installing Docker

The first step is to install Docker. This tutorial is based on Docker 1.6.2. You have two options for installing Docker:

Follow the instructions for Ubuntu 14.04 in How To Install and Use Docker: Getting Started

Add the Docker application when you create the Ubuntu 14.04 x64 Droplet

You also need to add the non-root user you created (the one that will be running all the command in this tutorial) to the docker user group. Replace sammy with your username:

sudo usermod -aG docker sammy

You will also need to log out and log back in as your non-root user for this change to take effect. Note that membership of the docker group is effectively root access on the host, since any member can start a container that mounts the host's filesystem; grant it only to the account that operates PEPS.

Step 2 — Deploying PEPS

Connect to your Droplet via SSH using ssh sammy@your_server_ip (replace your username and server IP), and run the following commands to prepare the environment.

First, clone the repository:

git clone https://github.com/MLstate/PEPS

Change to the PEPS directory:

cd PEPS

Configure your domain name, replacing example.com with your domain name:

echo example.com > domain

This command creates a text file named domain with your domain name as the first and only line in the file.

Install make:

sudo apt-get update

sudo apt-get install make

Now it’s time to build the containers, which will take about 10-20 minutes, so you can enjoy a coffee or schedule a stand-up meeting:

make build

If everything runs fine, it ends with something like the following (the ids are randomly generated and will differ):

Removing intermediate container 38d212189d43
Successfully built 24fd74241e48

For the first launch, we are going to create temporary SSL/TLS certificates and run the containers. (Both steps are almost instant, so don’t think you were going to take another coffee break.)

If you already have SSL certificates at hand for your domain, skip this and copy your certificate and key instead (see Step 5).

Create temporary SSL certificates with the command:

make certificate

Choose a simple passphrase, since you will be asked to type it four times and the certificates are placeholders: the script strips the passphrase from the key in its last step, and the key it generates is only 1024-bit RSA, so do not use this pair for anything beyond the first login. Most of the questions can be skipped. The only answer that matters is Common Name (e.g. server FQDN or YOUR name) []:, which should be your domain.

Here is an example dialog:

openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
[...]
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be
[...]
Country Name (2 letter code) [AU]: DE
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key # strip passphrase
Enter pass phrase for server.key.org:
writing RSA key
[...]
Getting Private key

Now, we’re ready to launch PEPS with the following command:

sudo make run

Step 3 — Logging in for the First Time

Connect to your Droplet using its IP address by visiting https://your_server_ip from your browser where your_server_ip is the IP address of your Droplet.

Since you are using the temporary self-signed certificate generated in Step 2, your browser will warn you that the site's certificate is not trusted. Accept the warning this one time: doing so is safe only because you created that certificate yourself on this server minutes ago, and the warning goes away once the real certificate is installed in Step 5. With Chrome, click Advanced to proceed.

At first run, you will be prompted to create an admin password. Choose a strong, unique one: this account can create and delete every user on the instance.

Due to end-to-end encryption in PEPS, the admin account can create and delete users but will not be able to access any existing encrypted user data.

Once your admin password is set up, the main PEPS interface is shown.

Next, let’s focus on setting up the domain and certificates properly.

Step 4 — Setting Up Your Domain

Now that your instance runs fine, we still need to set the domain properly, which involves using real SSL certificates, configuring DNS, and more.

Let’s start with the DNS. Depending on your domain name provider, either use their own interface to set up the DNS entries for your domain or set up your own DNS server. If you want to set up your own DNS server, you can use the How To Configure BIND as a Private Network DNS Server on Ubuntu 14.04 article, which is part of the An Introduction to Managing DNS article series.

You must set both an A record and an MX record. The A record maps the mail host name to your Droplet's IP address; the MX record tells other mail servers that mail for your domain is delivered to that host (the number is the preference; lower wins when several are listed). For instance, for the fictitious example.com domain hosted on mail.example.com :

mail.example.com. 10799 IN A your_server_ip
example.com. 10799 IN MX 10 mail.example.com.

Your Droplet name should be mail.example.com . Don’t worry. You can rename the Droplet from your DigitalOcean account. Click on the Droplet name to see its details, click the Settings tab, and then click the Rename tab. You might have to wait for DNS to get updated.

You may also set additional records. Online checker MXToolBox is useful to verify your domain is set up properly and gives advice on several points.

Note that DNS propagation can be a bit slow, but after a while (often 1 hour) you will be able to access PEPS from https://example.com .

Note: After you have finished configuring PEPS, if you can’t send or receive email from external domains, double check your A and MX records. If they aren’t set correctly, you will not be able to send or receive email from domains other than your own.
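As an added check that is not part of the original tutorial or the PEPS project, the following script queries the three records this step depends on (A for the mail host, MX for the domain, PTR for the Droplet's address) and reports which ones are wrong, so you can tell a DNS problem from a mail problem before going further. It assumes dig is installed (the dnsutils package on Ubuntu) and that the host's resolver is reachable; the zone, mail host and IP address are arguments, and the values in the usage comment are the text's fictitious examples.

```shell
#!/bin/bash
# Added example for this tutorial; it is not part of the PEPS project.
# Assumptions: `dig` (package dnsutils on Ubuntu) is installed and the
# host's resolver is reachable. Zone, mail host and IP are parameters.

# First IPv4 address in the A answer for a name (empty if none).
resolve_a() { dig +short A "$1" | grep -E '^[0-9.]+$' | head -n 1; }

# MX targets of a zone, most preferred first, trailing dots removed.
resolve_mx() {
    dig +short MX "$1" | sort -n | awk '{ sub(/\.$/, "", $2); print $2 }'
}

# Reverse (PTR) name of an IPv4 address, trailing dot removed.
resolve_ptr() { dig +short -x "$1" | sed 's/\.$//' | head -n 1; }

# check_mail_dns ZONE MAILHOST SERVER_IP
# Verifies the records Step 4 relies on:
#   MAILHOST  A   -> SERVER_IP
#   ZONE      MX  -> MAILHOST
#   SERVER_IP PTR -> MAILHOST   (DigitalOcean sets this from the Droplet name)
# Prints one line per failing check; the return value is the number of
# failures, so 0 means every record is in place.
check_mail_dns() {
    local zone="$1" mailhost="$2" ip="$3" failures=0 a mx ptr
    a=$(resolve_a "$mailhost")
    if [ "$a" != "$ip" ]; then
        echo "A:   $mailhost -> '${a:-nothing}', expected $ip"
        failures=$((failures + 1))
    fi
    mx=$(resolve_mx "$zone")
    if ! printf '%s\n' "$mx" | grep -qxF "$mailhost"; then
        echo "MX:  $zone -> '${mx:-none}', expected $mailhost"
        failures=$((failures + 1))
    fi
    ptr=$(resolve_ptr "$ip")
    if [ "$ptr" != "$mailhost" ]; then
        echo "PTR: $ip -> '${ptr:-nothing}', expected $mailhost (rename the Droplet)"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Usage on the Droplet (these are the text's example names; use your own):
#   bash dnscheck.sh example.com mail.example.com your_server_ip
if [ $# -eq 3 ]; then
    check_mail_dns "$1" "$2" "$3"
fi
```

A non-zero exit status with no output means the arguments were wrong rather than the DNS; the script only reports what it could resolve. Run it again after the propagation delay mentioned above, since a cached negative answer can make a freshly added record look missing.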



Step 5 — Setting up SSL Certificates

You will still have an invalid SSL certificate warning from your browser.

It’s now time to set up SSL certificates. If you don’t already have SSL certificates you can buy them from a provider or even set up a free SSL certificate for non-commercial purposes.

The How To Install an SSL Certificate from a Commercial Certificate Authority article explains everything about SSL certificates, including how to purchase one.

Be sure to copy both the key and the certificate, named server.key and server.crt, into the /etc/peps/ directory on the server.

Prepare them on your local computer, then copy the files to the server by running the following from the directory that contains them (replace sammy and your_server_ip with your username and the IP address of your Droplet):

scp server.key server.crt sammy@your_server_ip:/etc/peps/

If /etc/peps/ was created by root when you ran sudo make run, the copy will fail with a permission error; in that case copy the files to your home directory first and move them into /etc/peps/ with sudo. Whichever route you take, keep the private key readable only by its owner: it is the one secret that lets anyone impersonate your server.

When done, check that your browser can access https://example.com without SSL errors.
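Both the placeholder certificate from Step 2 (make certificate) and the real one installed in this step end up as /etc/peps/server.key and server.crt, and a mismatched or misnamed pair is usually only noticed when the browser keeps complaining. The following script is an added example, not part of the PEPS project or the original tutorial. It generates a placeholder pair non-interactively (2048-bit RSA, no passphrase to type and strip), and, more usefully, checks a key/certificate pair before installing it: the key must match the certificate, the certificate must name the domain (as the subject CN or as a DNS entry in its subjectAltName, which commercial certificates carry), and it must not be about to expire. It assumes the openssl command-line tool is present and that the PEPS containers read the files as root (if they run as another user, relax the key's mode accordingly); the file name certcheck.sh in the usage comment is an assumption.

```shell
#!/bin/bash
# Added example for this tutorial; it is not part of the PEPS project.
# Assumptions: the openssl command-line tool is installed; PEPS reads
# /etc/peps/server.key and /etc/peps/server.crt (Step 5) as root. The
# destination directory is a parameter so the functions can be tried
# against a scratch directory before touching /etc/peps.

# Generate a throwaway self-signed pair non-interactively: the same role
# as `make certificate`, but 2048-bit RSA and no passphrase prompts.
make_placeholder_cert() {
    local domain="$1" key="$2" crt="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=${domain}" -keyout "$key" -out "$crt" 2>/dev/null
}

# 0 if the private key and the certificate carry the same public key.
key_matches_cert() {
    local key="$1" crt="$2" k c
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the certificate names the domain, either as the subject CN or as
# a DNS entry in subjectAltName.
cert_names_domain() {
    local crt="$1" domain="$2" dre
    dre=$(printf '%s' "$domain" | sed 's/\./\\./g')   # escape dots for ERE
    openssl x509 -in "$crt" -noout -subject 2>/dev/null \
        | grep -Eq "CN ?= ?${dre}([,/[:space:]]|\$)" && return 0
    openssl x509 -in "$crt" -noout -text 2>/dev/null \
        | grep -Eq "DNS:${dre}([,[:space:]]|\$)"
}

# 0 if the certificate is still valid one day from now.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1
}

# Run all checks, then install the pair under the tutorial's file names.
# The key is readable only by its owner; the certificate is public data.
install_cert_pair() {
    local key="$1" crt="$2" domain="$3" dest="$4"
    key_matches_cert "$key" "$crt" \
        || { echo "refusing: $key does not match $crt" >&2; return 1; }
    cert_names_domain "$crt" "$domain" \
        || { echo "refusing: $crt does not name $domain" >&2; return 1; }
    cert_not_expiring "$crt" \
        || { echo "refusing: $crt is expired or expires within a day" >&2; return 1; }
    mkdir -p "$dest" \
        && install -m 600 "$key" "$dest/server.key" \
        && install -m 644 "$crt" "$dest/server.crt"
}

# Usage on the Droplet, after copying the real files to your home directory
# (file name assumed):
#   sudo bash certcheck.sh install server.key server.crt example.com /etc/peps
if [ "${1:-}" = "install" ] && [ $# -eq 5 ]; then
    install_cert_pair "$2" "$3" "$4" "$5"
fi
```

The checks run in the order in which mistakes are usually made: a key from a previous request paired with a newly issued certificate, a certificate issued for www.example.com when PEPS is served from example.com, and a renewal that was never copied over. A refusal leaves /etc/peps untouched, so the running instance keeps whatever pair it had.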

Step 6 — Testing

To create more users, log in as the admin user with admin as the username and with the password you created in Step 3: Logging in for the First Time. The admin user can create email accounts for your domain. Go to the PEPS Admin Manual to learn how.

First, try to send and receive email between two different users within your domain. For example, try sending an email from admin@example.com to sammy@example.com. If that is successful, try having sammy respond to admin to make sure the reverse operation succeeds.

Now, send an email to an account outside of your domain. If this fails, the most likely cause is that your A and MX records are not configured correctly; go back to Step 4: Setting Up Your Domain. If the message is delivered but lands in the recipient's spam folder, check the PTR record mentioned in the prerequisites. Don’t forget to test receiving email from a user outside your domain as well.

Conclusion

Congratulations! You now have an instance of PEPS running on a DigitalOcean Droplet. You can send messages, share files, and more (by running plugins such as chat) securely.

There are several manuals available:

User Manual

Admin Manual

More documentation for developers wanting to use the PEPS API, and for operators on topics such as backup, is available from the project wiki on GitHub.

Also visit the PEPS Facebook page for the latest news about PEPS.