Open-Xchange launches open-source OX Guard encryption tool for its mail and storage apps

Germany’s Open-Xchange, a provider of web apps for rebranding by service providers and deployment in the enterprise, has released an encryption tool called OX Guard. As around 110 million people use Open-Xchange’s apps (though they probably don’t know it), this is a reasonably big deal.

OX Guard is designed to provide a layer of security over Open-Xchange’s email and cloud storage products, whether they’re consumed through a service provider or installed on the customer’s own servers (the software is free for non-commercial use).

The system encrypts email and file content with symmetric AES keys, which are in turn protected with RSA public/private key pairs. The idea is to make encryption simple for the end user, which is the holy grail of data security, as hard-to-use tools don’t get used. And indeed, a demo of the service showed me that it’s dead simple to deploy.

Open Xchange OX Guard

When in the mail client, you just need to click a padlock logo and the email is sent encrypted. If the recipient isn’t using an Open-Xchange client, they’ll receive a link that opens up a guest account page, initially protected by a one-time passphrase. Messages can even be set to self-destruct, Snapchat-style.

However, OX Guard doesn’t really fix certain fundamental problems that bedevil the PGP security system – the ones to do with key management. Using OX Guard is simple because the user doesn’t need to deal with encryption keys, and that only works because key management takes place on the server side. That means you need to trust whoever is running the server not to offer up or expose your private key.
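The AES-then-RSA layering described above, and why server-side key custody matters, as an added example in Go (not OX Guard's own code, which uses Bouncy Castle and Java Crypto): the content is encrypted under a fresh AES-GCM key, that key is wrapped to the recipient's RSA public key with OAEP, and whoever holds the matching private key, the user or the server storing it for them, can open the message. Function names, key sizes and modes are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal: fresh 256-bit AES-GCM key for the content, key wrapped to pub with RSA-OAEP.
func Seal(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, body []byte, err error) {
	kn := make([]byte, 32+12) // content key followed by the standard 96-bit GCM nonce
	if _, err = rand.Read(kn); err != nil {
		return nil, nil, err
	}
	key, nonce := kn[:32], kn[32:]
	aead, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	body = aead.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return wrappedKey, body, err
}

// Open unwraps the content key with priv and decrypts a body produced by Seal.
// Whoever holds priv, the user or a server keeping it for them, can read the mail.
func Open(priv *rsa.PrivateKey, wrappedKey, body []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	return aead.Open(nil, body[:n], body[n:], nil) // GCM tag check rejects tampering
}

func main() {} // call Seal/Open from your own code or the test
```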

According to Open-Xchange CEO Rafael Laguna, that’s OK because people can move their account between providers – you can even run it on your own server, though that takes a fair amount of technical know-how. As he told me:

There’s no way you can take your Gmail account and move it to another provider. What we do is we create trust by giving you choice on who runs the system. Offloading the hard work of key management to the server in our scenario is OK.

It’s certainly better than no encryption, but still far from ideal. Additionally, if you’re communicating with someone who’s not using Open-Xchange apps, the one-time passphrase also needs to be sent somehow. By default, it will be sent in a separate email – not much use if you’re worried about someone intercepting your traffic. The best option here would probably be to send the passphrase by some other means, such as dictating it over the phone.

I don’t mean to criticize Open-Xchange in particular here – the same problem applies to others playing in this space, such as Tutanota, who are also dealing with the complexities of adding security to a universal protocol that’s implemented across fragmented platforms. I think it’s just a case where users should be aware of the limitations of the security they’re adopting, and take this into account when they’re weighing up risk.

For most people, having some security is certainly better than none, and making it easy to use is essential. For that, Open-Xchange should be commended. Also in OX Guard’s favor is the fact that it is open source and can be freely audited.

For those who are interested, the system uses Bouncy Castle APIs for the PGP stuff and Java Crypto for AES and RSA encryption. Here’s an overview of the architecture:

OX Guard architecture