We all use email and online file storage services like Gmail or Dropbox. However, these services may not be suitable for the storage of sensitive data, both personal and professional. Do we trust their privacy policies when attaching an important business contract or confidential information? Do we accept that all our data will be collected, processed, and analyzed?
There is a solution to this problem: PEPS is an email, file sharing, and chat platform that uses end-to-end encryption. End-to-end encryption ensures that encryption and decryption happen on your computer (the client) and not on the server, which never sees confidential data in clear text.
This tutorial will guide you through the process of deploying your PEPS instance on a DigitalOcean Droplet so you can safely store your data.
PEPS is distributed as Docker containers to make setup easy. You will need a DigitalOcean Droplet with Ubuntu 14.04 x64 and the Docker application installed on it. Specifically:
An Ubuntu 14.04 x64 Droplet with 2 GB of memory if you have just a few users. Select 4 GB of RAM or more if you need more users or you just need more storage for your data.
Purchase an SSL certificate to use in place of the self-signed one; this is recommended for production environments. Alternatively, you can create a free signed SSL certificate. Instructions for creating the certificate are included later in this tutorial.
The name of your Droplet matters: If you plan to send messages via email to external recipients, you want Reverse DNS configured to avoid your messages getting flagged as spam. Good news: DigitalOcean automatically configures the PTR record if your Droplet name is set to your FQDN (Fully Qualified Domain Name). If you plan to send email from mail.example.com
, that should also be the name of your Droplet (even if your addresses are in the form of user@example.com
).
All the commands in this tutorial should be run as a non-root user. If root access is required for the command, it will be preceded by sudo
. Initial Server Setup with Ubuntu 14.04 explains how to add users and give them sudo access.
The first step is to install Docker. This tutorial is based on Docker 1.6.2. You have 2 options for installing Docker:
You also need to add the non-root user you created (the one that will be running all the command in this tutorial) to the docker
user group. Replace sammy with your username:
- sudo usermod -aG docker sammy
You will also need to logout and log back in as your non-root user for this change to be active.
Connect to your Droplet via SSH using ssh sammy@your_server_ip
(replace your username and server IP), and run the following commands to prepare the environment.
First, clone the repository:
- git clone https://github.com/MLstate/PEPS
Change to the PEPS
directory:
- cd PEPS
Configure your domain name, replacing example.com with your domain name:
- echo example.com > domain
This command creates a text file named domain
with your domain name as the first and only line in the file.
Install make:
- sudo apt-get update
- sudo apt-get install make
Now it’s time to build the containers, which will take about 10-20 minutes, so you can enjoy a coffee or schedule a stand-up meeting:
- make build
If everything runs fine, it ends with something like the following (the ids are randomly generated and will differ):
Removing intermediate container 38d212189d43
Successfully built 24fd74241e48
For the first launch, we are going to create temporary SSL/TLS certificates and run the containers. (Both steps are almost instant, so don’t think you were going to take another coffee break.)
If you already have SSL certificates at hand for your domain, skip this and copy your certificate and key instead (see Step 5).
Create temporary SSL certificates with the command:
- make certificate
Choose a simple passphrase, since you will be asked to type it 4 times, and the certificates are placeholders. Most of the questions can be skipped: The only question that matters is Common Name (e.g. server FQDN or YOUR name) []:
which should be the same as your domain.
Here is an example dialog:
openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus [...]
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be [...]
Country Name (2 letter code) [AU]: DE
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key # strip passphrase
Enter pass phrase for server.key.org:
writing RSA key [...]
Getting Private key
Now, we’re ready to launch PEPS with the following command:
- sudo make run
Connect to your Droplet using its IP address by visiting https://your_server_ip
from your browser where your_server_ip
is the IP address of your Droplet.
Since we are using temporary SSL certificates for now, your browser will warn you that the site is insecure. Accept it anyway. With Chrome, click Advanced to proceed.
At first run, you will be prompted to create an admin password. Choose any of your liking, provided its complexity is sufficient.
Due to end-to-end encryption in PEPS, the admin account can create and delete users but will not be able to access any existing encrypted user data.
Once your admin password is set up, the main PEPS interface is shown.
Next, let’s focus on setting up the domain and certificates properly.
Now that your instance runs fine, we still need to set the domain properly, which involves using real SSL certificates, configuring DNS, and more.
Let’s start with the DNS. Depending on your domain name provider, either use their own interface to set up the DNS entries for your domain or set up your own DNS server. If you want to setup your own DNS server, you can use the How To Configure BIND as a Private Network DNS Server on Ubuntu 14.04 article, which is part of the An Introduction to Managing DNS article series.
You must set both A and MX records. For instance, for the fictitious example.com
domain hosted on mail.example.com
:
mail.example.com. 10799 IN A your_server_ip
mail.example.com. 10799 IN MX example.com.
Your Droplet name should be mail.example.com
. Don’t worry. You can rename the Droplet from your DigitalOcean account. Click on the Droplet name to see its details, click the Settings tab, and then click the Rename tab. You might have to wait for DNS to get updated.
You may also set additional records. Online checker MXToolBox is useful to verify your domain is set up properly and gives advice on several points.
Note that DNS propagation can be a bit slow, but after a while (often 1 hour) you will be able to access PEPS from https://example.com
.
Note: After you have finished configuring PEPS, if you can’t send or receive email from external domains, double check your A and MX records. If they aren’t set correctly, you will not be able to send or receive email from domains other than your own.
You will still have an invalid SSL certificate warning from your browser.
It’s now time to set up SSL certificates. If you don’t already have SSL certificates you can buy them from a provider or even set up a free SSL certificate for non-commercial purposes.
The How To Install an SSL Certificate from a Commercial Certificate Authority article explains everything about SSL certificates, including how to purchase one.
Be sure to copy both the key and certificate named server.key
and server.crt
in the /etc/peps/
directory.
Prepare them on your local computer, and copy the files to your server by running from the directory that contains the certificates:
- scp server.key server.crt your_server_ip:/etc/peps/
where your_server_ip
is the IP address of your Droplet.
When done, check that your browser can access https://example.com
without SSL errors.
To create more users, log in as the admin user with admin
as the username and with the password you created in Step 3: Logging in for the First Time. The admin user can create email accounts for your domain. Go to the PEPS Admin Manual to learn how.
First, try to send and receive email between two different users within your domain. For example, try sending an email from admin@example.com to sammy@example.com. If that is successful, try having sammy respond to admin to make sure the reverse operation succeeds.
Now, send an email to an account outside of your domain. If this fails, your A and MX records have not been configured correctly. Go back to Step 4: Setting Up Your Domain. Don’t forget to test receiving email from a user outside your domain as well.
Congratulations! You now have an instance of PEPS running on a DigitalOcean Droplet. You can send messages, share files, and more (by running plugins such as chat) securely.
There are several manuals available:
Also visit the PEPS Facebook page for the latest news about PEPS.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Sign up for Infrastructure as a Newsletter.
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
Is it possible to use letsencrypt.org for ssl keys? If so, how? (ssl certs newbie here)
Dear PEPS Team at MLstate,
I do believe that you have to revise your article as I tried all your instructions but the software didn’t work at the stage of calling https://MY_DRPLET_IP!!!
Please any help on that?
Well it seem a pain this installation… 7789b9497390 peps “/sbin/my_init” 21 minutes ago Exited (1) 3 seconds ago peps_server.
I got this error when trying to make build :
build error: Error: ENOENT
Is there a way to fix this? I understand that the issue is currently open on github… To be more clear, it returned a non-zero code: [Error 8] What should I make of this?
@henri can above tutorial be updated to include Let’s Encrypt SSL instructions? It will be great if we can have one simple set of instructions, especially that Let’s Encrypt is now fully operational. Thanks.
Is it possible to configure multiple domains?
It only works with sudo make build
Hi, I have a n issue with PEPS install on Debian 8. Message error is :
I don’t really get it because the command line :
works nicely. Any clue? Something wrong from the droplet image?
I have this error when installing on Debian:
The strange thing is when I add the key with :
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10
it work without error. So, what went wrong?I seem to be getting loads of errors during the build phase, has anyone else had a similar issue the output of the errors are here http://pastebin.com/wtPfzVfU