Email encryption methods have been around for 30 years, yet so few people use them. One of the reasons for this could be a lack of knowledge about the possible threats of sending unencrypted messages. By email encryption, we mean encoding an email message to protect potentially sensitive information from being read by anyone other than intended recipients.
Sending sensitive information, such as social security numbers, bank account numbers, login credentials, etc., in a plain email is like sending a postcard: anyone who handles it on its way to the destination can read it.
Since you don’t want your personal information to land in the wrong hands, you may want to learn how to encrypt email messages. This will help you avoid prying eyes and the unfortunate consequences of being exposed.
As a matter of fact, instant messaging services already show that this is achievable: WhatsApp encrypts every chat end to end by default, and Messenger and Skype offer end-to-end encrypted conversations as an opt-in mode (“secret” and “private” conversations respectively).
Email encryption ensures that even if your message is intercepted by hackers or cybercriminals, they see only ciphertext. With a modern algorithm and an adequate key size, recovering the contents without the key is not practically feasible, although what counts as an adequate algorithm and key size does change as computing power and cryptanalysis advance.
Many people use end-to-end encryption services like the Switzerland-based ProtonMail, Tutanota, Hushmail, and others to protect their email communications. If your email privacy is a must, it’s best to use a service like the ones mentioned above, so you don’t have to take care of the encryption yourself.
Now, let’s see what email encryption is in more detail, as well as how to encrypt email messages on different platforms.
Types of email encryption
Originally, the communication between the sender and recipient email servers was done in plain text. However, as email came to be used for more and more sensitive information, this method proved to be way too vulnerable. Therefore, more and more ways of encrypting were developed to keep online communications safe and private.
When we talk about email encryption and security, there are three basic approaches, plus a few workarounds that are covered afterwards:
1. Transport layer encryption
This means that the connection between your email provider’s server and the receiving email server is encrypted, protecting your messages as they travel between providers. STARTTLS is the most commonly used mechanism: an SMTP extension that upgrades a plain-text connection to TLS, as long as both servers support it. Two caveats follow from that “as long as”. Because STARTTLS is negotiated opportunistically, an attacker sitting on the path can strip the STARTTLS offer from the server’s response and the message falls back to plain text, unless the sender enforces TLS for that domain with a policy mechanism such as MTA-STS or DANE. And the protection covers only the wire: every server along the way still receives, stores and can read the message in plain text.
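To make the hop-by-hop nature of transport encryption concrete, here is an added example in Go; it is not code from the original article or from any mail server. It parses the Received: headers of a constructed message to show which legs were encrypted, and models the sending side’s STARTTLS decision, where a server response from which an attacker has stripped the STARTTLS advertisement leads to plaintext delivery unless the destination publishes an MTA-STS policy in enforce mode. The header block, hostnames and EHLO responses are invented for the example, and the decision logic covers only the STARTTLS-advertisement part of MTA-STS (RFC 8461), not certificate or MX validation.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hop is one relay-to-relay delivery, recovered from a Received: header.
type Hop struct {
	From string // sending server, as it identified itself
	By   string // receiving server that wrote the header
	TLS  bool   // true when the header records an ESMTPS/TLS session
}

// sampleHeaders is a constructed, not real, header block: the message went
// partner -> mx2 in plain text and then mx2 -> mail.example.org over TLS.
const sampleHeaders = `Received: from mx2.example.net (mx2.example.net [203.0.113.5])
    by mail.example.org with ESMTPS id abc123
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
    Mon, 1 Jan 2024 10:00:02 +0000
Received: from smtp.partner.example (smtp.partner.example [198.51.100.7])
    by mx2.example.net with ESMTP id def456;
    Mon, 1 Jan 2024 10:00:01 +0000
From: alice@partner.example
To: bob@example.org
Subject: Q1 numbers`

// unfold joins continuation lines (those starting with whitespace) onto their header.
func unfold(raw string) []string {
	var out []string
	for _, line := range strings.Split(raw, "\n") {
		if len(out) > 0 && (strings.HasPrefix(line, " ") || strings.HasPrefix(line, "\t")) {
			out[len(out)-1] += " " + strings.TrimSpace(line)
			continue
		}
		out = append(out, line)
	}
	return out
}

var receivedRe = regexp.MustCompile(`^Received:\s+from\s+(\S+).*?\bby\s+(\S+)\s+with\s+(\S+)`)

// ParseHops returns the hops in delivery order: every relay prepends its own
// Received: header, so the topmost header is the last hop and the list is reversed.
func ParseHops(raw string) []Hop {
	var hops []Hop
	for _, h := range unfold(raw) {
		m := receivedRe.FindStringSubmatch(h)
		if m == nil {
			continue
		}
		// m[3] is e.g. ESMTP (plain), ESMTPS (TLS) or ESMTPSA (TLS plus authentication)
		tls := strings.Contains(m[3], "SMTPS") || strings.Contains(h, "version=TLS")
		hops = append(hops, Hop{From: m[1], By: m[2], TLS: tls})
	}
	for i, j := 0, len(hops)-1; i < j; i, j = i+1, j-1 {
		hops[i], hops[j] = hops[j], hops[i]
	}
	return hops
}

// UnencryptedHops lists the legs on which the message was readable on the wire.
func UnencryptedHops(hops []Hop) []Hop {
	var plain []Hop
	for _, h := range hops {
		if !h.TLS {
			plain = append(plain, h)
		}
	}
	return plain
}

// DeliveryDecision is the sending side of the STARTTLS caveat. ehloLines is the receiving
// server's EHLO response; policyMode is the MTA-STS mode the destination domain publishes
// ("none", "testing" or "enforce"). Unless the mode is "enforce", a response from which an
// on-path attacker has stripped "250-STARTTLS" results in silent plaintext delivery.
func DeliveryDecision(ehloLines []string, policyMode string) (string, error) {
	offersTLS := false
	for _, l := range ehloLines {
		l = strings.TrimSpace(l)
		if strings.EqualFold(l, "250-STARTTLS") || strings.EqualFold(l, "250 STARTTLS") {
			offersTLS = true
		}
	}
	switch {
	case offersTLS:
		return "starttls", nil
	case policyMode == "enforce":
		return "", fmt.Errorf("STARTTLS not offered and MTA-STS mode is enforce: refusing plaintext delivery")
	default:
		return "plaintext", nil
	}
}

func main() {
	for _, h := range ParseHops(sampleHeaders) {
		fmt.Printf("%-24s -> %-18s TLS=%v\n", h.From, h.By, h.TLS)
	}
	stripped := []string{"250-mx2.example.net Hello", "250-SIZE 10240000", "250 HELP"} // no STARTTLS
	fmt.Println(DeliveryDecision(stripped, "none"))
	fmt.Println(DeliveryDecision(stripped, "enforce"))
}
```

Run against a real message, the same parser tells you which hop, if any, carried your mail in the clear; the decision function is the reason an “enforce” MTA-STS policy (or DANE) is worth publishing for your own domain.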
2. Email message and attachment encryption
End-to-end encryption (E2EE) encrypts your email messages before you send them, so that snoopers cannot read them even if they intercept the message at any point in transit or on any server where it is stored. The email is encrypted on the sender’s device and only decrypted on the recipient’s.
One of the end-to-end encryption standards is called OpenPGP, where PGP stands for “Pretty Good Privacy.” It can encrypt email contents, including attached files. OpenPGP uses public key cryptography: each user generates a key pair consisting of a public key and a private key.
The public key is the half you hand out: anyone who wants to send you an encrypted message encrypts it with your public key, and anyone who wants to check your signature verifies it with that same key. The private key, on the other hand, must never be shared with anyone, because it is the only thing that can decrypt messages sent to you, and it is also what produces your signatures.
Handing out your public key widely is not a risk in itself; what matters is that the people you correspond with end up with the right key. Anyone who can substitute their own public key for yours, for instance by altering it on a website or a keyserver, will be able to read mail intended for you, so have correspondents compare the key’s fingerprint through a separate channel (a phone call, a printed business card, a meeting in person) before they trust it.
There are basically three ways for you to share the public key. You can:
- send it via email: you can export the public key and simply send it to trusted recipients so that they can import it
- publish the public key on a website that all the trusted parties can access
- upload the key to a so-called keyserver where it can be accessed by the receiving parties
One limitation of OpenPGP is that it encrypts only the body of the message and its attachments, while the headers remain readable: snoopers can still see who sent an email to whom, when, and usually the subject line as well.
Another well-known drawback of OpenPGP is that users need to generate the key pair and distribute the public key themselves, which is too technical for many less tech-savvy users. No wonder so few people use email encryption even though the methods have been around for 30 years.
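The following Go program is an added illustration of the scheme OpenPGP is built on; it is not OpenPGP itself and not code from the article or from any PGP implementation. A random per-message session key encrypts the body with AES-256-GCM, the session key is wrapped with the recipient’s RSA public key, and the sender signs with their own private key, so the recipient can tell a forged sender, a message meant for someone else, and a tampered ciphertext apart. The envelope keeps From, To and Subject in the clear, which is exactly the metadata limitation described above. The names and addresses are made up, and real OpenPGP uses its own packet and key formats and signs the plaintext rather than the ciphertext.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Identity is a correspondent's key pair. The private half never leaves this struct;
// Public() is the part that gets mailed, published or uploaded to a keyserver.
type Identity struct {
	Name string
	priv *rsa.PrivateKey
}

func NewIdentity(name string) (*Identity, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Identity{Name: name, priv: k}, nil
}

func (id *Identity) Public() *rsa.PublicKey { return &id.priv.PublicKey }

// Envelope is what actually travels over SMTP. The header fields stay in the clear
// for every relay to read (the metadata caveat); only the body is protected.
type Envelope struct {
	From, To, Subject string // plaintext metadata
	WrappedKey        []byte // one-time session key, RSA-OAEP encrypted to the recipient
	Nonce, Ciphertext []byte // AES-256-GCM over the body (attachments would go in here too)
	Signature         []byte // sender's RSA-PSS signature over the ciphertext
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body so that only the holder of recipient's private key can read it
// and signs the result so the recipient can check who sent it.
func Seal(sender *Identity, recipient *rsa.PublicKey, to, subject string, body []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // fresh for every message, never reused
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, body, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ciphertext)
	sig, err := rsa.SignPSS(rand.Reader, sender.priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{From: sender.Name, To: to, Subject: subject, WrappedKey: wrapped,
		Nonce: nonce, Ciphertext: ciphertext, Signature: sig}, nil
}

// Open checks the signature against the claimed sender's public key, unwraps the
// session key with the recipient's private key and decrypts the body.
func Open(recipient *Identity, sender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify: %w", err)
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("message is not encrypted to %s: %w", recipient.Name, err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext was modified: %w", err)
	}
	return body, nil
}

func main() {
	alice, _ := NewIdentity("alice@partner.example")
	bob, _ := NewIdentity("bob@example.org")
	env, _ := Seal(alice, bob.Public(), bob.Name, "Q1 numbers", []byte("revenue up 12%"))
	fmt.Printf("a relay sees: From=%s To=%s Subject=%q Body=%x\n", env.From, env.To, env.Subject, env.Ciphertext)
	body, err := Open(bob, alice.Public(), env)
	fmt.Printf("bob reads: %q (err=%v)\n", body, err)
}
```

Note what the relay line prints: the sender, recipient and subject are visible to every server on the path even though the body is opaque, and the keyserver-substitution attack mentioned above amounts to handing Seal the wrong public key.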
3. Encrypting archived or stored email messages
Since you may keep important email messages in your mail client or webmail account (MS Outlook, Gmail, Yahoo Mail) or on your hard drive, it is advisable to encrypt stored messages with sensitive content, so that they cannot be read by unauthorized parties, such as hackers, who gain access to your computer or your account. An account or login password on its own does not protect mail that sits on the disk in the clear.
Because the above-mentioned methods could be too complicated for general users, a few workarounds have emerged to provide a sense of privacy and protection for email communications. Let’s see what these are:
- Digital signature: although not an encryption method per se, you can use a personal email certificate (S/MIME) or an OpenPGP key to digitally sign your messages. A valid signature lets recipients confirm that the message really came from you and was not altered on the way. This helps them avoid opening dangerous spam that mimics a familiar sender’s name and email address in order to deliver malicious attachments (such as ransomware or trojans), provided they actually check that the signature is present and valid.
- Mix networks: this method can be used to protect the anonymity of communications. Mix networks are routing protocols that use proxy servers to create a chain to disguise the sender and recipient so that there is no link between the source and endpoint. This makes it much harder for snoopers to trace end-to-end email communications.
- Sharing webmail login credentials: another workaround, one that gives at best a false sense of privacy, is to share your webmail login with the intended recipient. You save the message as a draft and the recipient logs in to your account with your credentials to read it, so nothing is ever sent. This raises serious privacy and security issues: the recipient has full access to all your other emails, and the draft is still stored unencrypted at the provider.
- Using secure email services: services like ProtonMail use E2EE to secure your email communications. This provider has Android, iOS, and Web versions to provide you with a great level of privacy.
The best way to protect your privacy and your email messages with sensitive information is to consistently use encryption.
In other words, it is best to encrypt all messages you send and receive, not just the sensitive ones. Why? Because a handful of encrypted messages in an otherwise plain-text inbox stands out and tells an attacker exactly which messages are worth the effort of going after.
When all your messages are encrypted, however, there is no such signpost. This kind of consistency can save you from exposure.
How to encrypt webmail services like Gmail?
With the appearance of webmail service providers like Gmail, Yahoo Mail, ProtonMail, and AOL Mail, more and more users migrated from using local clients like MS Outlook or Thunderbird in conjunction with small email service providers. The web-based clients are easier to use because they don’t require any configuration.
Since 2014, Gmail has used encryption by default, but this is transport layer encryption, which works only as long as the receiving email provider also supports TLS. Perhaps more importantly, it means that Google itself can read your emails, which is a problem.
An even more worrisome privacy issue with Gmail, as we have reported recently, is that certain third-party Gmail app developers can sometimes also access your Gmail inbox.
Furthermore, Google can also grant access to your private or business emails when asked by the authorities.
So, if you are looking for privacy, you either forget about Gmail or, if you don’t have that luxury, use an outside encryption method to secure your emails so that no prying eyes can read them.
Yahoo Mail also started to use SSL/TLS to protect your account a few years back; TLS is the industry standard for encrypting data in transit over the internet, and, as with Gmail, it does not stop the provider itself from reading your mail. Yet Yahoo was eager enough to build a tool that scanned hundreds of millions of incoming emails for given keywords on behalf of the FBI or the NSA, which later culminated in a major surveillance scandal. Also, let’s not forget the biggest ever data breach: the 2013 Yahoo hack, which was eventually found to have compromised every Yahoo account in existence at the time, some three billion of them.
If you want to encrypt your emails yourself, you need to download and install a third-party tool. Several platforms are usually supported, including Windows, Mac OS, Linux, Google Chrome, Mozilla Firefox, Android and iOS. Four major players on the email encryption stage are GNU Privacy Guard (GnuPG, or GPG), GPG Tools (Mac OS only), Mailvelope and FlowCrypt; the last two are browser extensions that add OpenPGP to webmail services such as Gmail.
These programs are relatively straightforward to set up and use; their official websites provide manuals and other useful information regarding their use.
How to encrypt Outlook email?
Before sending sensitive information or notes on Outlook, you may want to set up and use a digital certificate. In case you don’t have one, you’ll need to create one as explained below:
- Go to File > Options > Trust Center > Trust Center Settings > Email Security, Get a Digital ID
- Select the certification authority to get the Digital ID from (Comodo, which now operates as Sectigo, is one option)
- You’ll receive the Digital ID by email
- Once you get the digital Certification, you need to follow these instructions to get it to work in Outlook:
- Choose Tools > Options > click the Security tab (this is the path in older Outlook versions; in current versions the same settings live under File > Options > Trust Center > Trust Center Settings > Email Security)
- Type in the name of your choice into the security Setting Name field
- Make sure to select S/MIME on the Secure Message Format Box
- Check the security settings and make sure this setting is selected as the default for the S/MIME format
- Under the Certificate box, choose your secure Email Certificate in case it is not selected by default
- Select the “Send these Certificates with Signed Messages” checkbox
- Click OK to save the settings and return to Outlook
By now, you’ve got a digital signature on your emails. However, they won’t appear by default. To attach them, follow the procedure described below:
- Click New Message
- Go to Tools > Customize and click the Commands tab
- Choose Standard in the category list
- Click Digitally Sign Message in the command list
- Click and drag the listing to your toolbar, so from now on, you can click that in order to add your digital signature
- While at it, click and drag Encrypt Message Contents and Attachments onto the toolbar as well
Please note that digitally signing an email is not the same thing as encrypting it. Signing uses your own private key and proves the message came from you; encrypting uses the recipient’s public key, so Outlook first needs that key. In practice it gets it from the certificate attached to a digitally signed message the recipient has sent you (or from a directory, such as the Global Address List in an Exchange environment), and it will only use it if the certificate chains to a certification authority that Windows trusts and has not expired. So before you can send someone an encrypted message in Outlook, they usually have to have sent you at least one signed message, and before someone can send you an encrypted message, you need to send them an unencrypted message carrying your digital signature and, with it, your certificate, which is why the “Send these certificates with signed messages” option above matters.
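What “Outlook knows it can trust the recipient” amounts to is a certificate lookup followed by validation. The Go program below is an added example, not Outlook’s code or the article’s: it stands up a toy certification authority, issues an S/MIME-style certificate bound to an email address, records it as if it had arrived on a signed message, and then runs the checks a client has to pass before it may encrypt to that address (certificate on file, chains to a trusted root, not expired, issued for email protection, usable for key encipherment). The CA name, addresses and dates are invented, and the message signing itself (CMS/PKCS#7) is left out; only the certificate handling is shown.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issue creates a certificate from tmpl: self-signed when parent is nil, otherwise signed by parentKey.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA stands in for the certification authority that issues the Digital ID.
func NewCA(name string, now time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}, nil, nil)
}

// NewEmailCert issues an S/MIME-style end-entity certificate bound to one address.
func NewEmailCert(ca *x509.Certificate, caKey *rsa.PrivateKey, email string, now time.Time, serial int64) (*x509.Certificate, *rsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      now,
		NotAfter:       now.AddDate(1, 0, 0),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}, ca, caKey)
}

// AddressBook holds certificates harvested from signed messages, indexed by the address
// inside the certificate (never by the From: header, which anyone can forge).
type AddressBook map[string]*x509.Certificate

func (b AddressBook) LearnFromSignedMessage(cert *x509.Certificate) {
	for _, e := range cert.EmailAddresses {
		b[strings.ToLower(e)] = cert
	}
}

// RecipientKey runs the checks a client must pass before encrypting to addr: certificate on
// file, chains to trustedCA, valid at time now, issued for email protection, allows key encipherment.
func (b AddressBook) RecipientKey(addr string, trustedCA *x509.Certificate, now time.Time) (*rsa.PublicKey, error) {
	cert, ok := b[strings.ToLower(addr)]
	if !ok {
		return nil, fmt.Errorf("no certificate on file for %s: ask them to send a signed message first", addr)
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate for %s is not trusted: %w", addr, err)
	}
	if cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		return nil, fmt.Errorf("certificate for %s is not usable for encryption", addr)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("certificate for %s does not carry an RSA key", addr)
	}
	return pub, nil
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	ca, caKey, _ := NewCA("Example Trusted CA", now)
	bobCert, _, _ := NewEmailCert(ca, caKey, "bob@example.org", now, 2)
	book := AddressBook{}
	book.LearnFromSignedMessage(bobCert) // Bob's signed message arrived carrying his certificate
	_, err := book.RecipientKey("bob@example.org", ca, now)
	fmt.Println("encrypt to bob:", err)
	_, err = book.RecipientKey("carol@example.org", ca, now)
	fmt.Println("encrypt to carol:", err)
}
```

The address book is keyed by the address inside the certificate rather than the From: header for a reason: a spoofed From: line is trivial, but a certificate for someone else’s address has to come from a CA the client trusts, and one minted by an untrusted issuer fails the chain check even though it names the right address.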
Ethan is a security researcher and digital privacy advocate. He spends his time unraveling various anonymity and security tools, plus contributing to open-source projects. Otherwise, he keeps a low profile by hiking or cycling around the countryside.