Workplace login credentials, social security numbers, bank details, password resets and store orders all pass through your mailbox. That makes email one of your most important communication channels, and one whose compromise can land you in a world of pain. There are, however, ways to make it safer: encrypting your email keeps nosy intermediaries from reading your private messages.
What is email encryption?
In the early days of the internet, email servers talked to each other in plaintext only. That was a huge security risk: anyone with a packet sniffer on the path could read the contents of a message. Several security mechanisms were added over the years to make email more private and harder to intercept.
Encryption is one defence against interceptors who want to read private messages. It scrambles the data so that only those who hold the right keys can read it. The whole process isn't as simple as it sounds, and "encrypted email" can mean several different things.
How does email encryption work?
Generally speaking, encryption is possible at the transport level or end-to-end. Here’s how they differ:
- Transport-level encryption protects only the connection the message travels over. The email is still composed and stored as plaintext; it is wrapped in a layer of encryption only while it moves between your mail client and your provider's server, and between that server and the next one. Every server on the path (your provider, any relay, the recipient's provider) decrypts it, handles it in plaintext and re-encrypts it for the next hop, and it sits in plaintext in the mailboxes at both ends.
- End-to-end encryption keeps the message protected at every stage. It is encrypted on the sender's device, stays encrypted in transit and on every server it passes through, and can be read only by the intended recipient, who decrypts it on their own device.
The most widely used transport-level mechanism is the SMTP STARTTLS command. It upgrades a plaintext SMTP session to one protected by Transport Layer Security (TLS), or historically by its predecessor Secure Sockets Layer (SSL), so the message is encrypted on the wire while it travels from client to server and from server to server.
TLS uses public-key cryptography and certificates to authenticate the server and agree on a session key, then symmetric encryption under that key to turn the message into unintelligible bytes on the wire, so an interceptor learns nothing useful from captured traffic. SSL, initially developed by Netscape in 1995, passed the torch to TLS, its direct successor. Although the two names are still used interchangeably, every SSL version is now deprecated (SSLv3 was formally retired by RFC 7568), so a modern server should offer only TLS 1.2 or 1.3.
STARTTLS itself isn't an encryption protocol but an SMTP command: the sending side asks the receiving server to upgrade the existing plaintext connection to TLS. The client first sends EHLO and checks whether the server's response advertises the STARTTLS capability. If it does, the client sends STARTTLS, the TLS handshake runs, the server presents a digital certificate confirming its identity, and, once that checks out, the two parties agree on a unique session key that encrypts everything exchanged from then on.
Assuming that the servers on both ends run recent, patched TLS versions and verify certificates, an attacker with a packet analyzer cannot read the message's contents in transit. Two caveats apply. First, STARTTLS is opportunistic by default: if the server does not advertise it, or an attacker on the path strips the advertisement from the EHLO response, most mail servers simply fall back to plaintext; that is why mechanisms such as MTA-STS and DANE exist to let a domain require TLS. Second, as the name transport-level encryption suggests, it is effective only against interception on the wire; every server that handles the message, your email provider included, still sees it in plaintext.
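The dialogue described above, together with the opportunistic-fallback caveat, as an added example that is not part of the original article: a minimal SMTP client that runs through EHLO, STARTTLS and message submission against a scripted stand-in server, and the same client run through an on-path attacker that deletes the STARTTLS capability. The server script, host names, addresses and message are constructed for the demo, and the TLS handshake itself is simulated by a state flag. The last function shows the equivalent real-world client built on Python's standard smtplib and ssl modules, which refuses to fall back to plaintext and verifies the server certificate; it needs a network and is not exercised here.

```python
import smtplib
import ssl


class SmtpServer:
    """Scripted stand-in for a receiving MTA (constructed for this demo, not a real server)."""

    def __init__(self, name="mail.example.net"):
        self.name = name
        self.tls = False       # set once STARTTLS has been accepted
        self.in_data = False   # True between DATA and the terminating "."

    def greeting(self):
        return [f"220 {self.name} ESMTP"]

    def handle(self, line):
        if self.in_data:                       # the whole message body arrives as one chunk
            self.in_data = False
            return ["250 2.0.0 Queued"]
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            caps = [f"250-{self.name}", "250-SIZE 35882577", "250-8BITMIME"]
            if not self.tls:                   # RFC 3207: STARTTLS is not re-advertised inside TLS
                caps.append("250-STARTTLS")
            return caps + ["250 OK"]
        if verb == "STARTTLS":
            if self.tls:
                return ["503 5.5.1 TLS already active"]
            self.tls = True                    # the handshake itself is simulated
            return ["220 2.0.0 Ready to start TLS"]
        if verb in ("MAIL", "RCPT"):
            return ["250 2.1.0 OK"]
        if verb == "DATA":
            self.in_data = True
            return ["354 End data with <CR><LF>.<CR><LF>"]
        if verb == "QUIT":
            return ["221 2.0.0 Bye"]
        return ["500 5.5.2 Command not recognized"]


class StripTls:
    """On-path attacker (STRIPTLS): relays everything but deletes the STARTTLS
    capability from the EHLO response, so a client that does not insist on TLS
    carries on in plaintext."""

    def __init__(self, server):
        self.server = server

    def greeting(self):
        return self.server.greeting()

    def handle(self, line):
        return [r for r in self.server.handle(line) if not r.endswith("STARTTLS")]


def deliver(server, require_tls, sender="alice@example.org", rcpt="bob@example.net",
            message="Subject: meeting\r\n\r\nSee you at 10."):
    """Client side of the exchange. Returns whether the message was handed over,
    whether that happened inside TLS, and the full transcript."""
    transcript = ["S: " + line for line in server.greeting()]
    tls = False

    def cmd(line):
        reply = server.handle(line)
        transcript.append("C: " + line)
        transcript.extend("S: " + r for r in reply)
        return reply

    caps = cmd("EHLO client.example.org")
    if any(r[4:].upper() == "STARTTLS" for r in caps):
        if cmd("STARTTLS")[0].startswith("220"):
            tls = True
            cmd("EHLO client.example.org")     # RFC 3207: EHLO again, server state was reset
    if require_tls and not tls:
        cmd("QUIT")                            # refuse to downgrade to plaintext
        return {"delivered": False, "tls": False, "transcript": transcript}
    cmd(f"MAIL FROM:<{sender}>")
    cmd(f"RCPT TO:<{rcpt}>")
    cmd("DATA")
    queued = cmd(message + "\r\n.")[0].startswith("250")
    cmd("QUIT")
    return {"delivered": queued, "tls": tls, "transcript": transcript}


def send_requiring_tls(host, sender, rcpt, message, port=587):
    """Real-world equivalent with the standard library (needs a network; not run here):
    verify the server certificate and never fall back to plaintext."""
    context = ssl.create_default_context()     # CA validation plus hostname check
    with smtplib.SMTP(host, port) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server did not offer STARTTLS; refusing plaintext delivery")
        smtp.starttls(context=context)
        smtp.ehlo()                            # capabilities may differ inside TLS
        smtp.sendmail(sender, [rcpt], message)
```

Run `deliver(SmtpServer(), require_tls=False)` and the transcript shows the upgrade; run `deliver(StripTls(SmtpServer()), require_tls=False)` and the message is still delivered, only now in plaintext, because the client never saw the STARTTLS line. Only `require_tls=True` (or, between real servers, a published MTA-STS or DANE policy) turns that silent downgrade into a refusal.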
Transport-level encryption adds a layer of security, but on its own it is far from private.
With end-to-end encryption, the message is encrypted and decrypted only at the endpoints. The difference from transport-level encryption is who holds the keys: with TLS your email provider terminates the encrypted connection and can read the contents, whereas with end-to-end encryption only the recipient's device holds the key that decrypts the message. It therefore stays private from hackers and service providers alike. Some email services have end-to-end encryption built in.
End-to-end email encryption requires both the sender and the recipient to have a pair of cryptographic keys. The process is as follows:
- Both the sender and the recipient generate a key pair and exchange their public keys; the private keys never leave their owners' devices. When you register with an end-to-end encrypted email service, the service generates such a key pair for you.
- The sender composes a message, encrypts it with the recipient's public key (and usually signs it with their own private key), and sends it.
- The recipient receives the encrypted message and decrypts it with their private key.
This way, encryption and decryption happen only on the users' devices, so no intermediary, not even the email service provider, can learn the content of the message. Note that with PGP and S/MIME only the body and attachments are encrypted by default; the subject line, the sender and recipient addresses and the other headers still travel in plaintext.
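The three steps above carried through in code, as an added example that is not the article's own: a PGP-style hybrid envelope written in plain Python using only the standard library. A random per-message session key encrypts and authenticates the body, the recipient's public key wraps that session key, and the sender's private key signs a hash of the plaintext so the recipient can also verify who wrote it. The RSA keys are generated with a Miller-Rabin test, the symmetric cipher is HMAC-SHA256 in counter mode, and the RSA operations are textbook (unpadded); these are stand-ins chosen to keep the example dependency-free, not the ciphers or padding that real OpenPGP and S/MIME implementations use. Alice, Bob and the message text used in the usage note are constructed for the demo.

```python
import hashlib
import hmac
import secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # right size, odd
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=1024):
    """RSA key pair. The public half (n, e) is what you exchange; the private
    half (n, d) never leaves the owner's device."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def _subkeys(session_key):
    """Separate encryption and MAC keys derived from the per-message session key."""
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())


def _xor_keystream(key, nonce, data):
    """HMAC-SHA256 in counter mode as a stream cipher (stand-in for AES)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + (offset // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_message(recipient_pub, sender_priv, plaintext):
    """Sender side: wrap a fresh session key for the recipient, encrypt-then-MAC
    the body under it, and sign the plaintext hash with the sender's private key."""
    session_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(session_key)
    body = _xor_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    # Textbook RSA for both operations; real OpenPGP and S/MIME add OAEP/PSS-style padding.
    wrapped = pow(int.from_bytes(session_key, "big"), recipient_pub["e"], recipient_pub["n"])
    digest = int.from_bytes(hashlib.sha256(plaintext).digest(), "big")
    signature = pow(digest, sender_priv["d"], sender_priv["n"])
    return {"wrapped_key": wrapped, "nonce": nonce, "body": body, "tag": tag, "signature": signature}


def decrypt_message(recipient_priv, sender_pub, envelope):
    """Recipient side: only the holder of the matching private key recovers the
    session key; the MAC catches tampering and the signature proves the author."""
    unwrapped = pow(envelope["wrapped_key"], recipient_priv["d"], recipient_priv["n"])
    if unwrapped.bit_length() > 256:
        raise ValueError("wrong private key: cannot unwrap session key")
    enc_key, mac_key = _subkeys(unwrapped.to_bytes(32, "big"))
    expected = hmac.new(mac_key, envelope["nonce"] + envelope["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("ciphertext tampered with or wrong key")
    plaintext = _xor_keystream(enc_key, envelope["nonce"], envelope["body"])
    digest = int.from_bytes(hashlib.sha256(plaintext).digest(), "big")
    if pow(envelope["signature"], sender_pub["e"], sender_pub["n"]) != digest:
        raise ValueError("signature does not verify: not from the claimed sender")
    return plaintext
```

Usage: generate a pair each for Alice and Bob with `generate_keypair()`, call `encrypt_message(bob_pub, alice_priv, b"...")` on Alice's device and `decrypt_message(bob_priv, alice_pub, envelope)` on Bob's. Anyone holding the envelope in between, the mail provider included, sees only the wrapped key, the ciphertext body and the tag; decrypting with any other private key, flipping a byte of the body, or signing with a third party's key all raise `ValueError` on Bob's side.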
Protocols used for email encryption
Some of the standards and tools used for end-to-end encryption include:
- GNU Privacy Guard (GPG). GPG, also known as GnuPG, lets you encrypt and sign data and communications. It is a free-software implementation of the OpenPGP standard and a drop-in replacement for the commercial PGP product (later owned by Symantec). It features a robust key management system with modules for querying many public key directories, and it integrates easily with other applications, email clients included.
- Pretty Good Privacy (PGP). Not a single algorithm but a program, and the family of message formats it defined, for encrypting and decrypting messages and adding digital signatures to messages and files; those formats are standardised as OpenPGP (RFC 4880). PGP combines hashing, data compression, symmetric encryption of the message body and public-key encryption of the per-message session key.
- Secure/Multipurpose Internet Mail Extensions (S/MIME). A standard for sending encrypted and digitally signed MIME messages, built on X.509 certificates issued by a certificate authority rather than on user-generated PGP keys. A valid signature tells the recipient who sent the message and that it was not altered in transit. All of this works only if both parties have S/MIME certificates set up in their email clients.
Why is email encryption necessary?
When sending confidential information, whatever its degree of sensitivity, you should always be cautious. There is a lot an attacker could do with your private information, so why risk it?
Here’s how it could be beneficial to you:
1. Your private information remains private
Email encryption protects confidential information such as bank account numbers and social security numbers. If stolen, this data is invaluable to cybercriminals, so encryption is a must if you want to avoid such leaks.
2. Avoid your message being altered or re-sent
A plaintext message can be saved, altered and re-sent, and attackers can later use it as they please. A tampered copy of a genuine message is a common way to get a foot in the door, followed up with spoofed emails. A digital signature on the original lets the recipient detect that the message was changed.
3. Avoid identity theft
Sensitive information that you send through email is often the same information used to confirm your identity. In other words, email is one of the easiest places for attackers to obtain it, which helps immensely when stealing your identity.
4. Confirm that the claimed sender sent the message
Forging a genuine-looking message is far too easy, because plain SMTP does not authenticate the sender. A digital signature on the message lets the recipient verify that it was created by the holder of the claimed sender's private key and has not been modified since.
Ways to encrypt your emails
If you want to encrypt your email, there's an easy way and a DIY way: you can opt for an end-to-end encrypted email service, or set up an encryption protocol on your current mailbox. For the latter to work, the sender and the recipient need matching setups (both S/MIME, or both PGP). Some services also have encryption protocols built in.
Here's how to encrypt your email if you don't want to use a third-party service.
Encrypt emails in Gmail
S/MIME support is built into Gmail, but it isn't enabled for all users. If your account isn't a business or education account (G Suite, now Google Workspace), you can't use the feature. Even with a G Suite plan, an administrator has to enable S/MIME in the admin console; only then can you turn on encryption as a user.
If S/MIME is enabled, a lock icon appears next to the recipient's name when you compose a new email. Its colour shows the protection level: red means the email will not be encrypted; gray means it is protected only by TLS in transit, which works only if the recipient's mail server also supports TLS (otherwise the status can't be verified); green means S/MIME is on and the message will be encrypted with the recipient's public key, so only their private key can open it.
By default, Gmail uses TLS when talking to most other providers' servers. For additional privacy you can use a third-party browser extension such as FlowCrypt, which adds a Secure Compose button to the regular interface. Your recipient will need the same extension, or another OpenPGP-compatible tool, to read the message.
Outlook email encryption
Adding S/MIME to an Outlook account isn't the easiest of tasks, but chances are you won't be doing it yourself. As with Gmail's G Suite, S/MIME is set up by administrators, who enable it for organisation accounts following Microsoft's official Outlook guidelines.
Once that is done, open the Outlook app, click the gear icon and select S/MIME settings. There you choose what to protect: encrypt contents and attachments, add a digital signature to all outgoing messages, or both.
You can also encrypt individual messages by selecting More options > Message options and ticking Encrypt this message (S/MIME).
Keep in mind that this works only if the receiving party also has S/MIME set up and you have their certificate; otherwise they won't be able to read the message.
Yahoo mail encryption
If you're looking for ways to encrypt Yahoo email, you're solving one problem while ignoring another. Your email provider should be the one going toe to toe with today's cybersecurity challenges, and Yahoo's past data breaches have crippled its reputation as a secure provider. Before you go through with an encryption setup, ask whether it will actually improve anything.
That said, Yahoo does use TLS by default for connections to its servers. S/MIME and PGP aren't built in, and you'll need a third-party application such as Virtru to use them. At the time of writing, there were no plans to integrate S/MIME or PGP encryption for ordinary users.
Encrypting email on iOS
S/MIME support is included on all Apple devices, and iOS is no exception; it's easy to toggle even for ordinary users, provided an S/MIME certificate for your address has first been installed on the device (the exact menu names vary between iOS versions):
- Go to Settings and tap Accounts & Passwords
- Select the email account that you want to encrypt
- On the next screen, tap Advanced
- Scroll down and locate S/MIME and switch the slider on
- Change Encrypt by Default to Yes
- When you compose a message, a lock icon appears next to each recipient; tap it to toggle encryption. A blue lock means the recipient's certificate is available and the email can be encrypted; a red lock means no certificate is available for that recipient, so they need to set up S/MIME on their side first.
Android email encryption
If you have an Android phone, you can add an encryption layer to your email, but you'll need third-party apps. After installation you grant the app the permissions it needs and exchange public keys (or certificates) with your recipients. For example, CipherMail adds S/MIME encryption to your existing email client. We can only hope that a future Android version will ship with built-in email encryption.
OSX email encryption
Apple's Mail app supports S/MIME out of the box. Here's how to create a self-signed certificate and set it up:
- Go to Finder > Applications > Utilities and then double-click on Keychain Access
- Find Certificate Assistant and click Create a Certificate
- Name your certificate and click Create and Continue
- Go back to Keychain Access, locate your certificate, right-click it and choose New Identity Preference
- Enter your email address in the box and click Add
- Allow Mail to access the certificate in your keychain when prompted
- Now you can send your certificate to a contact (by sending them a signed message) and start an encrypted conversation by clicking the padlock next to the recipient's address. Keep in mind that a self-signed certificate isn't trusted by anyone else's client until they explicitly choose to trust it, so recipients will see a warning the first time.
Best encrypted email providers
If DIY solutions don't satisfy you and you need to be extra sure that your communications are private, why not opt for a secure email service? These services offer a more natural way to manage your email, with encryption built in that you don't have to set up yourself.
- ProtonMail. It has built-in end-to-end encryption and PGP compatibility. In addition, it offers a free tier and several pricing options depending on the number of domains or sent messages.
- Hushmail. This service offers PGP-encrypted email and domain hosting. You can exchange encrypted messages in the client once the public keys of both the sender and the recipient are available.
- Tutanota. Based in Germany, Tutanota is an end-to-end encrypted email client and service. Its business model relies solely on donations and premium subscriptions, avoiding ad revenue entirely.
- CounterMail. As a secure email provider, CounterMail has a strong reputation as a reliable service with plenty of built-in security features; it's one to keep an eye on.