How to encrypt and protect your email

While other forms of online communication have appeared over the last few years, email is still widely used by individuals and companies around the world. Email lets us transmit a wide variety of information, but its security is questionable. Most providers now encrypt messages in transit between mail servers, yet email is still not truly private: the provider itself can read your mail, a hop along the way can fall back to plaintext, and almost no service encrypts messages and attachments end to end by default. This lack of protection means that your emails are more likely to be read by eavesdroppers and cyber criminals.

Although there are many tools that aim to help users encrypt their email, keep in mind that encrypting email is not a simple process. That doesn't mean that only people with advanced technical skills can do it, but you do need some technical knowledge to use an email encryption solution. Another thing to keep in mind is that encrypting every single email you send is neither necessary nor practical, since most of your correspondents would not know how to decrypt the messages.

Ideally, encrypt the messages that contain sensitive information you don't want third parties to see. Encryption is crucial for protecting confidential company information, and it matters just as much for journalists who need to communicate securely with their sources. In general, use encryption where it is needed; it is unlikely that every message you send and receive requires it. What matters is having the option in place so that you can use it whenever it really is required.

Tips to protect your email

Before we focus on the process of encrypting your emails, we will start with some measures that keep your email account itself protected. You may have these in place already, but if not, they are worth taking into consideration: encryption does little good if an attacker can simply log into your mailbox.

Protect your emails with a strong password

Passwords play a crucial role in security. Make sure that your email account is protected by a strong, unique password: at least 15 characters, and not reused on any other site. Length and uniqueness matter more than mixing numbers, uppercase and lowercase letters and symbols, so a long random passphrase stored in a password manager is the best option. Where your provider offers two-factor authentication, enable it; a compromised mailbox also receives the password-reset emails for your other accounts.

Don’t click on links from senders that you don’t know

Before clicking a link, make sure that you trust the source, and check carefully that the email actually comes from that sender. An email may claim to be from a company, but if you look at the sending address (not just the display name), the wording of the email and other details, you may notice inconsistencies. Hovering over a link shows where it really points, which is often not where the link text says. If an email in your inbox looks suspicious, it is better not to open it at all. It is also advisable to have a spam filter in place.
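As an added illustration of the address checks described above (this is example code, not part of the original article), the following Python script flags three common inconsistencies in a From header: a display name that shows a different address than the real one, a display name that mentions a brand whose domains the sender is not on, and a Reply-To that points somewhere other than the sending domain. The KNOWN_BRANDS table and the sample headers are constructed for the example; the checks complement, and do not replace, your provider's spam filter.

```python
"""Heuristics for the sender checks described above: does the From header
say one thing and mean another?

Added example, not code from the original article. KNOWN_BRANDS and the
sample headers are constructed stand-ins.
"""
import re
from email.utils import parseaddr
from typing import List

# Constructed: brands you expect mail from, and the domains they really use.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "dropbox": {"dropbox.com", "dropboxmail.com"},
}

# An email address embedded in free text; group 1 is its domain.
EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def on_brand_domain(domain: str, brand_domains) -> bool:
    """True if domain is one of the brand's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in brand_domains)


def sender_warnings(from_header: str, reply_to_header: str = "") -> List[str]:
    """Return human-readable warnings; an empty list means nothing odd was found."""
    display_name, address = parseaddr(from_header)
    addr_domain = domain_of(address)
    if not addr_domain:
        return ["From header has no parsable address"]
    warnings = []

    # 1. Display name impersonates an address: "support@paypal.com" <x@evil.example>
    m = EMAIL_IN_TEXT.search(display_name)
    if m and m.group(1).lower() != addr_domain:
        warnings.append(f"display name shows {m.group(0)} but the address is {address}")

    # 2. Display name drops a brand name, but the address is not on that brand's domains.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display_name.lower() and not on_brand_domain(addr_domain, domains):
            warnings.append(f"claims to be {brand} but was sent from {addr_domain}")

    # 3. Replies would go to a different domain than the mail came from.
    reply_domain = domain_of(parseaddr(reply_to_header)[1]) if reply_to_header else ""
    if reply_domain and reply_domain != addr_domain:
        warnings.append(f"Reply-To goes to {reply_domain}, not {addr_domain}")

    return warnings


# Constructed sample headers: one genuine, three of the kind the tip warns about.
SAMPLES = [
    ("PayPal <service@paypal.com>", ""),
    ("PayPal <notice@paypal-secure.example>", ""),
    ('"support@paypal.com" <x3k9@evil.example>', ""),
    ("IT Helpdesk <helpdesk@corp.example>", "IT Helpdesk <reset@corp-login.example>"),
]

if __name__ == "__main__":
    for from_hdr, reply_to in SAMPLES:
        print(from_hdr, "->", sender_warnings(from_hdr, reply_to) or ["ok"])
```

The brand check deliberately accepts subdomains of a known domain (mail.paypal.com) but rejects look-alikes that merely contain the brand (paypal-secure.example); a real deployment would load the brand table from the organisations you actually correspond with.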

Don’t open suspicious attachments

As obvious as the risk may seem, many people still open email attachments without taking any precautions. A large share of malware infections arrive as email attachments, so be very cautious with them. Scan attachments before opening them, be especially wary of attachments from unknown senders, and never enable macros in an Office document because the document asks you to. Some services, such as Gmail, scan attachments automatically; in other cases you will need to do it yourself.

Use BCC

If you are sending an email to a large number of people, use BCC so that the full recipient list is not exposed to everyone on it, or to spammers if one recipient's mailbox is later compromised. If you receive an email addressed to many people, avoid Reply All; reply to the original sender instead of the full list.

Understanding email encryption

Encryption ensures that the contents of a message can only be read by someone who holds the key to decrypt it. Even if someone else manages to access the message, they cannot make sense of it, because encryption scrambles the information. To guarantee that only the intended recipient can read it, email encryption uses public key cryptography: everyone has a key pair, a public key that anyone may use to encrypt messages to them, and a private key that only they hold and that is needed to decrypt those messages.

With PGP, the public key is typically published on a keyserver, together with the owner's name and email address, where anyone can find it; you look up other people's public keys the same way in order to send them encrypted email. (With S/MIME, the public key travels inside a certificate, which usually reaches you in a signed message.) To encrypt an email, the sender uses the recipient's public key to scramble the message. In this type of cryptography the public key cannot be used to decrypt the message; only the recipient's private key can, and that key stays secure on their own device.

Different types of email encryption

The main types of email encryption that you need to be aware of are S/MIME and PGP/MIME. S/MIME support is built into the Mail apps of most iOS and OS X (macOS) devices, and into Outlook. If someone sends you a signed email from such a client, you may see an attachment called smime.p7s: that is the sender's digital signature, which lets your client verify who sent the message and that it was not altered in transit, and it carries the sender's certificate so that you can encrypt your replies to them. S/MIME relies on centralized certificate authorities, which issue the certificates that bind a public key to an email address. It is widely supported by Apple and Outlook and is easy to manage, although setting it up with web-based clients can be more difficult.

PGP/MIME offers more flexibility and uses a decentralized, distributed trust model: you generate your own key pair and decide for yourself whose keys you trust, instead of relying on a certificate authority. It is more widely available because keys cost nothing to create, whereas an S/MIME certificate usually has to be obtained from a certificate authority, often for a fee. PGP/MIME can be used with web-based clients and gives you more control over the encryption: you choose the algorithms and how strong the keys are. In general it is the more affordable and flexible solution, at the price of taking on the key management yourself.
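To make the difference between a signed and an encrypted message concrete, here is an added Python example (not code from the original article) that classifies a message purely by its MIME structure, using the Content-Type rules from RFC 8551 for S/MIME and RFC 3156 for PGP/MIME. The sample messages are constructed, with placeholder bodies in place of real signatures or ciphertext. Note that the text of a clear-signed message stays readable by anyone who intercepts it, and that the Subject line is unencrypted in every case.

```python
"""Tell a signed email from an encrypted one by its MIME structure.

Added example, not code from the original article. The Content-Type rules
are those of RFC 8551 (S/MIME) and RFC 3156 (PGP/MIME); the sample messages
are constructed, with placeholder bodies instead of real crypto data.
"""
import email
from email.message import Message
from typing import Optional


def parse(raw: str) -> Message:
    return email.message_from_string(raw)


def classify(msg: Message) -> str:
    """Return 'smime-signed', 'smime-encrypted', 'pgp-signed',
    'pgp-encrypted' or 'plain'."""
    ctype = msg.get_content_type()
    protocol = (msg.get_param("protocol") or "").lower()

    if ctype == "multipart/signed":
        # Clear-signed: part 1 is the readable message, part 2 only a detached
        # signature over it. Anyone in the delivery path can read part 1.
        if protocol == "application/pkcs7-signature":
            return "smime-signed"
        if protocol == "application/pgp-signature":
            return "pgp-signed"

    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        # PGP/MIME: part 1 is a version marker, part 2 the OpenPGP ciphertext.
        return "pgp-encrypted"

    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # Opaque S/MIME: the body is one CMS blob (smime.p7m); smime-type says
        # whether it wraps a signature or an envelope holding ciphertext.
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "enveloped-data":
            return "smime-encrypted"
        if smime_type == "signed-data":
            return "smime-signed"

    return "plain"


def signature_attachment(msg: Message) -> Optional[str]:
    """Filename of the detached signature part of a clear-signed message
    (the smime.p7s the article mentions), or None."""
    if msg.get_content_type() != "multipart/signed":
        return None
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        return None
    return parts[1].get_filename()


# Constructed samples. "MIIBAAo=" stands in for real DER; it is not a signature.
SMIME_SIGNED = """\
Subject: signed, not encrypted
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig1"

--sig1
Content-Type: text/plain; charset=us-ascii

Anyone who intercepts this message can read this text.
--sig1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIBAAo=
--sig1--
"""

SMIME_ENCRYPTED = """\
Subject: the subject is still readable
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

MIIBAAo=
"""

PGP_ENCRYPTED = """\
Subject: the subject is still readable
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc1"

--enc1
Content-Type: application/pgp-encrypted

Version: 1
--enc1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----
placeholder, not real ciphertext
-----END PGP MESSAGE-----
--enc1--
"""

if __name__ == "__main__":
    for raw in (SMIME_SIGNED, SMIME_ENCRYPTED, PGP_ENCRYPTED):
        m = parse(raw)
        print(f"{classify(m):16} sig={signature_attachment(m)!s:10} subject={m['Subject']!r}")
```

Classification by structure tells you what kind of protection was attempted, not whether it succeeded; verifying the signature or decrypting the envelope is the mail client's job (or a tool such as OpenSSL or GnuPG), and a message that merely carries a .p7s attachment has not been encrypted.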

How to encrypt emails on Outlook

To encrypt your Outlook communications, you need a digital certificate (Outlook calls it a Digital ID). It can be obtained and configured by following the steps below. Menu names vary between Outlook versions; the steps mix the ribbon layout (File > Options) with the older Tools > Options menu, so look for the equivalent item in your version.

  1. Go to File, then Options, Trust Center, Trust Center Settings, Email Security and select Get a Digital ID.
  2. Select the certification authority you want a Digital ID from; Comodo (now Sectigo) is one option. Your Digital ID should arrive via email.
  3. Once you have the digital certificate/ID, select Tools, then Options, and click the Security tab (in newer versions this is the same Email Security pane as in step 1).
  4. Enter the name that you prefer into the Security Settings Name Field. S/MIME should be the option selected on the Secure Message Format box. Make sure that the Default Security Setting is checked.
  5. Go to the Signing Certificate section under Certificates and Algorithms. In the Select Certificate box, choose your Secure Email Certificate, if it is not selected already.
  6. Mark the option that says Send these Certificates with Signed Messages. Then click OK to save your settings and go back to Outlook.
  7. Now that you have a digital signature for your emails, you need to attach it since it won’t be added by default. To do this, you need to:
  • Select New Message. Then go to Tools, select Customize and then click the Commands tab
  • Select Standard in the Categories list
  • Click Digitally Sign Message in the Commands list
  • Click and drag the listing to your toolbar. When you want to add the digital signature, you just need to click that.
  • You should also click and drag Encrypt Message Contents and Attachments into the toolbar

Keep in mind that digitally signing an email and encrypting it are different things: a signature proves who sent a message and that it was not altered, while encryption hides its contents. To send an encrypted email in Outlook you need the recipient's certificate, which means they should previously have sent you at least one digitally signed email. Likewise, to receive encrypted email, you first need to send the other person one (unencrypted) email carrying your digital signature. Outlook saves the certificate it finds in the signature with the contact, and that is the key it then uses to encrypt to them.

Although this complicates the process a little, you can digitally sign your email by clicking the new Sign button before you send it. Once each of you has received a signed message from the other, and has saved the other's certificate into the address book or key chain, you will be able to send and receive encrypted messages. All you need to do is click the Encrypt button that was added earlier before pressing Send.

How to encrypt emails on iOS

The Mail app on iOS devices comes with S/MIME support. Go to the account's Advanced settings, enable S/MIME and set Encrypt by Default to Yes. Once you do this, you will see a padlock icon next to each recipient's name; to encrypt the email, tap the padlock so that it is closed. In an Exchange environment, iOS looks up recipients in the Global Address List (GAL), the organisation's directory, which can publish users' S/MIME certificates. If it finds a certificate for a recipient, the padlock icon turns blue.

You may also see a red padlock icon next to a recipient's address, which means that iOS has no certificate for them: perhaps you work in different companies, or you simply haven't installed that person's certificate yet, so encrypted messages cannot be exchanged with them. Just like with Outlook, you will need to receive at least one digitally signed email from that person.

You will also need to send them an email with your digital signature attached. The option to sign your emails by default is in the same Advanced settings menu as the encryption options. Once you receive their signed email, follow these steps:

  1. Tap the sender's address. You will see a red question mark icon indicating that the signature is not yet trusted.
  2. Tap View Certificate and then tap Install. Once the certificate is installed, the button turns red and reads "Remove".
  3. Tap Done in the top right corner. The padlock icon will turn blue when you compose a message to that person. Tap the icon to close the padlock and encrypt the email.

How to encrypt emails on OSX

Having the recipient's digital signature is also required to send encrypted messages from the default Mail app in Mac OS X. When you compose a message and enter the recipient's email address, you will see a checkmark icon indicating that the message will be signed, and a padlock icon next to it. The difference in OS X is that you cannot pick individual recipients to encrypt to: you need certificates for all the recipients, otherwise you cannot encrypt the email at all. The message is signed when you send it; if a signed message is modified afterwards, the recipient's client reports the signature as invalid rather than trusted.

How to encrypt your email on Android

There are several ways to encrypt your email on Android. One is CipherMail, an app that lets you send and receive S/MIME encrypted email through the Gmail app and some third-party clients; the certificate rules described in the previous sections apply here as well. The other is PGP/MIME, for which you need a PGP-capable email app plus a keychain app to store keys. PGP setup takes more steps, but you do not need to have received a signed message from someone before encrypting to them: their public key is enough.

You can use OpenKeychain to store other people's public keys. It is a free keychain app that works well with K-9 Mail and other email apps, and it can create your own key pair: enter your name, email address and a password and the keys are generated automatically. If you already have a key, you can import it, and you can export a key generated here to use it on other devices and in other apps.

With OpenKeychain you can also search for other people's public keys online, which lets you send them encrypted email. Once you have added someone's public key to your keychain, it stays available for future use. To use OpenKeychain with an email app, open the app's settings and set OpenKeychain as the OpenPGP provider. The exact steps depend on the app, but the option is normally found in its settings menu.

How to encrypt web-based email clients

For web-based email clients such as Gmail, the practical option is PGP/MIME, since its setup is less complicated. You can use a browser extension such as Mailvelope (available for Chrome and Firefox); desktop tools such as GPGTools, GNU Privacy Guard and the Enigmail add-on for Thunderbird work in much the same way. The first step is to install the extension and open its options menu. To generate your own key, enter a name, email address and password, then click Generate. Most email encryption extensions include a key generator and a key ring. If you have previously generated a key, you can simply import it by copying and pasting it.

Once you have a key pair, the next step is to make sure that others can find your public key, so that they can send you encrypted email. You can upload it to a keyserver such as MIT's PGP keyserver, a widely used option that is free and simple. In the extension settings (we'll use Mailvelope as an example), go to Display Keys and click on the key you just generated. Then go to Export to see your public key in plain text and copy it to your clipboard. Go to the MIT PGP keyserver, paste the key into the "Submit a Key" field and press Submit. Return to the keyserver homepage and search for the name you entered to make sure that it is now listed. Bear in mind that keyservers do not verify identities: anyone can upload a key carrying anyone's name and email address, so a correspondent should confirm your key's fingerprint with you through another channel (in person, by phone, or on a website you control) before trusting it.

Write down the key ID that appears in the Mailvelope settings and in the MIT listing, and preferably the full 40-character fingerprint. The fingerprint is your key's unique identifier and is what distinguishes you from another person with the same name on the keyserver; the short 8-character key IDs shown in many listings are not unique and can be deliberately collided, so compare full fingerprints whenever it matters. You may have seen that some journalists (including Glenn Greenwald, who worked with Edward Snowden) publish their public keys or fingerprints on their social media profiles or websites so that other people can send them encrypted email. On the MIT keyserver you can also find public keys belonging to other people: click the Key ID of the person you are looking for to see their key in plain text, then copy and paste it into the Import section of Mailvelope to save it to your keyring.
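The key ID is not a separate identifier but a truncation of the key's fingerprint. The following Python example (added here, not part of the original article) derives the version 4 fingerprint, the 16-character long key ID and the 8-character short key ID from an RSA public-key packet exactly as RFC 4880 section 12.2 specifies. The key material is a tiny constructed modulus so that the script runs offline; the procedure is identical for a real 2048-bit or 4096-bit key.

```python
"""Derive an OpenPGP v4 fingerprint, long key ID and short key ID from a
public-key packet, to show what the "key ID" on a keyserver listing is.

Added example, not from the original article. SAMPLE_N is a made-up 64-bit
modulus, far too small for real use; the derivation (RFC 4880 12.2) does
not depend on the key size.
"""
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer:
    a 2-byte bit length followed by the big-endian magnitude."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def rsa_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 public-key packet for an RSA key:
    version (4) | creation time | algorithm id (1 = RSA) | MPI n | MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length and the body,
    shown as 40 upper-case hex characters."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def long_key_id(fpr: str) -> str:
    # The 64-bit key ID is simply the low-order 8 bytes of the fingerprint.
    return fpr[-16:]


def short_key_id(fpr: str) -> str:
    # The 32-bit "short" ID shown by older tools and listings is the low-order
    # 4 bytes: cheap to collide on purpose, so never enough to identify a key.
    return fpr[-8:]


# Constructed sample key material (NOT a real key).
SAMPLE_N = 0xC4F8E9E15DCADF2B
SAMPLE_E = 65537
SAMPLE_CREATED = 1_500_000_000  # key creation time, seconds since the epoch


def demo() -> dict:
    body = rsa_public_key_packet_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
    fpr = fingerprint(body)
    return {"fingerprint": fpr, "key_id": long_key_id(fpr), "short_id": short_key_id(fpr)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

Two things the derivation makes visible: the creation timestamp is hashed along with the key material, so the same RSA modulus re-imported with a different creation time gets a different fingerprint and key ID; and because the short ID is only 32 bits, an attacker can generate a key whose short ID matches yours in minutes, which is why a listing that matches on name and short ID alone proves nothing.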

Once your public key is available to others and you have added your recipients' keys to your keyring, you will be able to send and receive encrypted emails. Mailvelope adds a button to the Gmail composer that opens a separate window where you type the message to be encrypted. When you have finished writing, press the Encrypt button, select a recipient and move the encrypted text into the email. You can also add unencrypted text to the email; just make sure that you don't alter the encrypted text in any way. Remember that the subject line and the sender and recipient addresses are never encrypted by PGP/MIME or S/MIME, so keep sensitive information out of the subject.

When an encrypted email arrives, the browser extension should recognise it and offer to decrypt it. Keep in mind that the recipient of an encrypted email needs a PGP-capable extension or tool of their own. With Mailvelope, you click the icon that appears when you hover over the encrypted text and then enter your password. One thing to check is whether your extension encrypts attachments: Mailvelope, like many web-based encryption extensions, did not at the time of writing. What you can do is encrypt the attachments before uploading them, using GNU Privacy Guard with the same key pair. Alternatively, you can use a file encryption app.

Temporary email addresses

While encryption protects the content of a message and makes it inaccessible to others, the sender's address is still exposed. If you need to send an email without revealing your identity, you can use a fake or temporary email address. Several disposable email services, including Mailinator, Fake Mail Generator and Guerrilla Mail, let you receive (and in some cases send) messages without exposing your real address; they are web-based and require no registration. Two caveats apply. Inboxes on these services are typically public, so anyone who guesses or sees the address can read what arrives, and the service still sees your IP address, so they hide your identity from your correspondent, not from the service itself. Never send sensitive content through one.

Conclusion

Uploading your public PGP key to a keyserver makes it easy for others to send you encrypted emails. If you prefer not to upload it, you can simply send your public key as plain text to the people you want to receive encrypted email from, or publish it on a website you control. There are also apps that claim to encrypt your email but don't use PGP/MIME or S/MIME. Although this can simplify setup, it is unlikely that they provide the same level of privacy. Whatever you choose, the security of your messages ultimately rests on keeping your private key and its passphrase secret.