How to encrypt email (Gmail, Outlook iOS, OSX, Android …

Email was one of the earliest forms of communication on the internet, and if you're reading this you almost undoubtedly have at least one email address. Critics today decry the eventual fall of email, but for now it's still one of the most universal means of communicating with other people that we have. One of the biggest problems with this cornerstone of electronic communication is that it isn't very private. By default, most email providers do not provide the means to encrypt messages or attachments. This leaves email users susceptible to hackers, snoops, and thieves.

So you want to start encrypting your email? Well, let's start by saying that setting up email encryption yourself is not the most convenient process. You don't need a degree in cryptography or anything, but it will take a dash of tech savvy. We'll walk you through the process later on in this article.

Alternatively, you can use an off-the-shelf encrypted email client. Tutanota is one such secure email service, with apps for mobile and a web mail client. It even encrypts your attachments and contact lists. Tutanota is open-source, so it can be audited by third parties to ensure it's safe. All encryption takes place in the background. While we can vouch for Tutanota, it's worth mentioning that there are a lot of email apps out there that claim to offer end-to-end encryption, but many contain security vulnerabilities and other shortcomings. Do your research before choosing an off-the-shelf secure email app.

If you'd prefer to configure your own email encryption, keep reading.

Encryption, put simply, is no more than scrambling up the contents of a message so that only those with a key can decrypt it. Sort of like those puzzles you did in school where every letter of the alphabet had to be converted to some other letter of the alphabet so as to decode the final message. Computers make the scrambling far more complex and impossible for a human to crack by hand. When you encrypt an email, its contents are scrambled, and only the receiver has the key to unscramble it.

To make sure only the intended recipient can decrypt the message, email encryption uses something called public key cryptography. Each person has a pair of keys, one public and one private: the digital codes that allow an encrypted message to be locked and unlocked. Your public key is stored on a key server where anyone can find it, along with your name and email address. Conversely, you can find other people's public keys on keyservers to send them encrypted email.

When you encrypt an email, you use the recipient's public key to scramble the message. Due to the technology behind this type of cryptography, the public key cannot be used to decrypt it. The email can then only be decrypted by the recipient's private key, which is stored somewhere safe and private on his or her computer.
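To show what "encrypt with the recipient's public key, decrypt with the recipient's private key" looks like in working code, here is an added example (written for this article, not code from the page or from any of the products it mentions). It goes slightly beyond the paragraph: like real OpenPGP and S/MIME, it does not encrypt the body with RSA directly but with a fresh random session key, and only that session key is wrapped with the recipient's public key. The Envelope type and the Seal/Open function names are this example's own invention, not any library's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a constructed (hypothetical) wire format for one message. Real
// OpenPGP and S/MIME packets look different, but the structure is the same:
// the body is encrypted under a random session key, and that session key is
// encrypted under the recipient's public key.
type Envelope struct {
	WrappedKey []byte // session key, RSA-OAEP encrypted to the recipient's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // body encrypted with AES-256-GCM (authentication tag appended)
}

// Seal encrypts body so that only the holder of the private key matching
// recipientPub can read it. The sender needs nothing but the public key.
func Seal(recipientPub *rsa.PublicKey, body []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // fresh 256-bit key for this message only
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, body, nil)
	// Only the matching private key can undo this step; the public key cannot.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open recovers the body with priv. It fails when priv is not the recipient's
// private key (the sender's own key, for example) and when the ciphertext was
// modified in transit, because GCM authenticates the body.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: not the recipient's private key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext rejected: modified in transit or wrong key")
	}
	return body, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Two parties, each with their own key pair; in practice each side
	// generates its own and publishes only the public half.
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)

	env, err := Seal(&recipient.PublicKey, []byte("constructed sample body: the report is attached"))
	if err != nil {
		panic(err)
	}
	if _, err := Open(sender, env); err != nil {
		fmt.Println("sender's own private key:", err)
	}
	body, err := Open(recipient, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient reads: %q\n", body)
}
```

The session-key design is why one encrypted email can be addressed to several recipients at once: the body is encrypted once, and the small session key is wrapped separately under each recipient's public key.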

There are two main types of email encryption methods you need to know exist: S/MIME and PGP/MIME. The former is built into most OSX and iOS devices. When you receive an email sent from a Macbook or iPhone, you'll sometimes see a 5-kilobyte attachment called smime.p7s. This attachment verifies the identity of the receiver so only he or she can read the email. S/MIME relies on a centralized authority to choose the encryption algorithm and key size, is easy to maintain, is harder to set up with web-based email clients, and is more widely distributed thanks to Apple and Outlook.

The other heavyweight in email encryption is PGP/MIME, which is what we're going to focus on in the latter part of this tutorial. You get more flexibility in how you encrypt emails, it relies on a decentralized, distributed trust model, and it's fairly easy to use with web-based email clients. It's also free to get a certificate, which S/MIME is usually not (you buy it when you buy an iPhone or Macbook). With PGP, not only can you choose how you encrypt, you can specify how well encrypted the messages you receive must be.

This makes PGP/MIME cheaper and more flexible, but before we get into that, we'll look at the S/MIME encryption features built into Outlook and Apple products.

Now that you have a digital certificate/ID, follow these instructions to get it into Outlook:

Okay, so now you've got a digital signature to put on your emails, but they won't appear by default. To attach your digital signature:

At this point we want to remind you that digitally signing an email is not the same as encrypting it. However, if you want to send someone an encrypted message on Outlook, that person needs to have sent you at least one email with their digital signature attached. This is how Outlook knows it can trust the sender. Conversely, if you want to receive an encrypted email from someone else, you'll need to send them one unencrypted email first with your digital signature on it. This is a tedious downside to S/MIME. You can digitally sign your email just by clicking the new Sign button before sending.

Now that you have each other's digital signatures and certificates saved into your respective key chains (address books), you can start exchanging encrypted emails. Just click the Encrypt button that we added before hitting send, and that's all there is to it!

S/MIME support is built into the default email app on iOS devices. Go into the advanced settings, switch S/MIME on, and change Encrypt by Default to Yes. Now when you compose a new message, lock icons will appear next to recipients' names. Simply click the lock icon closed to encrypt the email.

iOS consults the global address list (GAL), a sort of keyserver for S/MIME certificates, to find contacts in your Exchange environment. If found, the lock icon will be blue.

When you receive that email, do the following:

Sending encrypted messages in the default mail program in Mac OSX requires the same condition as iOS and Outlook: you must first have the recipient's digital signature stored on your device. When you compose a message and type in the recipient's email, a checkmark icon will appear to show the message will be signed.

Next to the signature icon, a lock icon also appears. Unlike iOS, where you can select which recipients will receive encrypted email and which don't, OSX is an all-or-nothing affair. If you don't have the certificate for all of the recipients, the email cannot be encrypted.

Remember to sign emails only after you've finished writing them. If the email has been altered after signing, the certificate will show up as untrusted.
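Two points above deserve a concrete demonstration: that signing is not encrypting (the Outlook section), and that a signed message which is edited afterwards fails verification (the note just above). The following is an added example written for this article, not code from Apple, Microsoft or the page itself. It uses RSA-PSS over a SHA-256 digest, which is one common signature scheme; S/MIME and PGP wrap the result in their own formats, which are not reproduced here. The function names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignMessage creates a detached signature over body with the sender's private
// key. The body itself stays readable: a signature proves who wrote the message
// and that it has not changed since, but it hides nothing.
func SignMessage(senderPriv *rsa.PrivateKey, body []byte) ([]byte, error) {
	digest := sha256.Sum256(body)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
}

// VerifyMessage checks sig against senderPub. It returns true only when body is
// byte-for-byte what the holder of the matching private key signed.
func VerifyMessage(senderPub *rsa.PublicKey, body, sig []byte) bool {
	digest := sha256.Sum256(body)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil) == nil
}

// AlteredAfterSigning simulates editing a message after it was signed: it
// returns a copy of body with a postscript appended, leaving body untouched.
func AlteredAfterSigning(body []byte) []byte {
	altered := append([]byte{}, body...)
	return append(altered, []byte(" P.S. one more thing")...)
}

func main() {
	// Constructed keys: one legitimate sender, one unrelated key pair.
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)

	body := []byte("constructed sample: contract draft v3 is attached")
	sig, err := SignMessage(sender, body)
	if err != nil {
		panic(err)
	}
	// The signed body is still plaintext: signing did not encrypt anything.
	fmt.Printf("body as transmitted: %q\n", body)
	fmt.Println("unaltered, sender's key:   ", VerifyMessage(&sender.PublicKey, body, sig))
	fmt.Println("altered after signing:     ", VerifyMessage(&sender.PublicKey, AlteredAfterSigning(body), sig))
	fmt.Println("checked against other key: ", VerifyMessage(&other.PublicKey, body, sig))
}
```

A mail client that shows the certificate as untrusted after an edit is doing exactly the second check: the digest of what it received no longer matches the digest the signature was computed over.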

On Android, you've got a couple of options for how to encrypt your email. The CipherMail app allows you to send and receive S/MIME encrypted mail using the default Gmail app and some 3rd-party apps like K-9. It follows the same certificate rules as what we already discussed above.

The other option is to use PGP/MIME, which requires both an email app and a keychain to store certificates. PGP requires a bit more setup, but you don't need to receive someone's digital signature in advance to send them encrypted email.

OpenKeychain is a simple and free keychain tool for storing other people's certificates. It works well with K-9 Mail, but some other email apps might also be compatible.

In OpenKeychain, you can create your own public and private keys. Input your email address, name, and password, and it will generate these keys for you. If you have an existing key, you can import it. To use a generated key with other devices and apps, you may export it.

OpenKeychain also helps you search for other people's public keys online so you can send them encrypted email. After you've added someone's public key to your keychain, it will be saved for more convenient use later.

To use OpenKeychain with an email app, go into the email app's settings and make OpenKeychain your default OpenPGP provider. This process varies from app to app, but it should just take a bit of digging through settings menus to find it. Not all email apps (including Gmail) will support encryption, however.

For web-based email clients like Gmail, we recommend a PGP/MIME encryption solution, as they are far easier to incorporate than S/MIME. For the purposes of this tutorial, we're going to use a Chrome extension called Mailvelope with Gmail. Most browser extensions work in a similar manner, however, and follow the same basic principles. You can also consider Enigmail, GPGTools, and GNU Privacy Guard.

To get started, install the extension and open the options menu. Start by generating your own key: enter a name, email, and password and click Generate. Most email encryption extensions come with a built-in key generator and key ring. If you already have a key, just select the option to import it via copy and paste.

Now you've got an encryption key, but it doesn't do much good if no one can find your public key to send you encrypted mail. You can upload your public key to a keyserver. We suggest MIT's keyserver because it's popular, free, and easy to use. In the Mailvelope settings, navigate to Display Keys and click on the one you just made. Go to Export to see the plain text of your public key. Copy it to your clipboard.

Head to the MIT PGP Keyserver and paste your key into the Submit a Key field and hit submit. Now go back to the MIT keyserver homepage and search the name you entered. You should see your key listed.

Take note of the key ID, which is displayed both in the Mailvelope settings and on the MIT listing. This is useful if you have the same name as someone else on the keyserver because it serves as a unique identifier. Journalists, for instance, often publish their key ID onto their online profiles and social media so sources know for certain that they are emailing the right person.
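The key ID is unique even when two people share a name because it is not derived from the name at all: OpenPGP computes a fingerprint over the public key material itself, and the key ID is the tail end of that fingerprint. The following added example (written for this article, not Mailvelope's or GnuPG's code) computes a version 4 fingerprint and key ID for an RSA public key following RFC 4880 section 12.2: SHA-1 over the byte 0x99, a two-byte length, and the public-key packet body (version, creation time, algorithm, then the key's numbers as MPIs). The helper names are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// mpi encodes a big integer as an OpenPGP multiprecision integer:
// a two-byte bit length followed by the magnitude, big-endian, no leading zeros.
func mpi(n *big.Int) []byte {
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(n.BitLen()))
	return append(out, n.Bytes()...)
}

// publicKeyPacketBody builds the version 4 Public-Key packet body for an RSA
// key. Note what is absent: the owner's name and email address live in a
// separate User ID packet and never enter the fingerprint.
func publicKeyPacketBody(pub *rsa.PublicKey, created time.Time) []byte {
	body := []byte{0x04} // packet version 4
	ts := make([]byte, 4)
	binary.BigEndian.PutUint32(ts, uint32(created.Unix()))
	body = append(body, ts...)
	body = append(body, 0x01) // public-key algorithm 1 = RSA
	body = append(body, mpi(pub.N)...)
	body = append(body, mpi(big.NewInt(int64(pub.E)))...)
	return body
}

// Fingerprint returns the 40-hex-digit v4 fingerprint (RFC 4880 section 12.2).
// SHA-1 is used because that is what the v4 format specifies, not as a
// recommendation for new designs.
func Fingerprint(pub *rsa.PublicKey, created time.Time) string {
	body := publicKeyPacketBody(pub, created)
	length := make([]byte, 2)
	binary.BigEndian.PutUint16(length, uint16(len(body)))
	h := sha1.New()
	h.Write([]byte{0x99})
	h.Write(length)
	h.Write(body)
	return strings.ToUpper(hex.EncodeToString(h.Sum(nil)))
}

// KeyID is the low-order 64 bits of the fingerprint: its last 16 hex digits.
func KeyID(fingerprint string) string {
	return fingerprint[len(fingerprint)-16:]
}

func main() {
	// Two constructed keys that would both be listed under the same name;
	// the fingerprints tell them apart because the name is not hashed.
	created := time.Unix(1700000000, 0)
	for i := 1; i <= 2; i++ {
		key, _ := rsa.GenerateKey(rand.Reader, 2048)
		fp := Fingerprint(&key.PublicKey, created)
		fmt.Printf("key %d  fingerprint %s  key ID %s\n", i, fp, KeyID(fp))
	}
}
```

Because the fingerprint is a hash, it only identifies a key if you compare the whole thing: the 8-digit short key IDs that older keyserver listings show are small enough that a second key with the same short ID can be generated, so when you read a journalist's key ID off a profile page, check the full fingerprint against what your keyring shows.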

While we're on the MIT keyserver site, you can use it to search for the public keys of others. Click on the key ID of the person you are searching for to display the plain text of their key. Copy it and paste it into the import section of Mailvelope to add it to your keyring.

Now that you've added recipients to your key ring and made your own public key available to others, you can start sending and receiving encrypted mail. Mailvelope adds a button to the Gmail composer that opens another window where you can type out the message you want to encrypt. When you're done, hit the encrypt button, choose the recipient, and transfer the encrypted text into the email. You can add unencrypted text in the email as well, but don't tamper with the encrypted text.

When you receive an encrypted email, the browser extension you chose should automatically recognize it and offer to decrypt it. The recipient will need an extension or some sort of PGP decryptor app on their end. In Mailvelope's case, I just click the icon that appears hovering over the encrypted text, enter my password, and voila!

The downside to Mailvelope, and indeed most web-based encryption extensions, is that they don't encrypt attachments. You can use GNU Privacy Guard to encrypt attachments with PGP before uploading them, which allows you to encrypt using the same key pair. Or you can opt for any one of these file encryption apps.

Encryption only hides the content of the message, not the sender's email address. For any number of reasons, a time may come when you need to send an email anonymously to hide your identity. To do this, a few burner email services will give you a temporary fake email address.

Guerrilla Mail is our top choice. You can set up a disposable email address from which you can send and receive messages. It includes a password manager so you don't have to memorize passwords for multiple burner accounts. Best of all, it's completely web-based with no registration required, which makes hiding your identity that much more effective.

Zmail is another solid option for sending fake email if you prefer a desktop client rather than a web app.

Nine out of 10 viruses that infect computers come from email attachments. No level of encryption will protect you from being careless. It's therefore very important to scan all email attachments before opening them, especially from senders you don't recognize. Viruses disguised as Microsoft Word documents are especially common. Many email clients, including Gmail, will automatically scan attachments for you, but others will require you to do so manually.

Don't click on links in emails from unreliable sources. In fact, just don't open emails altogether if they don't look trustworthy. A spam blocker will go a long way toward avoiding these.

If you email a large group of people, use BCC so spammers can't get hold of the list. Conversely, if someone includes you in a long list of CCed email addresses, don't hit reply all without carefully considering the alternatives.

Finally, set a strong password on your email account and change it every so often. Read through our guidelines if you're not sure what constitutes a strong password, or use a password strength checker if you're still unsure how strong yours is.

Now, let's get on with encryption.


Many apps and email services out there promise email encryption but don't use S/MIME or PGP/MIME. These are indeed much easier and faster to set up, but be aware that they roll their own encryption and may not strive for the same privacy standards. SafeGmail and Virtru are examples of these, and we don't recommend them.

We encourage you to upload your public PGP key to a keyserver, but it's not required. Instead, you can just send the plain text of your public key to the person(s) you want to receive encrypted mail from.

Email encryption provides a secure means of sending messages containing sensitive material as well as a means for others to send you sensitive material. Journalists use it to correspond confidentially with sources. Businesses use it to relay trade secrets and classified documents. Lawyers use it to keep sensitive client and case information safe. You get the idea. In our opinion, email encryption is something you should have readily available when the need arises, but it's not necessary for everyday communication.
