Encrypt Your Emails: Introducing 3 Email Encryption Methods

Despite the widespread use of WhatsApp, Twitter, and the like, a large proportion of internet users still send private and professional emails on a regular basis. What many of them don't know: emails are unencrypted by default and as a result, can be read or even manipulated—either along the way to their destination or by the email provider. Not only that—there's also a risk that someone could impersonate the sender. All in all, emails present a greater security risk than many people realize.

End-to-end encryption (i.e., encryption from the sender to the recipient) resolves these problems at their core. If you want to ensure that your future emails are sent securely, you're in the right place; this article explains exactly how the process works.

S/MIME (secure/multipurpose) is a standard, proven method for encrypting emails that was introduced back in 1999.

S/MIME relies on "asymmetric encryption," which utilizes pairs of keys. Each pair consists of a public key and a private key.

When you send an encrypted email to a contact, you need the contact's public key. They can only read the message with their private key; no one else will be able to see it.

If your contact sends you a message, they generate an email from your public key, which again, only you are able to decrypt using your private key.

Another important S/MIME feature is that emails can be digitally signed. This ensures recipients where your email originated from (you), and protect against increasingly tricky phishing attacks. In our article on data theft, you'll find more detailed information on the various methods which are used in these.

To get started with S/MIME encryption, you'll need an email client such as Thunderbird, Outlook, or Apple Mail, as well as an S/MIME certificate. The latter can be obtained from various providers. Doubts have been raised about the seriousness of free offers, which often include certificates with short terms or limited features. One way to play it safe is by creating a self-signed certificate with OpenSSL.

Alternatively, you can purchase a paid certificate such as those offered by Sectigo, which will only set private users back $16.99 per year. However, keep in mind that purchased certificates could pose a security risk because they were not generated locally on your computer.

If you have the S/MIME certificate on your computer, double-click it. It can then be imported.

Unlike most email clients such as Outlook, Thunderbird manages certificates itself. Start the program and select Extras from the Menu, followed by Account Settings, and lastly, on the left, End-to-End Encryption.

Click on the Manage S/MIME Certificate button. A Certificate Manager pop-up window will open.

Click on the Import button and select the certificate file.

Then input the password you received (e.g., per text message) and click OK to confirm.

If completed successfully, the imported certificate will be displayed. Next, click OK.

Click the Select button under S/MIME and Personal certificate for digital signature. Your certificate will already be displayed—all you need to do is click OK to confirm. You now have the option to add a digital signature to your emails, which is a way for the recipient to verify that the email is actually from you.

Thunderbird will now ask if you also want to set up a certificate for encrypted emails you receive from others. Select Yes to confirm, and then OK in the pop-up notification that follows. By default, encryption is disabled in Thunderbird.

You can now send, sign, and also received encrypted emails provided that the required certificates are available for both the sender and recipient. To send an email, click the Security button and select whether the message should be encrypted and signed.

PGP (Pretty Good Privacy) offers another secure method for encrypting emails. As with S/MIME, PGP also uses asymmetric encryption that relies on pairs of keys, each consisting of a private and a public key.

To exchange emails, you send your public key and signature to the recipients of your confidential emails, and vice versa for those dispatching emails to you. Finally, the private key, which is absolutely confidential, is used to decrypt incoming emails and verify identities.

The recipient's public key is needed to encrypt outgoing messages. The same applies to incoming emails: your counterpart needs your public key to encrypt an email.

PGP is available from various providers. OpenPGP is free and widely available. If you use Outlook, you can integrate OpenPGP by downloading the free GpgWin, after which you can generate a pair of keys and import them into Outlook.

OpenPGP has supported Thunderbird by default since version 78. Open the program and switch to Account Settings. Select End-to-end encryption from the left side, and then click on Add Key.

You can either add an existing pair of keys or generate a new one. If you need a new pair, select Create a new OpenPGP Key and click Continue.

Next, specify the expiration date of the newly created key (if desired), and click the blue Generate key button.

Click Confirm to start the process.

Once finished, OpenPGP is configured.

Creating backup ensures that you'll always have access to your encrypted emails, even if your computer is damaged or stolen.

To create a private key backup, select your OpenPGP key and click on the chevron (two angled dashes) on the far right. The key information section will now be expanded. Click More and then Backup Secret Key To File.

Now save the file with the ASC extension, preferably on an external storage device.

To send your public key to your contacts, click on More in Key Properties and then on Send public key by email. An email will open with the ASC file attached. All you have to do is specify the recipient and send the email.

If you receive a public key by email, right-click on the ASC attachment and select Import OpenPGP Key. Thunderbird will then ask you if you want to import the key. To do so, click Accepted (unverified).

A message will confirm that the process was successful.

To create a new email, click Compose in Thunderbird. If you want to encrypt and/or sign the message, click on the Security button (lock icon).

Next, select Require Encryption, Digitally Sign This Message, and/or Attach My Public Key. Once you're finished, you can send your message.

You should still verify that a received public key came from the true sender. To do so, click the OpenPGP icon on the far right and then select Show digital signature key.

Tutanota and ProtonMail are two email services that aim to simplify message encryption for their customers without compromising on security. Both store the user's private key in encrypted form on their respective servers. Users can access their keys via password.

ProtonMail relies on OpenPGP, while Tutanota uses both a symmetric AES 128 encryption method, as well as an asymmetric AES 128/RSA 2048 one. The latter enjoys an advantage over PGP—not only are the email's content and attachments encrypted, but also the subject line, the sender's name, and the names of the recipients.

Both Tutanota and ProtonMail offer private customers free accounts with basic features. Those in need of more services and storage space can purchase a premium account.

Both providers offer several advantages and disadvantages when set alongside PGP and S/MIME.

One thing's for sure: you'll have much greater security with either provider compared to using unencrypted email. In the next segment, we'll show how email encryption works using ProtonMail as an example.

First, you'll need to register with the provider. After your first login, an assistant will guide you through the most important steps in setting up your account.

Generally speaking, you can do four things with ProtonMail:

To send an unencrypted email, click the blue New Message button. Compose your message and when finished, click Send. Note that messages sent with ProtonMail to non-ProtonMail customers have an expiration date. For non-encrypted messages, this entails seven days, however, it can be altered. To change when a message expires, click on the hourglass icon (marked red in the image below).

If you're sending an encrypted message to a non-ProtonMail user, click on the lock icon in the message window (highlighted in green in the image above). The Encrypt for non-ProtonMail users pop-up will open. Enter a password, confirm it, and add a password hint if desired. Click Set, and then Send.

Recipients can read the message by clicking on the blue View Message button.

The web browser opens and the recipient is prompted to enter a password.

If the password matches, the email will be decrypted.

Emails sent to other ProtonMail users are automatically encrypted. Once received, they are automatically decrypted for the recipient, allowing them to be read immediately.

To send a PGP-encrypted message to another (non-ProtonMail) PGP user, select New Message and then click the chevron on the far right of the formatting icons bar. Select Attach Public Key. This will share your public key with your intended recipient.

When someone sends you their public key, click Trust Key in the accompanying message. A pop-up will ask you if you trust this key. If you do, click on Trust Key.

The green lock in the "To" field tells you that you're sending an email to a contact whose public key you've imported.

The email is now encrypted with PGP. If you want to automatically encrypt all outgoing emails, click the Settings button in the upper right corner, then Go to settings, and finally on Encryption and key on the menu to the left.

In this article, we've introduced you to some ways you can shield your emails from prying eyes. But is it really necessary for everyone to encrypt their emails? Isn't that a bit overkill? Ultimately, email encryption is about protecting your personal data. Therefore, if you are sending potentially sensitive information and want to avoid issues, it is highly recommended to encrypt your emails. On the other hand, if what you're sending is not privileged or personal, then encryption is not necessary.

Should you have a serious need for security, go for PGP or S/MIME. If your priority is simple and secure encryption for everyday use, then ProtonMail will serve you well.