How to encrypt email
In an earlier blog post I covered the most common technologies for email encryption and a bit of how they work. PGP and S/MIME are the most popular schemes, and a lot of clients support at least one of them.
These are all the steps required to go from having no encryption, to encrypting all of your future emails.
Getting keys
PGP and S/MIME are both built upon public-key cryptography, so you and each of your recipients need a key pair: a public key that you hand out, and a private key that you keep to yourself.
PGP
As discussed, PGP relies on a web of trust rather than a central authority, meaning you can generate your keys by yourself.
pgptool.org
By far the easiest way to do this is via the website pgptool.org. Open the link, fill out your details, select the recommended values and wait a couple of minutes. When it is done, click the two red buttons to download your public and private keys. Two caveats: a key generated in a web page is only as trustworthy as that page's JavaScript, because your private key is created inside the browser, so if you can, generate it locally with GnuPG as described below. And although pgptool.org lets you pick never as the expiration time, a one- or two-year expiry is the safer choice: you can extend it at any time with your private key, whereas a key whose private half you have lost would otherwise look valid forever.
GNU Privacy Guard
As an alternative, you can use a desktop program. The most popular one is GNU Privacy Guard (GPG or GnuPG for short). It is available on most desktop operating systems, including Windows and macOS.
The Windows version (Gpg4win) comes with a graphical user interface, so it's easiest to use that:
- Open the application "Kleopatra"
- Click on File -> New Certificate
- Input your details and press OK
- Feel free to click on Advanced Settings and check that RSA is set to 4096 bit, that + RSA is enabled and set to 4096 bits, and that both Signing and Authentication are selected
- On the next screen, press Create
- You'll be asked for a password. Make one up and enter it, but do not forget it!
- The password protects your private key. If anyone gets hold of the private key, they will be able to read mail sent to you and to impersonate you. The password makes sure that doesn't happen, at least until you have told everyone that your key was leaked and revoked it.
- On the final screen, click Finish
- To help with the next chapter, we'll extract your public key. In "Kleopatra" you should see a line containing your name and email. Right-click on it and select Export Certificate.
On Linux and macOS, you can use the command line. Enter this command in your favorite terminal:
gpg --full-generate-key
Follow the prompts on the screen (sample screenshots are available on encryptionconsulting.com). Choose "RSA and RSA" with 4096 bits to match the Kleopatra settings above. GnuPG also writes a revocation certificate to ~/.gnupg/openpgp-revocs.d/; keep a copy somewhere safe, because it is what you publish if the key is ever lost or leaked.
Then export your public key (of course, change me@email.com and the location to your own, but keep the .asc extension):
gpg --armor --export me@email.com > ~/Documents/me-email.com-publickey.asc
S/MIME
Unlike PGP, S/MIME relies on a certificate authority (CA), so you cannot just generate a certificate yourself: a CA has to issue it, which usually means buying one. Any CA that issues S/MIME certificates and whose root certificate your recipients' mail clients trust will work; the CAs on Google's list of trusted CAs are a reasonable guide, since mail clients largely ship the same root stores as browsers and operating systems.
At the time of writing, the only one that provides free certificates is Actalis. Their process is pretty straightforward; just follow the instructions (shown in this article). One thing to check with any CA: if the CA generates the key pair for you and sends you a .p12/.pfx file, the CA has had your private key. Where a CA offers it, prefer generating the key yourself and submitting only a certificate signing request (CSR), which contains the public half.
Exchanging keys
You should now have a text file containing your public key. When you want to send someone an encrypted email, ask them for their public key and send them yours. The public key is not secret, so it can travel by any channel, even unencrypted email. What matters is that it is the right key: anyone who can tamper with that email could substitute their own key and read everything you encrypt to it. So before you use a key you received, compare its fingerprint with the owner over a second channel (read it out on the phone, or check it in person), and only then mark it as verified in your client.
Remember, never send your private key to anyone!
Configuring clients
Now we need to configure your email application to automatically encrypt and decrypt messages. There are a lot of email clients, so I have compiled the most used ones and linked resources on how to set them up.
When writing a message, don’t forget to check if encryption is turned on for this email! On most clients, in the compose window, you’ll have to select an option to enable encryption, but others do that automatically.
Freemium means it has a free and a paid tier. Premium means you have to pay for it. FOSS means it’s free and open source. FreemiumOSS means it is free and open source, but also has paid tiers.
Client | Type | Platform | PGP/Inline | PGP/MIME | S/MIME |
---|---|---|---|---|---|
Web | |||||
Gmail | Freemium | Web | Yes¹ | Yes¹ | Yes² |
Outlook | Freemium | Web | No | No | Yes² |
iCloud mail | Freemium | Web | Yes | Yes | Yes |
Yahoo! | Freemium | Web | No | No | No |
Protonmail | Freemium | Web | Yes | Yes | No |
Roundcube | Self-hosted | Web | Yes¹ | Yes¹ | No |
Rainloop | Self-hosted | Web | Yes | No | No |
Desktop | |||||
Thunderbird | FOSS | Windows, macOS, Linux | Yes | Yes | Yes |
Outlook | Premium | Windows, macOS | No | No | Yes |
Mailbird | Premium | Windows | No | No | No |
Evolution | FOSS | Linux | Yes | Yes | Yes |
Sylpheed | FOSS | Windows, macOS, Linux | Yes | Yes | No |
Claws-mail | FOSS | Windows, Linux | Yes¹ | Yes¹ | Yes¹ |
Mobile | |||||
Gmail | Free | Android, iOS | No | No | Yes³ |
Outlook | Free | Android, iOS | No | No | Yes³ |
Apple Mail | Free | iOS | Yes | Yes | Yes |
Yahoo! | Free | Android, iOS | No | No | No |
Edison | Free | Android, iOS | No | No | No |
Protonmail | Free | Android, iOS | Yes | Yes | No |
K-9 Mail | FOSS | Android | Yes | Yes | No |
FairEmail | FreemiumOSS | Android | Yes | Yes | Yes* |
¹ Available with an extension/plugin
² Available only in a paid tier of the software (this note applies to Freemium entries; Premium software is paid anyway)
³ Available only with a Premium account (even though the app itself is Free)
* You can read S/MIME messages, but signing and encrypting is a pro feature