How to encrypt email

Contents

  1. Getting keys
    1. PGP
      1. pgptool.org
      2. GNU Privacy Guard
    2. S/MIME
  2. Exchanging keys
  3. Configuring clients

In this blog post I shared the most common technologies for email encryption and a bit of how they work. PGP and S/MIME are the most popular schemes, with support from a lot of clients.

These are all the steps required to go from having no encryption, to encrypting all of your future emails.

Getting keys

PGP and S/MIME are both built upon public-key cryptography so you and all of your recipients need to have a pair of public and private keys.

PGP

As discussed, PGP relies on a web of trust, meaning you can generate your keys by yourself.

pgptool.org

By far, the easiest way to do this is via the website pgptool.org. Just open the link, fill out your details, select the recommended values (select never as your expiration time) and wait a couple of minutes. After they are done, you can click the two red buttons to download your public and private keys.

GNU Privacy Guard

As an alternative, you can use a desktop program. The most popular one is GNU Privacy Guard (GPG for short). It is available on most desktop operating systems, including Windows and MacOS.

The Windows version comes with a graphical user interface, so it’s easiest to use that:

  1. Open the application “Kleopatra”
  2. Click on File -> New Certificate
  3. Input your details and press OK
    • Feel free to click on Advanced Settings and check that the value for RSA is 4096 bits, that + RSA is enabled and set to 4096 bits, and finally that both Signing and Authentication are selected
  4. On the next screen, press Create
  5. You’ll be asked for a password. Make one up, and enter it, but do not forget it!
    • The password is used for your private key. If anyone gets hold of it, they will be able to impersonate you. A password makes sure that doesn’t happen, at least until you tell everyone that your key was leaked.
  6. On the final screen, click Finish
  7. To help with the next chapter, we’ll extract your public key. In “Kleopatra” you should see a line, containing your name and email. Right-click on it, and select Export Certificate.

On Linux and MacOS, you can use the command line:

  1. Enter this command in your favorite terminal

    gpg --full-generate-key
    
  2. Follow the prompts on the screen (sample pictures are available on encryptionconsulting.com)

  3. Export your public key (of course, change me@email.com and the location to the one you want, but don’t forget the .asc extension)

    gpg --armor --export me@email.com > ~/Documents/me-email.com-publickey.asc
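The file written by the export command above is an ASCII-armored block (the layout defined in RFC 4880, section 6.1). The Python below is an added example, not code from the original post or from GnuPG: it builds and parses that layout and checks the CRC-24 line, so a recipient can tell whether a key pasted into a mail body arrived unmodified. The payload it wraps is a constructed byte string, not a real key.

```python
import base64
import re

# CRC-24 parameters from RFC 4880, section 6.1 (the "=XXXX" armor checksum line).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

def crc24(data: bytes) -> int:
    """Checksum that gpg --armor appends as the '=' line before the END marker."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(data: bytes, block_type: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Wrap binary OpenPGP data in the ASCII armor layout of an .asc file."""
    b64 = base64.b64encode(data).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # gpg wraps at 64 columns
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {block_type}-----", "", *body,
                      "=" + crc, f"-----END {block_type}-----", ""])

def dearmor(text: str) -> bytes:
    """Parse an .asc block, verify its CRC-24 and return the binary payload (ValueError on failure)."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no armored block found")
    lines = m.group(2).splitlines()
    if "" in lines:  # optional armor headers ("Version: ...") end at the first blank line
        lines = lines[lines.index("") + 1:]
    lines = [ln.strip() for ln in lines if ln.strip()]
    if not lines or not lines[-1].startswith("="):
        raise ValueError("missing CRC-24 line")
    data = base64.b64decode("".join(lines[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(lines[-1][1:], validate=True), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: armored data was altered in transit")
    return data

def is_intact(text: str) -> bool:
    """True if the block parses and its checksum matches (binascii.Error is a ValueError)."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False
```

A checksum only catches accidental damage (a reflowed or truncated paste); whether the key really belongs to your correspondent is what comparing fingerprints over another channel is for.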
    

S/MIME

Unlike PGP, S/MIME relies on a certificate authority, meaning you’ll have to buy your keys from someone. Any provider from Google’s list of trusted CAs will work.

Currently, the only one that provides free certificates is Actalis. Their process is pretty straightforward, just follow the instructions (shown in this article).

Exchanging keys

You should now have a text file with your public key in it. When you want to send an encrypted email to someone, ask them for their public key, and meanwhile send them your public key. It doesn’t matter how you do that, even if it’s with unencrypted emails.

Remember, never send your private key to anyone!

Configuring clients

Now we need to configure your email application to automatically encrypt and decrypt messages. There are a lot of email clients, so I have compiled the most used ones and linked resources on how to set them up.

When writing a message, don’t forget to check if encryption is turned on for this email! On most clients, in the compose window, you’ll have to select an option to enable encryption, but others do that automatically.

Freemium means it has a free and a paid tier. Premium means you have to pay for it. FOSS means it’s free and open source. FreemiumOSS means it is free and open source, but also has paid tiers.

Client        Type          Platform                  PGP/Inline  PGP/MIME  S/MIME

Web
Gmail         Freemium      Web                       Yes [1]     Yes [1]   Yes [2]
Outlook       Freemium      Web                       No          No        Yes [2]
iCloud mail   Freemium      Web                       Yes         Yes       Yes
Yahoo!        Freemium      Web                       No          No        No
Protonmail    Freemium      Web                       Yes         Yes       No
Roundcube     Self-hosted   Web                       Yes [1]     Yes [1]   No
Rainloop      Self-hosted   Web                       Yes         No        No

Desktop
Thunderbird   FOSS          Windows, MacOS, Linux     Yes         Yes       Yes
Outlook       Premium       Windows, MacOS            No          No        Yes
Mailbird      Premium       Windows                   No          No        No
Evolution     FOSS          Linux                     Yes         Yes       Yes
Sylpheed      FOSS          Windows, MacOS, Linux     Yes         Yes       No
Claws-mail    FOSS          Windows, Linux            Yes [1]     Yes [1]   Yes [1]

Mobile
Gmail         Free          Android, iOS              No          No        Yes [3]
Outlook       Free          Android, iOS              No          No        Yes [3]
Apple Mail    Free          iOS                       Yes         Yes       Yes
Yahoo!        Free          Android, iOS              No          No        No
Edison        Free          Android, iOS              No          No        No
Protonmail    Free          Android, iOS              Yes         Yes       No
K-9 Mail      FOSS          Android                   Yes         Yes       No
FairEmail     FreemiumOSS   Android                   Yes         Yes       Yes [*]

[1] Available with an extension/plugin
[2] Available in a paid version of the software (assuming the software is Freemium; this is true for all Premium software)
[3] Available with a Premium account (even if the software is Free)
[*] You can read S/MIME messages, but signing and encrypting are a pro feature