How to encrypt email
In this blog post I shared the most common technologies for email encryption and a bit of how they work. PGP and S/MIME are the most popular schemes, with support from a lot of clients.
These are all the steps required to go from having no encryption, to encrypting all of your future emails.
PGP and S/MIME are both built upon public-key cryptography so you and all of your recipients need to have a pair of public and private keys.
As discussed, PGP relies on a web of trust, meaning you can generate your keys by yourself.
By far, the easiest way to do this is via the website pgptool.org. Just open the link, fill out your details, select the recommended values (select never as your expiration time) and wait a couple minutes. After they are done, you can click the two red buttons to download your public and private keys.
GNU Privacy Guard§
As an alternative, you can use a desktop program. The most popular one is GNU Privacy Guard (GPG for short). It is available on most desktop operating systems, including Windows and MacOS.
The Windows version comes with a graphical user interface, so it’s easiest to use that:
- Open the application “Kleopatra”
- Click on
- Input your details and press
- Feel free to click on
Advanced Settingsand look if if the value for
4096 bit, the value for
+ RSAis enabled and is
4096 bits, and finally both
- Feel free to click on
- On the next screen, press
- You’ll be asked for a password. Make one up, and enter it, but do not forget it!
- The password is used for your private key. If anyone gets ahold if it, they will be able to impersonate you. A password makes sure that doesn’t happen, at least until you tell everyone that your key was leaked.
- On the final screen, click
- To help with the next chapter, we’ll extract your public key. In “Kleopatra” you should see a line, containing your name and email. Right-click on it, and select
On Linux and MacOS, you can use the command line:
Enter this command in your favorite terminal
Follow the prompt on the screen (sample pictures available in encryptionconsulting.com)
Export your public key (of course, change firstname.lastname@example.org and the location to the one you want, but don’t forget the .asc extension)
gpg --armor --export email@example.com > ~/Documents/me-email.com-publickey.asc
Contrary to PGP, S/MIME relies on a certificate authority, meaning you’ll have to buy your keys from someone. Any provider from Google’s list of trusted CAs will work.
Currently, the only one that provides free certificates is Actalis. Their process is pretty straight forward, just follow the instructions (shown in this article).
You should now have a text file with your public key in it. When you want to send an encrypted email to someone, ask them for their public key, and meanwhile send them your public key. It doesn’t matter how you do that, even if it’s with unencrypted emails.
Remember, never send your private key to anyone!
Now we need to configure your email application to automatically encrypt and decrypt messages. There are a lot of email clients, so I have compiled the most used ones and linked resources on how to set them up.
When writing a message, don’t forget to check if encryption is turned on for this email! On most clients, in the compose window, you’ll have to select an option to enable encryption, but others do that automatically.
Freemium means it has a free and a paid tier. Premium means you have to pay for it. FOSS means it’s free and open source. FreemiumOSS means it is free and open source, but also has paid tiers.
|Thunderbird||FOSS||Windows, MacOS, Linux||Yes||Yes||Yes|
|Sylpheed||FOSS||Windows, MacOS, Linux||Yes||Yes||No|
1 Available with an extension/plugin
2 Available in a paid version of the software (assuming the software is Freemium; this is true for all Premium software)
3 Available with a Premium account (even if the software is Free)
* You can read S/MIME messages, but signing and encrypting is a pro feature