Since news stories have surfaced about NSA surveillance, email encryption has received more attention in the media. Whether you’re afraid of Big Brother or need to protect your messages for personal or regulatory reasons, email encryption could be right for you.
Without smart data protection solutions like email encryption, businesses, health care organizations and government agencies could easily become the targets of litigation and regulatory fines. Email encryption is a small inconvenience that can yield healthy doses of peace of mind and liability protection. It’s important to know how email encryption works before choosing the solution that’s right for your organization.
How Email Encryption Works
Email encryption isn’t the most intuitive process, and if you don’t understand it, you’re not alone. Here’s a summary of how emails are encrypted:
- You purchase a digital certificate. Services like Thawte and Comodo provide free certificates. Just double-check how long the certificate will be valid. Having your own certificate doesn’t let you send encrypted emails from your inbox, but it does let others send encrypted emails to you.
- You distribute your public encryption key by digitally signing your message. Then, your contacts save your public key in their address books.
- Your contact sends you an encrypted email using your public key. You decrypt the email using your private key. If your contact wants to receive encrypted email from you, then he or she must send you a public key.
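The three steps above, run end to end with OpenSSL's S/MIME commands, as an added example that is not part of the original article. Alice, Bob, the addresses and the message texts are constructed, and a self-signed certificate stands in for one issued by a certificate authority.

```sh
#!/bin/sh
# Added example, not from the original article. Names, addresses and message
# texts are constructed; the certificate is self-signed so this runs offline.
smime_roundtrip() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1

        # Step 1: Alice gets a key pair and a certificate (normally CA-issued).
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Alice Example/emailAddress=alice@example.test" \
            -keyout alice.key -out alice.crt 2>/dev/null || exit 1

        # Step 2: Alice signs an ordinary message. The signature block
        # carries her certificate, and with it her public key.
        printf 'Hello Bob, this mail is signed.\n' > hello.txt
        openssl smime -sign -in hello.txt -signer alice.crt \
            -inkey alice.key -out signed.eml || exit 1

        # Bob checks the signature and saves the signer's certificate.
        # -noverify skips chain validation only because the constructed
        # certificate is self-signed; drop it for CA-issued certificates.
        openssl smime -verify -noverify -in signed.eml \
            -signer from_alice.crt -out /dev/null 2>/dev/null || exit 1

        # Step 3: Bob encrypts a reply using only Alice's public certificate.
        printf 'Lab results attached.\n' > reply.txt
        openssl smime -encrypt -aes256 -in reply.txt \
            -out encrypted.eml from_alice.crt || exit 1

        # The message on the wire must not contain the plaintext.
        if grep -q 'Lab results' encrypted.eml; then exit 1; fi

        # Alice decrypts with her private key. S/MIME canonicalises line
        # endings to CRLF, so strip the carriage returns for display.
        openssl smime -decrypt -in encrypted.eml -recip alice.crt \
            -inkey alice.key | tr -d '\r'
    )
    status=$?
    rm -rf "$work"
    return "$status"
}

smime_roundtrip
```

Bob never handles `alice.key`: everything he needs to encrypt comes out of the signed message, while decryption fails for anyone who does not hold the private key.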
Don’t Depend on Your Email Client
Google has encrypted the connection between its users and its email client, Gmail, for about four years. The encryption system utilizes an SSL configuration that supports forward secrecy and HTTPS. With a strong password, Gmail is good for work as long as you’re also using a total security solution on your computer. However, if you’re governed by HIPAA or HITECH, you should know that Gmail encrypts only the connection; it doesn’t encrypt your messages themselves. Instead, an option like Hushmail should be used to communicate with patients or to send messages about confidential subjects.
Yahoo has also announced HTTPS encryption for its connections, but its implementation has been inconsistent across different servers. On some servers, Yahoo encryption uses a cipher called RC4, which is considered weak and easy to crack. On others, Yahoo utilizes AES but fails to use defenses against known attacks like CRIME and BEAST. Outlook.com incorporates HTTPS, but you’ll still need to encrypt your messages.
Keep in mind that the messages in your inbox aren’t encrypted unless someone sends you an encrypted message. In addition, email encryption tools don’t encrypt email metadata, including email addresses, the date and time of sending and the email’s subject line. However, in a strict regulatory environment, encryption should be your default position.
Easy Email Encryption Tools
To handle your email encryption needs, you can use an extension to encrypt multiple emails or a website to encrypt a single email. Here’s a list of tools that you can try with different email clients and browsers:
- Enigmail. Both Thunderbird and GnuPG will have to be installed on your machine for the extension to work. If you use a PC, then you can download Gpg4win to manage your certificates.
- Mailvelope. This application can integrate with Gmail, Yahoo Mail, GMX and Outlook.com on Chrome and Firefox browsers. The extension creates a small window in the corner of your outgoing message, and you have to manually click the window to encrypt the message.
- Mymain Crypt. This extension, which works solely with Gmail, allows you to generate your key and then open your contacts’ keys from your Chrome extension settings. Then, you’ll see three buttons in Gmail: one for Encrypt, one for Sign and one for both functions.
- Infoencrypt. For simple encryption of a one-off message, go to the Infoencrypt website, type your email, create a password and click the “Encrypt” button. Once your message is encrypted, you can copy and paste it into your email client and send it. Your recipient pastes the email back into Infoencrypt, enters the password and then reads your message.
New organizations like the Dark Mail Technical Alliance are proposing standards to encrypt email metadata. If they succeed, then people can feel more confident about email security. Until then, public key encryption is the best choice for secure messaging.