Considering the constant exposure we have to email-based security breaches, like spoofing, phishing, malware and ransomware attacks, you might think that email encryption has become a standard implementation for most companies and email platforms — well, think again. Most platforms today do support encryption, but it’s up to you — or your system admin — to get your security certificates installed and enabled before the encryption options can be turned on.
How Email Encryption Works
Email encryption works much the same as any other digital encryption, as it takes all of the data in your message, shuffles it and then locks it in place. Once the shuffled message has been transmitted, it can then be reassembled on the other end.
The process requires two types of digital keys. A public key that you can share with anyone so they can send you encrypted emails, as well as a private key that you use to decrypt those emails. The private key is also used to digitally sign your own messages so there is no doubt that the message came from you. Your private key is securely stored on your computer. This system of encryption is known as PKI, or public key infrastructure.
There are different encryption technologies that use PKI, but the most notable today are the following.
- S/MIME: Secure/Multipurpose Internet Mail Extensions, used by Microsoft, Apple and Gmail. All of the tools needed are built into the operating system
- PGP/MIME: Pretty Good Privacy/Multipurpose Internet Mail Extensions, used by AOL, Yahoo and Android devices. The required tools are provided by a variety of third-party companies. These services also support S/MIME but still require third-party tools
Getting Digital Encryption Certificates
Setting up your email client for encryption is usually the last of a series of steps you, or your company, needs to take. The first step is to get a digital ID, also known as a digital certificate, from a certificate authority (CA), such as GlobalSign or IdenTrust, which are both recommended by Microsoft. If you don’t have a certificate yet, you should talk to your firm’s network administrator or IT manager before starting the process on your own. Your company may have certificates already, or have in-house requirements on where they should be obtained, what type of encryption you need, and how they should be used.
Once you have a digital certificate, you can install it on your computer. On Windows PCs, these are stored in Microsoft Outlook, while Mac computers store them on the Mac’s Keychain Access.
How to Send a Secure Email in Outlook
Windows 10 users will have an easy time enabling S/MIME encryption on Outlook 2019, provided they’ve been set up with an installed certificate. You can send encrypted messages one at a time, or configure Outlook to encrypt all outgoing messages.
To send an encrypted message in Outlook…
- Click the File menu, and go to Options > Trust Center > Trust Center Settings.
- Select “Email Security” and then select “Settings” under the “Encrypted Email” option.
- Click “Choose” under “Under Certificates,” and then select “Algorithms” and select your S/MIME certificate.
- Click OK.
When you’re ready to send an encrypted email, once you’ve finished writing it and selected your recipients, click the “Options” tab, select “Encrypt” and then click “Encrypt with S/MIME.” Select any permissions you want to restrict, like “Do Not Forward,” and then send your message.
If you want to encrypt all outgoing messages by default, this option is found in Outlook’s Trust Center Settings, found under the Options tab. Next, look for “Encrypted Email” on the “Email Security” tab that opens, and click the checkbox beside “Encrypt contents and attachments for outgoing messages.”
How to Send Encrypted Email in Mac Mail
As with other email platforms, you need an encryption certificate in your Mac’s Keychain Access. Once this is installed, configuring Mac Mail is relatively easy.
Open a new message in Mac Mail. Hover the cursor over the “From” field and click the pop-up menu that appears. Choose the account that’s linked to your keychain’s security certificate.
A checkmarked “Signed” icon will appear in the message header when you’ve enabled encryption for the email. A closed-lock “Encrypt” icon appears beside the name of each recipient. This must appear for each recipient. If one of your recipients doesn’t have a lock icon beside it, you’ll have to send an unencrypted email to all recipients. To do this, click each recipient’s lock. This changes the icon to an unlocked status.
How to Send a Secure Email with Gmail
Gmail does offer email encryption. However, you need to enable this feature and it’s not available for everyone. To begin with, you need a Google Workspace account that falls under the Enterprise category (or the enterprise-version of their Education services). Vanilla Gmail accounts, or non-enterprise Google Workspace accounts, don’t qualify for S/MIME encryption.
This means, of course, that all of your recipients also need to qualify for S/MIME encryption and know how to enable it. If any of your recipients use a vanilla Gmail account, or a lower-tier Business Workspace account, you won’t be able to encrypt the email.
Assuming your recipients do qualify for S/MIME encryption and that they have enabled the feature, you then need to exchange security keys with them so your accounts can identify each other.
Sign in to the Google Admin console using an administrator account. Navigate to your Gmail User Settings and select your Organization. Select the “Enable S/MIME encryption” option.
Once your email encryption has been set up, you can send secure emails and encrypt Gmail attachments automatically when you click the “Send” button.
Using Other Encryption Services
Services like Yahoo Mail and AOL, as well as Android devices not using Gmail, all require third-party apps before you can use encryption. You have a choice between using S/MIME or PGP/MIME protocols. For these, you should consult the provider’s website to determine which tools are supported.
There are also a variety of third-party apps that provide end-to-end email encryption. These can be set up manually yourself or, more commonly today, will have the encryption already set up when you install the app. These are available at a variety of price points. You should also check the documentation to see if the encryption works with other email services, or if it works only when the recipients are using the same app that you are. Some of the apps available today include the following.
- ProtonMail: Android, Apple, with free and paid plans
- Ciphermail: Android, free
- Mailvelope: Chrome, Firefox, free
- Virtru: Chrome, free and paid plans
- Startmail: free and paid plans, compatible with Outlook and Gmail
- Send 2.0: Outlook plug-in, free and paid plans, compatible with Gmail
- Enlocked: Chrome plug-in, free and paid plans, compatible with Gmail, Yahoo, AOL
Eliminating Email Security Issues with a VDR
It’s important to stress that once you have encryption configured for your emails, you will not be able to use it until each of your recipients has also installed their certificates and configured their email clients for it as well. Until that happens, you won’t be able to use the feature.
A more practical option is to focus on securing the information that needs to be secured, not the vehicle you’re using to transmit it. Caplinked’s Virtual Data Rooms were designed with state-of-the-art encryption already built in. Instead of attaching a document to an email and then encrypting the email, you can instead encrypt the document and simply send your recipients a link. Access to the secured documents can be terminated at any time, even if the document has been downloaded. Your documents are also protected with digital watermarks and tracking software, indicating who has accessed each document, when they were accessed and the IP addresses of each recipient.
Try out Caplinked’s document security options for yourself with a free trial account.
Google Support: https://support.google.com/a/answer/6374496?hl=en
Apple Support: https://support.apple.com/en-ca/guide/mail/mlhlp1180/mac