Should You Encrypt Your Email?

Category: Email

Interest in email encryption has skyrocketed since Ed Snowden revealed the NSA’s widespread surveillance of electronic communications. And more recently, there's been lots of noise about Wikileaks and email hacking. Here is the low-down on email encryption, and some free tools to help you send and receive secure emails...

How To Encrypt Your Email Messages

Unencrypted email is a sitting duck for eavesdroppers; your message is sent in plain text that anyone who intercepts it can read. Email bounces from one server to another, often many times, on its way from sender to receiver. Administrators at any of these relay points can read any email they choose (although they’re usually too busy). Search warrants or national security letters can force email service providers to open their stored copies of your email to the government.

Encryption is essential if you want any assurance of privacy. There are three things that need to be encrypted to protect your email fully.

First, the connection between you and your email server should be encrypted. For Webmail users (Gmail, Yahoo, Outlook.com, AOL, etc.) this is done for you automatically. When you're logged in, you’ll see “https” instead of “http” in your browser’s address bar, and a lock icon that indicates you have a secure encrypted connection.

Encrypted Email

Desktop email clients such as Outlook, Thunderbird, and Eudora can secure connections to email servers using SSL/TLS, too, if the server supports it. Consult your Internet Service Provider or your email program's help files for details on how to enable secure connections. Thunderbird users can install the Enigmail extension (Windows or Mac) to simplify the process of sending secure emails.

The Next Step

Second, each email message should be encrypted before it is sent to protect its contents against prying eyes while it resides on other people’s servers, including your email service provider. This is important because even though your email travels over a secure, encrypted connection, it's stored in plain (non-encrypted) text once it arrives. If your email service provider (or the recipient's) is served with a court order to give up your mail, it should be able to hand over only a file of encrypted gibberish. The email service provider should not have the key that decrypts your encrypted email.

If the password that protects your email account is trivial or easily guessed, all the encryption in the world is useless. The infamous "hack" of the DNC emails was ridiculously easy because the campaign chairman used "password" as his password! See my articles Hey, Is This Your Password? and An Extra Layer of Security for help choosing a strong password, and taking security to the next level with Two-Factor Authentication.

However, sender and receiver must have digital certificates and they must know each other’s public encryption keys before they can exchange encrypted email. Yes, that sounds kind of geeky. In the past, setting up encryption has been a challenge for most users so it hasn’t gotten done. Now there are services that make using encryption easy.

Virtru provides add-ons and apps that do the heavy lifting of email encryption. It supports Internet Explorer, Firefox, Chrome, and Safari browsers; iOS and Android devices; and Outlook and Mac Mail desktop mail clients. Once installed, Virtu lets you encrypt any email you choose before it is sent. Virtru never sees your email’s contents and your email service provider never gets the key that decrypts your mail. However, recipients do not need the Virtru software or a public key; they just have to verify their identities once by registering with Virtru or using Oauth or OpenID and their Google, Yahoo, or Microsoft account.

Virtru’s basic end-to-end email encryption (including attachments) is free. It comes with a 14-day trial of the Premium features including the ability to revoke/cancel an email after it’s sent, control of forwarding, setting of email expiration dates, and more. If you want these features they cost $2/month after the trial ends.

ProtonMail goes beyond Virtru to provide email service as well as encryption of email. Like Virtru, ProtonMail cannot decrypt any of its users email. Better still, ProtonMail provides email servers that are beyond the reach of the NSA and other governments’ spies. ProtonMail’s servers are in Switzerland, where strong privacy laws keep all governments out of email and other personal electronic data. ProtonMail is available via the Web, and on Android and iOS (iPhone/iPad) mobile devices. Free accounts offer 500MB of message storage, and can send up to 150 messages per day. A ProtonMail Plus account (about $5/month) gives you 5GB of storage, up to 5 email addresses, the ability to use a custom email domain, and 1000 messages per day.

SendInc is a web-based email service that lets you send and receive emails protected by military-grade encryption. There's no software required for you or your recipients, and you can use your existing email address. Sendinc does not store encryption keys, so only your recipients have the ability to decrypt your messages. The free version offers 7-day message retention, with up to 100MB of message storage. You can send encrypted messages to up to 20 recipients per day, with a 10MB max message size. If you are a Microsoft Outlook user, there is a Sendinc extension that enables you to send and receive encrypted email.

What About Your Locally Stored Email?

Third, email stored on your local device should be encrypted in case the device is lost, stolen, or accessed without your permission. If you're on a mobile device, Apple iOS has supported device encryption for years, and Android does too. Bitlockeris an encryption tool built into Windows, but is only found on Pro, Ultimate, and Enterprise editions of Windows Vista, 7, 8.1 and 10. It's not available to Windows Home edition users. FileVault is the Mac OS X equivalent. Windows, Mac and Linux users can encrypt their hard drives using the free VeraCrypt utility.

Some (perhaps most) users feel that encrypting email is not necessary or just too much trouble. If you feel that way, I'm not trying to change your mind. But for those who feel the need to be more proactive about email privacy, or those who want to send an occasional encrypted message, here are the tools you can use.

Your thoughts on this topic are welcome. Post your comment or question below...

 
Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Email:

Check out other articles in this category:



Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 9 Jan 2017


For Fun: Buy Bob a Snickers.

Prev Article:
When White Hats Collide

The Top Twenty
Next Article:
Hey, Is This Your Money?

Most recent comments on "Should You Encrypt Your Email?"

(See all 22 comments for this article.)

Posted by:

MmeMoxie
09 Jan 2017

I agree with bill - I am not concerned about email security. I rarely get any emails from my financial institution and the bulk of my emails are newsletters like Bob's. I like hearing about the latest technology or the latest news. I don't have any earth shaking emails that warrant security means. Encryption is for secret stuff and I don't send out any emails to anyone anymore. Most people now use Facebook which has a ton of security issues!!!


Posted by:

JC
09 Jan 2017

How does one secretly exchange the encryption keys, with someone in another country? lol

EDITOR'S NOTE: The same way you'd do it if they lived in the next town. You could send the key by registered mail or Fedex. But a messaging app with end-to-end encryption would be a better idea. Here's one example: https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms&hl=en


Posted by:

Jonathan
09 Jan 2017

Of course I remember when all correspondence was sent by what is now known as snail mail.

Plenty of opportunity for someone to open the envelope and read or destroy the contents. I don't think I even gave it a thought.

I am glad though that Bob brings this option to our attention so that we can decide for ourselves what level of interest our missives inspire.

Mine are oh so boring, some not even of interest to the recipient I suspect :-)


Posted by:

steve blackthorne
09 Jan 2017

Thanks Bob for this article. Like others, my emails do not contain confidential information to the masses, but shaky relationships, divorce, and at the very least no more targeted ads. With Protonmail it is just you and the recipient. I signed up and love the auto delete feature at the receivers end, which can be turned on or off when ever you like). Passwords for your encrypted emails can be on the fly and different for each address and/or email. Clean layout and easy to use.

The only suggestion I have for Proton is it would have been great to simply have your address as *@proton.com instead of *@protonmail.com


Posted by:

john silberman
09 Jan 2017

I have used Proton mail for a few years now. What I like about Proton mail is that I can send encrypted mail to non-Proton mail users. In addition, you can also put a time frame on the e-mail or attachment existences.


Posted by:

bart
09 Jan 2017

I agree with the others: nothing I send is that interesting or sensitive. That may change as our political situation evolves. For now, it's way too much work for the small benefit. When I get an email encrypted for no good reason from an organization I work with, I refuse to open it and let them know that.


Posted by:

MG
09 Jan 2017

Proton(.com) is a Malaysian car manufacturer.


Posted by:

RandiO
09 Jan 2017

Have you ever attempted to tell your Aunt Gertrude that (for privacy/security’ sake) she needs to install PGP on her POP3 or that she should change her email client to one that uses STARTTLS for IMAP?

If some of the best pragmatic security information is found in humor; then, it's definitely worth having a read of this masterpiece (pdf) > by James Micken >

Extract >> “…In general, I think that security researchers have a problem with public relations. Security people are like smarmy teenagers who listen to goth music: they are full of morbid and detailed monologues about the pervasive catastrophes that surround us, but they are much less interested in the practical topic of what people should do before we’re inevitably killed by ravens or a shortage of black mascara. It’s like, websites are amazing BUT DON’T CLICK ON THAT LINK, and your phone can run all of these amazing apps BUT MANY OF YOUR APPS ARE EVIL, and if you order a Russian bride on Craigslist YOU MAY GET A CONFUSED FILIPINO MAN WHO DOES NOT LIKE BEING SHIPPED IN A BOX. It’s not clear what else there is to do with computers besides click on things, run applications, and fill spiritual voids using destitute mail-ordered foreigners…”


Posted by:

Clairvaux
09 Jan 2017

I'm curious to investigate Send Inc, the only service in this post I do not know of. What they seem to propose seems to good to be true (many unsaid things there), and they have almost no explanations on their site, apart from "shoot us a question".

Sorry guys, I need a bit more. As far as I know, there is no really good way to do encrypted email right now, and I have this on authority of cryptography experts such as Bruce Schneier.

By good way, I mean : simple and foolproof (so : not PGP, or related solutions), universal (can be used with people you don't know, and you don't need to exchange a password on the phone), and thorough (metadata have to be encrypted as well).

I'm not even adding : needs to warn you on receipt of email, or : can be used anonymously. That's even more difficult / unavailable, as far as I know.


Posted by:

Steve
10 Jan 2017

I'll be 86 this year and I don't care who reads about my tortoise, my interest in plants or any of the gripes I may have. My bank and other institutions use encripted mail to me and that's all I really need. But I have filed this article away in case things do change. The article was an eye-opener to me and was much-appreciated. Thanks.


Posted by:

Bman
10 Jan 2017

The MAC OSX encryption tool is FileVault not Filelocker.

EDITOR'S NOTE: Oops, fixed now. Thanks !


Posted by:

Marc Menard
10 Jan 2017

I've been using ProtonMail for a couple of years now. Apart from a serious incident that incurred some downtime (apparently state-sponsored attack), I like it and it makes it transparent to the recipient. In other words, the recipient doesn't need a key to open your email. Login in involves two levels of password and that's it. I saw that on a TED Talk, and I immediately thought, hey great idea! Not that I have anything to hide mind you, but as it is, the Government sees enough stuff already, they don't need to intrude further.


Posted by:

Richard
11 Jan 2017

To answer the comment on exchanging keys for public key systems. The real answer is very complex but in simple terms there are 2 matching keys, one is public and one is private usually protected with a password. You send the public key out anywhere you want, doesn't really matter. There are special keyservers to handle things that provide other details like email address and so on. To send a message you use the recipient's public key. The only person who can then read it has the matching private key (and its password).

Think of it like this. The public key is like a set of padlocks with only one key. You send out lots of padlocks (you are really rich). If someone wants to send you a secure message, they pop it in a box and lock it with your padlock. Only you have the key to open that padlock.


Posted by:

Butch
12 Jan 2017

It seems to me that, in order to encrypt my e-mails and have them received by others, the recipient has to have a key. So what happens if someone with whom I correspond (usually family) refuses to sign in with the Virtru program?


Posted by:

KC2IQX
13 Jan 2017

Check out EFF for their opinions on https


Posted by:

Buffet
15 Jan 2017

Enough already with the limp-wristed, pencilneck twits saying "I don't care. I have nothing to hide."
It's these sheeple cowards who opened the door for attacks against our constitution like the patriot act and allowed a government of wolves to enact the communistic police state we're now fighting


Posted by:

Bob Carrera
23 Jan 2017

Why doesn't Microsoft include encryption in Windows so we don't have to worry about sharing keys?


Posted by:

Bob Carrera
23 Jan 2017

Why doesn't Microsoft include encryption in Windows so we don't have to worry about sharing keys?


Posted by:

Wayne M.
25 Jan 2017

My concern is political. I was a Tea Party supporter and I was audited by the Lois Lerner/Obama IRS. My tax man said he had one other client with the same story. When the scandal broke, they dropped me like a hot potato. I hope someone is prosecuted, because if they let this abuse of political power go unpunished, we will forever be corrupt! These days I do not send much email at all. I primarily use my iPhone and do most of my political yammering on Facebook. I need to create anonymous accounts, because I've had some vandalism that I feel is a message from someone who doesn't like my posts about Islam.


Posted by:

FAfel
24 Jun 2017

nice one!


There's more reader feedback... See all 22 comments for this article.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! And please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are previewed, and may be edited before posting.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
RSS   Add to My Yahoo!   Feedburner Feed
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy -- See my profile on Google.
[an error occurred while processing this directive]


Article information: AskBobRankin -- Should You Encrypt Your Email? (Posted: 9 Jan 2017)
Source: http://askbobrankin.com/should_you_encrypt_your_email.html
Copyright © 2005 - Bob Rankin - All Rights Reserved