Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How Do I Encrypt Email?

Question: What software do you use to encrypt email? Do you have any recommendations for email encryption software (preferably free)?

I really wish this was easier.

It should be easier.

But it’s not.

The fact is, encrypting email is cumbersome, and solutions that should work easily don’t work consistently. I’ll look at why encrypting email matters, and then I’ll give you some alternatives, starting with the one that’s the easiest to use.

Become a Patron of Ask Leo! and go ad-free!

Why encrypt email?

An https connection to your mail account only encrypts the information between your computer and the mail server. Email itself is sent and stored in plain, unencrypted text. While on your mail provider’s server, and on your recipient’s server, the email is visible to mail service personnel.

On top of that, you have no control over whether any encryption is used when transmitting that mail from server to server. In theory, anyone with access to the network path taken to make the transfer could “listen in” and view your messages.

Finally, you have no control over how your recipient connects to their email. If they don’t use a secure connection, they could easily be downloading your email in the clear.

If you’re looking for complete security for your messages, the only solution is to encrypt the email message itself.

Unfortunately, that’s not as easy as it sounds.

Encrypted attachments

By far the most practical way to encrypt email for the average user is to send your message as an encrypted attachment.

  • Write your message in a program like Notepad, Word, or whatever text or document editor you prefer.
  • Save that message to a file on your hard disk (example: message.txt for notepad, or message.doc for a Word document).
  • Encrypt that file, using a tool like AxCrypt, 7-Zip, or even GnuPG.
  • Email the encrypted file, as an attachment, to its destination.
  • Convey the password or encryption key to the recipient by some other means. This is important: if a malicious individual captures the encrypted package, they may be able to capture the password, if you sent it using the same technique. Pick up the phone, send a letter, text, instant message, or use completely different email accounts on both ends using completely different computers in completely different locations.

EncryptionThere are, naturally, a couple of caveats.

Make sure you chose an encryption program your recipient can use. Your recipient will need to be able to run the corresponding decryption tool.

Make sure you choose an appropriately difficult password/passphrase. Just like account log-in passwords, encryption passwords are subject to brute-force attacks. The simpler your password, the easier it is for someone to decipher it and decrypt your message.

This process is not pretty, and the steps involved make it a barrier to doing regularly, but it works.

With that out of the way, let’s look at two approaches that more closely match how it should work.

Certificate-based encryption

Buried in the advanced security dialogs in Outlook and account security setting dialogs in Thunderbird (and similar places in some other email clients) is the concept of using digital certificates to sign and encrypt email.

These are, essentially, the same kind of certificates used to protect https websites, and in general, they’re purchased the same way. Like website certificates, these certificates can be used for two purposes:

  • To digitally “sign” your messages to confirm you as the author of the message, and confirm that the message has not changed since you signed it. (This isn’t encryption, it’s validation.)
  • To allow people to send you encrypted messages such that only you can decrypt them.

That last one is a little counterintuitive. To encrypt a message, you don’t use your own encryption certificate; you use that of the person to whom you’re sending the encrypted message. That way, only they can decrypt it. (In reality, certificate-based encryption, like https, is quite complex and relies on public key cryptography, discussed below.)

This is a fine approach, and once set up, can be nearly transparent. As long as both you and your recipient use the same encryption mechanism, your emails are transparently encrypted and decrypted when sent or viewed. While stored on your machine, on your recipient’s machine, or somewhere in between, the messages are securely encrypted.

Unfortunately, it suffers from a couple of problems preventing widespread adoption:

  • Not all email programs and interfaces support it.
  • Certificates either cost money, or are cumbersome to obtain.
  • All parties involved need to use the same system for it to work.

PGP/GPG-based encryption

PGP (Pretty Good Privacy) and GPG (Gnu Privacy Guard, the open-source equivalent) are very similar to the certificate-based encryption scheme above. They rely on public key cryptography, which, in a nutshell, boils down to this:

Two really large numbers, A and B, are created, and share a special relationship:

  • Anything encrypted with “A” can only be decrypted by “B”.
  • Anything encrypted with “B” can only be decrypted by “A”.

You make either A or B public, and keep the other one private.

Let’s say I make my “A” number public (which I have), and keep the “B” number private – only I have it. You can now encrypt a message to me using my public key “A”. Only I can decrypt it with my private key “B”.

To encrypt email to someone, you need their public key (their “A”, in my example). For someone to send an email only you can decrypt, they need your public key. The private key (“B”) is needed to decrypt it.

PGP and GPG are just standard techniques and tools to manage those two “numbers”, more commonly called keys, or key pairs.

The good news about GPG is that all the parts are free. The bad news it can be fairly really geeky. I wrote an article about using it some years ago: How do I send encrypted email?, which walks through the steps. I don’t recommend it for the average user, but if you’re at all technical, or just enjoy this kind of geekery, you can see what it entails.

Most email programs do not include support for GPG/PGP keys. Thunderbird does have an extension, “Enigmail“, that adds support quite nicely, and there’s a Chrome browser extension called “Mailvelope” that adds encryption to Gmail.

The weakest link when you encrypt email

I have to include a word about trust.

All the encryption in the world won’t help a whit if you can’t trust the person at the receiving end. They have to keep passwords safe, if you use them, and they have to keep your private message private, if that’s the intent of your encryption. They also have to practice safe computing – your message will be decrypted on their computer, and hence visible to any malware that might be present there. Heck, if their computer is stolen and they happened to keep the decrypted message, that email is now in the hands of someone else.

So, in addition to doing the right things with your sensitive information yourself, make sure your recipient has an appropriate level of understanding as well.

That’s something that technology just can’t fix.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

30 comments on “How Do I Encrypt Email?”

  1. If you use Thunderbird using the add-on Enigmail makes the process painless. It acts like a front end for the more painful parts of GnuPG.

    Right, but then everyone you send encrypted or signed email has to either have Thunderbird + Enigmail, or some other more painful solution to decrypt or validate.

    – Leo
    27-Feb-2009
    Reply
  2. –quote–
    Right, but then everyone you send encrypted or signed email has to either have Thunderbird + Enigmail, or some other more painful solution to decrypt or validate.
    -quote-

    True, but my concern is making my life easier. If someone wants to use a painful solution to decrypting my email that is hardly my fault or concern.

    It’s your concern if you actually want them to READ your email.

    – Leo
    01-Mar-2009
    Reply
  3. I have to ask. How often is it really necessary to encrypt your email?

    It really depends on your situation. For most people: rarely, or never. But for people who regularly send highly sensitive documents or information, encryption may be a solution that could or would be used regularly.

    – Leo
    01-Mar-2009
    Reply
  4. I gave Thunderbird + Engimail a try. The installation is not as straight forward as I like. Need to first install Thunderbird, and then GnuPG. After that I need to go to Thunderbird -> Tool to add the Engimail plugin. Can’t they make the whole things into one package?

    Creating the key is easy – there is a wizard for it. I notice it says the key is good for 5 years. What will happen after that? Will my emails encrypted/signed by the old key stop working?

    Encrypting is easy as well – just press the OpenGPG button. I notice it actually put some encoded strings in the email when I view it from gmail directly. But in Engiemail, it automatically decrypts it. Very nice!

    However, now I run into a problem. How do I send encrypted emails to other people? I tried my other email account and Engimail complains it couldn’t find the key. Looks like the recipient must first have a key in the server? This seems broken… What do I miss here?

    That’s how public key cryptography works: you need the public key of the person to whom you’re sending email, so that they can then decrypt it with their private key.

    – Leo
    01-Mar-2009
    Reply
  5. I just started using voltage secureMail from voltage security to encrypt my email and I have to say it is the easiest email encryption solution I have ever used. After I installed it, all I had to do to send secure email was click the added “send secure” button in outlook. Also, it doesn’t matter if the person I am sending to doesn’t has secureMail, they can still read the message after they verify themselves. I think it has an advantage of PGP because it uses identity based encryption, which effectively makes my email address my public key. This is a great feature so i don’t have to keep looking up the public key of everyone I want to send email to. I would definitely recommend SecureMail to everyone. Have you ever tried SecureMail Leo?

    I was actually wondering when someone would mention services like this – there are several. My problem with them is simple: you must trust them, as they can decrypt your email. If you’re not keeping your own encryption keys, and you’re not performing the encryption and decryption on your own machine and under your own control, you’re implicitly trusting someone else. The whole point (to me) of encrypted mail is that you only want to trust the recipient, and no one else.

    – Leo
    03-Mar-2009
    Reply
  6. Come on, you said nothing about FireGPG for webmail GMAIL in Firefox http://getfiregpg.org/ It works just fine! And it’s free. Any upgrades come as naturally and automatically as any Firefox plugins, so it never gets outdated.

    Hadn’t heard of it. After playing with it a little bit I agree it has a lot of promise, but “it works just fine” isn’t quite how I’d qualify it. Definitely a few rough edges, especially for the average user. I ended up uninstalling it.

    – Leo
    04-Mar-2009
    Reply
  7. Bottom line, don’t send anything by email you don’t want anyone else to see. If it’s that sensitive there’s still registered mail or certified mail w/return receipts…might take abit longer but atleast it’s safe…

    Reply
  8. I have done a LOT of searching for an easy and free email encryption service to use, and quite frankly there are no “free” versions out there that are user friendly and allows you to manage the keys yourself and at the same time worrying if your recipient can read when it gets there. As far as sending the occasional email that needs to be encrypted I prefer to use hushmail.com it is not a large sized account for the free version, but if you are worried about the information you are going to be sending it works and it’s easy to use. I do agree you are relying on someone else managing you keys, but lets face it some people just turn on the computer check email and surf the net for a while and that is it. In my opinion email encryption today is simply too much for the average user to handle. By the way I do like to use and recommend off-the-record (OTR) for my instant messenger client……

    Reply
  9. I’ve been playing with some free email encryption softwares in last few days. Here are the things I tried so far:

    Hushmail – Easy to use. However I can’t use my existing gmail account. The recipient needs to be a registered user, or I need to provide a secret question and answer. No installation required but need to go back to hushmail to get the email.

    FirePGP – easy to use, love the integration with gmail. I can actually send encrypted email directly on Gmail’s page! However, I can’t send email to other people, and recipient needs to install the software and use firefox.

    Sendinc – Need to use their page to send the email. Can send to anyone, but needs to go back to sendinc’s page to read the email.

    Opaqueware – easy to use, integrated with gmail. Can set time limit and get notification! Can send to anyone, but recipient needs to install the software.

    So far, I like Opaqueware more. Both FirePGP and Opaqueware let me encrypt on my machine – I don’t want the provider to see my email. Opaqueware let me encrypt to anyone and I really like their notification.

    Reply
  10. Got this when I tried AxCrypt link:
    Not Found
    The requested URL /d-axcrypt was not found on this server.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    Are they out of business?

    Typo on my part. Should be working now.

    – Leo
    07-May-2009
    Reply
  11. I have installed Opaqueware to use with Outlook 2007. When I click encrypt, pop window appears saying ‘The page you are looking for cannot be found’!

    Not sure what is going on as the app is using IE settings.

    Reply
  12. Leo,
    As always your advice & information is concise, spot on, but best of all, easily understood by us that do not fully understand computer talk.
    Good onya?
    Russell Iles
    From deep down under Australia

    Reply
  13. Thanks for this article. It’s now on the front page of Google for Email Encryption help. I have really struggled to get a SMIME certificate installed, and finally gave up after the person I wanted to send to had zero success. It’s amazing that such valuable technology is nearly impossible to implement successfully. We resolved our problem by signing up a free account at https://lockbin.com We’re using their Outlook add-in.
    One thing I discovered that a lot of people are having trouble with: you can’t download a SMIME certificate from a cert authority using Chrome browser. It just doesn’t work. Try IE or Firefox instead.

    Reply
    • Remember BOTH the sender and recipient must use the same encryption technology. It’s not enough for YOU to use something, your recipient must also be able and willing to use something compatible. That’s not always the case, and often quite a barrier to widespread adoption.

      Reply
    • Depending on the version of the tool app-specific encryption can be weak. Consider also that it’s a feature of a program designed to do something else – often even an afterthought. Dedicated encryption tools are just that: designed specifically for encryption.

      That being said, modern versions of popular apps tend to have adequate encryption for most puposes.

      Reply
  14. I use Protonmail,com for encrypted mail . They’re based in Switzerland, a country with very strict privacy laws. The service is invented and run by a bunch of egghead scientists from the CERN accellerator. They have a method where you can send an encrypted message to a person who does NOT have a corresponding encryption program. The message simply contains a link to Protonmail where the recipient has to enter the password you’ve sent to him by another channel, and the message is decrypted. 500mb of message storage is free and you can buy more as\t a nominal price. This makes sending an encrypted message absolutely painless. Go to protonmail.com for a full rundown.

    Reply
  15. On checking, I see that even my antique Outlook Express has a facility for encrypting outgoing messages (Tools > Options > Security) but I don’t know whether they could be decrypted with other programs. It might be worth mentioning that WinRar contains a facility for password protecting its files: of course, the recipient would also have to have WinRar, but it is widely used.

    Reply
  16. Austen Ray: Microsoft Office’s encryption since the 2007 version is pretty good. I think Bob doesn’t list it or Acrobat because they are not free. The free Open and Libre Office have the same capability to encrypt individual files and are are file-compatible with the Microsoft product. All of the offices are fairly large programs, installing one just to encrypt something would be overkill.

    Since this article was originally written, AxCrypt has dropped off the recommended list for many people, including me. AxCrypt v2 now requires an account with Axantum, stores the password on their server, and does not allow different passwords for different files. Stick with v1 or the slightly more clunky AES Crypt.

    Reply
  17. I use Proton Mail, based in Switzerland. They do all the hard work for you, and you don’t have to trust people with keys.

    Reply
  18. Leo, I’d love to see a 2022 update to this. Thunderbird now has PGP integrated in the software, rather than forcing you to install third-party applications. Protonmail allows you to choose RSA or EC encryption algorithms, and converse with non-Protonmail users using PGP. I know very little about Tutanota, but their paid plans seem very reasonable. Many things have changed since this article was written. Could we see an update in the near future?

    Reply
    • Honestly, it’s still as broken as it ever was. I love that those email providers and tools are incorporating GPG encryption, but honestly until it becomes native and easy in the major players like Outlook.com, Gmail, and in major programs like Microsoft Office’s Outlook, it still just as messy as its ever been.

      Reply
      • It seems like it would be relatively easy to incorporate GPG into an email program, and as long as the sender and receiver were both using the same email program or compatible plugins, and exchanged keys, it would be as easy to send encrypted email as it would plain text. The only things that it would be necessary to do is create a key pair when installing the program or the plugin, and the program could have a button pr press to send attach the key.
        It would even be possible to make this compatible between different email programs.

        Reply
        • Absolutely. It’s possible. However it isn’t nearly as simple as it needs to be for the average user not to get totally lost and confused. AND the “cost of failure” is high — messages you encrypt that because it’s easy to mismanage keys you can no longer read. It’s like self-ransomware when done improperly, and it’s easy to do improperly.

          Reply
          • This is all theoretical, but the self-ransomware disaster could be avoided by saving a plain text version of the email in the sender’s sent mail folder. I’m not saying it’s trivial, but a well-designed plug in, or better yet, encryption module built into a browser could make it almost trivial to the user.

          • Yes, all these things are possible. Implemented even — Thunderbird and ProtonMail are two examples, and have been for years. But the interoperability issues are a minefield. Imagine the questions we’d get about not being able to read an important email message.

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.