Recently we have been asked by a client about sending encrypted emails, so this was written in response to their query, as it’s likely to crop up again with the GDPR edging ever closer.
The first question perhaps should be: do I need to encrypt my email? This could be answered ‘no’ if you don’t send anything of any sensitivity, or if there is a better way to transmit the information you want to send. An online document and file exchange service may suit your needs better, with a simple “I’ve updated your file drop” email to the client, so think about this option first. There’s plenty to choose from, including OneDrive, Dropbox and WeTransfer – you just need to check out the security and retention policies of whichever company you are considering. Web and mobile options are available for most services these days, again worth checking.
Second question – with whom are you communicating?
Email encryption solutions are broken down into several basic ideas, but all can suffer a similar issue – the other end. In an enclosed system it’s relatively easy to implement something new, but when you need to work with customers and suppliers, it can get more tricky. How technically adept is the person you are communicating with? Will they need to install software – will their IT dept. allow this? Most importantly – how do you securely get the key or password to them? There’s not much point sending password-locked files if the password is sent in plain text immediately ahead of time!
Another consideration will be how strong your encryption method is. The most sophisticated password-based encryption is pointless if the password is ‘1234’. Password cracking these days is usually either a dictionary-based attack or brute force. The advice has therefore recently become to use longer passphrases rather than shorter but complex passwords, because they take longer to crack.
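To put numbers on the passphrase advice above, here is an added example (not part of the original post) that works out the brute-force search space of a short complex password against a handful of random words; the guess rate and the 7776-word list size are assumptions for illustration.

```python
# Added example (not from the post): rough search-space arithmetic behind the
# "longer passphrase beats short complex password" advice. The guess rate is an
# assumed figure for illustration; real attacks vary with hashing and hardware.
import math
import string

ASSUMED_GUESSES_PER_SECOND = 1e10   # constructed assumption for an offline attack

def charset_size(password: str) -> int:
    """Size of the character-class mix the password draws from."""
    classes = [
        (str.islower, 26),
        (str.isupper, 26),
        (str.isdigit, 10),
        (lambda c: c in string.punctuation, len(string.punctuation)),
    ]
    return sum(size for test, size in classes if any(test(c) for c in password))

def password_bits(password: str) -> float:
    """Brute-force search space in bits, assuming the attacker knows which classes are used.
    This is an upper bound only: 'P@ssw0rd' is in every cracking wordlist, so its real
    strength is closer to dictionary_bits() than to this figure."""
    return len(password) * math.log2(charset_size(password))

def passphrase_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Search space for random words from a wordlist (7776 = a Diceware-style list)."""
    return word_count * math.log2(wordlist_size)

def dictionary_bits(wordlist_size: int) -> float:
    """A password that is a single dictionary word: the attacker only tries the list."""
    return math.log2(wordlist_size)

def years_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate at the given guess rate."""
    return 2 ** bits / rate / (365 * 24 * 3600)

if __name__ == "__main__":
    for label, bits in [("'1234'", password_bits("1234")),
                        ("'P@ssw0rd'", password_bits("P@ssw0rd")),
                        ("single dictionary word", dictionary_bits(7776)),
                        ("5 random words", passphrase_bits(5))]:
        print(f"{label:24s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years")
```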
On to three encryption methods for email communication.
Method 1 – plain text encryption
A very simple text cipher: this system involves some method of scrambling the text in your email but sending it as ‘plain’ scrambled text. The recipient simply copies and pastes the scrambled text into an unscrambler (either installed software or web-based) to read it. Not so good for attachments, and it suffers from the problem of how you share the secret password without sending it in the clear.
https://encipher.it/ offers a simple free example of this.
Method 2 – public key
Public key encryption is based on key pairs, one public and one private. To send a message you encrypt it with the recipient’s public key and sign it with your own private key. Only the holder of the recipient’s private key can decrypt it, and they use your public key to check the signature.
You and your recipient must both obtain a mail certificate and share your public keys with each other. Since public keys are meant to be public, this can be done in the clear, e.g. via email. Outlook takes care of encrypting messages using the recipient’s public key and decrypting them at the other end with the private key owned only by the recipient. Great for Outlook users, though certificates can cost money; public key encryption also works on Mac and mobile phones.
https://www.comodo.com/home/email-security/free-email-certificate.php offers free personal-use certificates but charges for commercial use.
Update 2018-05-23: You can use OpenPGP and obtain a free certificate (key pair). It’s made easier by using their simple software. You can even submit your public key to a directory, and search for other users’ public keys there too.
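To make the key roles in Method 2 concrete, here is an added example (not part of the original post, and not how Outlook or OpenPGP are implemented) that walks through a sender/recipient exchange with toy textbook RSA: the names Alice and Bob, the tiny primes and the byte-at-a-time encryption are constructed purely for illustration.

```python
# Added example (not from the post): a toy textbook-RSA walkthrough showing which
# key does what in Method 2. Tiny primes, no padding, no proper hash-to-integer
# encoding: purely to illustrate the roles, never for real mail (use S/MIME or OpenPGP).
import hashlib
from math import gcd

def make_keypair(p, q, e=17):
    """Return ((e, n), (d, n)) from two primes. Real keys use huge primes and e=65537."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)          # private exponent (modular inverse, Python 3.8+)
    return (e, n), (d, n)

def encrypt(msg: bytes, recipient_public):
    """Encrypt with the RECIPIENT's public key, one byte per block (toy)."""
    e, n = recipient_public
    return [pow(b, e, n) for b in msg]

def decrypt(blocks, recipient_private) -> bytes:
    """Only the holder of the recipient's PRIVATE key can reverse encrypt()."""
    d, n = recipient_private
    return bytes(pow(c, d, n) for c in blocks)

def _digest(msg: bytes, n: int) -> int:
    # Toy hash-to-integer: SHA-256 reduced mod n. Real schemes use padded encodings.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg: bytes, sender_private) -> int:
    """Sign with the SENDER's private key."""
    d, n = sender_private
    return pow(_digest(msg, n), d, n)

def verify(msg: bytes, signature: int, sender_public) -> bool:
    """Anyone holding the sender's PUBLIC key can check the signature."""
    e, n = sender_public
    return pow(signature, e, n) == _digest(msg, n)

def exchange_demo():
    """Alice mails Bob. Public keys were swapped in the clear; private keys never leave their owners."""
    alice_pub, alice_priv = make_keypair(67, 71)   # constructed toy primes
    bob_pub, bob_priv = make_keypair(61, 53)
    msg = b"Invoice 42 attached"
    blocks = encrypt(msg, bob_pub)        # uses Bob's public key
    sig = sign(msg, alice_priv)           # uses Alice's private key
    ok = verify(msg, sig, alice_pub)      # Bob checks with Alice's public key
    plain = decrypt(blocks, bob_priv)     # Bob reads with his own private key
    return plain, ok

if __name__ == "__main__":
    print(exchange_demo())
```

Note that an eavesdropper who captured both public keys in transit still lacks Bob’s private exponent, which is exactly why sharing public keys by ordinary email is fine.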
Method 3 – web based
Various companies offer a service whereby you can send messages which they will hold in an encrypted format for you and the recipient. The recipient gets a notification that you’ve sent them something and that they should log in to the service to read it. Aside from the cost, you may have issues with relatively short retention times (although this can be advantageous in some instances).
https://encipher.it/ also offers a free online message storage option.
Other Solutions
Office 365 users have the option to use Office Message Encryption but since it requires Azure Rights Management you’ll need either an E3 plan or to add ARM service to your Exchange Online, E1 or K1 plan. It’s not currently compatible with Business plans.
Eset – our preferred antivirus and security provider – have a product named Endpoint Encryption which has some great ease-of-use manageability for workgroups and enterprises. It’s based on keyfiles, similar to a public key infrastructure, and can also use password-based encryption. The old problems of how to securely issue keys and passwords to users outside of your organisation, as well as expecting recipients to install software, are definitely the barriers here. Endpoint Encryption also isn’t universally compatible with mobile email, requiring an app download that is currently only available on iOS devices.
Update 2018-05-23: It’s possible to password-protect MS Office documents and PDF files created from MS Office documents. The tutorial here provides a good insight into this – the issue remains, however, of how you securely transmit the password to the other party without it being revealed to anyone else along the way. You also have no control over who else the password and the document are shared with at the other end – this would require a system like Eset’s Endpoint Encryption, which allows you to restrict the redistribution of keyfiles.
In conclusion there is no simple and easy answer to either how or whether you should encrypt your emails.