How to Encrypt Your Email

Even if you never email sensitive information--social security numbers, banking info, business secrets, and so on--you should consider using encryption. Aside from capturing your email content and attachments, a miscreant could hijack your entire email account if you failed to secure it properly. In this article, I'll discuss what you need to encrypt and how to get started, regardless of the particular email service you use.

What to Encrypt

To secure your email effectively, you should encrypt three things: the connection from your email provider; your actual email messages; and your stored, cached, or archived email messages.

If you leave the connection from your email provider to your computer or other device unencrypted while you check or send email messages, other users on your network can easily capture your email login credentials and any messages you send or receive. This hazard typically arises when you use a public network (the Wi-Fi hotspot in a coffee shop, say), but an unencrypted connection can also pose problems on your work or private network.

Your actual email messages are vulnerable as they travel over the Internet, after leaving your email provider's server. Bad guys can intercept a message as it bounces from server to server on the Internet. Encrypting your messages before sending them renders them unreadable from the point at which they embark on their journey to the point at which the intended recipient opens them.

If you leave your saved or backed-up email messages (from an email client program like Microsoft Outlook) on your computer or mobile device, a thief or snoop might be able to gain access to them, even if you've password-protected your email program and your Windows account or mobile device. Again, encryption renders them unreadable to the intruder.

How to Encrypt Email Connections

To secure the connection between your email provider and your computer or other device, you need to set up Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS), encryption--the same protection scheme that you depend on when checking your bank account or making online purchases.

If you check your email with a Web browser (whether on a desktop, a laptop, a smartphone, or a tablet), take a moment to ensure that SSL/TLS encryption is active. If it is, the website address (URL) will begin with https instead of http; depending on your browser, you should see some additional indication, such as a notification next to the address bar or a small yellow padlock icon on the status bar at the bottom of the browser window.

Encrypted connection to Gmail using Internet Explorer 9. Note the 'https' in the address bar.

If you don't see an 'https' address and other indicators after logging into your Web-based email program, type an s at the end of the 'http' and press Enter. If your email provider supports SSL/TLS, that instruction will usually prompt it to encrypt your current connection. Then browse your account settings to see whether you can activate encryption by default for future logins, and whether you can create or modify bookmarks or shortcuts to your email site using the 'https' address. If you can't force the encryption, check with your provider, as it may not support SSL/TLS.

If you use a desktop client program like Microsoft Outlook to check your email, or if you use an email app on your smartphone or tablet, you should still try to use SSL/TLS encryption--but in such situations, encryption is harder to verify or to set up. To do it, open your email program or app and navigate to the settings menu; there, your account will likely be labeled as a POP/SMTP, IMAP/SMTP, HTTP or Exchange account. Look for an option to activate encryption; it's usually in the advanced settings near where you can specify the port numbers for incoming and outgoing connections.

You can enable encrypted connections in Outlook's advanced settings.

If you use an Exchange email account for work, for example, you'll find a designated area for security settings where you can clearly see whether encryption/security is enabled for the incoming and outgoing connections and for your Exchange account. If it isn't enabled, check with your email provider to see whether the provider supports encryption, and consider switching to a service that allows SSL/TLS encryption.
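The port-and-encryption settings described above are easier to get right if you can see what the server actually offers on each port. The script below is an added example, not code from the original article: it reads the capability list an IMAP server announces (or the EHLO reply from an SMTP server), classifies the port as implicit TLS, STARTTLS-required, STARTTLS-optional, or cleartext, and, where STARTTLS is offered, performs the upgrade with certificate and hostname verification turned on. The host names and server replies in it are constructed samples, and "LOGINDISABLED" (IMAP) and a hidden AUTH line (SMTP) are used as the signs that a server refuses passwords before TLS.

```python
"""Assess whether a mail server's IMAP or SMTP port protects your login with TLS,
and perform the STARTTLS upgrade the way a correctly configured client does."""
import re
import socket
import ssl

IMPLICIT_TLS_PORTS = {993, 465}  # IMAPS and SMTPS: TLS is negotiated before any mail protocol data

# Constructed sample server replies (not captured from any real server).
IMAP_GREETING_CLEARTEXT = b"* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] mail ready\r\n"
IMAP_GREETING_ENFORCED = b"* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] mail ready\r\n"
SMTP_EHLO_OPTIONAL = b"250-mail.example.invalid\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n"


def imap_capabilities(response):
    """Parse the CAPABILITY list from an IMAP greeting or a '* CAPABILITY' reply."""
    m = re.search(rb"\[CAPABILITY ([^\]]*)\]", response) or re.search(
        rb"\* CAPABILITY ([^\r\n]*)", response)
    return set(m.group(1).decode("ascii", "replace").upper().split()) if m else set()


def smtp_extensions(ehlo_reply):
    """Parse the extension keywords from a multi-line 250 EHLO reply."""
    exts = set()
    for line in ehlo_reply.splitlines()[1:]:  # the first 250 line is the server's name
        m = re.match(rb"250[- ](\S+)", line)
        if m:
            exts.add(m.group(1).decode("ascii", "replace").upper())
    return exts


def assess(protocol, port, announced):
    """Return 'implicit-tls', 'starttls-required', 'starttls-optional' or 'cleartext'."""
    if port in IMPLICIT_TLS_PORTS:
        return "implicit-tls"
    if "STARTTLS" not in announced:
        return "cleartext"  # the client's password would cross the network unprotected
    # A server that refuses passwords before TLS advertises LOGINDISABLED (IMAP, RFC 2595)
    # or hides its AUTH extension until after STARTTLS (SMTP).
    if protocol == "imap" and "LOGINDISABLED" in announced:
        return "starttls-required"
    if protocol == "smtp" and not any(e.startswith("AUTH") for e in announced):
        return "starttls-required"
    return "starttls-optional"  # safe only if the client is configured to use STARTTLS


def probe(host, port, protocol, timeout=10):
    """Connect, read what the server offers, and upgrade with verified TLS if possible.
    Returns (verdict, negotiated TLS version or None). create_default_context() loads
    the system trust store and checks that the certificate matches `host`."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if port in IMPLICIT_TLS_PORTS:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "implicit-tls", tls.version()
        banner = raw.recv(4096)
        if protocol == "imap":
            announced = imap_capabilities(banner)
            if not announced:  # greeting without a capability list: ask explicitly
                raw.sendall(b"a0 CAPABILITY\r\n")
                announced = imap_capabilities(raw.recv(4096))
            starttls_cmd = b"a1 STARTTLS\r\n"
        else:
            raw.sendall(b"EHLO check.invalid\r\n")
            announced = smtp_extensions(raw.recv(4096))
            starttls_cmd = b"STARTTLS\r\n"
        verdict = assess(protocol, port, announced)
        if verdict == "cleartext":
            return verdict, None
        raw.sendall(starttls_cmd)
        raw.recv(4096)  # "a1 OK Begin TLS" / "220 Ready to start TLS"
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return verdict, tls.version()


if __name__ == "__main__":
    for port, proto in ((143, "imap"), (993, "imap"), (587, "smtp")):
        print(port, proto, assess(proto, port, {"STARTTLS"}))
    # To check a real server: print(probe("imap.example.invalid", 143, "imap"))
```

A verdict of "starttls-optional" means the server would also accept your password in the clear, so the client-side "use encryption" setting from the paragraph above is what actually protects you; "cleartext" means you should change ports or providers. If the TLS handshake raises a certificate error, do not disable verification to make it go away: that is exactly the warning a spoofed hotspot server would trigger.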

How to Encrypt Email Messages

You can and should encrypt your individual email messages during transit, but both you and your recipient must do some work ahead of time to make the protection work properly. You can use encryption features built into your email service, or you can download encryption software or client add-ons (such as those that use OpenPGP). In a pinch, you can use a Web-based encryption email service like Sendinc or JumbleMe, though doing so forces you to trust a third-party company.

Most forms of message encryption, including S/MIME (Secure/Multipurpose Internet Mail Extensions) and OpenPGP, require you to set up a security certificate (for S/MIME) or a key pair (for OpenPGP) on your computer and to give your contacts a string of characters called your public key before they can send you an encrypted message. Likewise, the intended recipients of your encrypted message must set up their own certificate or key pair and give you their public key in advance.

Support for the S/MIME standard is built into many email clients, including Microsoft Outlook. In addition, Web browser add-ons, like Gmail S/MIME for Firefox, support Web-based email providers as well. To get started, you can apply for a security certificate from a company such as Comodo.

The OpenPGP email encryption standard, which grew out of Pretty Good Privacy (PGP), has several implementations, including PGP and GNU Privacy Guard (GnuPG). You can find free and commercial software and add-ons, such as Gpg4win or PGP Desktop Email, that support the OpenPGP type of encryption.
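The key exchange described above (each side keeps a private key, hands out the public key, and the sender encrypts to the recipient's public key) can be walked through end to end with GnuPG. The following script is an added example, not part of the original article or of any GnuPG documentation: it assumes the `gpg` and `gpgconf` command-line tools are installed, builds two throwaway keyrings in temporary directories so your real keyring is untouched, and uses made-up addresses at example.invalid.

```python
"""Walk through the OpenPGP workflow with GnuPG: generate key pairs for two people,
exchange public keys, encrypt to the recipient, and show that only the recipient's
private key can decrypt. Assumes `gpg` (GnuPG 2.1 or later) is on the PATH."""
import os
import shutil
import subprocess
import tempfile


def gpg(home, *args, data=None):
    """Run gpg against an isolated keyring directory and return its stdout bytes.
    The loopback pinentry and empty passphrase keep the demo non-interactive;
    a real key should of course carry a passphrase."""
    env = dict(os.environ, GNUPGHOME=home)
    cmd = ["gpg", "--batch", "--yes", "--no-tty", "--pinentry-mode", "loopback",
           "--passphrase", "", *args]
    return subprocess.run(cmd, input=data, env=env, check=True,
                          capture_output=True).stdout


def new_keyring(user_id):
    """Create a fresh GNUPGHOME holding one key pair for user_id; return its path."""
    home = tempfile.mkdtemp(prefix="pgp-demo-")
    os.chmod(home, 0o700)  # gpg refuses to work with a group- or world-readable home
    gpg(home, "--quick-generate-key", user_id, "default", "default", "never")
    return home


def export_public_key(home, user_id):
    """The ASCII-armored public key: the 'string of characters' you give to contacts."""
    return gpg(home, "--armor", "--export", user_id)


def import_public_key(home, armored):
    gpg(home, "--import", data=armored)


def encrypt_to(home, recipient, plaintext):
    # --trust-model always skips the web-of-trust check for the demo. In real use,
    # confirm the recipient's key fingerprint out of band before trusting it.
    return gpg(home, "--armor", "--trust-model", "always", "--encrypt",
               "--recipient", recipient, data=plaintext)


def decrypt(home, ciphertext):
    return gpg(home, "--decrypt", data=ciphertext)


def cleanup(*homes):
    for home in homes:
        subprocess.run(["gpgconf", "--kill", "gpg-agent"],
                       env=dict(os.environ, GNUPGHOME=home), capture_output=True)
        shutil.rmtree(home, ignore_errors=True)


def demo():
    """Alice writes to Bob. Returns (ciphertext, what Bob reads, the original, whether
    Alice herself could decrypt the message she sent)."""
    alice = new_keyring("Alice <alice@example.invalid>")  # hypothetical identities
    bob = new_keyring("Bob <bob@example.invalid>")
    try:
        # Step 1: Bob gives Alice his public key (for example, attached to an e-mail).
        import_public_key(alice, export_public_key(bob, "bob@example.invalid"))
        # Step 2: Alice encrypts with Bob's public key before the message leaves her machine.
        message = b"Quarterly numbers attached. Do not forward.\n"  # constructed sample
        ciphertext = encrypt_to(alice, "bob@example.invalid", message)
        # Step 3: Bob's private key recovers the text; Alice's cannot, because the
        # message was not encrypted to her key.
        recovered = decrypt(bob, ciphertext)
        try:
            decrypt(alice, ciphertext)
            alice_can_read = True
        except subprocess.CalledProcessError:
            alice_can_read = False
        return ciphertext, recovered, message, alice_can_read
    finally:
        cleanup(alice, bob)


if __name__ == "__main__":
    ct, plain, _, alice_can_read = demo()
    print(ct.decode())
    print("Bob reads:", plain.decode().strip(), "| Alice can read it:", alice_can_read)
```

The ciphertext that comes back is what would travel from server to server across the Internet; it is useless without Bob's private key, which never leaves his keyring. Note that an OpenPGP message protects the body and attachments only: the subject line and the addresses remain readable in transit.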

How to Encrypt Stored Email

If you use an email client or app on your computer or mobile device, rather than checking your email via a Web browser, you should make sure that your stored email data is encrypted so that thieves and snoops can't access your saved messages if you lose the device or someone steals it.

It's best to fully encrypt your laptop or mobile device, since the portability of such devices puts them at special risk of being lost or stolen. For more information on encrypting your Windows computer or laptop, see "How to Encrypt Files With Your Windows PC." For mobile devices it's best to use an operating system that provides full device encryption by setting a PIN or password to protect your email and other data. BlackBerry and iOS (iPhone, iPad, and iPod Touch) devices have offered this type of encryption for years; Android supports it only in version 3.0 and later. For older Android devices, consider obtaining a third-party email app, like TouchDown for Exchange accounts, that provides encryption.

For desktops and laptops, you can encrypt just your email data files if you prefer not to encrypt the whole computer. The encryption features of email clients vary, so check the documentation for your particular program and version. If your email client doesn't offer trustworthy encryption, consider selectively encrypting the directory where your email records are stored.

If you use a Professional, Business, or Ultimate edition of Windows, for example, you can encrypt email records--no matter what email client you use--through Windows' built-in Encrypting File System (EFS) feature. First, find the file(s) that your email client uses to store your email messages; Microsoft Outlook uses a .PST file to store messages, or an .OST file for Exchange accounts. In Windows XP, you'll find the file at C:\Documents and Settings\yourusername\Local Settings\Application Data\Microsoft\Outlook. In Windows Vista and 7, it's at C:\Users\yourusername\AppData\Local\Microsoft\Outlook.

Once you've determined where your email client stores your data, right-click the file(s) or the folder that contains them, select Properties, click Advanced, and select Encrypt contents to secure data.

Encrypting files with the Encrypting File System (EFS) feature of Windows.

That's all you have to do. EFS will open and automatically decrypt the file(s) whenever you're logged into your Windows account. Remember to disable encryption before reinstalling Windows or changing your Windows account, or you'll risk being unable to decrypt the files later.
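The Properties dialog steps above can also be checked and applied from a script, which is handy when you want to confirm that every Outlook data file on a machine is actually covered. The script below is an added example, not code from the article or from Microsoft: it scans a folder for .pst/.ost files, reports which ones lack the EFS attribute, and can apply EFS through the same Windows API the dialog uses (advapi32 EncryptFileW). The scan runs on any platform; the encrypt step is Windows-only, and the Outlook path it assumes is the Vista/7 location named in the article.

```python
"""Audit Outlook data stores for EFS protection and, on Windows, encrypt the ones that lack it."""
import ctypes
import os
import sys
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_ENCRYPTED = 0x4000  # Win32 file-attribute bit that EFS sets on a protected file
MAIL_STORE_SUFFIXES = {".pst", ".ost"}


def default_outlook_dir():
    """Outlook's store folder on Windows Vista/7: %LOCALAPPDATA%\\Microsoft\\Outlook (None elsewhere)."""
    base = os.environ.get("LOCALAPPDATA")
    return Path(base) / "Microsoft" / "Outlook" if base else None


def is_efs_encrypted(path):
    """True when the file carries the EFS attribute. Non-Windows stat() has no
    st_file_attributes, so anything there reports as unprotected."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_ENCRYPTED)


def find_mail_stores(root):
    """Every .pst/.ost file below root, sorted for stable reporting."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix.lower() in MAIL_STORE_SUFFIXES)


def audit(root):
    """Map each mail store under root to whether it is EFS-protected."""
    return {str(p): is_efs_encrypted(p) for p in find_mail_stores(root)}


def efs_encrypt(path):
    """Apply EFS to one file (the same operation as 'Encrypt contents to secure data').
    Outlook must be closed first: EFS cannot encrypt a file another program holds open."""
    if sys.platform != "win32":
        raise OSError("EFS is a Windows (NTFS) feature")
    encrypt_file = ctypes.windll.advapi32.EncryptFileW
    encrypt_file.argtypes = [ctypes.c_wchar_p]
    encrypt_file.restype = ctypes.c_int
    if not encrypt_file(str(path)):
        raise ctypes.WinError()
    return True


def make_sample_tree():
    """Constructed fixture for trying the audit offline: a temp folder with an empty
    Outlook.pst and an unrelated file. Not a real mailbox."""
    root = tempfile.mkdtemp(prefix="mailstore-")
    (Path(root) / "Outlook.pst").write_bytes(b"")
    (Path(root) / "readme.txt").write_bytes(b"")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else (default_outlook_dir() or make_sample_tree())
    for store, protected in audit(target).items():
        print("protected" if protected else "NOT protected", store)
        if not protected and sys.platform == "win32" and "--fix" in sys.argv:
            efs_encrypt(store)
            print("  encrypted", store)
```

Run it with the Outlook folder as the argument to get a report, and add `--fix` (with Outlook closed) to encrypt any store that is not yet protected. The same caution from the article applies: EFS ties the files to your Windows account, so a reinstall or account change without first decrypting them leaves the data unreadable.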
