How to Encrypt Emails
Emails are inherently insecure, but most of the time it doesn’t matter. However, occasionally it would be preferable if some emails could be sent safe in the knowledge that only the intended recipient can read them. For example, consider a scenario in which you are receiving the results of a blood test from your doctor via email. With a standard email, there is no guarantee that it will not be viewed by anyone else before it reaches your inbox. Our end-to-end encryption feature can provide that guarantee. On this page we will explain how to use this feature to encrypt the emails you send so that no-one other than the intended recipient can read them.
Design Goals
Before we explain how to encrypt emails, let's consider a few design goals for such a system.
| Goal | What it means |
|---|---|
| Privacy | No one but the intended recipient should be able to open the message; not even administrators or a junk-filtering email system. |
| No Plugins | No plugin should be required to open the original message; it uses software that is commonly available on every computer or mobile device. |
| Off-line Access | Recipients should not have to rely on external websites in order to view the message; they should be able to view it even when Internet access is not available. |
| Mobile Access | Recipients should be able to open the message on mobile devices running iOS, Android or Windows. |
| No Expiration | A previously sent message should never expire. |
SSL/TLS: A Misconception
Many people assume that sending mail over SSL/TLS gives them end-to-end encryption. It does not: TLS protects a message only while it is in transit on a single connection, hop by hop.
A typical delivery path runs from your mail client to your outgoing server, through one or more relaying SMTP servers, and finally to the recipient's server and mailbox. Each hop may or may not be TLS-protected, and every server on the path decrypts the message in order to process it. At each server the message is therefore stored and handled in clear, where both humans and software (administrators, filters, backups) can read it, which defeats the purpose of an end-to-end encryption system. Only a message that is encrypted before it leaves you, and decrypted only by the recipient, stays protected across all of those hops.
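As an added example, not part of this page or of Mailgate, the following Python script walks the Received headers of a message and reports which hops advertised a TLS-protected SMTP session (the ESMTPS/ESMTPSA keywords of RFC 3848). The sample message is constructed: in it the middle hop between two relays used plain ESMTP, which is exactly the gap that TLS on the other hops cannot close. Received headers are written by each relay and can be omitted or forged, so this is a diagnostic, not a guarantee, and even a TLS hop leaves the message in clear on the relay itself.

```python
import re
from email import message_from_string

# Constructed sample: three Received headers, newest first, as relays prepend
# them. Hop 1 (laptop -> relay1) and hop 3 (relay2 -> mx) advertise TLS; hop 2
# (relay1 -> relay2) is plain ESMTP.
SAMPLE = """\
Received: from relay2.example.net (relay2.example.net [192.0.2.20])
        by mx.example.org with ESMTPS id 3
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay1.example.net (relay1.example.net [192.0.2.10])
        by relay2.example.net with ESMTP id 2;
        Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop.example.com (laptop.example.com [198.51.100.5])
        by relay1.example.net with ESMTPSA id 1;
        Mon, 1 Jan 2024 10:00:01 +0000
From: alice@example.com
To: bob@example.org
Subject: Your tax returns for 2020

(body)
"""

# RFC 3848 "with" keywords that denote a TLS-protected SMTP session.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>[A-Z0-9]+)"
    r"(?:.*?version=(?P<ver>[A-Za-z0-9_.]+))?"
)


def audit_hops(raw: str) -> list:
    """Return one dict per SMTP hop, in delivery order (first hop first)."""
    msg = message_from_string(raw)
    hops = []
    # Relays prepend their Received header, so the last one is the first hop.
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold the header first
        if not m:
            continue  # non-standard trace line; nothing we can say about it
        hops.append({
            "from": m["from"],
            "by": m["by"],
            "protocol": m["with"],
            "tls": m["with"] in TLS_KEYWORDS,
            "tls_version": m["ver"],  # None when the relay did not record it
        })
    return hops


def all_hops_tls(raw: str) -> bool:
    """True only if every recorded hop advertised TLS. Even then the message
    was decrypted and handled in clear on each relay along the way."""
    hops = audit_hops(raw)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for i, h in enumerate(audit_hops(SAMPLE), 1):
        state = "TLS " + (h["tls_version"] or "") if h["tls"] else "PLAIN"
        print(f"hop {i}: {h['from']} -> {h['by']} via {h['protocol']}: {state}")
    print("all hops TLS:", all_hops_tls(SAMPLE))
```

Run it against a real message by pasting the raw source (with headers) into `SAMPLE`; a single PLAIN hop anywhere in the output is enough to show why transport encryption alone does not meet the Privacy goal above.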
Prelude to the Rescue!
You can encrypt your outgoing emails in three different ways:
- Set an encryption password on the fly, which you can do for any individual email you send;
- Set a predefined encryption password for a specific recipient, which is then applied to every email you send to that recipient;
- Prompt a recipient to create an encryption password themselves, which is then applied to every email you send to that recipient.
Set Encryption Passwords on the Fly
Compose your email as normal in your email client (Microsoft Outlook, Mozilla Thunderbird, a web-based client, or any other) and append the word encpass, followed by your chosen encryption password in round brackets, to the end of the subject line. For example:
Email subject line before being modified:
Your tax returns for 2020
Email subject line after being modified:
Your tax returns for 2020 encpass(magicWord2020)
In this example, magicWord2020 is the password that you must share with the recipients of the email by some other means (in person, by phone, or over a separate messaging channel) so that they can open the email after they receive it. Do not put the password in the body or attachments of the encrypted email: those are exactly the parts that get encrypted, so the recipient cannot read them without it. You must do this with each email that you want to encrypt. The password can be any text you choose, and you may reuse one or pick a new one for each email, but bear in mind that it is the only thing protecting the document: anyone who obtains the encrypted file can try passwords offline without limit, so choose a long passphrase rather than a short word. Keep sensitive details out of the subject line itself, since email headers, including the subject, travel in the clear.
That is all there is to it. It can only work, of course, if we host your email and you send it through our mail servers, configured according to the instructions we provided: the encryption is applied on our server, so a message that bypasses it leaves as a normal email.
For outgoing messages with encpass(yourPassword) at the end of the subject, Mailgate extracts the body and any attachments from the message, builds a PDF document protected with AES-256 encryption, and sends that encrypted PDF instead. The PDF reader, on desktop or mobile, prompts the recipient for the password. AES-256 itself is strong, but the document key is derived from the password, so the protection is only as strong as the password the recipient has to type. Any reasonably current PDF reader can open AES-256-protected files.
Set Predefined Encryption Passwords
If you want to do this regularly for specific recipients, e.g. your accountant or your clients if you are an accountant, it can be cumbersome to do this manually every time you send an email to these recipients. In this case you can associate a predefined password for specific recipients.
To enable this, log in to your Mailgate account (see the login instructions) and then do the following:
- Select End-To-End Encryption from the Home menu.
- Enter the recipient’s email address and the password you want to associate with it in the relevant boxes and press Add.
- Repeat for each email address as required.
Ignore the references to sensitive data on that web page; they do not apply here.
Prompt a Recipient to Set their Predefined Encryption Password
All you have to do is add encpass (with no password in brackets) at the end of the outgoing email's subject line for a recipient who has no stored password yet, after which Mailgate does the following:
- Stores that email temporarily, already encrypted;
- Sends an email to the recipient, asking them to create an encryption password;
- After the recipient creates that password, sends the email to the recipient, which can only be opened with that password;
- Stores that password for future use.
As before, ignore the references to sensitive data on that web page; they do not apply here.
Choosing When to Use an Encryption Password
When you send an email, compose it as normal and do one of the following:
- Include the word encpass at the end of the subject, without a password in brackets; Mailgate automatically applies the recipient's predefined password (or, if none is stored yet, prompts the recipient to create one, as described above).
- Include encpass(magicWord2020) at the end of the subject to apply a one-off password, as explained above.
- Include neither of these to send a normal, unencrypted email.
Note that predefined passwords only work when the message has a single recipient, not multiple recipients.
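As an added example, not taken from this page or from Mailgate, the following Python code shows gateway-side logic that turns the three subject-line forms above into a decision: which mode applies, which password (if any) protects the PDF, and what the outgoing subject becomes. Everything beyond the rules the page states is an assumption of the example and is marked in the comments: the token is matched case-insensitively, a malformed token fails closed instead of sending clear text, the token is stripped from the subject, the one-recipient rule for stored passwords is enforced, and a minimum password policy rejects one-off passwords that an offline guess would recover quickly.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Token accepted only at the very end of the subject: "encpass" alone (use the
# recipient's stored password, or prompt them to set one) or "encpass(<password>)"
# for a one-off password. Case-insensitive matching is an assumption of this
# example; the page writes the token in lower case. Brackets are not allowed
# inside the password because they would make the token ambiguous.
TOKEN_RE = re.compile(r"\s*encpass(?:\((?P<pw>[^()]*)\))?\s*$", re.I)
TOKEN_ANYWHERE_RE = re.compile(r"\bencpass\b", re.I)

# Assumed local policy (not Mailgate's): the PDF can be attacked offline with no
# rate limiting, so insist on a minimum length and some variety of characters.
MIN_LENGTH = 12
MIN_CLASSES = 3


def password_acceptable(pw: str) -> bool:
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(pw) >= MIN_LENGTH and classes >= MIN_CLASSES


@dataclass
class Decision:
    mode: str                # "none", "one-off", "predefined" or "prompt"
    password: Optional[str]  # password for the PDF; None for "none" and "prompt"
    subject: str             # subject with the token removed (assumption: the page
                             # does not say whether Mailgate strips it)


def decide(subject: str, recipients: list, predefined: dict) -> Decision:
    """Map a subject line plus recipient list to an encryption decision.
    `predefined` maps lower-cased recipient addresses to stored passwords."""
    m = TOKEN_RE.search(subject)
    if not m:
        if TOKEN_ANYWHERE_RE.search(subject):
            # Fail closed: a mistyped token must not silently send clear text.
            raise ValueError("encpass token present but not well-formed at the end of the subject")
        return Decision("none", None, subject)
    clean = subject[:m.start()].rstrip()
    pw = m.group("pw")
    if pw is not None:                       # encpass(<password>): one-off
        if not password_acceptable(pw):
            raise ValueError("one-off password does not meet the local policy")
        return Decision("one-off", pw, clean)
    if len(recipients) != 1:                 # bare encpass: stored password
        raise ValueError("a predefined password works with exactly one recipient")
    stored = predefined.get(recipients[0].lower())
    if stored is None:
        return Decision("prompt", None, clean)   # ask the recipient to set one
    return Decision("predefined", stored, clean)


def rejects(subject: str, recipients: list, predefined: dict) -> bool:
    """True if decide() refuses the message; convenient for checks."""
    try:
        decide(subject, recipients, predefined)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    stored = {"bob@example.org": "Pr3-shared-phrase"}   # constructed sample
    for subj, rcpts in [
        ("Your tax returns for 2020 encpass(magicWord2020)", ["bob@example.org"]),
        ("Your tax returns for 2020 encpass", ["bob@example.org"]),
        ("Your tax returns for 2020 encpass", ["carol@example.org"]),
        ("Your tax returns for 2020", ["bob@example.org"]),
    ]:
        print(decide(subj, rcpts, stored))
```

The fail-closed branch is the part worth copying: a subject such as "Report encpass (magicWord2020)" (space before the bracket) is rejected rather than leaving as an ordinary clear-text email, which is the failure a sender would never notice.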
Resetting Passwords
You can reset a stored password for a recipient by deleting it from Home > End-to-End Encryption and setting it again with either of the methods above.