DEV Community

Cover image for Email Encryption: What it is, How Does It Work, and How to Encrypt an Email

Posted on

Email Encryption: What it is, How Does It Work, and How to Encrypt an Email

How can you be sure your email contents are safe, and no one is eavesdropping on them? Let's find out how to secure the communication using email encryption

"What if someone reads my emails?", "What if someone steals that information and blackmails me?", "What if hackers alter the information in my emails or insert the malware in the attachments?" Let's be honest; at some point in our lives, these types of questions do haunt us all. Email confidentiality has been a talk-of-the-town as we hear data breach incidents so frequently. To tackle these issues, email providers and some independent third parties have come up with the idea of email encryption. In this article, we will talk about how email encryption works and what are some of the latest encryption tools and technologies available in the cybersecurity industry.

What is Email Encryption?

Before moving forward, let’s quickly cover what encryption is. Encryption means scrambling plaintext data and make it incomprehensible by applying mathematical algorithms. So, for example, if you encrypt the line “Angry-birds is my favorite game”, it will look something like this “ZJSwbngQXQvvkDPO5qCF0eyUoojqeOcXC0lIncuECKY=”. That means, even if someone gets access to your data, they won’t be able to read it. To decrypt and interpret the encrypted data, one needs to have an authentication key, and it is assumed that (ideality) the only authorized person has this key. Popular authentication keys are passwords, private keys (stored in digital certificates), OTP, passcodes, biometrics, etc.
Encryption is used to protect many types of data such as data stored on cloud platforms, files and folders, data traveling between the website and its users, data stored on hardware devices, etc. And it is used to protect email communication as well.

Historically, emails used to be in plaintext when they were in-transit and at-rest. That means, if an intruder hacks the email client or breaks-into an internet connection, they can read, steal, and modify the email content. But then, the transport layer security (TLS) technology got invented which facilitated data encryption between two end-points. It got popular for all types of websites and email clients. Most email clients use it to provide email encryption facilities to their users. That means, when you send an email, it automatically gets encrypted until it reaches the intended recipients. Even if a hacker tries to access the email content, all they would get is a ciphertext that looks gibberish and doesn't make any sense! Later on, end-to-end encryption got invented, which provides even tighter security than the TLS. In the next section, we have covered both of these technologies in detail.

How Does Email Encryption Work and How to Send Encrypted Emails?

In this section, we have covered email encryption’s practical utility. As we mentioned earlier, there are basically main two types of email encryption. One is transport layer security (TLS) encryption, and another is end-to-end encryption (E2E).

1) Transport Layer Email Encryption
In this type of email encryption, when you send an email, it reaches the email client's server first and then goes to the intended recipient. In easy words, when Bob sends an email to Alice using Gmail, it reaches Gmail's server first, and then (from that Gmail's server) it is pushed forward to Alice's email client.

How can I send an encrypted email using transport layer email encryption?

The good news is you don’t have to anything to encrypt the email with TLS technology! All the email clients use SSL/TLS certificates. This certificate facilitates email encryption for all outgoing and incoming emails. Whenever you send an email, it automatically gets encrypted, and you don’t need to take any extra steps to encrypt or decrypt the email.
If you open an email client, check the address bar. Can you see a padlock sign in front of the domain name? It is the sign that your email client is using an SSL/TLS certificate and is already providing you the email encryption facility.

The biggest disadvantage of transport layer email encryption is that the email client stores the cryptographical keys on its server. If their employees want, they can read all of your email contents (although there are legal regulations for this). If a hacker breaks into the email client's server or accesses their database, they can also access all the email communication. Plus, TLS technology encrypts the emails only when they are in transit. But when they are at-rest i.e., stored on the email client, they remain in the plain text. That means, although hackers can’t read the emails while they are in transit, as soon as the email reaches the recipient and is stored on their email client, it becomes vulnerable for hackers to attack.

Of course, all email clients have a strong security posture to prevent such cyberattacks. But the question is, can you take a proactive step to protect your email communication instead of just relying upon the email clients? This question is leading to our second type of email encryption, i.e., end-to-end encryption.

2) End-to-End Email Encryption
Unlike TLS encryption, in which there is the email client’s server works as the mediator, end-to-end encryption has a direct path of communication. When you send an email, it directly reaches the recipient without any intermediaries. That means, chances of email getting compromised, and corrupted get reduced dramatically.

How can I send encrypted email with end-to-end email encryption?

There are some third-party certificates, browser extensions, and email clients which you can utilize to enable E2E encryption.

Secure/Multipurpose Internet Mail Extensions (S/MIME) Certificates

The organization needs to buy these certificates from the third-party certificate authorities (CAs). S/MIME certificates are also known as email signing certificates and email encryption certificates. The CAs vet the buying organization’s credentials to make sure it is issuing the certificate to the legit business. Once the S/MIME certificate is issued, you (as an organization) need to install it on your employees’ email clients. Please note that these certificates are available at the enterprise level only. So, if you are an individual, you can’t enable E2E encryption using S/MIME certificates unless your organization facilitates it.

These certificates offer not only end-to-end encryption service but also identity authentication facilities and email tampering alerts. That means, the sender can insert the digital signature on the email so that the recipients can make sure the email is coming from the same source as it claims to be. No one can remove, copy, or modify this digital signature. It also uses hashing technology. So, if an intruder tries to modify the email content, the recipients are immediately notified that the email is compromised and not to trust its content and download anything from it. These facilities are some of the best weapons to protect recipients from phishing emails. Plus, emails stay encrypted when they are at-rest (stored on the email clients), too.

These are some of the resources with detailed steps on how to send encrypted email using S/MIME. You can follow these steps only after your organization has bought the email signing certificate.

How to enable S/MIME on

Web clients that facilitate end-to-end encryption

There are some email clients like ProtonMail, Tuanota, Mailfence, PreVeil, Virtru, etc, that have in-built E2E encryption facilities, without the need for a certificate.

Browser extensions for end-to-end email encryption

You simply need to add extensions to your browsers and enable them on your regular email clients. Some of the popular extensions are Mailvelope, SendSafely, End-To-End, Lockmagic, and FlowCrypt.

Oldest comments (0)