Email encryption used to be the domain of security experts and programmers alone. Users would have to install and configure encryption, generate their own key pairs, and trade public keys with anyone they wanted to email (and confirm the user was who they said they were). Each user would have to manage and protect their private key from third parties and enter it any time they wanted to decrypt email. It was complex, finicky and easy to mess up — potentially exposing email to a malicious actor.
Nowadays, users can choose a secure email service to handle the encryption basics for them, putting the technology within reach of nearly any Internet user. But not all email encryption programs are equal; some don’t offer adequate security, while others use strong encryption, but aren’t user-friendly enough to communicate with everyone. Here’s how to find the best email service for your needs.
The best secure encrypted email for one user may be a poor choice for another.
Your secure email service needs to support the way you use email. For example, if you’re a tech-savvy user who wants something to communicate one-on-one with a small group of security professionals, older email encryption tools like PGP or S/MIME could be a great fit.
Sure, they’re finicky and don’t have good support for sending attachments, but both provide strong security (provided you know how to encrypt an email the hard way) and let you store your own keys without putting any trust in third-party security service providers. If you have the knowhow and don’t need the missing features, then why not?
However, most users need to be able to communicate with any arbitrary email user, both one-on-one and in group messages. That means many of your recipients either won’t use the same secure email service as you do, or won’t encrypt at all. You’ll need to choose an email encryption program that lets you communicate securely with everyone, supports attachments and is user-friendly enough to allow your least tech-savvy friends and business associates to send secure emails back.
Not all email encryption is equally secure.
Although usability is key, good encryption is still at the heart of any secure encrypted email service. AES with 128-bit keys or longer is considered very strong with current technology; however, the longer the key, the more secure. With 256-bit AES encryption available and widely trusted for sensitive information, there's no good reason to use anything less.
It’s also worth mentioning that while you can control your email’s destination, you can’t control how it gets there. A secure email service that uses point-to-point encryption only protects the connection, leaving your message vulnerable if it travels through a hacked or poorly-configured server. Client-side encryption scrambles the message and attachment before they even leave your device, and can only be decrypted by the recipient.
Your secure email service's data practices also affect security. If your provider stores both your emails and your encryption key, it can read your messages, or be compelled by the government to disclose them. That also means a hacker could conceivably read your emails by infiltrating your provider's server. However, if your encrypted email service holds only your keys, and never the messages themselves, that single point of failure is eliminated, making it much more difficult for any unauthorized party to access your data.
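The two preceding paragraphs describe client-side encryption: the body and attachment are sealed on the sender's device, so every relay and the provider's message store handle only ciphertext, and whoever lacks the key (including the provider, if it holds messages but not keys) cannot read them. The following Go program is an added illustration of that model, not code from this page or from Virtru; the envelope format, the function names, and the sample message are all constructed here for the example. It uses AES-256-GCM from the Go standard library, binds the cleartext recipient address as authenticated data, and shows that a server scanning stored mail finds nothing, that the wrong key fails, and that a tampered or re-addressed envelope is rejected rather than decrypted into garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope is the only thing that leaves the sender's device. Mail servers on
// the path, and the provider's message store, see nothing else. (Constructed
// format for this example, not any real product's wire format.)
type Envelope struct {
	Recipient  string // cleartext: the relay needs it to deliver
	Nonce      []byte
	Ciphertext []byte // body + attachment sealed together, GCM tag appended
}

// NewMessageKey returns a fresh 256-bit key; AES-256 is the size the page recommends.
func NewMessageKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// encodeParts joins body and attachment with a 4-byte length prefix on the
// body, so the two can be split again after decryption.
func encodeParts(body, attachment string) []byte {
	buf := make([]byte, 4, 4+len(body)+len(attachment))
	binary.BigEndian.PutUint32(buf, uint32(len(body)))
	buf = append(buf, body...)
	buf = append(buf, attachment...)
	return buf
}

func decodeParts(p []byte) (string, string, error) {
	if len(p) < 4 {
		return "", "", errors.New("truncated payload")
	}
	n := binary.BigEndian.Uint32(p)
	if uint64(n) > uint64(len(p)-4) {
		return "", "", errors.New("corrupt length prefix")
	}
	return string(p[4 : 4+n]), string(p[4+n:]), nil
}

// Seal encrypts body and attachment on the sender's device with AES-256-GCM.
// The recipient address travels in the clear but is bound as additional
// authenticated data, so a relay cannot re-address the message undetected.
func Seal(key []byte, recipient, body, attachment string) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, encodeParts(body, attachment), []byte(recipient))
	return Envelope{Recipient: recipient, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the recipient's side: without the right key, or if any byte of the
// envelope was altered in transit, it fails instead of returning garbage.
func Open(key []byte, env Envelope) (body, attachment string, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Recipient))
	if err != nil {
		return "", "", fmt.Errorf("envelope rejected: %w", err)
	}
	return decodeParts(pt)
}

// LeaksPlaintext is what a hacked or poorly-configured server could try:
// scan the stored envelope for a string. With client-side encryption the
// search finds nothing.
func LeaksPlaintext(env Envelope, needle string) bool {
	return bytes.Contains(env.Ciphertext, []byte(needle))
}

func main() {
	key, err := NewMessageKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message and attachment.
	env, err := Seal(key, "alice@example.com", "Q3 numbers attached", "Q3,revenue,123")
	if err != nil {
		panic(err)
	}
	fmt.Printf("relay sees recipient=%s and %d opaque bytes\n", env.Recipient, len(env.Ciphertext))
	fmt.Println("server can find 'revenue' in stored mail:", LeaksPlaintext(env, "revenue"))
	body, att, err := Open(key, env)
	fmt.Println("recipient reads:", body, "|", att, "|", err)
}
```

The per-message key is left as a plain byte slice on purpose: how that key reaches the recipient (manual PGP-style exchange, or a provider that stores keys but not messages, as the page contrasts) is the key-management question the next section takes up, and it does not change the property shown here, which is that nothing between sender and recipient can read or quietly alter the content.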
The best secure encrypted email service is hard to crack, but easy to use.
Older encryption protocols, which required custom setup and careful operation, aren't suitable for the cloud. Most users need an email encryption service that works across multiple devices, can be set up with a few clicks, and secures emails with just one. That level of ease of use can only be achieved with automatic key management: a system where the provider stores your encryption keys on a secure server and plugs them in when you need to read or send an encrypted message.
Encryption methods that require users to enter their keys are less convenient and, for most users, less secure. If your computer is hacked or your phone is stolen, a malicious party could access your encryption key. If you use automatic key management and employ email security best practices, your key is safe in the cloud and your email is inaccessible. That means that even if your device is stolen, the hacker won't be able to access your messages.
Your secure email service also shouldn’t require extra logins and accounts. This is a convenience issue, but it also impacts security; the more passwords you have and the more steps you have to take, the more likely that you’ll forget a password, miss a step or just send an unencrypted email when you’re in a hurry. Encrypted emails don’t need to be any harder to send than unencrypted ones, so they shouldn’t be.
The best secure encrypted email services allow you to use email the way you normally do.
Email has been around for a while, but is still a wonderfully flexible and convenient communication method. It allows you to send a message to one person, or to many, to send CC’s and BCC’s and upload attachments. Likewise, your recipients can reply to the whole group, certain recipients or you alone, forward the message or add their own attachments.
Unless your secure email service can do everything you do with email, you won't be able to use it all the time, and that puts your security at risk. Unfortunately, most email encryption providers restrict how you use email. Some require each user to set up a new email account, which is impractical (especially for business users). Other email encryption protocols can't send attachments or reply to multiple users.
But interoperability is the biggest issue. Nearly all secure email services can only encrypt messages to recipients who have installed (or otherwise use) the same service, and many only work on certain platforms or devices. For most users, that’s not a practical solution; with so many encryption options available, you’ll never be able to get all of your friends to install the same tool — and that doesn’t count vendors, business associates, tech support and other strangers you need to contact. You need a solution that can send messages to anyone.
From an interoperability standpoint, the best secure email service solution is a browser plugin. An email encryption add-on that supports common browsers like Chrome and Firefox and common webmail services like Gmail should enable you to encrypt emails from any device or account. Some users may require encryption that also supports desktop platforms, such as Microsoft Outlook.
Your email security solution should also have a way for recipients to read encrypted messages and send an encrypted reply. Make sure the process is relatively simple, even for a user who has never received an encrypted email before; it will take at least a couple of clicks to open a secure window and reply, so the encrypted message should come with clear instructions.
Your secure email service should make your life less stressful.
Email encryption isn't just a specialized security tool for confidential messages anymore; it's something we can all use to keep data safer in the cloud. No matter how secure email services are, they only work when you can actually use them. If encrypting emails is a hassle, or something that only works when you communicate with certain recipients, it's not doing its job.
We recommend researching your providers, and making sure they’re both secure and easy to use. You can learn more about our approach here: how to encrypt email.
If you’d like to learn more about how Virtru could work with your organization, let’s chat.