Email Encryption Basics

New to Email Encryption? Learn the fundamentals from our collection of articles for beginners.

How Does Email Encryption Work?

The origins of email go back to the early days of computing. Back when computers were purpose-built devices shared by groups of users, programmers invented methods to share messages with other users on the same machine. As technology evolved, so did messaging, allowing users to communicate with each other over early networks like ARPANET, and finally, over the Internet.

Over time, email acquired other features. Attachments, HTML formatting, and security tools to send encrypted email made it an effective alternative to both lightweight messaging apps and complex portals. But email has something that no other messaging tool has: universality.

A 2015 study by The Radicati Group predicts that nearly 2.9 billion users will have email access by 2019 — 1 out of every 3 people on the planet. In developed countries, you can use email to communicate with virtually anyone, from tech industry workers to people who still read out a URL “h-t-t-p-colon-forward-slash-forward-slash.”

This makes it an indispensable tool for both professional and personal communication. But while email’s functionality has kept up with the times, the times haven’t kept up with the threat environment. Like most messaging apps, email is not sufficiently secure against hackers, government spying, and other risks. But while you have to settle for default security in apps, you can protect your email by learning how to encrypt email.

How to Encrypt Email: Key Features
Email encryption should support everything you do with email — otherwise, it will leave some of your messages unprotected. That means it needs to be:

  • Effortless: Email should be easy enough that non-technical users can learn how to encrypt email in a few minutes, and encrypt with as few extra steps as possible. The goal is to have something that preserves the convenience of email, requiring little training or extra work. To do this, your email encryption application should be able to automatically perform technical functions such as managing keys, encrypting and decrypting messages, and controlling access.
  • Universal: Encryption should be able to send secure messages to anyone with an email address — not just people who use the same form of encryption. It should also be able to encrypt messages to groups of recipients, and to cc’d and bcc’d recipients, just like ordinary email.
  • Content Agnostic: Your email encryption should be able to secure any file you would attach to an email. Documents, sound files, spreadsheets, videos and other types of data must be encrypted without extra work.
  • Secure: Email encryption should be able to transport a message from your computer to your recipient securely, every time. There will always be risks (e.g. someone gaining control of your recipient’s email account) but the failure of the encryption itself should not be a significant email security risk.
  • Private: Email encryption should ensure only you and your recipient can read the message. That means it must protect your communication from your email provider, the organizations controlling the servers it travels across, and even your encryption provider, as well as hackers. No one should be able to see your data unencrypted.

How to Encrypt Email With PGP
Pretty Good Privacy (PGP) is an encryption program used to send secure email and files, as well as to encrypt other types of data. When you encrypt an email with PGP, the program creates a one-time session key, which is then used to encrypt the email. The session key is then encrypted with the recipient’s public key, and both are sent. The recipient uses their private key to retrieve the original session key, which then decrypts the email.

PGP is very secure when used correctly. Assuming your recipient’s public key is authentic, you can protect your private key, and you know how to encrypt email correctly, it’s unlikely a third party will be able to read your messages.

The problem is that it’s too complicated for most users. Before you can send secure email to a user, you need to obtain their public key, and provide your public key to respond. The Web of Trust (the system PGP uses to confirm keys are authentic) depends on other users to endorse keys, making it clunky and difficult to use — particularly for new users, who may not have contact with the PGP community.

You also have to manage all your keys on your device. Lose your private key, and you’re locked out of all your messages. Lose control of your device, and an attacker could read your emails. And of course, you can only send messages to other PGP users whose keys you already have, making it unsuitable for general communication.

Additionally, PGP has many security flaws, particularly for users who are just learning how to encrypt email. If you use an outdated version of PGP, or fail to configure your software properly, it could be exposed to an attacker.

How to Encrypt Email With TLS
Here’s some good news for aspiring encryption users: you’re probably already encrypting email with Transport Layer Security (TLS). TLS (and its predecessor, SSL) is used across the Internet to send secure email, protect financial transactions, and provide for secure web browsing. Look at your browser bar — you see the address that starts with “https” next to the closed lock? That means you’re using TLS here, too!

TLS is a kind of point-to-point encryption, meaning it protects data along each hop it takes on its journey across the Internet. When you send an encrypted email, your computer communicates with your webmail provider’s server (e.g. Gmail), and executes a handshake.

The process is complex, but essentially, the two confirm that each is who they say they are, agree on an encryption method and create a session key. The client (your computer) uses that session key to send the message to the server (Gmail), which decrypts the message. The whole process repeats, sending the message from your server to the recipient’s server, and finally to the recipient’s email address.

The great thing about TLS is you don’t need to know how to encrypt email — if your email provider uses TLS (and they should), the process is automatic. Unfortunately, it’s not secure enough. If the recipient’s server doesn’t use TLS, your email will be sent in plain text (i.e. unencrypted) and you won’t even know it has been exposed. TLS-encrypted email is also vulnerable at each server. If a server has misconfigured TLS, or hasn’t fixed a bug or applied an update, the connection can be hacked. The server’s operator also has access to your email, unencrypted. In either case, you won’t know if your secure email has been compromised.
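The silent plaintext fallback described above, as an added example that is not part of the original article: a sending server reads the recipient server's SMTP EHLO reply and, under the usual opportunistic policy, delivers unencrypted when STARTTLS is not advertised, while a require-TLS policy (what MTA-STS provides in practice) refuses to deliver instead. The reply strings, hostnames and function names are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Decision is what the sending server does after reading the recipient
// server's EHLO reply.
type Decision string

const (
	Encrypt   Decision = "upgrade with STARTTLS, then send"
	Plaintext Decision = "send unencrypted" // the silent fallback the text warns about
	Refuse    Decision = "refuse to deliver"
)

// ehloOffersStartTLS reports whether a multi-line EHLO reply ("250-KEYWORD" lines
// closed by one "250 KEYWORD" line) advertises the STARTTLS extension.
func ehloOffersStartTLS(reply string) bool {
	for _, line := range strings.Split(reply, "\r\n") {
		if len(line) < 4 || !strings.HasPrefix(line, "250") {
			continue
		}
		if strings.EqualFold(strings.TrimSpace(line[4:]), "STARTTLS") {
			return true
		}
	}
	return false
}

// deliveryDecision applies the policy: opportunistic TLS (the common default)
// falls back to plaintext when STARTTLS is missing; require-TLS refuses instead.
func deliveryDecision(reply string, requireTLS bool) Decision {
	switch {
	case ehloOffersStartTLS(reply):
		return Encrypt
	case requireTLS:
		return Refuse
	default:
		return Plaintext
	}
}

func main() {
	// Constructed EHLO replies: one server that offers STARTTLS, one that does not.
	withTLS := "250-mx.example.test Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
	noTLS := "250-mx.example.test Hello\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"
	for _, requireTLS := range []bool{false, true} {
		fmt.Printf("requireTLS=%v: %s / %s\n", requireTLS,
			deliveryDecision(withTLS, requireTLS), deliveryDecision(noTLS, requireTLS))
	}
}
```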

Finally, TLS is vulnerable to government spying. Through a program called BULLRUN, the NSA has been able to crack much of the TLS-secured traffic. There’s no way to know if your TLS email is really secure, or if it is being read by a government agency.

How to Encrypt Email With Virtru
Virtru email encryption is designed to overcome the limitations of traditional encryption techniques, providing complete security combined with user-friendliness. Like SSL, it can encrypt anything, but it is not vulnerable to covert hacking or interception in-transit. And because it encrypts messages with one click, and can deliver messages to any recipient, Virtru is suitable for non-technical users who don’t understand how to encrypt email by other means.

To encrypt Virtru email, just click the “v” in your message composition window after you’ve downloaded the Virtru extension (or plugin), then send the message like normal. Virtru will create a content policy governing how, when, and by whom the message may be accessed, encrypt the message, and send it. Your key will be transferred via a secure connection to a Virtru server or customer-controlled key store.

When the recipient opens the message, their computer will connect to the server to see if they have permission to open the message — directly from their email program if they have Virtru installed, or via Virtru Secure Reader if they don’t. The server will check the content policy and, if the recipient has the right to view the email, unlock it. This content policy also enables other features, giving the sender the ability to rescind the message (even after it’s been read), set an expiration date, disable forwarding and take other access control measures.

The message is encrypted before it leaves your computer and only decrypted when your recipient opens it, preventing the interception in transit that TLS is vulnerable to. And because Virtru does not have access to your message, and your email provider does not have access to your key, no one can covertly spy on your emails — even us.

Other Email Encryption Features
All messaging tools share an essential security problem: once you share information, it’s very hard to protect or control that information. If your recipient loses control of their email account, forwards your email to the wrong person, or intentionally shares an attachment against your wishes, it can be tremendously damaging to you and your family, customers, or business partners. Learning how to encrypt email can mitigate the risks of third-party interception, but by itself, it won’t allow you to keep control of information after you’ve hit send.

Selecting an encryption tool with access control allows you to control the information contained in your emails — even after you hit send. The right encryption tool will allow you as the sender to retain control of the key, even after the recipient opens the message. Look for a tool that lets you recall an email (even after it has been read), set time limits for messages to automatically expire, and disable forwarding of sensitive messages.

Ideally, you should be able to see and control access along each stage of the message’s journey. That way, if a recipient shares a message with an inappropriate recipient, you’ll be able to see this and correct it immediately. Virtru Pro features read receipts, which track message opens and forwarding, showing you exactly who has accessed your content — even when it is shared by your recipient. Combined with the access controls described above, read receipts give you considerable control of your message at each stage of its journey.

Finally, think about how human error can affect your security — particularly if you’re looking for an encryption solution for your workplace. Even if your users know how to encrypt email, they may forget to turn on encryption when sending sensitive messages. Choosing an encryption solution with integrated Data Loss Prevention can ensure workers don’t forget to encrypt, and protect against a range of security and compliance risks.

Learning How to Encrypt Email is Just the Beginning
Email encryption is an invaluable tool to improve your security, particularly if it’s used as part of a comprehensive security strategy. Check out our webinar, Email Security — 4 Ways to Enhance and Simplify Compliance to learn how to protect your organization’s email.