Whether personal or professional, many of the emails we send are highly confidential and contain sensitive data. To make sure they don’t fall into the wrong hands, you can send them with end-to-end encryption on top of the transport encryption that most providers apply automatically. Read on to learn how email encryption works and how you can encrypt your messages. Also discover what other steps you can take to protect your email traffic and how you can improve the security of your online communications using the free all-in-one solution Avira Free Security.
What is email encryption?
Email encryption protects emails from unauthorized reading and manipulation and keeps confidential information confidential. It converts the readable text of an email into ciphertext that is meaningless without the matching key, during transmission and, depending on the method, also while the message is stored. This ensures that third parties can’t read the email even if they intercept it on its way. Most email providers encrypt your emails automatically, but as a rule only in transit, which is the weaker of the two methods explained below.
The most common form of email encryption is hybrid encryption, a combination of symmetric and asymmetric methods. Symmetric encryption uses a single key for both encryption and decryption, so sender and recipient must somehow share that key secretly. Asymmetric encryption uses a key pair: a public key, which can be handed out to anyone, and a private key, which only the recipient holds. Data encrypted with the public key can only be decrypted with the corresponding private key.
When encrypting emails, asymmetric encryption is used to exchange the message key and to authenticate the parties, while symmetric encryption is used for the message content itself, because it is far faster for large amounts of data. A widely used symmetric method valued for its security and efficiency is the Advanced Encryption Standard (AES), which is used by many encryption protocols, including TLS, S/MIME, and OpenPGP.
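As an added illustration of the hybrid scheme just described (this is example code written for this article, not part of any Avira product and not the code of S/MIME or PGP themselves), the following Go program encrypts a message body with a fresh AES-256-GCM session key, wraps that key with the recipient’s RSA public key using OAEP, and shows what happens when the ciphertext is altered on the way. The Envelope structure and the sample text are constructed for the example; real S/MIME and OpenPGP messages carry the same three pieces in their own binary formats (CMS and OpenPGP packets).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is the constructed wire format for this example: the message body
// under a fresh AES-256-GCM key, plus that key wrapped with the recipient's
// RSA public key. Real S/MIME (CMS) and OpenPGP use their own encodings.
type Envelope struct {
	WrappedKey []byte // 32-byte AES key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // 12-byte GCM nonce, unique per message
	Ciphertext []byte // AES-256-GCM output with the 16-byte authentication tag appended
}

// gcmFor returns an AES-256-GCM instance for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptHybrid seals plaintext for one recipient. Only the 32-byte session
// key goes through the slow asymmetric operation; the body uses AES.
func encryptHybrid(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// decryptHybrid unwraps the session key with the recipient's private key and
// opens the body. GCM's tag check also rejects any modified ciphertext.
func decryptHybrid(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: not encrypted to this private key")
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("body rejected: ciphertext was modified in transit")
	}
	return plaintext, nil
}

func main() {
	// Recipient's key pair; in practice the public half comes from a certificate or PGP key.
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample message.
	env, err := encryptHybrid(&recipient.PublicKey, []byte("Contract draft attached, please keep confidential."))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, body: %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))

	body, err := decryptHybrid(recipient, env)
	fmt.Printf("recipient reads: %q (err=%v)\n", body, err)

	env.Ciphertext[0] ^= 0x01 // a relay flips one bit
	_, err = decryptHybrid(recipient, env)
	fmt.Println("after tampering:", err)
}
```

Two details matter beyond the happy path: the session key is never reused (a new one per message), and a single flipped bit makes the recipient’s decryption fail outright rather than produce slightly wrong text, which is the integrity protection that an authenticated mode like GCM adds to plain confidentiality.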
Basically, two methods can be used for email encryption, which we’ll dive into now. Since they work on different levels and independently of each other, they can be used both individually and together.
- Transport encryption: With this method, emails are only encrypted during transmission between the client and the server or between email servers, e.g. using TLS (Transport Layer Security).
- End-to-end encryption (E2EE): Here, the content of the email is encrypted on the sender’s device and is only ever decrypted on the recipient’s device, e.g. using PGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions).
Public key infrastructure and digital certificates
TLS and S/MIME both rely on asymmetric cryptography and on the public key infrastructure (PKI) to establish who owns which public key. PKI is a hierarchical system for issuing, managing, and checking digital certificates. A certificate is issued by a trusted certificate authority (CA) and binds a public key to the identity of its holder, for example an email address or a domain name. The certificate itself carries the CA’s digital signature, which anyone can check with the CA’s public key. A message signed with the private key belonging to such a certificate therefore proves that it comes from the holder of the certified email address, and the communication partners can be sure they are talking to who they think they are. Note that encryption alone only hides the content; protection against tampering comes from the authenticated encryption modes and digital signatures these protocols use on top of it.
Transport encryption offers automatic security
TLS is the current standard technology for encrypting data sent between a client and a server or between two servers. TLS is the successor to the older SSL protocol, whose versions are all deprecated today, but the two terms are still commonly used interchangeably, and you may see it referred to as SSL/TLS encryption.
The SSL/TLS protocol is used not only for data transmission from web browsers to secure websites via HTTPS but also to protect email delivery via SMTP. This happens in one of two ways: either the connection is encrypted from the start on a dedicated port (SMTPS, Simple Mail Transfer Protocol Secure, typically port 465, used when your email program hands a message to your provider), or a plain SMTP connection is upgraded with the STARTTLS command, which is how mail servers talk to each other on port 25. In addition, SSL/TLS is used when retrieving emails from a server via IMAPS (Internet Message Access Protocol Secure) and POP3S (Post Office Protocol 3 Secure).
Although most email providers now use TLS by default to secure the connection between your email client and their server, the connection between email servers (when a message travels from one provider to another) is usually only opportunistic: the sending server upgrades to TLS if the receiving server offers it. If the receiving server doesn’t support TLS, or the upgrade fails for some other reason, the email is transmitted in plain text. In addition, although the data is encrypted during transmission, it is often stored on the servers in a form the provider can read, meaning the email provider can in theory access its contents.
Another weakness of transport encryption is that an email usually passes through several intermediate mail servers (relays) before reaching its destination. Each hop is a separate TLS connection: a relay receives the message, decrypts it, has it in plain text, and encrypts it again for the next hop. Anyone who controls or compromises one of these relays can therefore read the message, and an attacker positioned between two servers can try to prevent the TLS upgrade on that hop, for instance by removing the STARTTLS offer from the receiving server’s reply, so that an opportunistic sender silently falls back to plain text.
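To make the opportunistic fallback concrete, here is an added Go example (written for this article; it is not taken from any mail server) that parses the reply a receiving server gives to the EHLO command and decides, from whether STARTTLS is advertised, how a message would be sent. The two server replies are constructed for the example, as is the requireTLS policy switch; real mail servers expose equivalent settings under their own names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ehloExtensions parses the 250 reply to EHLO. Per RFC 5321, every line but the
// last is "250-<text>" and the last is "250 <text>"; the first line carries the
// server's hostname and each further line names one extension.
func ehloExtensions(reply string) (map[string]bool, error) {
	exts := map[string]bool{}
	lines := strings.Split(strings.TrimRight(reply, "\r\n"), "\n")
	for i, raw := range lines {
		line := strings.TrimRight(raw, "\r")
		if len(line) < 4 || line[:3] != "250" || (line[3] != '-' && line[3] != ' ') {
			return nil, errors.New("not a 250 EHLO reply: " + line)
		}
		last := i == len(lines)-1
		if (line[3] == ' ') != last {
			return nil, errors.New("malformed multi-line reply at: " + line)
		}
		if i == 0 {
			continue // greeting line, e.g. "250-mx.example.net Hello ..."
		}
		if f := strings.Fields(line[4:]); len(f) > 0 {
			exts[strings.ToUpper(f[0])] = true
		}
	}
	return exts, nil
}

// Transport is the outcome of the policy decision.
type Transport string

const (
	TransportSTARTTLS  Transport = "STARTTLS"  // upgrade to TLS before MAIL FROM
	TransportPlaintext Transport = "PLAINTEXT" // send unencrypted
)

// chooseTransport mirrors the two behaviours described in the text. With
// opportunistic TLS (requireTLS=false) a receiver that does not advertise
// STARTTLS still gets the message, in plain text; with enforced TLS the
// delivery is refused instead. This policy function is constructed for the
// example and is not the logic of any particular mail server.
func chooseTransport(ehloReply string, requireTLS bool) (Transport, error) {
	exts, err := ehloExtensions(ehloReply)
	if err != nil {
		return "", err
	}
	if exts["STARTTLS"] {
		return TransportSTARTTLS, nil
	}
	if requireTLS {
		return "", errors.New("receiver offers no STARTTLS; refusing to send in plain text")
	}
	return TransportPlaintext, nil
}

// Two constructed EHLO replies: one receiver offers STARTTLS, one does not.
const (
	replyWithTLS = "250-mx.example.net Hello sender.example.org\r\n" +
		"250-SIZE 52428800\r\n" +
		"250-STARTTLS\r\n" +
		"250 8BITMIME\r\n"
	replyWithoutTLS = "250-legacy.example.com Hello sender.example.org\r\n" +
		"250-SIZE 10485760\r\n" +
		"250 8BITMIME\r\n"
)

func main() {
	for _, reply := range []string{replyWithTLS, replyWithoutTLS} {
		for _, enforce := range []bool{false, true} {
			mode, err := chooseTransport(reply, enforce)
			fmt.Printf("enforce=%-5v -> %-9s err=%v\n", enforce, mode, err)
		}
	}
}
```

With enforcement off, the second reply yields PLAINTEXT without any error, which is exactly the silent downgrade described above; with enforcement on, delivery is refused. Note that the check only sees what the reply says: a man-in-the-middle between the two servers who deletes the 250-STARTTLS line produces the same PLAINTEXT outcome, which is why opportunistic TLS on its own cannot be relied on for confidentiality.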
End-to-end encryption offers additional security
With end-to-end encryption, it is not just the transport path that is encrypted but the email itself. The content of the email and all attachments are encrypted on the sender’s device and only ever decrypted on the recipient’s device. This offers greater confidentiality than transport encryption because the data stays encrypted along the entire transmission chain, across all intermediate servers. Even the email provider itself can’t read the content, and if cybercriminals compromise the server on which the data is stored, they get only ciphertext. One caveat: with both S/MIME and PGP as normally used, the headers, including sender, recipient, and subject line, are still sent in the clear, so they remain visible to the provider and to every relay.
End-to-end encryption is used in email encryption standards such as S/MIME and PGP, usually in combination with digital signatures. The roles are complementary: encryption protects the confidentiality of the message, while the digital signature protects its integrity (the message has not been altered) and its authenticity (it really was written by the holder of the signing key). A client that receives a signed message verifies the signature against the sender’s public key and, with S/MIME, checks that the sender’s certificate was issued by a trusted CA for the address in the From line.
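The following added Go example (written for this article; it is not Outlook’s, Gmail’s, or any S/MIME library’s code) ties the PKI section above to the signature check just described. It creates a small private CA, has it issue an S/MIME-style certificate that binds alice@example.com to a signing key, and then runs the checks a mail client performs on a signed message: chain to a trusted CA, certificate issued for the From address, and signature matching the body. The CA name, email address, and message text are constructed for the example, and Ed25519 stands in for the RSA or ECDSA keys that real S/MIME deployments typically use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs template with signerKey; parent == template yields a self-signed CA.
func issue(template, parent *x509.Certificate, pub ed25519.PublicKey, signerKey ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates a self-signed certificate authority, the trust anchor.
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, pub, priv)
	return cert, priv, err
}

// newUserCert has the CA bind a fresh key to an email address (subjectAltName) for email protection.
func newUserCert(ca *x509.Certificate, caKey ed25519.PrivateKey, email string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email}, // what a client compares against the From: address
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	cert, err := issue(tmpl, ca, pub, caKey)
	return cert, priv, err
}

// verifySignedMail performs the three checks on a signed message: the sender's
// certificate chains to a trusted CA, it is issued for the From: address, and
// the signature matches the body.
func verifySignedMail(trusted *x509.CertPool, sender *x509.Certificate, from string, body, sig []byte) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := sender.Verify(opts); err != nil {
		return errors.New("certificate not issued by a trusted CA: " + err.Error())
	}
	bound := false
	for _, e := range sender.EmailAddresses {
		bound = bound || e == from
	}
	if !bound {
		return errors.New("certificate is not issued for " + from)
	}
	pub, ok := sender.PublicKey.(ed25519.PublicKey)
	if !ok {
		return errors.New("unexpected key type in certificate")
	}
	if !ed25519.Verify(pub, body, sig) {
		return errors.New("signature does not match body: modified or not signed by this key")
	}
	return nil
}

func main() {
	ca, caKey, _ := newCA("Example Corp Mail CA")
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	aliceCert, aliceKey, _ := newUserCert(ca, caKey, "alice@example.com")

	body := []byte("Please approve the attached invoice today.") // constructed message body
	sig := ed25519.Sign(aliceKey, body)
	fmt.Println("genuine:", verifySignedMail(trusted, aliceCert, "alice@example.com", body, sig))
	fmt.Println("tampered:", verifySignedMail(trusted, aliceCert, "alice@example.com", []byte("Please approve the attached invoices today."), sig))
	fmt.Println("wrong From:", verifySignedMail(trusted, aliceCert, "ceo@example.com", body, sig))
}
```

The order of the checks is deliberate: a valid signature under a certificate nobody trusts, or under a certificate issued for a different address, proves nothing about the sender, so the chain and address checks come first and a failure in either is reported before the signature is even examined.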
S/MIME encryption
The email encryption protocol S/MIME uses hybrid encryption based on the public key infrastructure (key pairs plus digital certificates issued by a CA). Since S/MIME is built into popular email clients such as Outlook and Apple Mail, is supported by Gmail for business accounts, and is comparatively easy to integrate into existing IT infrastructures, it’s often used in professional environments.
To use this end-to-end encryption scheme, each communication partner needs a valid certificate from a private or public CA. The required certificates and key pairs are usually not generated and configured by the users themselves but by the company’s system administrators. To encrypt to someone, the sender only needs that person’s certificate, which email clients typically pick up from a signed message they have received from them before.
PGP encryption
The email encryption protocol PGP (standardized as OpenPGP) also uses asymmetric encryption with a private and a public key. Unlike S/MIME, though, PGP relies on a decentralized trust model known as the Web of Trust. Trust in the authenticity of a public key is not based on certificates from a central authority but on signatures from other users. Users exchange public keys directly, compare the key’s fingerprint over a separate channel (in person, by phone, or on a website they already trust), and sign each other’s keys to vouch for them.
Since PGP is an open standard supported by many different programs and services, it is used mainly by private individuals. Some PGP-based services also offer an alternative for recipients who have no PGP key: password-based email encryption, where the message is encrypted with a password that the sender passes on to the recipient through a separate channel. That second channel is then the weak spot; sending the password in a follow-up email to the same address defeats the purpose.
Not just for emails: VPN encryption
VPN encryption basically works like transport encryption. The main difference, however, is that a VPN routes all of a device’s online traffic, not just email communications, through an encrypted tunnel. As such, everything sent over the internet (such as emails, web requests, files, or streaming data) is transmitted in an encrypted form and protected during transport.
Avira Phantom VPN uses a protocol with AES-256 encryption, making it very hard for cybercriminals on the local network or at the hotspot to intercept or manipulate data. Keep in mind that the VPN tunnel only runs from your device to the VPN server; beyond that point your traffic continues with whatever protection it has on its own, so a VPN complements rather than replaces TLS and end-to-end encryption. Together with default TLS encryption for email communications, a VPN can therefore provide solid protection against eavesdropping, especially on unsecured Wi-Fi hotspots.
How do you encrypt emails?
Most email services don’t require you to do anything to encrypt and decrypt emails by default, as TLS encryption is enabled automatically. It’s best to check whether this is also the case with your email provider. Some email providers such as Yahoo Mail, Outlook, and Gmail display a warning message (such as an open red padlock) if an email was not received using TLS encryption.
If you want to use more secure end-to-end encryption, follow the steps below for your email service. Ensure that the recipient’s webmail service/email client also supports the corresponding encryption technology or that they have compatible software or a decryption extension so they can read the encrypted message.
Yahoo Mail, Gmail & the like: Encryption solutions for private accounts
Most popular webmail services don’t offer end-to-end encryption by default for private accounts. However, you can use encryption tools such as the browser extension Mailvelope to encrypt and decrypt emails using PGP. That said, these tools usually don’t offer client support — you can only use them via a web browser.
Gmail and Outlook offer end-to-end encryption, but only for business and education accounts. For private purposes, you can use an email service such as Proton Mail, which encrypts messages between Proton Mail users end to end by default and can send PGP-encrypted or password-protected messages to other addresses. It is available as a web application, desktop program, and smartphone app.
Outlook: End-to-end encryption for businesses
Microsoft 365 subscribers and users of the latest versions of Outlook can use S/MIME encryption on their Windows devices if they have a business email account.
- Have your system administrator enable and configure S/MIME.
- Encrypt a single message: In the message window, click the Options tab followed by the Permissions button, then select the lock icon or Encrypt.
- Or encrypt all messages: On the File tab, click Options, select Trust Center, and then Trust Center Settings. On the Email Security tab, under Encrypted email, select the Encrypt contents and attachments for outgoing messages check box. You can select the S/MIME certificate under Settings.
Gmail: Hosted S/MIME for enterprises
As a Gmail corporate account holder or an eligible Gmail school account holder, you can encrypt and decrypt messages using keys provided by Google.
- Have your system administrator enable and configure S/MIME.
- Compose a message, enter the recipient, and hover your mouse pointer over the lock icon to the right of your recipient (Message security). Here you can now choose between two encryption strengths: Standard encryption (TLS) and enhanced encryption (S/MIME).
Gmail: CSE for workspace accounts
As a user of Google Workspace Enterprise Plus, Education Plus, or Education Standard, you can use Client-Side Encryption (CSE) with S/MIME and keys that your organization controls. Your data is then encrypted in your browser before it is sent to or stored on Google’s servers, so Google itself only ever holds ciphertext.
- Have your system administrator enable and configure S/MIME.
- Compose a message, enter the recipient, click the lock icon (Message security) in the right-hand corner, and select Additional encryption.
Additional steps to protect your emails and accounts
End-to-end encryption is a robust way to protect your emails and personal data from unauthorized access and manipulation. However, encryption doesn’t protect you from human error, such as careless clicks on phishing links in emails, especially as they’re becoming ever more sophisticated and professional.
The free cyberprotection solution Avira Free Security comes with phishing protection thanks to the browser extension Avira Browser Safety, so you can block malicious websites. In addition to antivirus protection, Avira Free Security includes a VPN that lets you surf more privately and encrypts all online traffic between your device and the VPN server. The integrated password manager also helps you protect your email account (and of course your other online accounts too) with strong, unique passwords, improving your protection against account takeover and identity theft.