Mails verschlüsseln - so gehts

Secure mail: How to encrypt e-mails and attachments

If you share sensitive data or information by e-mail, it is very important that you encrypt it. The readable text and attachments are converted into encrypted text and only the recipient who has the appropriate key can decrypt it. This way, the content of your e-mail stays confidential. However, a few steps are necessary. We will show you how you can reliably protect your e mail traffic from strangers’ eyes. We also explain how to encrypt your e-mail connection as well as your archived e-mails.

Content

GDPR and e-mail encryption
Encrypt emails end-to-end – that’s how it works
Mail encryption with OpenPGP and S / MIME
Warning, security gap: EFAIL
Send encrypted attachments with idgard®
How to encrypt your e-mail connection
How to encrypt archived e-mails

GDPR and e-mail encryption

Since the GDPR came into force, encryption has played an even greater role than before, especially in companies. The reason for this is that they must take appropriate measures to adequately protect personal data, such as customer data, during storage, transmission and processing. This also includes data encryption (see Art. 32 GDPR). Therefore, companies that encrypt their mail traffic significantly reduce the risk of a data breach and thus avoid a hefty fine.

Encrypting e-mails end-to-end—here’s how it works

The most common way to encrypt e-mails and attachments is through end-to-end encryption. In this process, the sender encrypts the content with a public key and the recipient decrypts it with his or her personal key. A digital signature also makes the sender uniquely identifiable, so that the e-mail cannot be manipulated during transmission.

  • Encryption ensures the confidentiality of the content.
  • The signature ensures the authenticity and integrity of the e-mail.

E-Mail encryption with OpenPGP and S/MIME

In practice, the OpenPGP and OpenPGPS/ MIME standards have become established for encrypting and signing e-mails. These standards are not compatible with each other, meaning that as a PGP user, you cannot read e-mails encrypted with S/MIME and vice versa.

S/MIME has the advantage over PGP that it is now integrated in most e-mail clients such as Outlook or Thunderbird. To use PGP, you need additional software, but this is usually available for free, for example, GPG4Win (Outlook), GPGSuite (macOS) or Enigmail (Thunderbird).

However, before you can encrypt and send e-mail, you have to follow a few steps. You first need a certificate for the signature to confirm the authenticity of your sender address. The S/MIME certificates are usually issued by a public certification authority (Public CA), usually upon a fee. A well-known provider of trusted certificates is, for example, Sectigo (formerly Comodo). Although there are also certification authorities that offer free certificates, these are often only for private use. PGP certificates are created using the encryption software itself.

Encrypt e-mails with GPG4Win
Kleopatra – here the German version – is part of GPG4Win. Here you can generate OpenPGP key pairs or apply for S/MIME keys and certificates.

Then you have to generate a key pair. The public key is needed by anyone who wants to send you an encrypted e-mail, while you need the private key to decrypt the e-mail. Conversely, you need your colleagues’ public key if you want to send them an encrypted e-mail that they can decrypt with their private key. Therefore, it is recommended to make the public key publicly available through so-called key servers. Alternatively, it can be provided on a personal homepage or in the email signature. The key pair is normally also generated by the certification authority or, in the case of PGP, within the software.

  • Detailed step-by-step instructions on how to encrypt messages in Outlook with S/MIME can be found directly at Microsoft
  • You can find out how to encrypt e-mails in Thunderbird with OpenPGP or S/MIME at Mozilla.
  • The providers of GPG4Win (Outlook), GPGSuite (MacOS) or Enigmail (Thunderbird) also offer detailed instructions for encryption with OpenPGP on their websites.

As you can see, you can’t just shake an encrypted e-mail out of your sleeve. This is also the main reason why, despite the comparatively high level of security, encrypted mail traffic has  not become established in the everyday lives of many users yet. Nevertheless, companies should never send sensitive information such as personal data or business secrets unencrypted under any circumstances!

Warning, security gap: EFAIL

Efail-Logo by Jana Runde, Zuzana Somorovska, CC0

A team of researchers has discovered vulnerabilities in the OpenPgP and S/MIME encryption standards that attackers can exploit to manipulate encrypted e-mails with active content (e.g., HTML or JavaScript). After the recipient decrypts the message, the active content is executed and the plain text of the e-mail is transmitted to a server of the attackers, for example. The researchers describe the exact attack scenario on the website www.efail.de.

Fortunately, the execution and reloading of content can be disabled in e-mail clients such as Outlook and Thunderbird—however, these must be configured correctly for this. The German Federal Office for Information Security (BSI) shows how to do this on a service page about the vulnerabilities (in German).

Send encrypted attachments with idgard®

Did you know that you can also send sensitive file attachments securely through uniscon’s highly secure business cloud idgard®? You just keep writing e-mails in your client as usual but upload files and documents to idgard® and include the link in your e-mail. You can set a password to increase the security of the content. With the free  add-in for MS Outlook you don’t even have to leave your familiar working environment to do this. Learn more about how to securely send e-mail attachments with idgard®.

How to encrypt your e-mail connection

To reliably protect your mail, you should not only encrypt contents and attachments, but also consider encrypting your connection – in your web browser you can easily recognize this by the https in a web page URL. This stands for “Hypertext Transfer Protocol Secure” and has become a standard.

In your e-mail client, it takes a little more effort to check the encryption. To do this, open the settings in your e-mail program and look for an option for encryption there.

  • In Outlook you’ll find it under File > Account settings > (double-click to select your account) > More settings > Security.
  • In Thunderbird first click on the e-mail account. Then navigate to. Account settings > Server settings > Security and authentication > Connection security. Here, select the “SSL/TLS” option and confirm your selection.

Encrypting archived e-mails—Here’s how it works

If you use an e-mail client such as Outlook or Thunderbird, you should ensure that your stored and archived e-mails are also protected from unauthorized access. To do this, simply encrypt your entire PC or laptop right away – under Windows 10, you can simply use the device backup or Bitlocker to do this.

If you want to encrypt only the archived emails instead, first you have to find out where the program stores your e-mails in the settings of your client. Then right-click on the folder that contains the archived emails, select  Properties > Advanced and check the “Encrypt content to protect data” box.

On macOS, encrypt either folders and files with FileVault or entire storage devices with the disk utility.

Would you like to learn more about secure data exchange and e-mail security? Click here for our overview article: Secure mail: How to protect your emails and attachments