How to send end-to-end encrypted emails using any email provider

Note to reader: I consider this procedure to be in beta. If you encounter difficulties, I want to know about it. Please leave a comment or get in touch with me.

It turns out that most desktop email clients support end-to-end encryption using S/MIME. It works with public/private key encryption: you generate a key pair consisting of a private key (which you store securely on your computer) and a public key (which you can share freely).

Using the private key, you can sign your emails so that anyone with the public key knows that the email came from you and hasn’t been modified along the way. Once someone has your public key, they can encrypt an email such that only someone holding the private key (you) can read it. Crucially, the email servers (and your email provider) do not have the ability to decrypt the email because they do not have the key.

It’s a pretty cool bit of tech. It’s highly secure and it’s a somewhat common standard, so you are not limited to exchanging encrypted emails within a single service.

A note of caution at the top: I am not a cybersecurity expert. I will explain this system as well as I can, but if you’re sending sensitive information you probably should not rely on my word alone.

Advantages:

  • End-to-end encrypted email (security)
  • Free
  • Works with any email service
  • Also allows you to cryptographically sign emails, so the receiver knows that it is you

Disadvantages:

  • Setup is somewhat complicated.
  • You can only send encrypted emails if both you and the recipient have set up a key pair.
  • Email metadata (subject, to/from info) is not protected.
  • If you lose your certificate (private key), you lose access to all the encrypted email you have sent and received (e.g. if you lose your computer and don’t have a backup).
  • Does not work with webmail (any encrypted mail will show up as blank in webmail).
  • Does not work with every email app (e.g. the Gmail app); you need a mail client with S/MIME support such as Apple Mail, Outlook or Thunderbird (all of these work on desktop or phone).
  • Emails will not be readable in webmail or in other apps or on other devices where you don’t have the certificate set up.
  • You need to get a new certificate every year (it expires after one year).

Set up

Step 1: Get a certificate

You can make your own self-signed certificate, but that is complicated and it will show up as “untrusted” at first when you email most people, so it’s better to get a certificate from a certificate authority.

Most certificate authorities charge for this service, but the Italian certificate authority Actalis offers a basic version for free. Their free certificate lasts for one year and is only associated with your email address; it doesn’t include your name or business (that costs extra).

  1. Go to Actalis’ website
  2. Don’t click the big certificate button at the top. Scroll down to ‘issuance procedure’, expand it, then click the ‘free S/MIME certificates’ button. Or just follow this direct link.
  3. Now enter your email. This will be the email that is on the certificate and the certificate is only valid for sending messages from that specific email (if you want more than one email you will need to make multiple certificates).
  4. They’ll send a code to verify your email. Paste it in and click “submit request.” The next step will take a few minutes since they have to generate the certificate and then sign it with their root certificate (that’s how they vouch for you). If you get an error, just click submit again.
  5. If it’s successful, you’ll see this page (screenshot). Print this page or take a screenshot. You will need this password to set up your certificate and this is the only time you will get it.

Step 2: Set certificate up in email app [MacOS]

  1. Check your email, download the certificate. 
  2. Unzip the certificate
  3. Double click the pfx file to import it into your keychain. MacOS will prompt you for the password. 
  4. Quit and reopen Keychain Access and you should see your new certificate in the ‘login’ keychain under ‘My Certificates’ as “example@gmail.com”.
  5. If everything worked correctly, the certificate should show up as valid and trusted.
  6. In Apple Mail: open Settings → Accounts → select email address → Server Settings → Select “Edit SMTP Server List…” from the dropdown menu. [screenshot]
    *Note: these procedures are similar in other mail clients
  7. Select “Advanced” → Then select your certificate from the dropdown menu. (If your certificate doesn’t appear, you may need to reboot mail or try importing into keychain access again). [screenshot]
  8. Now test out your new certificate by opening a new message. If you see the blue circle with a check mark, you’re done! 

Step 3: Set certificate up in Mail app [iOS]

  1. Download certificate from email. 
  2. Open downloads folder → tap on zip file to unzip → tap on .pfx certificate file → Select device to install it on. 
  3. Open Settings → Tap the “Profile Downloaded” button → Install → Enter phone passcode → Install → Confirm → Enter password (from the Actalis page) → Confirm a few more times.
  4. Open Settings → Mail → Accounts → Choose that email account → Account Settings → Advanced → Sign → Toggle “Sign” to ON and then select the correct certificate.
  5. Tap “Advanced” in the top left to go back. 
  6. Tap “Encrypt by Default” → Select the same certificate, but I recommend leaving the “Encrypt by default” toggle OFF. 
  7. Exit settings. 
  8. Test: Open Mail → Compose and check that it says “Signed” at the top. There should be a blue lock symbol with a slash through it on the right side of the “To:” line. [Screenshot]
  9. If you are sending an email to someone from whom you have previously received signed emails, you will be able to enable encryption by tapping on the lock icon. 

Step 4: Send some encrypted mail

  1. Receive a signed email from the person you want to email. You need their public key: your email client will use it to encrypt your message so that only someone with their private key can decrypt it.
  2. Add their public key to your keychain and associate it with their email address. There is usually some way to add the certificate to your contacts, etc. 
  3. Set up your own public/private key pair (following the instructions above).
    In principle, you don’t need your own key to encrypt an email *to* someone else, but it seems both Outlook and Apple Mail require that you have your own key set up. I think their idea is that you need your key set up so that whoever you email can send you an encrypted reply. Also, your email client will use your own encryption key to encrypt the copy of the email it keeps in your Sent folder (if it were encrypted only with your friend’s key, you wouldn’t be able to decrypt it).
  4. Open a new email compose window. 
  5. Select the appropriate email in the “from” field
  6. Type in your friend’s email in the “to” field. 
  7. You should now be able to click the open lock icon 🔓 and it will become a blue closed lock icon to indicate that your email will be encrypted. 🔒
  8. If you can’t get the lock icon to turn on, open Keychain Access and check that both certificates are trusted for both S/MIME and X.509. You may also need to check in the account settings that the outbound TLS certificate is selected (see Step 2).
  9. Fill out your email and send it.

Additional notes:

  • While setting this up, I often found I had to mark the certificate as trusted several times to get it to stick. I also had to quit and reopen Mail a few times.
  • I recommend you set this up for two email addresses at a time on different machines. That way you can test sending and receiving signed and encrypted messages. (Or do this with a friend).
  • Apple help page: Use S/MIME to send…
