We use email to send close personal secrets, negotiate business transactions and do everything else in between. But most email is sent in plain text and stored in an easily readable format. Encrypted email providers offer more privacy. Your emails will be encrypted in transmission and on the server’s storage, so no one but you and your intended recipients can read them.
Encrypted email providers come in a variety of forms. Some are entirely web-based applications, some are desktop applications and some plug into your existing email account and add a layer of encryption.
Hushmail, which we’ve mentioned in the past, is one of the most widely-known encrypted email providers. With a Hushmail account, your email is stored in encrypted form and decrypted with your password when you log in. Email sent between Hushmail users is encrypted and decrypted automatically. If you’re emailing someone else, you can use a secret question that person must answer to decrypt your email.
Your recipient will get an email with a link they can click. The link takes them to Hushmail’s website.
After clicking the link, they must answer the question to view the encrypted email.
Let’s get this out of the way. In 2007, Hushmail was subject to a court order and turned over emails from three email accounts. How did they do this, if the email is encrypted? They modified their system to capture the specific users’ passwords. In an refreshingly honest interview with Wired’s Threat Level blog, Hushmail CTO Brian Smith said that:
“[Hushmail] is useful for avoiding general Carnivore-type government surveillance, and protecting your data from hackers, but definitely not suitable for protecting your data if you are engaging in illegal activity that could result in a Canadian court order.”
Some people opt for other encrypted email providers over Hushmail because of this, but each of them could also be forced to modify their system and capture your decryption key. The only solution is using Enigmail or a similar program, which is the do-it-yourself alternative. If you did use such a program, many governments could legally compel you to turn over your encryption key, anyway.
VaultletMail, part of the VaultletSuite set of programs, is a desktop program instead of a web app. If both users are using VaultletMail accounts, email messages are fully encrypted in transmission. If you want to email a user using a different email service, you can use VaultletMail’s SpecialDelivery system.
SpecialDelivery allows a receipient to create a secure passphrase, which they can use to decrypt all future emails sent from your VaultletMail account.
VaultletMail offers a lot of control. It can prevent recipients from forwarding, copying, printing or quoting specific emails. It can set an expiration time, after which the message will self-destruct from your recipient’s VaultletMail inbox. You can even send messages from an anonymous email address, providing deniability. We’ve covered VaultletMail and its features extensively in the past.
Enigmail is a free extension for Mozilla Thunderbird – you’ll also find similar plug-ins available for other popular email programs. To use Enigmail, you’ll have to install both the Enigmail extension for Thunderbird and the GNU Privacy Guard software for your operating system.
After you install Enigmail, you’ll find a setup wizard under the new OpenPGP menu in Thunderbird. The wizard will walk you through the setup process, including creating or importing a public and private key pair.
By default, messages are only digitally signed, which lets recipients know the email is actually from you. You’ll have to select the “Encrypt This Message” option under S/MIME in the email-composing window to enable email encryption.
You’ll have to exchange keys with the people you’ll communicate with, so the setup process is a bit complex – this is the traditional way of sending encrypted email. The advantage is that you can use Enigmail with an existing email provider, such as Gmail. You don’t have to set up a new email account. FireGPG, a popular Firefox extension, used to let you do this from your web browser, but it’s no longer being developed and its Gmail support no longer works.
Another option is using a file encryption program and sending encrypted messages and files as email attachments, which your recipient can then decrypt.
While encryption can help protect your privacy, it isn’t a silver bullet that can protect you from the government — even if you’re using an alternative to Hushmail or doing your own encryption with Enigmail. As XKCD once illustrated, encryption is more easily breakable than you think:
Let us know in the comments what email encryption program you use.