
How to encrypt emails

Email is part of everyday life, whether for work or personal purposes. Electronic messages used to be simple text files that travelled across the internet in plain text, readable by any administrator along the way. Since then, providers have invested heavily in better security.

But to take advantage of these efforts, it is necessary to follow the instructions and requirements of the provider when setting up an email account. Only then will you enjoy seamless protection for your privacy.  

More protection with end-to-end encryption

If you want more security, or regularly exchange particularly confidential information by email, there is only one good way to do it: encrypt the message, as well as any attached files. This encryption should hold all the way from the sender to the recipient; this is what is meant by end-to-end encryption. It rules out the possibility that an unauthorized person gains access to the contents of your electronic mail. After all, even administrators make errors once in a while, and if a mail server, for example, is not correctly configured, encryption on the route may not be complete. It is no longer a secret that all kinds of intelligence agencies are interested in the content of email.

As a means of communication, email has now developed many varieties. Many users swear by special email programs like Microsoft Outlook, Apple’s Mail app, or the free application Thunderbird. 

Other users deliberately do not use an installed email program, handling their electronic correspondence in their browser using a free service or a commercial email provider. 

The options for making email more secure are also extremely varied.

How end-to-end encryption works

When you want to send someone an encrypted message, there is always a problem: How do you tell the message recipient the key that they need to turn the encoded message back into a readable email? 

Asymmetric key encryption methods, as they are known, solve this problem in a very elegant way. It is asymmetric because different keys are necessary for decryption and encryption. Here’s how it works:

  • Each of the two communication partners has a pair of keys. The private key must be kept absolutely secure and may not be disclosed under any circumstances. The other is the public key. You can even post this one on your website or publicize it by another means.
  • If Ms. A wants to send an encrypted message to Mr. B, she looks for Mr. B’s public key in her email program. Alternatively, she can copy it from Mr. B’s website. She can now encrypt the message and send the email.
  • Mr. B receives the message addressed to him. It can only be decrypted in one way: with his private key. 

This method has another practical benefit: it allows messages to be signed. If Mr. B wants to sign his message to Ms. A, he chooses “Sign” in his program. His private key is used for this purpose. Ms. A receives the email and verifies the signature with Mr. B’s public key. If it matches, the message can only have come from him.

However, since there are so many ways to use email, there are various methods of achieving end-to-end encryption.

End-to-end encryption methods you should know about

  • Simple transport encryption
    If you or your communication partner do not want to, or cannot, use individual end-to-end encryption, at the very least use transport encryption between your system and the mail server. To do this, ask your access provider for the server address and port number, and save them in your email program for the server that you use; in Outlook, for example, this is done in the account settings. If the connection uses SSL (or TLS), your message is protected from inquisitive eyes, at least on the way from your computer to the mail server.
  • E-Mail made in Germany
    In Germany, major email providers have joined forces in the “E-Mail made in Germany” initiative. Currently the email services offered by Deutsche Telekom, 1&1, GMX, Web.de, Freenet, and Strato are part of the initiative. They only permit emails with activated transport encryption, and they automatically encrypt customers’ messages during transport and on all transport channels between one another. However, this form of encryption is ineffective when the recipients use other systems or are in another country, because the messages then have to be passed on to other servers. In such cases you cannot expect the transport channel to be encrypted all the way.
  • Volksverschlüsselung [“Layman’s encryption”]
    This is the name of a software package developed by the Fraunhofer Institute in collaboration with Deutsche Telekom. It helps in creating and installing public and private keys. The user is taken through the entire process, and their email program (if supported) is immediately set up for secure communication. However, the software is only available for Windows platforms.
  • S/MIME encryption
    In this method, a certificate that must be purchased from an authorized provider is used to encrypt messages. In this way, it is similar to protecting a connection with a shop or banking website. All you need to install the certificate is a browser. Most email programs can use this method without requiring more software to be installed, so Mac users can configure S/MIME just as quickly.
  • Encryption with (Open) PGP
    Encrypting messages and files with PGP is not compatible with S/MIME. The sender and recipient of a message must therefore agree on which method they will use. PGP is available in an open-source version. With this version, there is no central source for the necessary keys; instead, every user creates keys of their own with the software. However, it is somewhat more labor-intensive to set up. One alternative is to use commercial solutions based on PGP, for example Symantec Desktop Email Encryption.

However, S/MIME and PGP are primarily intended for conventional email programs. S/MIME encryption can also be used for emails that are only read and answered in a browser, but only with commercial services. For example, private users of Google Mail cannot use S/MIME; those who use the paid G-Suite products can set up this kind of certificate.

Set up your own S/MIME encryption

If you want to encrypt your messages quickly and without laboriously installing software, the S/MIME method is a good idea. This is an attractive feature for all Apple users because encryption can easily be used with Apple’s own email program, Mail. 

It is set up in two steps:

  • Requesting and downloading the certificate.
  • Incorporating the certificate into the email program.

How to get your S/MIME certificate

There are a number of providers from whom you can request an S/MIME certificate, for example:

  • Certum
  • Comodo
  • DigiCert
  • GlobalSign 

However, your access provider may also offer this type of solution. The term of the certificate is usually a year, but longer contracts are also available. Go through the order process with your preferred provider. After you have completed your order, you can either download the certificate immediately or receive an email with a link to access it.

Follow the provider’s instructions exactly. Normally, the new certificate will automatically end up in your browser. At that point, it has to be exported from there.

Export the certificate

After the certificate has been ordered and downloaded, it usually saves to a location specially designated for it. However, the email program cannot access it, so you will first have to export the certificate. 

In Internet Explorer, do the following:

  1. After Internet Explorer launches, click the Settings icon and select the Internet Options menu item.
  2. Once you are there, switch to the Content tab. Click Certificates.
  3. Then select the Personal tab. In the list, highlight the certificate to be exported. There should actually be only one entry there. 
  4. Clicking Export launches the Certificate Export Wizard.
  5. After the welcome message, enable the Export Private Key option in the second dialog box. 
  6. On the next page, enable the options “Personal Information Exchange - PKCS #12 (.PFX)”, “Include all certificates in the certification path if possible” and “Export all extended properties”. Continue by clicking Next.
  7. To export the certificate, you have to assign a user-defined password. This password is needed as soon as the certificate is imported into other applications. 
  8. Confirm by clicking Next.
  9. Now save the certificate in a folder of your choice. 

In Google Chrome, the procedure is as follows:

  1. Open Settings in Chrome. 
  2. Choose Advanced Settings.
  3. Click Manage certificates.
  4. In the next window, choose the desired certificate under Personal and click on Export.
  5. A wizard will open. Be sure to check the option of exporting the private key as well.
  6. Here too, you have to confirm the options; follow point 6 of the instructions for Internet Explorer.
  7. Assign a password for the certificate and put the certificate in a folder of your choice. 

Importing the certificate into the email program

After exporting the certificate from the browser, there will be a file ending in “.p7s”.

On a Mac, double-click the file to add it to the operating system’s Keychain. This automatically integrates the certificate into Apple Mail, and the buttons for encrypting or signing emails become available in the editor when writing a message. If you want to use the certificate in Outlook, import it as follows:

  1. Open Outlook and choose the Options item in the File menu. 
  2. This will open the Outlook Options window. Select the Trust Center and click on the Trust Center Settings button.
  3. In the next window, select Email Security.
  4. Next to Digital IDs (Certificates), click Import/Export.
  5. A window opens where you can switch to the folder where you exported the certificate by clicking on Browse. Select it and confirm with OK.
  6. This will take you back to the previous dialog. Enter the password that you entered in the Export wizard. 
  7. Then give the certificate a name and confirm it with OK.

This will make the certificate available in Outlook and allow you to use the functions for encrypting and signing in the editor when you are writing a message.
