Email encryption involves encrypting the content of an email message to protect potentially sensitive information from being read by anyone other than the intended recipients.
Even on a secure network, your messages, and even your login credentials, can be intercepted by other users. Encryption makes the content of your emails unreadable to everyone but the recipient, so even if someone intercepts your messages, they cannot access the content.
A digital signature is a mechanism that guarantees the contents of a message have not been altered in transit. It is a digital code attached to your message that verifies its contents and the sender’s identity.
The main concept used for email encryption and digital signatures is public-key cryptography, also known as asymmetric cryptography. Both S/MIME and PGP protocols, which eMClient supports, use this concept.
In this encryption system, every user obtains two keys that are tied to the user’s email address:
- A Private key, which must be kept secret and never revealed to anybody. It is used to digitally sign outgoing messages and to decrypt incoming messages.
- A Public key, which is distributed to other users. A Public key is used to validate the digital signature of incoming messages from its owner, and to encrypt messages sent to that owner.
This separation of the two keys is the foundation of message encryption and signing.
Why and when to use email encryption
Use encryption whenever you want to be sure that nobody without your private key (and its password) can read your messages, even someone with access to your own computer. This includes your mailbox provider, because the message stays encrypted for its entire journey.
Why use digital signatures in emails
Email digital signatures give your recipients assurance that the messages they receive were sent by the claimed sender and were not tampered with. Likewise, you can verify the sender’s identity of signed emails you receive and be sure no changes were made in transit. Digital signatures verify the identity of the communicating parties, but they do NOT encrypt the email.
What is PGP
PGP is one of the cryptographic methods available for email encryption and digital signatures. It stands for “Pretty Good Privacy” and was created in 1991. Although associated mainly with email communication, PGP can be applied to any text or file.
PGP uses asymmetric cryptography, so it works with two keys: a Private key, used for digital signatures and decryption of incoming messages, and a Public key, used for encryption and validation of digital signatures.
Each PGP key has a unique Fingerprint, a short string of numbers and letters. It lets users easily verify keys sent over unsecured channels, such as email itself, and confirm the keys were not altered in transit, which would threaten the safety of their future communication.
The fingerprints on the sender’s and recipient’s side should be compared over a third channel, e.g. a phone call.
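As an added example (not code from eM Client), the following shows where a PGP key fingerprint comes from and why comparing it over a second channel catches a key altered in transit: it builds a version-4 RSA public-key packet from constructed toy parameters, derives the fingerprint as RFC 4880 defines it, and shows that flipping a single bit of the key yields a different fingerprint. The modulus N, the creation time and all values are constructed for illustration only.

```python
import hashlib
import hmac

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multiprecision integer (RFC 4880, section 3.2):
    a 2-byte bit length followed by the big-endian magnitude without leading zero octets."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")

def rsa_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 RSA public-key packet (RFC 4880, section 5.5.2):
    version byte 4, 4-byte creation time, algorithm id 1 (RSA), then the MPIs n and e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """Version-4 fingerprint (RFC 4880, section 12.2): SHA-1 over the byte 0x99,
    the 2-byte body length and the body; returned as the usual 40 hex digits."""
    data = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(data).hexdigest().upper()

def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is just the last 8 bytes of the fingerprint, so it is
    not a substitute for comparing the whole fingerprint."""
    return fingerprint[-16:]

def grouped(fingerprint: str) -> str:
    """Display form used by key managers: ten groups of four hex digits."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, 40, 4))

def fingerprints_match(computed: str, read_out_of_band: str) -> bool:
    """Compare the fingerprint computed from a key received by email with the
    one read out over another channel; spacing and case are ignored, nothing else."""
    a = "".join(computed.split()).upper().encode()
    b = "".join(read_out_of_band.split()).upper().encode()
    return hmac.compare_digest(a, b)

# Constructed toy key material: a 64-bit modulus, far too small for real use,
# chosen only so the packet layout stays readable. Real keys use 2048 bits or more.
N = 0xC5D4E7A9B1F30D3F
E = 65537
CREATED = 1700000000
ORIGINAL = rsa_public_key_packet_body(N, E, CREATED)
# The same key with one bit of the modulus flipped, standing in for a key
# altered in transit: its fingerprint no longer matches the one the owner reads out.
TAMPERED = rsa_public_key_packet_body(N ^ 1, E, CREATED)

if __name__ == "__main__":
    print("original:", grouped(v4_fingerprint(ORIGINAL)))
    print("tampered:", grouped(v4_fingerprint(TAMPERED)))
```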
There are two ways to use PGP in emails:
- PGP/MIME, a PGP standard that allows encryption and signing of the entire message, including formatted text and inserted pictures or attachments, or
- Inline PGP, a simpler standard that encrypts plain text only, with no attachments.
In order to maximize compatibility, eMClient supports both PGP standards for sending and receiving messages.
How to set up PGP encryption in eMClient?
eMClient allows you to easily set up encryption for any account, whether you need to create a new PGP keypair or have one ready for import.
Set up encryption
In the first step you can decide whether to create a new keypair, import an existing key from your old app, or continue without encryption for now.
You can create a new keypair or import one at any time later in the menu eMClient > Preferences > Signing and Encryption > Certificates and Keys section of eMClient.
Create New PGP keypair
To create your keypair you need to assign a password to it.
PGP uses a password to encrypt your Private key, so no one but you can use it. The password is needed to decrypt incoming messages or digitally sign your outgoing messages.
You can also choose the key size of your keypair. The key size is the length of the key used by the cryptographic algorithm. A larger key is more secure, but it takes a bit longer to create and somewhat longer to encrypt or decrypt messages with.
Save your private key
In this step you can save your Private key to a safe storage.
All encrypted messages you receive once you start using PGP can only be decrypted by using your Private key and password. If you lose your private key, you will not be able to decrypt the messages and read them ever again.
This also applies to the encrypted messages you sent via eMClient, because it encrypts your copy in the Sent folder with your public key.
The keypair will be saved into an ASC file, which you then need to store in a safe place. You can save it to the Documents folder on your device, but in case this device is stolen or damaged, you should make an external backup as well – use a protected cloud storage, an external USB drive or another device to make sure you can get it back at any time.
If you don’t save the key now, you can do so any time later by saving the key in the menu eMClient > Preferences > Signing and Encryption > Certificates and Keys section.
Share your public key
How to encrypt my message? To encrypt an outgoing email, you need a public key of the person you’re sending a message to. So if you want to receive encrypted messages, you need to distribute your Public key.
You can distribute this key yourself by sending it or bringing it over to your friends and contacts, or you can use our public key directory – eM Keybook.
Once you upload your key, eM Keybook will provide your Public key to the users who want to send you an encrypted message and automatically find Public keys of the contacts you’re writing to when you select to encrypt your message.
What is eM Keybook?
eM Keybook is a Public key directory managed by the company eMClient. It’s an online service where you can upload and manage your public keys so anyone can easily send you encrypted messages and you can easily get public keys of the recipients you want to send encrypted messages to.
We noticed that despite PGP encryption being readily available in eMClient, only a small share of users took advantage of it. This was most often due to the difficulty of sharing keys: both sender and recipient need a PGP keypair of their own and the public key of the other party, and collecting all of these for all your contacts was cumbersome.
So we created eM Keybook to make distribution of public keys faster and more accessible so that anyone who wants to send and receive encrypted messages can easily do so.
eM Keybook stores Public keys that you upload and allows for the exchange of Public keys between all eMClient users. If the contact you’re writing a new message to has a Public key in the eM Keybook directory, eMClient will automatically download and apply it for you when you enable encryption for your message.
You can either upload the key during the keypair creation or any time later in the menu eMClient > Preferences > Signatures and Encryption > Certificates and Keys. In the Manage Certificates/Keypairs window you can use the ‘Upload to eM Keybook’ button to make your public key available to all eMClient users.
You can also remove your keys at any time in the menu eMClient > Preferences > Signatures and Encryption > eM Keybook section – just look up keys for your email address and then use ‘Remove from eM Keybook’ button to delete them from the service.
Please note that eM Keybook does not store or have access to any of your private keys or passwords, does not grant anyone access to your encrypted messages, and does not store them on its servers.
eM Keybook is not a certification authority and does not issue new email encryption certificates or email digital signature certificates.
Key Distribution
Once encryption is set up, you need to distribute your public key to the people you plan to exchange secure messages with.
My friend and I both use eMClient with eM Keybook
This is the simplest setup – if both of you have uploaded your keys to eM Keybook, the option to download and use the public key will automatically appear after entering your friend’s address in the new message window and clicking the “Send” button.
My friend uses an older version of eMClient or a different program
In this case, you can easily send your key via the menu eMClient > Preferences > Signing and Encryption > My certificates/keys. Double-click the certificate to open its details, then select “Send” to distribute the keys to selected recipients. The recipients will receive a message with the key attached, which they can easily import into eMClient’s PGP key storage or any other application.
Recommendation
It is important to verify such a key with the recipients through a communication channel other than email, such as a phone call, to check that the key received via email is correct and has not been altered in transit.
Sending encrypted emails
After exchanging PGP keys with your contacts, you can continue sending signed and/or encrypted emails. The encryption icon (a padlock) and the digital signature icon (a stamp) should appear on the toolbar of the new message editor in eMClient.
When you choose to send an encrypted message, eMClient will automatically determine the appropriate encryption technology to use – S/MIME or PGP – depending on the recipients’ public certificates and keys.
If valid public keys are not available for the selected recipients, a warning notification will be displayed before the message is sent.
The first detected key is automatically used for your digital signature; however, you can manually select a key if you use multiple keys for the same email address.
Different PGP formats for encryption
When using PGP technology, you can choose between the PGP/MIME or Inline PGP formats.
By default, eMClient selects the most appropriate option, typically PGP/MIME, which supports encryption of text formatting and attachments.
In contrast, Inline PGP is a simpler format that encrypts only plain text and is recommended for maximizing compatibility with other applications.
You can adjust the automatic PGP format settings in menu eMClient > Message > Format of PGP.
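To make the difference between the two PGP formats described here and in the PGP overview above concrete, the following added example (not eM Client’s code) assembles a PGP/MIME message per RFC 3156 and an Inline PGP message around the same ciphertext, and classifies a received message as one or the other, as a client must before it can decrypt. The armored block ARMORED is a constructed placeholder, not real ciphertext, and the subject values are constructed.

```python
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText

# Constructed stand-in for ASCII-armored OpenPGP ciphertext. In a real message the
# mail client produces this block by encrypting to the recipient's public key.
ARMORED = (
    "-----BEGIN PGP MESSAGE-----\n\n"
    "hQEMAwAAAAAAAAAAAQf9EXAMPLEBLOCKNOTREALCIPHERTEXT=\n"
    "=AbCd\n"
    "-----END PGP MESSAGE-----\n"
)

def build_pgp_mime(armored: str, subject: str) -> str:
    """PGP/MIME (RFC 3156): a multipart/encrypted container with a fixed control part
    and a ciphertext part. Everything the sender wrote, including formatting and
    attachments, is a MIME tree inside that ciphertext, which is why it survives."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["Subject"] = subject
    control = MIMENonMultipart("application", "pgp-encrypted")
    control.set_payload("Version: 1\n")
    body = MIMENonMultipart("application", "octet-stream", name="encrypted.asc")
    body.set_payload(armored)
    outer.attach(control)
    outer.attach(body)
    return outer.as_string()

def build_inline_pgp(armored: str, subject: str) -> str:
    """Inline PGP: the armored block simply replaces the text/plain body. There is no
    container for other parts, so attachments and formatting cannot be protected."""
    msg = MIMEText(armored, "plain")
    msg["Subject"] = subject
    return msg.as_string()

def classify(raw: str) -> str:
    """Tell which PGP form a received message uses: 'pgp/mime', 'inline' or 'none'."""
    msg = message_from_string(raw)
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        parts = msg.get_payload()
        if len(parts) == 2 and parts[0].get_content_type() == "application/pgp-encrypted":
            return "pgp/mime"
    if (msg.get_content_type() == "text/plain"
            and "-----BEGIN PGP MESSAGE-----" in msg.get_payload()):
        return "inline"
    return "none"
```

Printing the two built messages side by side shows that only the PGP/MIME form has a MIME container around the ciphertext, which is where attachments and HTML live once decrypted.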
Reading of encrypted/signed messages
Opening and reading a signed and/or encrypted message in eMClient is straightforward. The digital signature is automatically validated when you open the email. For signature validation to work, the sender’s public key must be stored in eMClient or the operating system. If the signature is valid, meaning the message has not been altered, a notification stating “This message was signed” will appear below the message header.
To read an encrypted message, eMClient requires your private PGP key, which is protected by a password. Once you enter the password, the message is decrypted, allowing you to access its content.