How do you secure an email message sent to a person who has no interest in secure communication? One way to do it is by using encryption.
Typically, email encryption takes time and effort—and a bit of collaboration between the sender and recipient. But, if you're using Gmail, Mailvelope, or Virtru, you can encrypt your email in a littler easier. Let's start by looking at the basics of email encryption.
SEE: Three ways encryption can safeguard your cloud files (Tech Pro Research)
Encrypted email: The basics
You can encrypt every email you send in a few steps. First, you and everyone you email have to create keys for locking and unlocking the encryption. You, as the sender, create a key pair of a public key and a private key. Then, your intended recipient also creates a key pair of a public key and a private key. You each publish your public key so that the other person can access it.
Next, you encrypt each message.
- Write your message.
- Take your text and apply math. Encrypt your message with a series of steps that use your private key and your intended recipient's public key.
- Send your message.
- Your recipient decrypts the message—and verifies that it came from you—with a process that uses their private key and your public key.
Repeat the process for everyone you email and for each message you send.
Gmail: Encrypted inside
You may not realize you already benefit from encryption if you use Gmail or Google Apps. Google takes several steps to secure Gmail, without either the sender or recipient needing to take any action. It's security by default. When you access your email, the company secures the connection between your browser and Gmail with an HTTPS-encrypted tunnel. The company encrypts your messages within Google's system. Third-party audits provide external reviews of Google's security compliance.
Google also supports "encryption in transit using TLS, and will automatically encrypt your incoming and outgoing emails if it can." Messages sent among people who use Gmail and Google Apps are encrypted in transit. (Learn more about TLS and which providers support it from Google's transparency report: https://www.google.com/transparencyreport/saferemail/.)
Mailvelope: More secure
If both you and your recipient choose to communicate securely, you can both use public key encryption with Gmail and Google Apps.
Mailvelope, however, gives you public key encryption with a browser extension. Add the Mailvelope extension (for Chrome or Firefox), then generate (or import) your keys. Type your message and add your recipient's address. Mailvelope can look for the recipient's key on the Mailvelope Key Server. You can publish your public key there, too. As long as both you and your recipient have created and shared public encryption keys, Mailvelope will encrypt and send your message.
For people who send and receive email from multiple devices (e.g., a phone, a laptop, and a tablet), key management across devices becomes a challenge.
Virtru: More usable
Virtru provides a way to encrypt a message to a person at any email address. It works with Gmail and Google Apps, and offers Chrome, Firefox, and Outlook support.
To use it, install the Virtru extension, open Gmail, then compose a new email. Move the slider above your email to "on" to encrypt your message. Add an attachment and Virtru encrypts that, too.
Your recipient will get an email that says, "I use Virtru to send and receive encrypted email. Click the 'unlock message' button below to decrypt and read my message. If you have any questions, please contact me." You can add your own unencrypted message to accompany every encrypted email, as well.
When the recipient clicks the link, a web page opens that asks the user to authenticate. The recipient gains access to the message after they confirm their identity—either with a Google account or an email account confirmation process. Virtru also supports OAuth, OpenID, and SAML. The recipient doesn't need to create any accounts or keys. After the recipient has authenticated, they'll see the decrypted message display in their browser.
Because Virtru is encryption-as-a-service, you (the sender) gain added control. You can remove access to a message anytime. You might think of it somewhat like sharing a Google Doc: When you share a document with a specific person, they have to login to that account to access the document. The difference is that a Google Doc stays on Google's servers, whereas with Virtru, the message remains both in your "sent mail" and in the recipient's inbox.
The enterprise version adds data loss prevention controls, among other features. For example, the system can identify a credit card number or social security number in an email, then suggest that the email should be sent securely.
Virtru also offers Android and iOS apps that let you send and receive mail secured with Virtru. You can use this app in addition to your current email app. I suggest that you configure the app to show only messages secured with Virtru.
Virtru encrypts your message on your device, sends it, and then decrypts it for the recipient. The system keeps your message encrypted in transit.
Issues with email and encryption
None of these systems are perfect. You need to trust both Google and Virtru to appropriately manage encryption keys. And, not all code is open source and available for review. But, just because code is open source doesn't mean it is secure. And public key encryption requires people to understand and manage many details. And... it's complicated.
SEE: Encryption Policy Template (Tech Pro Research)
Google makes every effort to secure email for Gmail and Google Apps users. Security-savvy people might prefer a public key encryption solution, such as Mailvelope, to secure communications.
For most people and organizations, Virtru offers a usable way to extend encrypted communication to email users outside the Gmail and Google Apps system.
What do you think?
What additional encryption system do you use with Gmail or Google Apps? Have you found a system that works simply across multiple devices?
- Google agrees to sign BAA as a means to HIPAA compliance (TechRepublic)
- Google Cloud Platform tells customers to bring their own encryption keys (ZDNet)
- Email encryption: Using PGP and S/MIME (TechRepublic)
- Gmail to warn when an email arrives over an unencrypted connection (ZDNet)
- Why citizens need encryption as a fundamental human right (TechRepublic)
Andy Wolber helps people understand and leverage technology for social impact. He resides in Albuquerque, NM with his wife, Liz, and daughter, Katie.