A: We first need to define what you mean by “encrypted”, and from whom or what you are trying to protect your communications.
VULNERABILITIES
Common points at which email can be compromised, hijacked, or read by unauthorized parties:
- Unencrypted storage device. Your email may be end-to-end encrypted, but if either the sender or recipient has a computer or mobile device with an unencrypted storage device, it is child’s play to pull the data off the drive. On macOS, the boot drive should have FileVault 2 full-disk encryption enabled; on Windows, BitLocker. iOS devices have built-in hardware encryption. Modern Android phones (Android 6.0 and later on capable hardware, and every device shipping with Android 10 or later) encrypt storage by default; on older phones you may be able to enable it manually in Settings, and some cannot be encrypted at all.
- Weak email passwords. If the sender or recipient email accounts have weak passwords, it is easy to access the email.
- Weak computer passwords. If the sender or recipient computers have weak passwords, it is easy to access the computer, and then instantly access email.
- Weak mobile device passwords. Many people don’t even put a password on their mobile device. Turn your back, the device is taken, and all data is accessible.
- Missing 2-factor authentication (2FA). 2FA is the single most effective control for the account itself: someone who obtains your email password still cannot log in without the second factor. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM swapping.
TLS
At the most basic level is encryption of the connections that carry the message: from the sender’s device to their email server, from that server to the recipient’s server, and from the recipient’s server to the recipient’s device. The current standard on all three legs is TLS. If any leg lacks TLS, the email crosses that leg in clear text. Note that server-to-server SMTP uses opportunistic STARTTLS: the sending server encrypts only if the receiving server advertises it, and otherwise falls back to plain text unless a policy such as MTA-STS or DANE requires TLS. You can test whether a domain’s mail servers offer TLS at https://checktls.com; for the device-to-server legs, check that your mail client is configured to use SSL/TLS (or STARTTLS) for both its IMAP and SMTP connections.
Paubox.com is an inexpensive commercial service that can enforce TLS for mail passing between your mail server and the other party’s.
If you rely on TLS alone, the email is readable on both the sender’s and the recipient’s mail servers. Normally that means provider staff and anyone with legal process, but it also includes anyone who compromises those servers, and that can add up to hundreds of unwanted eyes.
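One practical way to see which legs a message actually took over TLS is to read the Received headers that each mail server stamps on it. The following is an added example, not code from the original answer: it parses a constructed sample message (not a real capture) and reports, hop by hop, whether the receiving server recorded a TLS connection. The host names, IDs and cipher strings in the sample are made up.

```python
import email
import re

# Constructed sample message (not a real capture): two Received hops. The laptop
# submitted the message without TLS; the server-to-server hop used TLS 1.3.
# Each server prepends its own Received line, so the newest hop is on top.
SAMPLE_MESSAGE = """Received: from mx.example.net (mx.example.net [203.0.113.5])
\tby mail.example.org (Postfix) with ESMTPS id 4ABC123
\t(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384)
\tfor <bob@example.org>; Mon, 1 Jan 2024 10:00:05 +0000
Received: from alice-laptop (unknown [198.51.100.7])
\tby mx.example.net (Postfix) with ESMTP id 9DEF456
\tfor <bob@example.org>; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@example.net
To: bob@example.org
Subject: test

hello
"""

# RFC 3848 "with" keywords whose trailing S means the hop was protected by TLS.
TLS_PROTOCOLS = {"SMTPS", "ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA", "LMTPS", "LMTPSA"}
WITH_RE = re.compile(r"\bwith\s+((?:UTF8)?E?SMTP[SA]*|LMTP[SA]*)\b", re.IGNORECASE)
VERSION_RE = re.compile(r"(?:version=|using\s+)(TLSv?[0-9][0-9._]*)", re.IGNORECASE)
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def audit_received(raw_message: str) -> list:
    """Return one record per Received hop, oldest hop first, saying whether that
    hop was encrypted with TLS according to the receiving server's own stamp."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
        src = FROM_RE.search(text)
        dst = BY_RE.search(text)
        proto = WITH_RE.search(text)
        version = VERSION_RE.search(text)
        proto_name = proto.group(1).upper() if proto else None
        hops.append({
            "from": src.group(1) if src else None,
            "by": dst.group(1) if dst else None,
            "with": proto_name,
            "version": version.group(1) if version else None,
            "tls": proto_name in TLS_PROTOCOLS or version is not None,
        })
    return hops


def unencrypted_hops(raw_message: str) -> list:
    """Names of the hops that, per the headers, carried the message in clear text."""
    return [f"{h['from']} -> {h['by']}" for h in audit_received(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in audit_received(SAMPLE_MESSAGE):
        status = f"TLS ({hop['version']})" if hop["tls"] else "CLEAR TEXT"
        print(f"{hop['from']} -> {hop['by']}: {hop['with']} {status}")
```

Two caveats when using this on real mail: only the Received lines written by servers you trust (your own provider’s) are reliable, because any upstream server or a spammer can forge earlier ones; and the final leg, the recipient’s client fetching the message over IMAP or POP, never appears in the headers at all and has to be checked in the mail client’s settings.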
ENCRYPTION AT REST
TLS takes care of encryption in transit, but full protection means your communications are also encrypted at rest, while sitting on the email server. Whether this actually keeps the email host (and the criminals or government personnel who get access to the host’s systems) out depends on who holds the keys: if the provider encrypts its disks with keys it controls, it can still read your mail and can be compelled to hand it over; only when the keys are derived from your own credentials and never available to the provider (so-called zero-access encryption) is the provider locked out. You will need to ask your email provider, and that of the other party, how email is stored and who holds the keys.
END-TO-END ENCRYPTION
The ultimate email standard is end-to-end encryption. This means that the email is encrypted at the sender’s device, all the way through to the recipient’s device. In this way, even the email hosts have no access to the communications. There are several ways to accomplish this:
- PGP/GPG encryption
- S/MIME encryption
- Use a secure server
- Use encrypted attachments
PGP/GPG is free, but is technically challenging to use well: both parties must generate key pairs, exchange and verify each other’s public keys, and protect their private keys.
S/MIME is less technically challenging, but requires both sender and recipient to obtain S/MIME certificates ($10-$200/year/account).
Using a secure server is inexpensive ($0-$100/year/account) and very easy to implement, not much more than signing up for an account. The catch is that the email is end-to-end encrypted only when both parties use the same service (or the sender uses the service’s password-protected message feature for an outside recipient); mail to an ordinary address leaves the service like any other email. I recommend ProtonMail.com for their long-standing commitment to security and privacy, and for offering both free and for-fee services.
Another alternative is to keep the email service you currently use and, when you need security and privacy, write the communication as a document, encrypt the document with a strong password, attach the encrypted document to an email, and send it. Share the password through a separate channel (in person, by phone, or over an encrypted messenger), never in the same email or the one after it. This has the advantages of keeping the email service and applications you are comfortable with while still using strong encryption. The options include (but are not limited to):
- Microsoft Office products. Current versions of Word, Excel, and PowerPoint (Office 2013 and later; older versions used weaker ciphers) encrypt their files with AES-256, an industry standard and best practice.
- If the application does not include built-in encryption, use a utility that creates 7z archives with AES-256: 7-Zip (free) on Windows, Keka on macOS. WinZip also offers AES-256 encryption in its Zip format. Enable header encryption (7-Zip’s “Encrypt file names” option) so that the names of the files inside the archive are hidden as well. Remember that the strength of AES-256 is irrelevant if the password is weak: anyone who obtains the file can guess passwords offline at leisure.
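To make the last point concrete, here is an added example (not code from the original answer, nor from 7-Zip or Keka) showing how a 7z archive password becomes its AES-256 key and why the password, not the cipher, sets the real strength of an encrypted attachment. It reimplements 7-Zip’s 7zAES key derivation (one running SHA-256 over salt, the UTF-16LE password and a round counter, 2^19 rounds by default, empty salt) in the Python standard library and then estimates worst-case cracking times for a few password shapes. The password shapes, the year conversion and the 1,000,000 guesses/second GPU figure are assumptions made for illustration.

```python
import hashlib
import time


def sevenzip_derive_key(password: str, cycles_power: int = 19, salt: bytes = b"") -> bytes:
    """Turn an archive password into the AES-256 key the way 7-Zip's 7zAES coder
    does: one running SHA-256 fed salt || UTF-16LE(password) || 64-bit little-endian
    round counter, repeated 2**cycles_power times (default 19, i.e. 524,288 rounds;
    7-Zip normally uses an empty salt). The digest after the last round is the key."""
    digest = hashlib.sha256()
    pw = password.encode("utf-16-le")
    for counter in range(1 << cycles_power):
        digest.update(salt)
        digest.update(pw)
        digest.update(counter.to_bytes(8, "little"))
    return digest.digest()


def measure_guess_rate(cycles_power: int = 19) -> float:
    """Key derivations per second on this machine, single core, pure Python.
    A GPU cracker does the same work thousands of times faster."""
    start = time.perf_counter()
    sevenzip_derive_key("password guess", cycles_power)
    return 1.0 / (time.perf_counter() - start)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of the given length and alphabet."""
    return charset_size ** length / guesses_per_second


def password_report(guesses_per_second: float) -> dict:
    """Years to exhaust a few assumed password shapes at a given guess rate."""
    year = 365 * 24 * 3600
    shapes = {
        "8 lowercase letters": (26, 8),
        "8 chars, 95-symbol alphabet": (95, 8),
        "4 words from a 7,776-word list": (7776, 4),
        "12 chars, 95-symbol alphabet": (95, 12),
    }
    return {name: seconds_to_exhaust(n, k, guesses_per_second) / year
            for name, (n, k) in shapes.items()}


if __name__ == "__main__":
    key = sevenzip_derive_key("correct horse battery staple")
    print("AES-256 key for the sample password:", key.hex())
    print(f"this machine: {measure_guess_rate():.1f} guesses/s")
    # Assumed figure for a GPU cracking rig attacking 7z archives; stated as an assumption.
    for name, years in password_report(1_000_000).items():
        print(f"{name}: {years:,.2f} years at 1,000,000 guesses/s")
```

The 524,288 rounds are what make each guess expensive, but they only multiply the attacker’s cost by a constant; an eight-letter lowercase password is still exhausted in minutes at GPU speeds, while a random twelve-character password or a four-word passphrase from a large word list is out of reach. Pick the attachment password accordingly, and send it over a different channel than the email.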
Which is the best compromise? I think that is a bit like asking what is a good compromise between chocolate ice cream and vanilla cake. It all comes down to your pain thresholds for cost, ease of use, level of security, and need for the other party to have the same setup.