Emailing Data: A Secure Alternative?

G5 Cyber Security

2 weeks ago

TL;DR

While emailing data seems like avoiding web storage, it’s generally not a secure alternative. Emails are often stored on multiple servers and can be intercepted. Use proper encryption (like PGP/GPG) if you absolutely must email sensitive information, but consider dedicated file sharing or cloud services with strong security features instead.

Is Emailing Data Secure?

Many people think emailing data is a good way to keep it off the web. However, this isn’t usually true. Here’s why:

Emails are stored: Your email provider (Gmail, Outlook, etc.) stores copies of your emails on their servers.
Transit risks: Emails travel across many networks before reaching the recipient. This means they can be intercepted.
Recipient storage: The person you send it to will also likely store a copy on their systems.

Steps to (Attempt) Secure Emailing

If you have to email data, here’s how to make it as secure as possible. Warning: This is complex and requires technical skill from both sender and receiver.

1. Understand the Risks

Before you start, be aware that even with encryption, there are risks:

Key Management: If either you or the recipient lose their encryption key, the data is unrecoverable.
Implementation Errors: Incorrectly configured encryption can leave your data vulnerable.
Phishing Attacks: Attackers might try to steal your keys through phishing emails.

2. Choose an Encryption Method (PGP/GPG)

Pretty Good Privacy (PGP) or GNU Privacy Guard (GPG) are the most common methods for encrypting emails. They use a pair of keys: a public key and a private key.

Public Key: You share this with anyone you want to receive encrypted messages from.
Private Key: This must be kept secret. It’s used to decrypt messages sent to you.

3. Install PGP/GPG Software

You’ll need software on both your computer and the recipient’s computer.

Windows: Gpg4win is a popular option. Download Gpg4win
macOS: GPG Suite is commonly used. Download GPG Suite
Linux: Use your distribution’s package manager (e.g., sudo apt install gnupg on Debian/Ubuntu).

4. Generate Key Pair

Follow the instructions in your chosen software to generate a public and private key pair.

5. Exchange Public Keys

Important: Do this securely! Don’t just email it. Verify the recipient’s key through a trusted channel (e.g., in person, over a secure phone call).

6. Encrypt Your Email

Most email clients have plugins or extensions to integrate with PGP/GPG.

Thunderbird: Enigmail is a popular plugin.

The process usually involves selecting the recipient’s public key before sending the message.

7. Recipient Decrypts

The recipient uses their private key to decrypt the email.

Example using command line (advanced)

gpg --encrypt --recipient 'recipient@example.com' filename.txt

This will encrypt filename.txt for the specified recipient. You’ll need to know their public key ID.

Better Alternatives

Emailing data is complex and risky. Consider these alternatives:

Secure File Sharing Services: Dropbox, Google Drive, OneDrive (with two-factor authentication enabled).
End-to-End Encrypted Messaging Apps: Signal, WhatsApp (ensure end-to-end encryption is active).
Dedicated Cloud Storage with Encryption: Tresorit, pCloud.