TL;DR
Yes, some email services offer end-to-end encryption where *you* control the keys, meaning they don’t store them on their servers. This significantly improves your privacy. We’ll look at a few options and how to set them up.
Understanding Key Control
Most standard email providers (like Gmail, Outlook) encrypt emails while in transit and at rest on *their* servers. However, they hold the keys to decrypt those messages. This means they could theoretically access your content. End-to-end encrypted services differ because only you and the recipient have the keys.
Services That Prioritise Key Control
- Proton Mail: A popular choice with a strong focus on privacy. They offer end-to-end encryption by default for emails sent to other Proton Mail users. To reach non-Proton Mail addresses, you can send an encrypted message instead (the recipient must enter a password or create a temporary account to read it).
- Tutanota: Similar to Proton Mail, Tutanota provides end-to-end encryption and focuses on user privacy. They also offer encrypted calendars and contacts.
- Mailbox.org: Offers end-to-end encryption as an optional feature using PGP (Pretty Good Privacy). This gives you more flexibility but requires a bit more technical setup.
- Disroot: A cooperative, free/libre email service that supports end-to-end encryption with PGP. It’s a good option if you want to support open-source projects and have full control over your data.
Setting Up End-to-End Encryption
The setup process varies depending on the service. Here’s a breakdown for each:
1. Proton Mail
- Automatic Encryption: When emailing another Proton Mail user, encryption happens automatically.
- Encrypted Emails to Non-Proton Mail Users: You’ll be prompted to set a password when sending an email to a non-Proton Mail address. The recipient will receive a link and need this password to view the message on Proton Mail’s web interface (or create a temporary account).
2. Tutanota
- Automatic Encryption: Similar to Proton Mail, encryption is automatic for emails between Tutanota users.
- Sending to External Addresses: Tutanota provides an option to encrypt messages for external recipients using a password.
3. Mailbox.org (PGP Setup)
This requires more technical knowledge.
- Generate a PGP Key Pair: You’ll need to generate a public and private key pair. You can use tools like GnuPG (GPG).
    gpg --gen-key
4. Disroot
- PGP Integration: Disroot supports PGP encryption, similar to Mailbox.org. You will need to generate a key pair and manage it yourself. Refer to their documentation for detailed instructions.
Important Considerations
- Recipient Support: End-to-end encryption is most effective when both sender and recipient use the same service or compatible PGP implementations.
- Key Management: Protect your private key! If you lose it, you won’t be able to decrypt your emails. Consider using a strong password manager and backing up your key securely (offline).
- Metadata: While the *content* of your emails is encrypted, metadata (sender/recipient addresses, timestamps) may not be. Consider this when evaluating privacy needs.
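The PGP route described for Mailbox.org and Disroot, combined with the key-backup advice above, as an added example that is not taken from either provider's documentation: it generates a key pair in a throwaway keyring, exports the public key and a backup of the private key, then checks that the backup really works by restoring it into an empty keyring and decrypting a message. It assumes GnuPG 2.2 or later; the function name `pgp_roundtrip`, the identity and the passphrase are constructed for illustration.

```shell
#!/bin/sh
# Added example (assumes GnuPG 2.2+). Everything happens in a temporary
# directory, so your real keyring in ~/.gnupg is never touched.
pgp_roundtrip() {
    uid="Alice Example <alice@example.org>"   # constructed identity
    pass="constructed-demo-passphrase"        # constructed; pick your own secret
    work=$(mktemp -d) || return 1
    mkdir -m 700 "$work/main" "$work/restore" || return 1
    G="gpg --batch --quiet --pinentry-mode loopback"

    # 1. Generate the key pair: non-interactive form of `gpg --gen-key`.
    #    "default default" creates a primary key plus an encryption subkey.
    GNUPGHOME="$work/main"; export GNUPGHOME
    $G --passphrase "$pass" --quick-generate-key "$uid" default default 1y \
        || return 1
    # The first "fpr" record in the listing is the primary key fingerprint.
    fpr=$($G --with-colons --list-keys |
          awk -F: '$1 == "fpr" { print $10; exit }')

    # 2. Public key: this is the file you hand to correspondents.
    $G --armor --export "$fpr" > "$work/public.asc"

    # 3. Private key backup: stays passphrase-protected; store it offline.
    $G --passphrase "$pass" --armor --export-secret-keys "$fpr" \
        > "$work/secret-backup.asc" || return 1

    # 4. Encrypt a constructed message to the new key.
    printf '%s\n' "constructed test message" |
        $G --armor --encrypt --recipient "$fpr" > "$work/msg.asc" || return 1
    gpgconf --kill gpg-agent

    # 5. Simulate a lost device: empty keyring, restore the backup, decrypt.
    #    Without the backup file (or the passphrase) this step cannot succeed.
    GNUPGHOME="$work/restore"
    $G --passphrase "$pass" --import "$work/secret-backup.asc" || return 1
    $G --passphrase "$pass" --decrypt "$work/msg.asc"
    rc=$?

    gpgconf --kill gpg-agent
    rm -rf "$work"
    return $rc
}
```

Calling `pgp_roundtrip` prints the decrypted plaintext on success; for a real key, drop the temporary directory and keep the exported backup somewhere offline.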