When the Internet was born, a few standards were written for how to send and receive e-mail. All of them assumed that everything travelled in “clear text”, meaning every part of the transmission is completely viewable by anyone “watching” the network.
This means that if someone on your network segment has a “network sniffer” (which are free and easy to use), they can capture all of your network traffic. Anything that is in clear text, they can read and potentially use in harmful ways.
Worse, no one else thinks you have an “expectation of privacy” in your personal e-mails. The e-mail providers, internet providers, the courts, the NSA and other government agencies all say “if it’s not encrypted, it’s fair play” for them to do whatever they wish with your data. Also, as of this writing, your digital data is not considered your “personal papers and effects”, so it is not protected by the 4th Amendment either.
So, for this and many other reasons, you may wish to encrypt your e-mail. This article will explain a bit about how this works – and I’ll have some examples on how to actually do this – depending on which e-mail applications you use.
By the way, nothing in this article costs money – this is using all FREE tools.
STEP 1: Get a certificate
In the olden days, several companies used to offer these certificates – but now there seems to be just one: Comodo. Go to this page:
It’s pretty self-explanatory, just put in your name, e-mail, and a password.
A few minutes later you get an e-mail with a link that says “Click & Install Comodo Email Certificate” – click that.
If you use Internet Explorer, you will see a prompt like this:
You can click Yes.
If you use Google Chrome, you will see this:
STEP 2: View and protect your certificate
So, what just happened? Well, Comodo generated a certificate for you – and when you clicked on the link from the e-mail, it “installed” the certificate on your computer.
“Where?”, you might ask. The certificate was put into the “certificate store”, for your user profile, on your computer.
Depending on your version of Windows, click the Start button or just hit the Windows key on your keyboard and type “certmgr.msc”. Alternatively, you can click Start, then Run…, and type “certmgr.msc”.
This is your certificate store, which is associated with your account on your PC. As you can see, our new certificate is installed. To make sure that you have a copy of it off of this computer, and in case you need to install it on other computers where you get e-mail, you should “export” the certificate to a file for safe-keeping.
To export, right-click on the certificate, choose All Tasks, then “Export…”:
This starts a wizard. First thing, if this is for your own usage (you want to be able to encrypt and sign e-mail) – then choose YES here:
If you are only trying to extract your “public key” for someone else, make sure to choose NO here! Click Next:
This will be a big part of the security of your certificate. Make sure to pick a really good password, here. (See: Picking a good password)
Click Next, and Finish and you should see:
This means that you have the certificate in the “certificate store” in your user profile – and now you have a copy of it, in a file.
You should ideally put this certificate on an encrypted thumb drive. (See: Using TrueCrypt + USB drive to make a portable encrypted drive)
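The export in Step 2 (and the re-import on another device in Step 4) can also be scripted. This PowerShell script is an added example, not part of the original article; it assumes Windows 8 or later (for the PKI cmdlets), and the e-mail address and output paths are placeholders you replace with your own.

```powershell
# Added example (not from the original article): PowerShell equivalent of Step 2.
# Finds the e-mail certificate for the given address in the current user's personal
# store, exports a password-protected .pfx (private key included) as your own backup,
# and a .cer (public key only) that you can hand to other people.
# Assumptions: Windows 8 / Server 2012 or later so the PKI module is present;
# the address and output paths below are placeholders.

$EmailAddress = 'you@example.com'            # placeholder: the address on your certificate
$BackupPfx    = 'E:\secure\email-cert.pfx'   # placeholder: a path on the encrypted thumb drive
$PublicCer    = "$env:USERPROFILE\Desktop\email-public.cer"

# OID of the "Secure Email" enhanced key usage that S/MIME certificates carry
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'

function Get-EmailCertificate {
    param([string]$Address)
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $SecureEmailOid) -and
            $_.NotAfter -gt (Get-Date)
        } |
        Where-Object {
            # the address is stored in the Subject Alternative Name as an RFC822 name
            $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            $san -and ($san.Format($false) -match [regex]::Escape($Address))
        }
}

$cert = Get-EmailCertificate -Address $EmailAddress
if (-not $cert) { throw "No unexpired e-mail certificate with a private key found for $EmailAddress" }
# if several match (e.g. a renewal), keep the one that expires last
$cert = @($cert) | Sort-Object NotAfter -Descending | Select-Object -First 1

Write-Host "Using certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"

# With private key: the "Yes, export the private key" path of the wizard.
# The password typed here is what protects the .pfx, so pick a strong one.
$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $BackupPfx -Password $pfxPassword | Out-Null

# Without private key: the "No" path, safe to give to anyone who needs your public key.
Export-Certificate -Cert $cert -FilePath $PublicCer -Type CERT | Out-Null

# On another PC (Step 4), restore the backup into that user's store the same way:
# Import-PfxCertificate -FilePath $BackupPfx -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword
```

After running it, certmgr.msc on the second PC shows the certificate with the key icon, exactly as after clicking the Comodo link, and the .cer is what you would attach for someone who only needs to encrypt to you.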
STEP 3: Using the certificate with e-mail
For home use, I use Windows Live Mail. It has all the features I need, is simple, and it just works. You can get it for free from Microsoft.
In Live Mail, click the main File ribbon in the top-left and choose Options, and then Safety Options:
Then click the Security tab. On this tab, click the “Digital IDs” button:
If this is on a new PC where the certificate is not installed yet, you will see this screen – and you can just click “Import” to get the certificate set up:
If you already had the certificate installed (like, this is the computer where you download the certificate, from the earlier step) – then you will see it populated. Either way, you should end up with something like this:
Just click Close from here; the mail program will figure out which certificate to use based on which e-mail address you are using. Now, one more thing while you are back on the Safety Options screen: I like to check “Encrypt contents…” and “Digitally sign…”. That way, the program will always try to encrypt every message (if it has the other person’s public key), or at the very least it will sign each outgoing e-mail:
So what was all of this for? Now, we can send encrypted e-mail, if we have someone else who has a certificate. When you go to create a new e-mail, and you are sending to someone where you DO have their public key, the mail message window looks like this:
Notice that by default the “Encrypt” and “Digitally Sign” buttons are depressed. This is because of the setting above. Also note that on the right-hand side there are icons to signify that the e-mail will be encrypted AND signed – well, it will attempt to be.
Below is an example where I am sending e-mail from my Joe Doe account to my Rob Seder account – but I don’t have the public key. This means I can’t encrypt it. Note how the message looks the same as above.
The big difference is when I click send, I’m given a warning that it couldn’t encrypt the message:
This is basically saying “you asked me to encrypt all outgoing e-mail, but I don’t have a certificate for this person”. You can choose to send the message unencrypted, or cancel until you can rectify it.
Microsoft Outlook 2013 is very similar, the Settings screens are just a little different. Click on the File ribbon, then Options:
And click on the “Trust Center” item in the left-side list.
Then, click the Trust Center Settings button:
When composing a mail message, you’ll see similar buttons as Live Mail for encrypting and signing, which we turned on, by default:
Also, if you go into File –> Properties of the composed e-mail, you can see this:
and click on the Security Settings button.
PLEASE NOTE: to get started with this, you need to send someone a “signed” e-mail (which contains your public key) – and that person then needs to respond with at least a “signed” e-mail – so that your e-mail program can correlate that certificate with that e-mail account. Once you do that, you can sign and encrypt e-mails going back and forth.
STEP 4: Securely get your certificate to other devices
Assuming you got this working, you likely also want to be able to read and send encrypted e-mails from other devices like your phone, your tablet, or perhaps another PC or Mac.
What I suggest is to create a new message in your mail account, attach the .pfx file you created and save it in your “Drafts” folder. This way it is securely transferred to the mail server but never sent out over the internet in clear text, and the .pfx itself is still protected by the password you chose when exporting it.
Now, with each new mail client – you can open up that unsent e-mail in your Drafts folder, get the certificate and set up your mail client.
Once you have mail set up on all of your devices – delete that message (that contained your certificate) from your Drafts folder – and also make sure you put that thumb drive that has your private key on it, somewhere safe too.
If you are looking to set up encryption on other devices, here is a place to start – some links I found: