How to encrypt emails
Emails are inherently insecure. Consider a scenario where you are receiving the results of a blood test from your doctor via email. Unless the message was encrypted, there is no guarantee that nobody else viewed it before it reached your inbox. This page demonstrates a very simple way of encrypting emails, ensuring that no one but the actual recipient can read the message.
Design Goals
Before discussing how to encrypt emails, let's talk about a few design goals for such a system.
Privacy: No one but the intended recipient should be able to open the message, not even administrators or a junk-filtering email system.
No Plugins: No plugin should be required to open the original message. It should use software that is commonly available on every computer or mobile device.
Off-line Access: Recipients should not have to rely on external websites in order to view the message. They should be able to view the message even if Internet access is not available.
Mobile Access: Recipients should be able to open the message on their mobile devices, running iOS, Android or Windows.
No Expiration: A previously sent message should never expire.
SSL/TLS: A misconception
Many individuals incorrectly think they can achieve end-to-end encryption by using SSL/TLS. SSL/TLS can only encrypt data in transit.
Consider the diagram below as an example (legend: red lines are encrypted, gray lines are not encrypted).
Since SSL/TLS only encrypts in-transit data (represented by the red lines in the diagram), the message is potentially stored in clear once it reaches the next SMTP server. Therefore, both humans and software can read the message there, defeating the purpose of an end-to-end encryption system.
Using Xeams to the Rescue
Starting from v6.6 of Xeams, local users can send encrypted emails to recipients on the Internet without using any special software on the client's machine.
Steps to Encrypt
The following steps demonstrate how to encrypt emails in Xeams.
- Ensure you're using version 6.6 or higher
- Select Plugins under Home and click the Manage button for End-to-End Encryption
- Click Enabled
Composing Emails
Users can compose emails using their normal email composing tool such as MS Outlook, Mozilla Thunderbird or any other web-based email client. Modify the subject line with a pre-configured suffix word. By default this word is encpass.
Here is an example of a subject line:
Before: Your tax returns for 2018
After: Your tax returns for 2018 encpass(magicWords2018)
Sensitive Keywords
As a company policy, you can define certain words or patterns as sensitive. For example, if an email contains a social security number or a credit card number, you may want to force your users to encrypt that message.
Using the following steps you can force your users to use encryption:
- Select Plugins under Home and click the Manage button
- Check Require encryption for sensitive content
- Specify keywords in the field for Sensitive Words
- This field can accept patterns specified as regular expressions
Specifying Predefined Passwords
Users can predefine encryption passwords for common recipients. For example, a doctor's office can specify individual passwords for every patient before sending a blood report.
Background Processing
Xeams takes the following steps when users indicate they need to encrypt the message:
- Xeams searches the subject line for the pre-configured suffix word
- It extracts the body as well as the attached files from the email, creates an encrypted PDF document using AES-256 encryption, and sends the encrypted PDF instead
- The PDF reader, either on desktop or mobile device, will prompt the recipient for the encryption password, which
should be relayed to the recipient by the sender using a channel other than email.
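The gateway-side decision described above (spot the suffix word, take the password out of the subject, and enforce the sensitive-content policy) as an added Python example; it is not Xeams code, and the sensitive patterns, the predefined-password lookup and the bare "encpass" fallback are assumptions made for the illustration. PDF generation itself is left out.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Default suffix word from the page; administrators can change it.
SUFFIX_WORD = "encpass"

# Constructed sample of the "Sensitive Words" field: regular expressions or plain words.
SENSITIVE_PATTERNS = [
    r"\b\d{3}-\d{2}-\d{4}\b",            # US social security number
    r"\b(?:\d{4}[ -]?){3}\d{4}\b",       # 16-digit card number, optionally grouped
    r"(?i)\bconfidential\b",             # a plain keyword
]

@dataclass
class Decision:
    subject: str                 # subject line with the suffix removed
    password: Optional[str]      # password the PDF would be protected with
    hits: list = field(default_factory=list)  # sensitive patterns that matched
    action: str = "send-plain"   # "encrypt", "send-plain" or "reject"

def extract_password(subject, suffix_word=SUFFIX_WORD):
    """Split 'Subject encpass(secret)' into ('Subject', 'secret', True).

    A bare suffix with no parentheses is also accepted (an assumption for this
    example) and yields password None so a predefined one can be used instead.
    """
    pattern = r"\s*" + re.escape(suffix_word) + r"(?:\((?P<pw>[^()]+)\))?\s*$"
    m = re.search(pattern, subject, re.IGNORECASE)
    if not m:
        return subject, None, False
    return subject[:m.start()].rstrip(), m.group("pw"), True

def find_sensitive(text, patterns=SENSITIVE_PATTERNS):
    """Return every configured pattern that occurs in the message text."""
    return [p for p in patterns if re.search(p, text)]

def decide(subject, body, recipient=None, predefined=None,
           require_for_sensitive=True, patterns=SENSITIVE_PATTERNS):
    clean, pw, requested = extract_password(subject)
    if requested and pw is None and predefined:
        pw = predefined.get(recipient)     # assumed per-recipient password table
    hits = find_sensitive(body, patterns)
    if requested and pw:
        action = "encrypt"                 # build the AES-256 PDF with pw
    elif requested or (hits and require_for_sensitive):
        action = "reject"                  # no password, or policy demands encryption
    else:
        action = "send-plain"
    return Decision(clean, pw, hits, action)
```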