How to encrypt emails

Email is inherently insecure. Consider receiving the results of a blood test from your doctor by email. Unless the message was encrypted, there is no guarantee that nobody else viewed it before it reached your inbox. This page demonstrates a simple way of encrypting emails so that only the intended recipient, the person who holds the password, can read the message and its attachments.

Design Goals

Before discussing how to encrypt emails, let's talk about a few design goals for such a system.
Privacy: No one but the intended recipient should be able to open the message, not even administrators or a junk-filtering email system.
No Plugins: No plugin should be required to open the original message; it should open with software that is commonly available on every computer and mobile device.
Off-line Access: Recipients should not have to rely on external websites to view the message. They should be able to view it even when Internet access is not available.
Mobile Access: Recipients should be able to open the message on mobile devices running iOS, Android or Windows.
No Expiration: A previously sent message should never expire.

SSL/TLS: A misconception

Many people incorrectly assume that using SSL/TLS gives them end-to-end encryption. TLS only encrypts data in transit, one hop at a time: between your mail client and your mail server, or between one SMTP server and the next.

Consider the image below as an example:

[Image: STARTTLS-encryption.png, a diagram of a message's path through several SMTP servers, with the TLS-protected hops drawn in red and the servers in between in gray]

Legend
  Red: Encrypted
  Gray: Not Encrypted

Because SSL/TLS only protects data in transit (the red lines in the diagram), the message is stored in the clear on every SMTP server it passes through. At each of those hops both humans and software can read it, which defeats the purpose of an end-to-end encryption system.

Xeams to the Rescue

Starting with version 6.6 of Xeams, local users can send encrypted emails to recipients on the Internet without installing any special software on the client machine.

Steps to Encrypt

The following steps demonstrate how to encrypt emails in Xeams.
  • Ensure you're using version 6.6 or higher
  • Select Plugins under Home and click the Manage button for End-to-End Encryption
  • Click Enabled

Composing Emails

Users compose emails in their normal email client, such as MS Outlook, Mozilla Thunderbird or any web-based client. To request encryption, append a pre-configured suffix word to the subject line, with the password in parentheses immediately after it. The default suffix word is encpass. Here is an example of a subject line:

Before: Your tax returns for 2018
After: Your tax returns for 2018 encpass(magicWords2018)

Sensitive Keywords

As a matter of company policy, you can define certain words or patterns as sensitive. For example, if an email contains a social security number or a credit card number, you may want to force your users to encrypt that message. Use the following steps to require encryption for such content:

  • Select Plugins under Home and click the Manage button for End-to-End Encryption
  • Check Require encryption for sensitive content
  • Specify keywords in the Sensitive Words field
  • This field also accepts patterns written as regular expressions

Specifying Passwords

There are multiple ways to specify a password for an end-to-end encrypted email:

  • Put the password in the subject line, as shown above
  • Ask the recipient to create a password for their email address on your system (documented on a separate page)
  • Create passwords in Xeams for different recipients. Both administrators and non-admin users can do this (documented on a separate page)

Background Processing

Xeams takes the following steps when a user indicates that a message needs to be encrypted:

  • Xeams searches the subject line for the pre-configured suffix word and reads the password from it
  • It extracts the body as well as the attached files from the email, creates a PDF document encrypted with AES-256, and sends that encrypted PDF in place of the original message
  • The PDF reader, on a desktop or mobile device, prompts the recipient for the password. The sender should relay the password to the recipient over a channel other than email, such as a phone call or text message.

Two points worth keeping in mind: only the body and the attachments end up inside the encrypted PDF, so the message headers (sender, recipient, date) still travel in the clear. And the protection is only as strong as the password: anyone who obtains a copy of the PDF can guess at it offline with no rate limit, so choose a long passphrase rather than a short word.
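As an added illustration (this is not Xeams code and does not describe its internals), the following Python script models the two decisions described in the Sensitive Keywords and Background Processing sections: it parses the encpass(...) suffix out of the subject line, and it scans the message body against sensitive patterns before deciding whether the message may leave unencrypted. The suffix regex, the SSN and card-number patterns, the Luhn filter that discards digit runs which are not card numbers, the three sample messages, and the "reject" action for unencrypted sensitive mail are all assumptions made for this example; this page does not say what Xeams does in that case.

```python
import re
from email import message_from_string
from email.message import Message

# Default suffix word from the page; the password is the text in parentheses,
# e.g. "Your tax returns for 2018 encpass(magicWords2018)".
SUFFIX_WORD = "encpass"
SUFFIX_RE = re.compile(r"\s*" + re.escape(SUFFIX_WORD) + r"\(([^)]*)\)\s*$")

# Assumed contents of the "Sensitive Words" field: a US SSN and a 13-19 digit
# card-number candidate (digits separated by spaces or dashes). The card
# pattern over-matches on purpose; luhn_ok() filters out non-card digit runs.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def extract_password(subject: str):
    """Split 'subject encpass(pw)' into ('subject', 'pw'); (subject, None) if absent.
    The suffix is stripped so the password is not left in the delivered subject."""
    m = SUFFIX_RE.search(subject)
    if m is None:
        return subject, None
    return subject[: m.start()].rstrip(), m.group(1)


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def find_sensitive(text: str) -> list:
    """Return [(pattern_name, matched_text), ...] for every real hit in text."""
    hits = []
    for name, pattern in SENSITIVE_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if name == "card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue  # digit run that fails Luhn: not a card number
            hits.append((name, value))
    return hits


def decide(raw_message: str, require_for_sensitive: bool = True) -> dict:
    """Gateway decision for one outbound message: 'encrypt' when a password was
    supplied in the subject, 'reject' (assumed behaviour) when sensitive content
    is found without a password and the policy is on, 'deliver' otherwise."""
    msg = message_from_string(raw_message)
    subject, password = extract_password(msg.get("Subject", ""))
    hits = find_sensitive(body_text(msg))
    if password is not None:
        action = "encrypt"
    elif hits and require_for_sensitive:
        action = "reject"
    else:
        action = "deliver"
    return {"action": action, "subject": subject, "password": password, "hits": hits}


# Constructed sample messages (not real data).
SAMPLE_ENCRYPTED = """\
Subject: Your tax returns for 2018 encpass(magicWords2018)
Content-Type: text/plain; charset=utf-8

Attached are your returns. The SSN on file is 123-45-6789.
"""

SAMPLE_SENSITIVE = """\
Subject: Card details
Content-Type: text/plain; charset=utf-8

Please charge 4111 1111 1111 1111 for the invoice.
"""

SAMPLE_CLEAN = """\
Subject: Shipping update
Content-Type: text/plain; charset=utf-8

Order 1234 5678 9012 3456 has shipped.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ENCRYPTED, SAMPLE_SENSITIVE, SAMPLE_CLEAN):
        print(decide(sample))
```

The first sample carries a password and is encrypted regardless of its contents; the second has a Luhn-valid card number and no password, so the policy rejects it; the third contains a sixteen-digit order number that fails the Luhn check and is delivered normally. The Luhn filter is what keeps a naive "any 16 digits" rule from blocking harmless mail.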