Sign in Subscribe
Cybersecurity

Secure email

Salt and Sugar

Salt and Sugar

— 4 min read
Secure email
A slide showing email services covered by the US surveillance program, PRISM, obtained from the Guardian
💡
We no longer recommend Proton Mail as it has been experiencing repeated outages. In its place, we recommend Posteo.
💡
Mailvelope offers you protection if and only if the other party you are communicating with already uses Pretty Good Privacy (PGP). It is not an email service.

In 2019, CNBC reported that Gmail was the "most dominant online email service" with more than 1.5 billion active users around the world. Chances are, you have and use a Gmail account.

The Guardian's report on PRISM, a US surveillance program, describes how it allows the National Security Agency (NSA) and other intelligence services "direct access" to emails from service providers such as Microsoft, Yahoo, and Google.

A slide showing email services covered by the US surveillance program, PRISM, obtained from the Guardian

The slide obtained from the Guardian suggests that the NSA and other intelligence services have been able to directly access user emails in Gmail accounts since 2009.

If you need to send and receive emails securely, you will need to use encryption.

Businesses in regulated industries and other large businesses use certificates, issued by a trusted Certificate Authority (CA) to, among other things, encrypt emails. However, obtaining certificates from a CA is costly and complex for the average consumer. And to enjoy the protection they offer, you and the other party you are communicating with need to exchange your respective certificates.

As the average consumer, you can take two alternative approaches to sending and receiving emails securely with different pros and cons.

The first is to use Mailvelope, a browser add-on available in Google Chrome, Mozilla Firefox, and Microsoft Edge. Mailvelope offers you protection if and only if the other party you are communicating with already uses Pretty Good Privacy (PGP). But this allows you to encrypt emails using your existing Gmail account, provided that your contacts already use PGP. If this is not a typical use case for you, scroll down to learn about the other approach. To get started with Mailvelope, you can use one of these browsers, head over to Mailvelope, and click the Download Mailvelope button. We will be using Google Chrome in our example.

On the page to which you are directed, click the Add to Chrome button.

Once the Mailvelope extension is installed, click on the extension icon and pin the extension.

Click on the Mailvelope icon and click on the Let's start! button.

On the Setup page, click on the Generate key button.

Fill in the information and click on the Generate button. It's important to use a secure password. It may take a few minutes to generate a key pair.

Once the key pair is generated, go to your Gmail inbox. There, you will see a Mailvelope icon next to the Compose button. Click on the icon.

When you click on the Mailvelope icon for the first time, you will be directed to a page where you will be asked to Sign in with Google. Click on the button and sign in. Mailvelope needs your permission to read and send your emails because this is required to encrypt and decrypt emails. This permission does not mean that anyone at Mailvelope can read your emails. Encryption and decryption of emails take place locally only on your device.

Once the necessary permission has been provided, clicking on the Mailvelope icon will allow you to compose a secure email. Messages and attachments are encrypted. However, the subject line is not encrypted. Therefore, you should refrain from using a subject line that contains sensitive information.

Another approach to sending and receiving emails securely is to use Posteo. Unlike Mailvelope, Posteo is an email service. It has been audited and you can access the details of their audits here. As it is an email service itself, you will not be able to use your Gmail account or the email address that you have been using with Posteo but you will be able to enjoy the protection it offers even when the other party you are communicating with does not use PGP. There is a nominal cost with Posteo - 1 EUR per month, which you can pay by cash.

We recommend Posteo for the average consumer. This means getting a new email address for yourself and updating your contact information with friends, family and businesses with whom you exchange emails. You can give yourself time to transition. This means keeping both your existing email address and the new address while you transition. For those of you who already have contacts that are already set up to exchange emails securely using PGP, you can try out Mailvelope and keep your existing email address.

Read more