Email encryption
Encrypting an email ensures that its contents can be read only by the parties to that conversation. When an email is encrypted, the contents are transformed into an unreadable form, and only someone holding the matching key can decrypt them back into the original text.
Email encryption may also be combined with authentication, with encryption itself serving as the means of concealing the communication between two or more parties in an email conversation.
Email encryption is designed to block hackers and other third parties who may attempt to access information stored in a private or corporate email account. Although many email providers encrypt email contents during transmission, the email itself is usually held on the provider's servers in plain text. For those seeking a more secure email service, encryption can also prevent the email provider from reading the contents of the email, as long as an encrypted account is used or the encryption feature is activated on the email service.
There are several types of email encryption available for those interested in secure email communications, with most services based on standard encryption protocols; the two main approaches are transport-level encryption and end-to-end encryption.
How does encrypted email work?
Email encryption utilises public-key cryptography, which assigns the account holder of each email address a pair of keys unique to that address. Using a public key infrastructure (PKI), a 'public key' is linked to the account holder's name/email address, while a 'private key' is assigned but never shared. The two keys are mathematically linked: what is encrypted with the public key can only be decrypted with the corresponding private key.
Public keys are published in a directory so that anyone sending an email to the account, including third-party email providers, can look them up. Any email sent to an encrypted account is encrypted using the public key, and its contents can only be unlocked and read by the account holder with the private key. This key pairing makes it possible to send an encrypted email knowing that only the intended recipient, who holds the private key, can open the contents.
Transport-level encryption uses the STARTTLS email encryption extension. STARTTLS upgrades the plain-text connection used between email servers to a TLS (formerly SSL) encrypted one, provided the sender's and recipient's email servers both support it.
When using end-to-end encryption, email contents are encrypted at the source and decrypted at the endpoint, so the email is unreadable to email service providers whilst in transit.
Several standard protocols are used for end-to-end encryption; OpenPGP is a popular standard that allows end users to encrypt their email contents. Some email providers integrate end-to-end encryption automatically for their users. For those whose email provider doesn't offer end-to-end encryption as standard, OpenPGP can be implemented through email client plugins, which encrypt the email using the recipient's public key. Once the email is encrypted, the user can send it to the recipient securely.
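The condition above, that both servers must support STARTTLS, is the security-relevant edge: a client that cannot confirm the extension must stop rather than quietly deliver in plain text. This added Go example (not from the article, and not any mail product's code) parses a constructed EHLO reply, applies that rule, and shows the same rule on a live net/smtp connection; the server address and host name passed to ConnectWithTLS are assumptions.

```go
package main

import (
	"crypto/tls"
	"errors"
	"net/smtp"
	"strings"
)

var errNoSTARTTLS = errors.New("server did not offer STARTTLS; refusing to send in plain text")

// ParseEHLO maps the extensions in a raw multi-line EHLO reply by upper-cased keyword.
func ParseEHLO(reply string) map[string]string {
	exts := map[string]string{}
	for i, line := range strings.Split(strings.TrimSpace(reply), "\n") {
		f := strings.Fields(strings.Replace(line, "-", " ", 1)) // "250-KEY" -> "250 KEY"
		if i == 0 || len(f) < 2 { // line 0 is the greeting, not an extension
			continue
		}
		exts[strings.ToUpper(f[1])] = strings.Join(f[2:], " ")
	}
	return exts
}

// RequireSTARTTLS is the policy step: no STARTTLS keyword, whether the server
// lacks it or something on the path stripped it, means stop, not fall back.
func RequireSTARTTLS(exts map[string]string) error {
	if _, ok := exts["STARTTLS"]; !ok {
		return errNoSTARTTLS
	}
	return nil
}

// ConnectWithTLS applies the same policy on a live connection, then upgrades
// it and verifies the certificate against serverName (assumed: the MX host).
func ConnectWithTLS(addr, serverName string) (*smtp.Client, error) {
	c, err := smtp.Dial(addr)
	if err != nil {
		return nil, err
	}
	if ok, _ := c.Extension("STARTTLS"); !ok {
		c.Close()
		return nil, errNoSTARTTLS
	}
	if err := c.StartTLS(&tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}); err != nil {
		c.Close()
		return nil, err
	}
	return c, nil
}
```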
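The key-pair flow described under "How does encrypted email work?" and the OpenPGP plugin model just described share one shape: a fresh session key encrypts the body, and only that small key is locked with the recipient's public key. This added Go example (not from the article or any OpenPGP implementation) shows that shape with RSA-OAEP and AES-256-GCM in place of OpenPGP's own packet format; the recipient address is a constructed value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is what leaves the sender. The address stays readable (the
// metadata the article mentions); the session key and body do not.
type Envelope struct {
	To         string // plain text: visible to every server on the path
	WrappedKey []byte // random session key, locked with the recipient's public key
	Nonce      []byte
	Body       []byte // message body, locked with the session key (AES-256-GCM)
}

// Encrypt needs only the recipient's public key, which is what a key
// directory or mail plugin hands to the sender.
func Encrypt(to string, pub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	key, nonce := make([]byte, 32), make([]byte, 12) // fresh session key per message
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{to, wrapped, nonce, gcm.Seal(nil, nonce, msg, nil)}, nil
}

// Decrypt needs the matching private key: any other key fails to unwrap the
// session key, so the body stays unreadable and the caller gets an error.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return nil, errors.New("private key does not match this envelope")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Body, nil) // also fails if the body was altered
}
```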
Is it a good idea to encrypt your email?
Email communications can be exposed to hacking and phishing attacks, particularly when using public Wi-Fi networks. Should an encrypted email be intercepted, an attacker cannot read its contents without the decryption key.
When using end-to-end encryption, it is worth considering that OpenPGP encrypts the email content only. Metadata such as who sent the email and when can still be viewed by a third party with access to the sender's or recipient's email server. Users can reduce this exposure by also using transport-level STARTTLS encryption, which protects the message headers whilst in transit between servers.
How to set up email encryption in Microsoft 365
Microsoft Office 365 offers Office 365 Message Encryption (OME) for Microsoft 365 Business Premium users and certain Office 365 Enterprise and Government subscriptions. OME utilises rights management features from Azure Information Protection. Specific subscription packages, including Microsoft 365 Business Basic and Standard, allow users to add Azure Information Protection Plan 1 to activate the email encryption features.
Once OME is enabled, encrypted messages can be sent from several Microsoft email clients, including Outlook 2016/2013 (Windows and Mac) and Outlook online. Setting up email encryption involves verifying that Azure Rights Management (Azure RMS) is active in the organisation's tenant, as this allows Microsoft 365 to activate OME automatically.
As Azure RMS is activated automatically for most subscriptions, and the default OME settings in Microsoft Office 365 plans follow the recommended best practice for email encryption, this feature should require minimal setup time.
Ultimately, whichever email encryption service is chosen, an individual or organisation will benefit from more secure email communications.