GlobalSign Blog

How to Encrypt Email: S/MIME for Email Encryption


Like everyone else, you probably don’t want anyone snooping on the emails you send and receive, especially when they involve crucial parts of your business operation. Here’s a quick guide on how to protect your communications through encryption.

We have a menagerie of methods for email encryption, but the most common is to use Public Key Infrastructure (PKI). To help with setup, this article also covers how to configure email encryption in Apple Mail, Microsoft Outlook, and Gmail.

What is encryption?

As a critical component of secure communication and data protection in the digital age, encryption converts your email data into a code to prevent unauthorized access. Specifically, encryption transforms data into a format that is unreadable without a decryption key. This involves using an algorithm to convert the original readable data (plaintext) into an unreadable format (ciphertext).

Why Email Encryption Is Important

The point of encryption is to ensure authentication, confidentiality, integrity, and non-repudiation. Apart from secure email, encryption is used in secure browsing (HTTPS), secure file storage on hard drives or in the cloud, cryptocurrencies, and several other areas. Simply put, it prevents eavesdropping, phishing, tampering, man-in-the-middle attacks, and other threats.

Types of Email Encryption

SSL (Secure Sockets Layer)

SSL protects data, bank details, passwords, usernames, and other confidential info. It uses RSA asymmetric (public key) encryption to encrypt data transferred over SSL connections.

TLS (Transport Layer Security)

TLS comes with a Handshake Protocol that allows both client and server to authenticate each other, select an encryption algorithm, and exchange a symmetric key prior to data exchange. It also has a Record Protocol, which provides secured connections with Data Encryption Standard (DES) or other encryption methods. Moreover, it uses message authentication codes for message integrity, symmetric keys for bulk encryption, and asymmetric keys for key exchange and authentication. TLS uses the RSA algorithm with 1024- and 2048-bit strengths.

PGP (Pretty Good Privacy)

PGP is a protocol used to encrypt and decrypt data that provides authentication and cryptographic privacy. Often used for data compression, digital signing, encryption and decryption of messages, emails, files, and directories, PGP combines the best of both conventional and public key cryptography. It is therefore known as a hybrid cryptosystem. PGP uses RSA (asymmetrical) for computing digital signatures. Meanwhile, it uses MD5 for computing message digests.

GlobalSign helps me protect Blue Ocean Law Group’s brand whilst providing a positive point of cybersecurity differentiation in our email exchanges. GlobalSign’s Secure Email (using the S/MIME protocol) includes the ability to sign your emails using a Digital Signature. Our clients & colleagues are relieved & achieve peace of mind when they see a GlobalSign-enabled visual icon displayed in our email header [assuming they use a mainstream email client (e.g., Outlook)].

James D. Ford Esq., GAICD CIPP/US | innovative Counsel [iC]℠ | General Practice Lawyer | Corporate Governance | Founder of Blue Ocean Law Group

Encrypting Apple Mail, Gmail, and Outlook

Encrypting Apple Mail

Get a Digital Certificate (Digital ID)

This requires an S/MIME (Secure/Multipurpose Internet Mail Extensions) certificate. You can obtain one from a popular and trusted certificate authority like GlobalSign. Once you receive the certificate, install it on your Mac. Typically, this simply involves double-clicking the file and following the prompts to add it to your Keychain.

Configure Apple Mail to Use Your Certificate

Once your certificate is all set, you can configure Mail to use it:

  1. Open the Mail app.
  2. From the Mail menu, select Preferences.
  3. Click Accounts then select the account you want to use to send encrypted email.
  4. Click Advanced, and then select the checkbox next to Sign outgoing messages with S/MIME. If your certificate isn’t selected, click “Choose” and then choose your certificate.

Sending an Encrypted Email

Before you start composing and encrypting an email for someone, you will need their public key. Your intended recipient can share this by sending you a signed email, after which you can take on these next steps:

  1. Compose a new email.
  2. Click on the lock icon to the right of your recipient’s email address.
  3. This lock will become blue and show a tool tip stating Encrypt.
  4. Should the lock be gray, it means you don’t yet have your recipient’s public key.

Reading an Encrypted Email

Once you receive an encrypted email, the Mail app will automatically decrypt it using your private key.

Encrypting Microsoft Outlook

Get a Digital Certificate

Again, you’ll need to obtain a digital certificate from a Certificate Authority (CA) like GlobalSign to sign and encrypt your emails.

Install the Certificate

This involves downloading the certificate and then double-clicking the file. Don’t worry, Windows will open a wizard that guides you through the process.

Outlook Set Up

  1. Open Outlook and go to the File tab.
  2. Click Options > Trust Center > Trust Center Settings > Email Security > Settings.
  3. Set a name for your settings.
  4. Click Choose next to Signing Certificate.
  5. Choose your signing Certificate from the list. Press OK.
  6. Repeat the same process for Encryption Certificate.
  7. Once you’ve set your Signing & Encryption certs, press OK on each window to save your settings.
  8. Your Certificate is now configured in Outlook.

Send an Encrypted Email

  1. Compose a new email in Outlook.
  2. Go to the Options and click Encrypt.
  3. If you haven’t previously received a signed email from your recipient (a signed email includes their public key), you should be prompted to find their digital ID before you can send them an encrypted email.

Encrypting Gmail (Google Mail)

Gmail curiously presents an option where you don’t have to install a Digital Certificate.

Write Your Email as Usual

  1. Log in to your account.
  2. Click Compose and start writing your email.
  3. Add your recipient, fill out the subject line, and include necessary attachments.

Turn Confidential Mode On

  1. Notice the small security padlock icon at the bottom of your Compose window.
  2. Click it to set the expiration date.
  3. You can choose to require an SMS passcode, depending on your preference.
  4. Once done, your item will be sent as an encrypted email.

Public key and private key

Sending and Receiving Encrypted Email

If someone else gains access to your private key, they will be able to decrypt the emails encrypted with your public key. Hence, take every measure to keep it secure. Your recipient must also have their own digital certificate to decrypt the emails you send them. They must also have your public key to send you encrypted emails. Note that email encryption requires both sender and recipient to have their respective digital certificates.
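
The key relationship described above, shown outside a mail client as an added example (not part of the original article): the OpenSSL command line signs a message with the sender's private key, encrypts it to the recipient's certificate, and confirms that only the recipient's private key opens it. The identities alice and bob, the example.test addresses, the file names and the throwaway self-signed certificates are constructed for the demonstration; a real deployment uses S/MIME certificates issued by a CA.

```shell
#!/usr/bin/env bash
# Added example: S/MIME sign-then-encrypt with the openssl CLI.
# All identities, addresses and files below are constructed for the demo.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_id NAME: throwaway self-signed certificate + private key for NAME
make_id() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1/emailAddress=$1@example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# send_secure FROM TO MSGFILE OUT
# Sign with FROM's private key, then encrypt to TO's certificate (public key).
send_secure() {
  openssl smime -sign -text -in "$3" \
      -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" |
    openssl smime -encrypt -aes256 -out "$4" "$WORK/$2.crt"
}

# read_secure WHO SIGNER INFILE
# Decrypt with WHO's private key, then verify the signature against SIGNER's
# certificate (used as the trust anchor only because it is self-signed here).
read_secure() {
  openssl smime -decrypt -in "$3" \
      -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" |
    openssl smime -verify -text -CAfile "$WORK/$2.crt" 2>/dev/null |
    tr -d '\r'
}

make_id alice
make_id bob
printf 'Quarterly figures attached.\n' > "$WORK/msg.txt"   # constructed message

# Alice needs only Bob's certificate to encrypt; Bob needs his private key to read.
send_secure alice bob "$WORK/msg.txt" "$WORK/mail.p7m"
echo "Bob reads: $(read_secure bob alice "$WORK/mail.p7m")"

# Alice is not a recipient, so her private key cannot decrypt the message.
if ! read_secure alice alice "$WORK/mail.p7m" >/dev/null 2>&1; then
  echo "Alice cannot decrypt a message encrypted to Bob"
fi
```

Anyone who obtains `bob.key` can run `read_secure` exactly as Bob does, which is why the private key is the part that must be protected.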

How can GlobalSign help you?

Secure Email (S/MIME)

In particular, GlobalSign’s Secure Email is scalable and natively compatible with popular email clients. It requires minimal user training, as you will read in our use cases. Encryption can easily be set to automatic for all outgoing messages.

Likewise, it ties your sender’s third-party-verified identity to their email. Their identity is clearly presented to the recipient to help differentiate it from spoofed emails. It supports non-repudiation, too.

Secure Email (S/MIME) vs. Competitors

Here are GlobalSign’s Secure Email (S/MIME) notable features that many other providers do not support:

  1. Something that fast-changing corporate environments will appreciate: We offer efficient, secure, and easy processing of certificate requests. Our technology and interface enable easier and faster processes. Our setup can be completed and rolled out in days, when others’ can take months.
  2. We have a strong presence complete with physical offices here in APAC. Our dedicated technical support offers reliable and efficient phone and email response in multiple languages. This tends to be a limitation found in other brands.
  3. GlobalSign offers service warranty until the end of your certificate’s validity period. Many others provide only 30 days or none at all.
  4. Some other S/MIME providers tend to have limited storage, which pretty much limits what you can do. That’s not the case for us.
  5. Our Secure Email can readily be used through our high-speed cloud certificate management software called Atlas. Overall, it frees a lot of bandwidth for your IT and security teams through automatic certificate issuance.
  6. Our Active Directory Integration feature supports key recovery and archival.
  7. Our Mobile Device Management connectors enable integrations with AirWatch, MobileIron, and Intune.

The solution to eliminate exposure to cybersecurity risks such as data breaches and phishing is just a few taps away. You and GlobalSign are united in this goal of protecting your entire organization. Visit this page to get in touch.
