• Status: Solved
  • Priority: Medium
  • Security: Public

eMail Encryption


I want to help a friend set up his business with eMail encryption, so that he can encrypt all correspondence. I'm familiar with gpg, but this requires the recipient to actively configure his key and client. Is there anything else out there that is easier for the recipient?

2 Solutions
In order to encrypt the mails, the sender needs to encrypt the data with a certificate.

The receiver in order to read the data that has been sent to him needs a key from the sender in order to decrypt it.

It needs to be done only once. The receiver needs to trust the key of the sender.

With Outlook it is very simple. If you need further help let me know.

You can get a certificate for encrypting mails for free at comodo.com.

Email encryption with thunderbird:
Dave Howe Commented:
Answer is really no (well, conditionally no - there are trusted oracle solutions out there, but they are expensive; Ironport PXE - owned by Cisco now - and ZixMail are probably the best known).

Best supported are the S/MIME based solutions - mostly because S/MIME is related strongly to SSL, so the libraries are the same (and because almost all email clients integrate web browser code into themselves to render HTML emails, they had that library already, so why not use it? :) but because SSL is dominated by the commercial CAs, an effective certificate is rarely free (that said, you could generate for and send to your correspondents a pkcs#12 file with their certificate, their key, and your root key; this is secure enough as the pkcs itself is encrypted with a password, and you can give them that in some other manner - preferably in person - or instruct them how to generate a CSR which you then fill for them).

gpg is a good solution, and you can automate the setup for them quite easily (sending them a .bat file that will run the command line gpg key generation tool). Gpg also has the unique strength (amongst the common solutions) that you aren't reliant on any third party to ensure security; the security stands or fails dependent on the actions of the two parties to the exchange (which is the best solution). What it doesn't have is widespread client support - yes, Thunderbird has Enigmail, and gpg4windows comes with an Outlook plugin, but still, it's not as universally accepted across clients as S/MIME is.


alpha-lemming Author Commented:
"...(that said, you could generate for and send to your correspondents a pkcs#12 file with their certificate, their key, and your root key..."

This sounds like a great way to go.
So, I would use openssl to:
1) Create a CA key and cert
2) For each client, create a key, csr, sign with the CA, create pkcs12 cert, including the client cert, their key, and the root cert.
What should the Common Names be?

It'd be great if you could step by step this for me...

Could you describe this more in detail?
Dave Howe Commented:
Well, yes - but you don't want to use openssl. It's a pain in the rear, hard to maintain, and really is meant for Unix systems.

For Windows, your best choice is the GUI tool "xca", which you can find here:


Create a CA, create a user key (or if they can generate their own CSR, which some versions of Outlook have a button for iirc, get them to send you that) and then send it back to them for import.
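
The CA, per-correspondent certificate and PKCS#12 steps discussed in this thread, written out as an added example that is not from any of the posters; it uses the openssl command line the asker proposed rather than xca. The organisation name, person, e-mail address, lifetimes, passphrase and the function names `make_ca`, `issue_smime` and `check_bundle` are all constructed placeholders.

```bash
# Added example: private CA -> per-correspondent S/MIME cert -> PKCS#12 bundle.
# Names, addresses, lifetimes and passphrases are constructed placeholders.
set -eu

make_ca() {   # $1 = CA directory
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # -nodes leaves the CA key unencrypted so the demo runs unattended; drop it in real use.
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:3072 -sha256 -days 1825 \
    -nodes -subj "/O=Example Business/CN=Example Business Mail CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  chmod 600 "$1/ca.key"
}

issue_smime() {   # $1 = CA dir, $2 = short name, $3 = full name, $4 = e-mail, $5 = bundle passphrase
  d="$1/$2"; mkdir -p "$d"
  # CN carries the person's name; the e-mail address goes into the DN and subjectAltName.
  printf '%s\n' 'basicConstraints = CA:FALSE' \
    'keyUsage = critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage = emailProtection' "subjectAltName = email:$4" > "$d/ext.cnf"
  openssl req -new -config "$1/ca.cnf" -newkey rsa:3072 -nodes \
    -subj "/CN=$3/emailAddress=$4" -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
  openssl x509 -req -in "$d/user.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -sha256 -days 365 -extfile "$d/ext.cnf" -out "$d/user.crt" 2>/dev/null
  # Bundle = user key + user cert + CA cert; "pass:" on the command line is for the demo only.
  openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.crt" -certfile "$1/ca.crt" \
    -name "$3" -passout "pass:$5" -out "$d/$2.p12"
  rm -f "$d/user.key"   # plaintext key no longer needed once it is in the bundle
}

check_bundle() {   # $1 = CA dir, $2 = .p12 file, $3 = passphrase; prints OK if the cert chains to the CA
  openssl pkcs12 -in "$2" -passin "pass:$3" -nokeys -clcerts 2>/dev/null |
    openssl verify -purpose smimesign -CAfile "$1/ca.crt" >/dev/null 2>&1 && echo OK
}

work=$(mktemp -d)
make_ca "$work/ca"
issue_smime "$work/ca" alice "Alice Example" alice@example.test "constructed-passphrase"
check_bundle "$work/ca" "$work/ca/alice/alice.p12" "constructed-passphrase"
```

The correspondent imports the `.p12` file into their mail client and is given the passphrase over a separate channel, as described in the thread; `ca.key` never leaves the issuing machine.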
