eMail Encryption

Posted on 2010-01-05
Last Modified: 2013-11-08

I want to help a friend set up his business with eMail encryption, so that he can encrypt all correspondence. I'm familiar with gpg, but this requires the recipient to actively configure his key and client. Is there anything else out there that is easier for the recipient?

Question by: alpha-lemming
    LVL 5

    Expert Comment

    In order to encrypt the mails, the sender needs to encrypt the data with a certificate.

    The receiver, in order to read the data that has been sent to him, needs a key from the sender in order to decrypt it.

    It needs to be done only once. The receiver needs to trust the key of the sender.

    With Outlook it is very simple. If you need further help let me know.

    You can get a certificate for encrypting mails for free at

    LVL 22

    Expert Comment

    Email encryption with thunderbird:
    LVL 33

    Accepted Solution

    The answer is really no (well, conditionally no - there are trusted oracle solutions out there, but they are expensive; IronPort PXE - owned by Cisco now - and ZixMail are probably the best known).

    Best supported are the S/MIME based solutions - mostly because S/MIME is related strongly to SSL, so the libraries are the same (and because almost all email clients integrate web browser code into themselves to render HTML emails, they had that library already, so why not use it? :). But because SSL is dominated by the commercial CAs, an effective certificate is rarely free (that said, you could generate for and send to your correspondents a PKCS#12 file with their certificate, their key, and your root key; this is secure enough as the PKCS#12 itself is encrypted with a password, and you can give them that in some other manner - preferably in person - or instruct them how to generate a CSR which you then fulfil for them).

    gpg is a good solution, and you can automate the setup for them quite easily (sending them a .bat file that will run the command line gpg key generation tool). gpg also has the unique strength (amongst the common solutions) that you aren't reliant on any third party to ensure security; the security stands or fails dependent on the actions of the two parties to the exchange (which is the best solution). What it doesn't have is widespread client support - yes, Thunderbird has Enigmail, and gpg4win comes with an Outlook plugin, but still, it's not as universally accepted across clients as S/MIME is.

    Author Comment

    "...(that said, you could generate for and send to your correspondents a pkcs#12 file with their certificate, their key, and your root key..."

    This sounds like a great way to go.
    So, I would use openssl to:
    1) Create a CA key and cert
    2) For each client, create a key and CSR, sign with the CA, and create a PKCS#12 file including the client cert, their key, and the root cert.
    What should the Common Names be?

    It'd be great if you could step this through for me...

    Could you describe this in more detail?
    LVL 5

    Expert Comment

    LVL 33

    Assisted Solution

    by: Dave Howe
    Well, yes - but you don't want to use openssl. It's a pain in the rear, hard to maintain, and really is meant for Unix systems.

    for windows, your best choice is the gui tool "xca" which you can find here:

    create a CA, create a user key (or if they can generate their own CSR, which some versions of outlook have a button for iirc, get them to send you that) and then send it back to them for import.
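The author laid out the openssl version of this procedure (CA key and cert, then per-correspondent key, CSR, CA-signed cert, and a PKCS#12 bundle), and Dave Howe points to xca as the friendlier GUI. For readers who do want the command-line route, here is an added, self-contained shell example of those steps; it is not code from the thread. The organisation name, the two correspondents, their addresses and the import passwords are made up for illustration, and it also answers the Common Name question in the comments: the CA's CN names the authority, a user's CN is their display name, and the e-mail address goes into the certificate's rfc822Name SAN (plus the subject emailAddress for older clients), which is what mail clients actually match against.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private S/MIME CA with the
# openssl CLI, following the steps the asker listed. Names, addresses and
# passwords are fictitious.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # every key, cert and .p12 lands here

# Step 1: CA key and self-signed CA certificate.
# CN names the authority, not a person. CA:TRUE + keyCertSign mark it as a
# signing CA so clients will build chains from it once the .p12 is imported.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
O = Example Corp
CN = Example Corp Mail CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: per correspondent, one key, CSR, CA-signed cert and PKCS#12 bundle.
# $1 file-name stem, $2 display name (CN), $3 e-mail address, $4 .p12 password
# (hand the password over out of band, never in the same mail as the .p12).
issue_user() {
    name=$1; cn=$2; email=$3; p12pass=$4
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "/O=Example Corp/CN=$cn/emailAddress=$email" 2>/dev/null
    # Leaf extensions: not a CA, usable for signing + key transport, and the
    # emailProtection EKU + rfc822Name SAN that S/MIME clients look for.
    cat > "$WORK/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$email
authorityKeyIdentifier = keyid,issuer
EOF
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 730 -sha256 -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.crt" 2>/dev/null
    # One password-protected file with the user's cert, private key and the
    # CA cert, ready for import into Outlook or Thunderbird.
    openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.crt" \
        -certfile "$WORK/ca.crt" -name "$cn <$email>" \
        -passout "pass:$p12pass" -out "$WORK/$name.p12"
}

# Sanity check before sending: chain verifies against the CA, the cert carries
# the e-mail EKU, and the .p12 opens with the password and contains a key.
check_user() {
    name=$1; p12pass=$2
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$name.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/$name.crt" -noout -text | grep -q 'E-mail Protection' || return 1
    openssl pkcs12 -in "$WORK/$name.p12" -passin "pass:$p12pass" -nodes -nocerts 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

main() {
    make_ca
    issue_user alice "Alice Example" alice@example.com "correct horse"
    issue_user bob   "Bob Example"   bob@example.com   "battery staple"
    check_user alice "correct horse"
    check_user bob   "battery staple"
    echo "bundles ready in $WORK: alice.p12 bob.p12 (plus ca.crt for anyone verifying signatures)"
}
main
```

Keep ca.key offline once the bundles are issued; anyone holding it can mint a certificate for any address in the organisation. One caveat when handing .p12 files to older clients: OpenSSL 3.x encrypts PKCS#12 with AES-256-CBC and PBKDF2 by default, which some older importers reject; its `pkcs12 -export -legacy` switch falls back to the older algorithms for those.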
