Encrypting Your Mail
From iA wiki
Note: this howto currently leans towards Windows users.
Send a ZIP or RAR file
The fastest way to encrypt your mail is to ZIP a separate text file, add a password, and send the file as an attachment. While there are more than one standard of password-protection on zip files, the absolute easiest way is to use the same ZIP program that your recipient uses.
Negatively, you must have a shared password, which may be possible to be overheard or guessed. Other encryption systems do not have this problem but are often more complicated for the average user. In the absense of other security methods, this is ideal.
Check your software help guide for information on how to add a password-protection but find out what software your recipient uses (such as "WinZIP" or "PKZip" products as they add incompatible security. Although different ZIP programs have different ways of doing this, most have an option for "portability" that is almost universally accepted.
Many ZIP utlities are now incorporating strong encryption AES standards as implemented by WinZip, into their programs. RAR also uses this strong encryption by default and often provides better compression but is not as ubiqious as ZIP.
AES encryption is much stronger, but less compatible with older zip utlities than the original Zip 2.0 encryption standard. AES (both 128 bit and 256 bit strength) encryption provides government-strength security to zip and is suitable for securing important documents (generally requiring an 8+ character) password is used. ZIP 2.0 encryption will keep casual attacks at bay, but only AES 128 or AES 256 should be relied upon for sending crucial data.
A recent trend in using AES encryption is software that manages the passwords to automate the encryption/decryption of zip files. For example, MessageLock is a plug-in for Outlook that stores passwords and encrypts/decrypts zip file attachments, and also uses zip AES encryption to secure the contents of email messages.
Again, true security of symmetric-key AES encryption requires a secure means of sharing a password. However it is generally much more simple.
Zip and RAR Programs that incorporate AES encryption:
- Winzip, (trial) www.winzip.com
- TugZip (free) www.tugzip.com
- WinRar (trial) www.winrar.com
- MessageLock for Outlook (trial) www.encryptomatic.com
Use Pretty Good Privacy - Remotely
One system allowing users to talk securely without ever meeting is Pretty Good Privacy, or PGP.
The fastest way to get started is with a Web Mail service such as those listed below. This provides a great starting point understanding and use of PGP.
- HushMail - Free and PGP compatible. HushMail has been in the business for several years now and provides the users with both free and premium accounts. Their for-pay services also include file storage, support for custom domain names, instant messaging, spam filters and more. Features include a Disclosed Source Front End. From the HushMail Corporation.
- Lokmail - Non-free - Features standards-compliant PGP service except older RSA keys. From LOKMAIL, Inc.
- s-mail Another PGP-compatible commercial service
Negatively, these services sometimes can take too much time on a slow connection (encrypted transmissions require more data) and occasionally go offline for maintenance.
Use Pretty Good Privacy - Locally
Use normal E-mail Clients with downloaded encryption software:
- PGP and GPG - also compatible programs for the PGP system of encryption. Visit the PGP page for more information. Some packages integrate easily with Mozilla, Eudora and/or Outlook.
- S/MIME - Common for business customers and very similar to PGP, S/MIME is popular for its simplicity. This is easy to use for most E-Mail Clients and almost totally transparrent to the user. But it puts the burden on the admin and requires some setup time. The downside is that it would require all clients have POP/IMAP capability (not just webmail).
Send A Self-Decrypting File
Many software packages allow users to send an executable file that automatically self-decrypts upon entry of a password. This is even easier than sending a ZIP file, needing no extra software, but requires that the person using it trusts the sender, as viruses can be delivered this way. However, many e-mail services will not allow sending exe files over e-mail.
If you are absolutely certain that your computer is uninfected by a virus - either because you do not run strange programs, have up-to-date anti-virus software, or because you are tech-savvy enough to avoid them, this is a good option. However, some users never run executable files received through e-mail.
Some software that uses self-decryption include:
- Iron Key freeware (note: this program uses the weak DES algorithm)
- Softmode Vigilant commercial software
- Many RAR and ZIP products can be configured to allow self-decompressing archives that also include their encryption options turned-on.
For Administrators: server based e-mail encryption
- STARTTLS - hooks into mail servers, not mail clients)
- Webopedia: S/MIME
- Cryptomail - Free. CryptoMail.org provides you with free, encrypted, anonymous email. Unfortunately its security features are only available to those individuals who use the cryptomail service. Sending outside of their network is insecure. The source code for the system available under an open source license (GPL), which make it possible for anyone to set their own secure web mail. Features include an Open Source Back+Front End. From the CryptoMail Organization. A non-profit organization.
- VGP - (no relation to PGP) - Free and very simple software for e-mail encryption. Users are encouraged to edit in a different window than the provided editor as the "Undo" function is buggy.
- http://www.dekart.com - Free Digital ID - (no relation to PGP) - Free digital certificate. Signing a document, verifying its authenticity, decrypting or encrypting it can be easily done using modern cryptographic methods based on the pair of cryptographic keys. Note: In testing, the service does not appear to work. Since this ID is installed using Internet Explorer and not a simple cert file, it may contain adware/spyware. There was no mention in the User Agreement of such items.