Learn how to protect sensitive emails from unauthorized access using S/MIME encryption, Confidential mode, third-party plugins, and other best practices.
Gmail offers TLS encryption for email transit, but additional security measures are advisable.
S/MIME is a security protocol that encrypts emails using public key cryptography. It's the most secure option but requires both the sender and receiver to support it.
Confidential Mode is a Gmail feature that restricts the forwarding, copying, printing, or downloading of emails and their attachments.
Third-party plugins like Flowcrypt, SendSafely, and Mailvelope provide additional encryption options for Gmail users.
Strac’s Gmail DLP promptly detects and redacts sensitive content in emails. It also provides a variety of data protection measures, such as encryption, alerts, blocking, quarantining, logging, and forwarding.
What is Email Encryption?
Email encryption is the process of transforming the content of an e-mail into a coded format that can only be read by the intended recipient. This is crucial for protecting sensitive information, such as personal data, financial details, and confidential communications, from unauthorized access.
Email encryption typically employs cryptographic techniques to ensure that even if an email is intercepted during transmission, its contents remain secure and unreadable to anyone without the appropriate decryption key.
Types of Email Encryption
There are two main types of email encryption protocols:
S/MIME (Secure/Multipurpose Internet Mail Extensions): This protocol uses a centralized authority to manage encryption keys and certificates. S/MIME is widely supported by major email clients like Gmail and Outlook, making it a popular choice for both personal and business use. It allows for both encryption and digital signing of emails.
PGP (Pretty Good Privacy): PGP operates on a decentralized trust model, where users generate their own key pairs (public and private keys). This method provides more flexibility and control over encryption but requires additional setup through third-party tools. PGP is often used for personal communications and is compatible with various email clients.
How Does Gmail Protect Your Emails?
Gmail employs several security measures to protect emails:
TLS (Transport Layer Security): Gmail uses TLS to encrypt emails during transmission between servers. While this protects emails in transit, it does not secure them once they reach the recipient's inbox.
S/MIME Support: For Google Workspace users, Gmail supports S/MIME, allowing users to send encrypted emails if both sender and recipient have S/MIME enabled.
Confidential Mode: This feature allows senders to set expiration dates for emails, revoke access, and restrict forwarding or copying of messages. However, it does not provide true end-to-end encryption.
Third-Party Plugins: Users can enhance their email security with third-party tools like Flowcrypt or Mailvelope, which provide additional encryption options.
How do you Send an Encrypted Email in Gmail?
Gmail uses TLS to encrypt emails in transit. This leaves emails vulnerable to unauthorized access on reaching the destination server, especially if they linger in the recipient's inbox. You can encrypt emails using S/MIME, Confidential Mode, and other third-party plugins to protect sensitive information. Learn how to use these options to secure your email communications.
S/MIME: Encrypt and digitally sign emails for enhanced security
S/MIME, or Secure/Multipurpose Internet Mail Extensions, is a security protocol that encrypts emails using public key cryptography. When sending an S/MIME encrypted email, the sender encrypts it using the recipient's public key, ensuring only the recipient with the corresponding private key can decrypt it.
You can also use S/MIME to digitally sign emails, verify your identity, and ensure the email has not been tampered with. To digitally sign an email, the sender uses their private key to create a digital signature and attach it to the email. When the recipient receives the email, they can use the sender's public key to verify the digital signature. This can help prevent phishing attacks and other forms of fraud.
Pros:
S/MIME complies with security regulations, making it ideal for corporate use.
Cons:
Implementation may require IT support due to its complexity.
Both parties must support S/MIME to send and receive encrypted emails.
S/MIME does not encrypt the subject line or metadata of emails.
Server issues may expose encrypted emails.
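The signing and encryption flow described above, and the point that S/MIME leaves the subject line unencrypted, shown as an added example using the openssl command line (not part of the original article). The names alice and bob, the example.test addresses, the subject and the message body are constructed, and the self-signed certificates stand in for the CA-issued ones a real deployment uses.

```shell
#!/bin/sh
# Added example: S/MIME sign-then-encrypt round trip with the openssl CLI.
# Names, addresses and message text are constructed for this demo.

make_identity() {   # $1 = name; throwaway self-signed certificate and key
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Sender: sign with Alice's PRIVATE key, then encrypt to Bob's PUBLIC key
# (carried in bob.crt). -from/-to/-subject become headers outside the envelope.
smime_send() {      # $1 = body file, $2 = encrypted output
  openssl smime -sign -text -in "$1" -signer alice.crt -inkey alice.key \
    -out signed.eml 2>/dev/null &&
  openssl smime -encrypt -aes-256-cbc -in signed.eml -out "$2" \
    -from alice@example.test -to bob@example.test \
    -subject "Q3 payroll figures" bob.crt
}

# Recipient: decrypt with the private key matching $1.crt, leaving the
# signed inner message in inner.eml.
smime_decrypt() {   # $1 = identity, $2 = encrypted input
  openssl smime -decrypt -in "$2" -recip "$1.crt" -inkey "$1.key" \
    -out inner.eml 2>/dev/null
}

# Verify Alice's signature; her certificate is trusted directly for the demo.
smime_verify() {    # $1 = signed input, $2 = plaintext output
  openssl smime -verify -text -in "$1" -CAfile alice.crt -out "$2" 2>/dev/null
}

run_demo() {        # works in a fresh temp dir and leaves the shell there
  workdir=$(mktemp -d) && cd "$workdir" || return 1
  make_identity alice && make_identity bob || return 1
  printf 'Account number: 0000-TEST\n' > body.txt
  smime_send body.txt wire.eml &&
    smime_decrypt bob wire.eml && smime_verify inner.eml plain.txt
}

# Print what a mail server sees: the headers, Subject included, stay readable.
run_demo && sed -n '1,/^$/p' wire.eml
```

The printed headers of wire.eml include the Subject in clear text while the body is an opaque enveloped-data blob. Editing inner.eml after decryption makes smime_verify fail, which is the tamper check the signature provides.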
Confidential mode: Prevent accidental sharing of sensitive information
Confidential mode in Gmail is a feature that restricts the forwarding, copying, printing, or downloading of emails and their attachments. Senders can set message expiration dates, revoke access at any time, and require an SMS verification code to allow message access.
This mode is available for personal Gmail and Google Workspace (formerly G Suite) accounts.
Confidential mode doesn't prevent recipients from taking screenshots or utilizing malicious software to copy or download the email content.
How to turn on confidential mode?
For Google Workspace (paid) accounts - Organization level:
Sign in to an administrator account.
In the Admin console, navigate to "Menu" > "Apps" > "Google Workspace" > "Gmail" > "User settings."
In User settings, scroll down to "Confidential mode."
Check or uncheck the "Enable confidential mode" box.
Save your changes.
For Personal Gmail accounts
Open Gmail on your computer.
Click "Compose" to create a new email.
In the bottom right corner of the email composition window, click "Turn on confidential mode."
Set an expiration date and choose whether to include a passcode.
If you opt for "No SMS passcode," Gmail app users can open the email directly, while non-Gmail users will receive an email containing the passcode.
If you choose "SMS passcode," recipients will receive a passcode via text message. Ensure you enter the recipient's phone number, not your own.
Click "Save."
Pros and cons of confidential mode
Confidential mode, while not an encryption method, adds an extra layer of security to your emails. Let’s look at its pros and cons:
Pros:
It is convenient for regulated industries to send secure emails.
Simplifies the process of sending secure emails to all Gmail users.
Cons:
Recipients can still take screenshots or photos of confidential emails.
Recipients can find ways to bypass the expiration date and passcode requirements.
You can’t use confidential mode while scheduling emails.
Enable Confidential Mode by clicking on the lock icon at the base of the compose window. Set expiration dates and access restrictions as needed.
Send the email. The recipient will receive a link or code (if SMS verification is enabled) to access the message.
To open a confidential email:
Check your inbox for the confidential email notification.
Follow the link supplied in the email or enter the verification code if required.
Read the message within the designated time frame before it expires.
How to Ensure you’re Sending an Encrypted Email?
Here's how you can verify email encryption:
Begin composing your email as usual.
Add the recipient to the "To" field.
Notice a small lock icon to the right of the recipient's name; it shows the level of encryption that your message's recipients support. If there are multiple users with various encryption levels, the icon will show the lowest encryption status.
Click the lock to adjust your S/MIME settings or gain insights into your recipient's encryption level.
How to Verify the Encryption of Received Emails?
Follow the steps below to check whether you’ve received an encrypted email:
Open the received email.
Select "View details" on Android and then "View security details." On iPhone, tap "View details."
You'll now see colored icons indicating the encryption level.
Green (S/MIME enhanced encryption): The highest level of encryption; only the recipient with the private key can decrypt the message.
Gray (TLS or standard encryption): Used when an email service doesn't support S/MIME.
Red (No encryption icon): The email is unencrypted.
Security Best Practices With or Without Email Encryption
Regardless of whether you use email encryption, implementing security best practices is essential:
Use Strong Passwords: Create complex passwords that combine letters, numbers, and symbols to enhance account security.
Enable Two-Factor Authentication (2FA): This adds an additional layer of security by requiring a second form of identification when logging in.
Be Cautious with Links and Attachments: Refrain from clicking on suspicious links or opening attachments from unknown sources to prevent malware infections.
Scan Attachments: Use antivirus software to scan all attachments before opening them, even if they are from trusted sources.
Avoid Public Wi-Fi for Sensitive Communications: Public networks can be insecure; use a VPN or avoid accessing sensitive accounts on these networks altogether.
By following these guidelines and utilizing available encryption methods, you can significantly enhance your email security and protect your sensitive information from potential threats.
Alternative Options to Secure Gmail Emails
Besides Gmail’s native security features, third-party plugins can enhance your email security further.
Option 1: Flowcrypt
Flowcrypt is a desktop extension available for Firefox and Chrome. It seamlessly integrates with Gmail and introduces a "Secure Compose" button to your interface. Flowcrypt secures your messages using industry-standard Pretty Good Privacy (PGP) encryption. Here's how to use Flowcrypt:
Install the Flowcrypt extension for your preferred browser.
Click the "Secure Compose" button.
Enter a message password in the input field at the bottom of the “Secure Compose” window.
Click “Encrypt and Send” to send your email.
Option 2: SendSafely
SendSafely is an end-to-end encryption platform that ensures only you and your intended recipients can access shared information. It eliminates the need for pre-shared encryption keys or passwords. Here are the steps to send encrypted emails using SendSafely:
Install SendSafely Extension from the Chrome Web Store.
Authenticate and obtain the API Key and API User ID.
Enable "Google Mail Integration" in SendSafely settings.
Encrypt Attachments - Use the SendSafely icon in Gmail to encrypt attachments.
Encrypt Entire Message - Choose this for complete email encryption.
Option 3: Mailvelope
Mailvelope is a Chrome extension offering PGP encryption for Gmail. It provides robust end-to-end encryption. However, it may require some technical knowledge to set up.
Here's how to use Mailvelope:
Install Mailvelope Extension from the Chrome Web Store.
Open the Mailvelope editor by clicking the Mailvelope icon next to the compose button.
Enter the recipient's email address in the Mailvelope Editor.
Mailvelope will attempt to find the recipient's key. Green indicates success; red means no key was found.
Compose your email, add attachments, and click "Submit" to send securely.
Introducing Strac: Real-time Gmail Data Loss Prevention (DLP)
Strac’s Gmail DLP solution uses advanced algorithms to promptly detect and redact sensitive content in emails, protecting you from accidental data exposure.
When sending an email with sensitive content (in the body or attachment), you can choose from a variety of data protection measures, including:
Redact sensitive content
Encrypt the email
Receive an alert when sensitive content is detected
Block the email from being sent
Quarantine the email for review
Log the email
Forward the email to a specific tag