EMail Encryption

EMail Client Encryption

EMail encryption and signature requires either s/mime support or a PGP add on or support built in. See this page for additional information on PGP. There are several places where you can get free security certificates for use with email. Generally the certificate is only valid for one year thus must be renewed annually. CA's (Certificate Authority) that I am aware of are:

I am sure there are other places, trying do a web search on "free email certificates" for additional locations. Another option is to setup your own Certificate Authority and generate your own certificates. See my page on Certificate Generation for further details. However, this is not really recommended for email clients.

One problem with using security certificates is that they have a private and public key. You need to guard your private key and make sure that it is secure. I have been using TrueCrypt for a while to keep personal data at work encrypted. TrueCrypt will create a virtual secure volume as a disk file, then TrueCrypt will mount that volume to the operating system as a drive letter. This is a good place to put your private keys and then mount the volume when needed. Additional information can be found on TrueCrypt here.


S/MIME was originally developed by RSA Data Security Inc. The original specification used the recently developed IETF MIME specification with the de facto industry standard PKCS #7 secure message format.

Before S/MIME can be used in any of the above applications, one must obtain and install an individual key/certificate either from one's in-house certificate authority (CA) or from a public CA. Best practice is to use separate private keys (and associated certificates) for Signature and for Encryption, as this permits escrow of the encryption key without compromise to the non-repudiation property of the signature key. Encryption requires having the destination party's certificate on store (which is typically automatic upon receiving a message from the party with a valid signing certificate). While it is technically possible to send a message encrypted (using the destination party certificate) without having one's own certificate to digitally sign, in practice, the S/MIME clients will require you install your own certificate before they allow encrypting to others.

A typical basic personal certificate verifies the owner's identity only in terms of binding them to an email address and does not verify the person's name or business. The latter, if needed (e.g. for signing contracts), can be obtained through CAs that offer further verification (digital notary) services or managed PKI service.

Depending on the policy of the CA, your certificate and all its contents may be posted publicly for reference and verification. This makes your name and email address available for all to see and possibly search for. Other CAs only post serial numbers and revocation status, which does not include any of the personal information. The latter, at a minimum, is mandatory to uphold the integrity of the public key infrastructure.

Mozilla Thunderbird

Thunderbird has smime built in and GNUPG (the GNU version of PGP) is available as an add on via Enigmail, information on Enigmail can be found here. Either or both of these can be used to encrypt and/or sign email messages.

Add your encryption private key and certificate

  • Select Tools - Options
  • In Options select the Advanced Icon
  • Under Advanced selected the Certificates tab
  • Click on the "View Certificates" button
  • On the "Your Certificates" tab, click the Import button
  • Browse to your pkcs#12 file (with .p12 extension, see Certificate Generation)

Microsoft Outlook

Microsoft Office Outlook uses certificates (certificate: A digital means of proving your identity. When you send a digitally signed message you are sending your certificate and public key. Certificates are issued by a certification authority, and like a driver's license, can expire or be revoked.) in cryptographic e-mail messaging to help provide more secure communications. To use cryptography when you send and receive e-mail messages, you must first obtain a digital ID (digital ID: Contains a private key that stays on the sender's computer and a certificate (with a public key). The certificate is sent with digitally signed messages. Recipients save the certificate and use the public key to encrypt messages to the sender.) from a certificate authority (certificate authority (CA): An entity, similar to a notary public, that issues digital certificates, keeps track of who is assigned to a certificate, signs certificates to verify their validity, and tracks which certificates are revoked or expired.) (CA). Digitally signing a message applies the sender's certificate and public key (public key: The key a sender gives to a recipient so that the recipient can verify the sender's signature and confirm that the message was not altered. Recipients also use the public key to encrypt (lock) e-mail messages to the sender.) to the message. Your certificate is sent with the message to help authenticate you to the recipient.

A certificate contains a contact's public key. After you add or import the certificate to your contact list, Outlook can use it to verify digitally signed mail from the contact.

Add your encryption private key and certificate

  • Select Tools - Trust Center
  • In Trust Center select E-mail Security
  • Click Import/Export button
  • Browse to your pkcs#12 file (with .p12 extension, see Certificate Generation)

Add a contact and certificate received in an e-mail message to your contact list

  • Open the digitally signed message from the recipient.
  • Right-click the name in the From box, and then click Add to Contacts on the shortcut menu.

If you already have a contact entry for this person, select Update new information from this contact to the existing one.
Notes: To view the certificate for a contact, in the Contacts folder, double-click the contact to open it, and then click the Certificates tab.
To import a certificate (.cer (.cer file: A file that contains a certificate with a public key but no private key. Import the .cer files into Contacts by clicking Import in the Certificates tab, and then use the certificate to send encrypted messages.)) file for a contact into Outlook when viewing the Certificates tab, click Import. You usually import a certificate when a contact sends it to you as an attachment.

Import a certificate into your contact list

  • In Contacts, open the contact form (contact form: A view of an individual contact that contains all the information stored in the contact.) for the contact whose certificate you want to import.
  • On the Contact tab, in the Show group, click Certificates, and then click Import.
  • Locate and select the certificate file that you want, and then click Open.

Note: Certificate files have either a .p7c or .cer file extension.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License