How to encrypt your email

Reader Jack Burns is a bit disconcerted by some recent news. He writes:

After reading stories about the U.S. government's program to collect phone and Internet data I'm a little concerned about my email privacy. What can I do to encrypt my email?

I'd first suggest that you take a gander at "How To Protect Your PC From PRISM Surveillance" from my pals over at PCWorld. As its name implies, it offers some hints on how to attempt to make your computing life more private.

I use "attempt" for good reason. Without being overly paranoid about it, there's every chance in the world that if the NSA and other government agencies want to read your email--encrypted or not--a way will be (or has been) found. On the other hand, the vast majority of the email we generate would be of no interest to your second cousin, much less the government.

Still, these recent events do provide a perfect excuse for running through the steps for encrypting your email on a Mac. They go this way:

Obtain and install a personal certificate

You must first get your hands on a personal certificate. This is a small file, added to the Mac's keychain, that verifies your identity in sent mail. Symantec sells such things for $23 per year (you can also try one for free for 25 days). You'll need a separate certificate for each email address you wish to send encrypted messages from.

You'll be asked to register your email address with the certificate seller. An email message will be sent to that address that contains a link to the certificate. A password will also be sent to you. Click on the link and your default web browser will launch and take you to the certificate download page. Enter the password you received, click Continue, and the certificate will download to your Mac.

Double-click on it and Keychain Access should launch and install the certificate. You'll know that it has if you see the certificate when you click the Certificates category in Keychain Access.

Encrypting your mail

Now that you've installed the certificate, launch Apple's Mail and create a new message. In the New Message window choose the account you've obtained the certificate for from the From pop-up menu. To the right of that pop-up menu you'll see a couple of buttons that you haven't seen before. The first is the Encrypt button that's almost certainly grayed out. The second is the Digital Signing button. By default, this button will bear a check mark, indicating that when you send a message from this account it will be certified to be well and truly from you. Click that button, and you turn off digital signing.

In order for the Encrypt button to become active, you must have a certificate from the person you're sending the message to--their public key, in the parlance of the encryption game. And that means that they too must have installed a certificate. If that condition has been met, this is how the exchange works.

You first send a digitally signed (not encrypted) message to them. When you do this, your public key is also sent to them and added to their list of certificates. They then reply to that message using their certified address. In that reply is their public key, which will be added to your keychain. Now that the two of you have swapped keys, the Encrypt button will become active when you enter their address in a new message's To field.
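The same swap can be reproduced on the command line with OpenSSL's smime tool, which makes each step of the exchange visible. This is an added example, not part of the original article: the throwaway CA, the alice and bob identities, the example.test addresses and every file name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: the S/MIME certificate swap, using a throwaway CA and
# constructed identities (alice, bob, example.test). Requires openssl.
smime_exchange_demo() (
  set -e
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"

  # Demo CA standing in for the certificate seller (constructed).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo Mail CA" -days 1 2>/dev/null

  # One personal certificate per email address.
  for who in alice bob; do
    openssl req -newkey rsa:2048 -nodes -keyout "$who.key" -out "$who.csr" \
      -subj "/CN=$who/emailAddress=$who@example.test" 2>/dev/null
    openssl x509 -req -in "$who.csr" -CA ca.crt -CAkey ca.key \
      -CAcreateserial -out "$who.crt" -days 1 2>/dev/null
  done

  # 1. Alice sends a signed, unencrypted message; her certificate rides along.
  printf 'Hello Bob\n' > hello.txt
  openssl smime -sign -in hello.txt -signer alice.crt -inkey alice.key \
    -out signed.eml

  # 2. Bob verifies the signature against the CA and saves the signer's
  #    certificate from the message (Mail does this via the keychain).
  openssl smime -verify -in signed.eml -CAfile ca.crt \
    -signer alice_from_mail.crt -out /dev/null 2>/dev/null
  [ "$(openssl x509 -in alice_from_mail.crt -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in alice.crt -noout -fingerprint -sha256)" ]

  # 3. Only now can Bob encrypt to Alice, using what arrived in the mail.
  printf 'Meet at noon.\n' > secret.txt
  openssl smime -encrypt -aes256 -in secret.txt -out encrypted.eml \
    alice_from_mail.crt

  # Holding a certificate is not enough: Bob's own key cannot open it.
  if openssl smime -decrypt -in encrypted.eml -recip bob.crt \
       -inkey bob.key >/dev/null 2>&1; then
    echo "unexpected: wrong key decrypted the message" >&2; exit 1
  fi

  # 4. Alice's private key opens it (strip the CRLFs S/MIME adds).
  openssl smime -decrypt -in encrypted.eml -recip alice.crt \
    -inkey alice.key | tr -d '\r'
)

smime_exchange_demo
```

The private key files never leave their owner in this exchange; only the certificates travel, which is why a signed message has to come first.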

Complicated? Yes, a little. But it makes sense that each party has a key to unlock the other's messages. This is something to bear in mind for company email that you want protected from a competitor or personal email that you'd prefer not be seen by friends or family. But, again, it's unlikely to do you any good with agencies that possess The Big Key.
