Email encryption: how far down the rabbit hole should you go?

When you think of encryption, your thoughts might run to The Matrix, depicted as a bunch of green, alien symbols raining down on a computer screen. Well, turns out that reality is not that different.

The concept of "encryption" is to make information unreadable to anyone who shouldn't be able to read it. Pretty easy concept to grasp, right? Encryption is as old as language itself, but these days it mostly centers around digital communication. Which begs two questions: Do you need encryption? and What is encryption really?

Do you need encryption?

Yes.
But before you close this window: not all encryption is created equal, so let’s explore how encryption benefits you:

What is email encryption?

You probably won't be surprised to hear that email encryption simply means to make an email and its contents unreadable. The aim is to ensure no unauthorized person can get hold of the data contained in the email.

So how do you read an encrypted email? Let's jump back to The Matrix. You're Neo, you've just met Morpheus and he gives you the choice between a blue pill and a red pill. The red one lets you see the world as it really is, while the blue one lets you continue living in The Matrix. As the recipient, just like in The Matrix, you must have a red pill to see the information behind an encrypted message. Well, figuratively speaking anyway. In reality, you'd need a decryption key. These can come in different forms, depending on the type of encryption you use.

Why do you need encrypted email?

To protect your information from agents, i.e. third parties, of course! Using email encryption doesn't mean that no one else can access your messages. What it does mean is that no one can access the contents of your email in a meaningful way - if you manage your encryption keys properly, that is.

First step is keeping your keys separate from your data protection or cloud provider. Why? Because US authorities have the right to request data stored in US-owned clouds, under the CLOUD Act. Therefore, if the keys are stored with the provider, the authorities may access the decrypted version of your emails. But if the keys are stored separately, these authorities will only be able to see the encrypted version of your email. Watch our webinar with GDPR and data protection expert Alexander Hanff here to learn more about how you can be GDPR compliant in the cloud.

In short, a primary reason to encrypt your emails is to prevent unauthorized people from accessing it. Just like in the Matrix, this means keeping your data safe from cybercriminals and unauthorized authorities alike.

Another reason for encrypting privacy-sensitive information however is even more straightforward: GDPR compliancy demands it. You can compare an email to a postcard: other people can see the message if they want to. This could be your own data administrators or internet service providers. Therefore, it is considered illegal to send information, such as personal data, unencrypted through emails.

Want to read more about encryption? You can find everything you need to know about encryption here.

One encryption is not the same as another

So if encryption is like The Matrix, where you need a pill (or a decryption key) to read the underlying information, does that mean that there's only one way to encrypt?

Nope! There are several different encryption techniques. The most common ones are:

• TLS encryption
• End-to-end encryption

TLS encryption

This is the standard encryption used by big-name email clients like Outlook and Gmail. TLS encryption is also known as ‘encryption in transit’ which, as the name suggests, means that the encryption takes place while the email is being sent between internet connections.

TLS encryption alone is unfortunately not a secure option when exchanging sensitive data. Firstly, because there is no guarantee that your email is protected all the way through! Both the sender and the recipient must be using TLS encryption or the message will only be encrypted from the sender to the server, but not from the server to the recipient.

Another factor is that TLS encryption only encrypts the channel itself, and not the message. This means that if someone were to break into the channel, the message will appear unencrypted.

In other words, TLS encryption alone is not a good choice for secure email.

End-to-end encryption

End-to-end encryption is often viewed as the be-all-end-all of encryption. Why? It's much more secure: it protects your email from start to finish by making sure both the email and its contents are encrypted. This makes it unreadable to anyone except the recipient, who is in possession of the decryption key.

However, as we mentioned before, it's important that these keys are kept separate from your providers. This is called zero knowledge and means that no one except the recipient and the sender has access to the encryption keys.

In fact, end-to-end encryption with zero knowledge means that no suppliers have access to your encryption keys. Remember the CLOUD Act we mentioned before? Even if the US authorities, or other third parties, demand an insight in your email traffic, the data they can view will be completely useless. End-to-end encryption with zero knowledge means that no one other than the recipient and the sender have access to the encryption keys. This is why SmartLockr uses end-to-end encryption with zero knowledge!

What are CLOUD Act and Screens II? And what impact do they have on the AVG and its citizens? That and much more explained here.

To sum up: secure digital communication cannot exist without encryption, but not all encryption is equally secure. To protect your data and comply with GDPR, you need: an encrypted data protection system that uses end-to-end encryption with zero knowledge.

Read here how to lock your digital front door with zero knowledge encryption.

Now that you've read our blog, will you continue using a non-encrypted email solution, or are you ready to take the red pill and go all the way down the rabbit hole…all the way to zero knowledge end-to-end encryption?