Email Encryption and Digital Signature

Quick guide to email encryption and email digital signatures in eM Client

Email encryption involves encrypting the content of an email message in order to protect potentially sensitive information from being read by anyone other than intended recipients.

Even on a network you trust, a message can be read by whoever gets hold of it in transit or on any server where it is stored. Encryption makes the content of your emails unreadable to everyone but the intended recipients, so an intercepted message reveals nothing of what it says. Keep in mind that PGP and S/MIME encrypt only the message body and attachments: the headers (sender, recipients, subject, date) stay readable, because mail servers need them to deliver the message.

A digital signature guarantees that the contents of a message have not been altered since it was signed and that it was signed with a particular private key. It is a cryptographic value attached to the message, which recipients verify with the sender's public key to confirm both the contents and the sender's identity.

The main concept used for email encryption and digital signatures is public-key cryptography, also known as asymmetric cryptography. Both S/MIME and PGP protocols, which eM Client supports, use this concept.

In this system every user has a keypair: two mathematically linked keys, the public half of which is bound to the user's email address (in the PGP user ID or the S/MIME certificate):

  • A Private key that must be kept secret and never shared. It is used to digitally sign outgoing messages and to decrypt incoming ones.
  • A Public key that is meant to be distributed to other users. They use it to verify your digital signatures and to encrypt messages that only you can decrypt.

This separation of keys is the foundation of message encryption and signing: anything encrypted with a public key can be decrypted only with the matching private key, and a signature made with a private key can be verified by anyone holding the public key.

Why and when to use email encryption

Use encryption whenever you want to be sure that nobody without your private key (and its password) can read your messages, not even someone with access to your own computer or to your mailbox provider's servers. The message is encrypted before it leaves your client and stays encrypted until the recipient decrypts it, so it is protected during its entire journey; only the headers remain visible.

Why use digital signatures in emails

Email digital signatures give your recipients assurance that a message really came from the holder of the signing key and was not tampered with on the way. Equally, you can verify the sender of signed messages you receive and be sure nothing was changed in transit. That assurance is only as good as your knowledge that the key belongs to the person you think it does (see the fingerprint check below), and signing by itself does NOT encrypt the message: a signed but unencrypted email is readable by anyone who intercepts it.

What is PGP

PGP is one of the cryptographic methods available for email encryption and digital signatures. It stands for "Pretty Good Privacy" and was first released in 1991. Although it is associated mainly with email, PGP can be applied to any text or file.

PGP uses asymmetric cryptography, so every user has a keypair: a Private key used for digital signatures and for decrypting incoming messages, and a Public key used by others to encrypt messages to you and to validate your digital signatures.

Each PGP key has a unique Fingerprint: a short hexadecimal string computed by hashing the public key. Because any change to the key changes the fingerprint, it lets users verify keys received over unsecured channels, such as email itself, and be sure a key was not replaced or altered on the way, which would compromise all later communication with it.

The fingerprints on the sender's and recipient's side should be compared over a separate channel, e.g. a phone call, and it is the full fingerprint that should be compared, not the shorter key ID.
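How a fingerprint is derived from the key, and how to compare one that a contact reads out over the phone, as an added example (it is not eM Client's code). It follows RFC 4880: a version 4 fingerprint is SHA-1 over the byte 0x99, the two-octet packet length and the public-key packet body, and the long key ID is the last 16 hex digits. The RSA modulus, exponent and creation time are constructed sample values, not a real key.

```python
"""How a PGP fingerprint is derived and how to compare one read over the phone.

Added example (not eM Client's code). RFC 4880 section 12.2: a version 4
fingerprint is SHA-1 over 0x99, the two-octet packet length, and the body of
the public-key packet; the long key ID is the last 16 hex digits. The RSA
modulus below is constructed from a hash so the example runs offline; it is
not a valid RSA key.
"""
import hashlib
import hmac


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes."""
    return value.bit_length().to_bytes(2, "big") + value.to_bytes(
        (value.bit_length() + 7) // 8, "big")


def rsa_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet for RSA: version 4, creation time,
    algorithm id 1 (RSA), then the MPIs n and e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def fingerprint_v4(packet_body: bytes) -> str:
    """40-digit upper-case hex fingerprint of a v4 public-key packet body."""
    framed = b"\x99" + len(packet_body).to_bytes(2, "big") + packet_body
    return hashlib.sha1(framed).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID shown in most key lists: low-order 8 bytes of the fingerprint."""
    return fingerprint[-16:]


def display(fingerprint: str) -> str:
    """Groups of four, the way key detail dialogs print it for reading aloud."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def fingerprints_match(read_aloud: str, shown_locally: str) -> bool:
    """Compare the fingerprint your contact reads out with the one your client
    shows: ignore spacing and letter case, require all 40 digits (a key ID
    alone is too short to be collision-resistant), compare in constant time."""
    def normalize(s: str) -> str:
        return "".join(s.split()).upper()
    a, b = normalize(read_aloud), normalize(shown_locally)
    return len(a) == 40 and len(b) == 40 and hmac.compare_digest(a, b)


# Constructed sample key material (NOT a real RSA modulus): a 1024-bit odd
# number derived from fixed strings, plus the usual public exponent 65537.
SAMPLE_N = int.from_bytes(hashlib.sha512(b"sample n, first half").digest()
                          + hashlib.sha512(b"sample n, second half").digest(),
                          "big") | (1 << 1023) | 1
SAMPLE_E = 65537
SAMPLE_CREATED = 1700000000  # seconds since the Unix epoch, arbitrary

SAMPLE_BODY = rsa_public_key_packet_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
SAMPLE_FPR = fingerprint_v4(SAMPLE_BODY)

# A key altered in transit (here: the exponent was swapped) has a different
# fingerprint, which is exactly what the phone comparison catches.
TAMPERED_FPR = fingerprint_v4(rsa_public_key_packet_body(SAMPLE_N, 3, SAMPLE_CREATED))

if __name__ == "__main__":
    print("fingerprint:", display(SAMPLE_FPR))
    print("key ID:     ", long_key_id(SAMPLE_FPR))
    print("tampered:   ", display(TAMPERED_FPR))
    print("match?", fingerprints_match(display(SAMPLE_FPR).lower(), SAMPLE_FPR))
```

The comparison helper accepts the fingerprint as people actually read it (grouped, lower case) but insists on all 40 digits: two different keys can share a short key ID, which is why the full fingerprint is what gets compared on the call.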

There are two ways to use PGP in emails:

  • PGP/MIME, the standard that encrypts and signs the entire message as one MIME object, including formatted text, embedded pictures and attachments, or
  • Inline PGP, a simpler scheme that encrypts or signs only the plain-text body; attachments are not covered and travel unprotected unless you encrypt them separately.

In order to maximize compatibility, eM Client supports both PGP standards for sending and receiving messages.

How to set up PGP encryption in eM Client

eM Client allows you to easily set up encryption for any account, whether you need to create a new PGP keypair or have one ready for import.

Set up encryption

In the first step you can decide if you want to create a new keypair, import an existing key from your old app or continue without encryption for now.

You can create a new keypair or import anytime later in the Menu > Settings > Signing and Encryption > Certificates and Keys section of eM Client.

Create New PGP keypair

To create your keypair you need to assign a password to it.

PGP uses this password to encrypt your Private key on disk, so nobody who merely copies the key file can use it. You will be asked for the password whenever you decrypt an incoming message or digitally sign an outgoing one. Choose a long passphrase: if your key file is ever stolen, the password is the only thing standing between the thief and your private key.

You can also specify a key size of your keypair.

Key size is the size of the key used by the cryptographic algorithm. A bigger key is more secure but takes a little longer to create, and encrypting or decrypting messages with it takes more time as well. For RSA keys (the most common type), 2048 bits is the usual minimum today; 3072 or 4096 bits gives a larger security margin.
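What the key password actually does, as an added example rather than anything from eM Client: OpenPGP stretches the password into the symmetric key that encrypts the private key on disk, using the "iterated and salted" string-to-key method of RFC 4880. The page does not say which hash or iteration count eM Client uses, so both are parameters here, and the salt and passphrases in the demo are constructed values.

```python
"""What the key password does: OpenPGP stretches it into the symmetric key that
encrypts the private key on disk, using "iterated and salted" string-to-key
(S2K, RFC 4880 section 3.7.1.3). Added example, not eM Client's code; the page
does not say which hash or iteration count eM Client uses, so both are
parameters here and the values used below are assumptions.
"""
import hashlib
import os


def s2k_count(coded: int) -> int:
    """Decode the one-octet iteration count: (16 + (c & 15)) << ((c >> 4) + 6).
    Ranges from 1024 octets (c = 0x00) to 65011712 octets (c = 0xFF)."""
    if not 0 <= coded <= 255:
        raise ValueError("coded count is a single octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def iterated_salted_s2k(passphrase: str, salt: bytes, coded_count: int,
                        key_len: int = 32, hash_name: str = "sha256") -> bytes:
    """Derive key_len bytes of symmetric key from a passphrase.

    salt || passphrase is fed into the hash repeatedly until `count` octets
    have gone in (the last copy may be cut short); if count is smaller than one
    copy, one whole copy is hashed. The salt defeats precomputed tables, the
    count multiplies an attacker's cost per guessed password. RFC 4880 uses
    extra zero-preloaded hash contexts when key_len exceeds the digest size;
    this example keeps to one context and rejects that case.
    """
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    h = hashlib.new(hash_name)
    if key_len > h.digest_size:
        raise ValueError("key_len exceeds digest size; extra contexts needed")
    block = salt + passphrase.encode("utf-8")
    remaining = max(s2k_count(coded_count), len(block))
    # Feed whole copies in larger slices for speed; the hashed stream is
    # identical to feeding one copy at a time.
    stream = block * max(1, 4096 // len(block))
    while remaining > 0:
        chunk = stream[:remaining]
        h.update(chunk)
        remaining -= len(chunk)
    return h.digest()[:key_len]


def demo() -> dict:
    """Same passphrase with another salt or count, or a different passphrase,
    yields a different key. Salt and passphrases are constructed for the demo;
    a real client draws the salt from os.urandom(8)."""
    salt = bytes.fromhex("0123456789abcdef")
    pw = "correct horse battery staple"
    return {
        "key": iterated_salted_s2k(pw, salt, 0xFF),
        "other_count": iterated_salted_s2k(pw, salt, 0x60),
        "other_salt": iterated_salted_s2k(pw, os.urandom(8), 0xFF),
        "wrong_passphrase": iterated_salted_s2k(pw.capitalize(), salt, 0xFF),
        "octets_hashed_per_guess": s2k_count(0xFF),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value.hex() if isinstance(value, bytes) else value}")
```

The iteration count is the only knob that makes guessing slow: at the maximum coded count every password guess costs about 65 MB of hashing, which is why a stolen key file with a long passphrase is still a hard target, and why a short password undoes the protection regardless of key size.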

Save your private key

In this step you can save your Private key to a safe storage.

All encrypted messages you receive once you start using PGP can only be decrypted by using your Private key and password. If you lose your private key, you will not be able to decrypt the messages and read them ever again.

This also applies to the encrypted messages you sent from eM Client, because eM Client encrypts the copy in your Sent folder to your own public key, so it too can be opened only with your private key.

The keypair will be exported into an ASC file which you then need to store safely. You can save it in the Documents folder on your device, but in case the device is stolen or damaged you should keep an external backup as well: a protected cloud storage, an external USB drive or another device, so that you can recover the key at any time. Treat the file itself as secret, since it contains your private key, and store its password separately from the backup.

If you don’t save the key now, you can do so any time later by saving the key in the Menu > Settings > Signing and Encryption > Certificates and Keys section.
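A check worth running on the saved ASC file before you rely on it as a backup, as an added example that is not eM Client's code: it confirms the file is a PGP private key block, verifies the CRC-24 checksum that ends every ASCII-armored block (RFC 4880 section 6), and checks that the first packet carries the secret-key tag. The sample files are constructed with placeholder bytes instead of key material; a real export from eM Client would be the input.

```python
"""Sanity-check a saved .asc backup before you rely on it: is it a private key
block, is the ASCII armor intact (RFC 4880 section 6: Radix-64 plus a CRC-24),
and does the first packet carry the secret-key tag? Added example, not eM
Client's code. The key bytes below are constructed placeholders, not a key.
"""
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
SECRET_KEY_TAG, PUBLIC_KEY_TAG = 5, 6


def crc24(data: bytes) -> int:
    """CRC-24 exactly as given in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(block_type: str, data: bytes, comment: str = "") -> str:
    """Wrap binary packets in ASCII armor (used here only to build samples)."""
    lines = [f"-----BEGIN PGP {block_type}-----"]
    if comment:
        lines.append(f"Comment: {comment}")
    lines.append("")
    b64 = base64.b64encode(data).decode("ascii")
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii"))
    lines.append(f"-----END PGP {block_type}-----")
    return "\n".join(lines) + "\n"


def dearmor(text: str) -> dict:
    """Parse armor into block type, decoded bytes and a CRC verdict."""
    lines = [l.rstrip("\r") for l in text.strip().splitlines()]
    head, tail = lines[0], lines[-1]
    if not (head.startswith("-----BEGIN PGP ") and head.endswith("-----")):
        raise ValueError("not an armored block")
    block_type = head[len("-----BEGIN PGP "):-len("-----")]
    if tail != f"-----END PGP {block_type}-----":
        raise ValueError("armor tail missing or mismatched (truncated file?)")
    i = 1
    while i < len(lines) and lines[i].strip():   # skip armor headers
        i += 1
    body = [l for l in lines[i:-1] if l.strip()]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    crc_ok = (crc_line is not None and
              base64.b64decode(crc_line[1:]) == crc24(data).to_bytes(3, "big"))
    return {"type": block_type, "data": data, "crc_ok": crc_ok}


def first_packet_tag(data: bytes) -> int:
    """Tag of the first OpenPGP packet, old or new header format (RFC 4880 4.2)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("first octet is not a packet header")
    return first & 0x3F if first & 0x40 else (first >> 2) & 0x0F


def backup_is_usable(text: str) -> bool:
    """True only for an intact armored PRIVATE KEY BLOCK that starts with a secret-key packet."""
    try:
        info = dearmor(text)
    except ValueError:
        return False
    return (info["type"] == "PRIVATE KEY BLOCK" and info["crc_ok"]
            and first_packet_tag(info["data"]) == SECRET_KEY_TAG)


# Constructed samples: old-format packet header for tag 5 (0x95) or tag 6
# (0x99) with a two-octet length, followed by placeholder bytes.
_body = bytes(range(32)) * 3
SAMPLE_PRIVATE_BACKUP = armor("PRIVATE KEY BLOCK",
                              b"\x95" + len(_body).to_bytes(2, "big") + _body,
                              comment="constructed for this example")
SAMPLE_PUBLIC_EXPORT = armor("PUBLIC KEY BLOCK",
                             b"\x99" + len(_body).to_bytes(2, "big") + _body)


def corrupt_one_char(text: str) -> str:
    """Simulate a damaged backup by changing one Radix-64 character mid-line."""
    lines = text.splitlines(keepends=True)
    for n, line in enumerate(lines):
        if n > 0 and line.strip() and not line.startswith(("-----", "Comment:", "=")):
            lines[n] = line[:10] + ("B" if line[10] != "B" else "C") + line[11:]
            break
    return "".join(lines)
```

Run it against the file you saved and the copy on your backup medium. A public key export passes the armor check but fails the block-type and tag checks, a truncated file fails the tail check, and any bit damage fails the CRC; none of these would be noticed just by looking at the file in a text editor.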

Share your public key

To encrypt an outgoing email, you need the Public key of the person you are sending the message to. Likewise, if you want to receive encrypted messages, you need to distribute your own Public key.

You can distribute this key yourself by sending it or bringing it over to your friends and contacts, or you can use our public key directory - eM Keybook.

Once you upload your key, eM Keybook will provide your Public key to the users who want to send you an encrypted message and automatically find Public keys of the contacts you’re writing to when you select to encrypt your message.

What is eM Keybook

eM Keybook is a Public key directory managed by the company eM Client. It’s an online service where you can upload and manage your public keys so anyone can easily send you encrypted messages and you can easily get public keys of the recipients you want to send encrypted messages to.

We noticed that, although PGP encryption has long been available in eM Client, only a small share of users took advantage of it. The most common reason was the difficulty of exchanging keys: both sender and recipient need a PGP keypair of their own plus the other party's public key, and collecting these for all your contacts was cumbersome.

So we created eM Keybook to make distribution of public keys faster and more accessible so that anyone who wants to send and receive encrypted messages can easily do so.

eM Keybook stores the Public keys that you upload and allows public keys to be exchanged between all eM Client users. If the contact you are writing a new message to has a Public key in the eM Keybook directory, eM Client will automatically download and apply it for you when you enable encryption for your message. Like any key directory, eM Keybook is not a certification authority (see below), so for anything sensitive a downloaded key still deserves the fingerprint check described under Key distribution.

You can either upload the key during the keypair creation or anytime later in Menu > Settings > Signatures and Encryption > Certificates and Keys. In the Manage Certificates/Keypairs window you can use the ‘Upload to eM Keybook’ button to make your public key available to all eM Client users.

You can also remove your keys at any time in the Menu > Settings > Signatures and Encryption > eM Keybook section – just look up keys for your email address and then use ‘Remove from eM Keybook’ button to delete them from the service.

eM Keybook does not save nor have access to any of your Private keys or passwords. It does not give anyone access to your encrypted messages or save any of your encrypted messages on our servers.

eM Keybook is not a Certification authority and does not issue new email encryption certificates or email digital signature certificates.

Key distribution

When you are set up, you will want to distribute your Public key to people you plan to exchange secured messages with.

My friend and I both use eM Client with eM Keybook

This is the easiest setup: if you have both uploaded your keys to eM Keybook, eM Client will automatically offer to download your friend's public key and use it once you enter their address in a new message window and click Send.

My friend uses an older version of eM Client or a different program

In this case you can send your key from Menu > Settings > Signing and Encryption > My certificates/keys. Double-click a certificate to open its detail view, then click the "Send" button to distribute the key to recipients of your choice. The recipients receive a message with the key attached, which they can import into the eM Client PGP key storage or into any other app.

Professional tip:

Verify any key received this way with its owner over a channel other than email, e.g. by phone: call each other and compare the Fingerprint shown in the key details on both sides, digit by digit. A key that arrives by email without such a check could have been replaced by anyone able to intercept or forge email, and everything you then encrypt to it would be readable by that party.

Sending encrypted emails

After having exchanged PGP keys with your contacts, you can proceed with sending signed and/or encrypted emails. Icons for encryption (a lock) and digital signature (a stamp) should appear in the new message editor toolbar in eM Client.

Once you decide to send an encrypted message, eM Client will automatically select the proper encryption technology to apply – S/MIME or PGP – based on the recipients’ public certificates and keys.

If there are no valid public keys available for selected recipients, a warning notification appears before the message is actually sent out.

The first detected key is used for your digital signature, but it is possible to select a key manually, should you use more keys for the same email address.

Different PGP formats for encryption

When using PGP you can choose between the PGP/MIME and Inline PGP formats.

eM Client automatically selects the most suitable option, in most cases PGP/MIME, which protects text formatting and attachments as well as the text itself.

Inline PGP, in comparison, is a simpler format that encrypts only the plain-text body. It is the choice when you need maximum compatibility with older applications that cannot handle PGP/MIME, at the cost of formatting and of any attachments, which are sent unprotected.

The automatic selection of PGP format settings can be changed in Menu > Message > Format of PGP.
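What the two formats listed under "What is PGP" and compared in this section look like on the wire, as an added example that is not eM Client's code: a small classifier that tells PGP/MIME (the RFC 3156 multipart/encrypted and multipart/signed structures) from inline PGP and reports what each leaves readable. The three messages are constructed and kept minimal; the PGP blocks inside them are placeholder text, not real ciphertext or signatures.

```python
"""Tell PGP/MIME (RFC 3156) from inline PGP on the wire and report what each
leaves readable. Added example, not eM Client's code. The messages are
constructed and kept minimal; the PGP blocks in them are placeholder text,
not real ciphertext or signatures.
"""
import email
from email import policy

# PGP/MIME, encrypted: the whole original message (body, formatting,
# attachments) is the ciphertext in part 2; only the outer headers are readable.
PGP_MIME_ENCRYPTED = b"""\
Subject: Q3 numbers (the subject is NOT encrypted)
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

placeholder ciphertext (constructed for this example)
-----END PGP MESSAGE-----
--b1--
"""

# PGP/MIME, signed: part 1 is the content exactly as sent, part 2 a detached
# signature over it; the text is readable, but any change breaks the signature.
PGP_MIME_SIGNED = b"""\
Subject: signed note
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha256; boundary="b2"

--b2
Content-Type: text/plain

Meeting moved to 10:00.
--b2
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

placeholder signature (constructed for this example)
-----END PGP SIGNATURE-----
--b2--
"""

# Inline PGP: only the text body is an armored message; the PDF attached next
# to it travels in the clear.
INLINE_WITH_ATTACHMENT = b"""\
Subject: contract
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----

placeholder ciphertext (constructed for this example)
-----END PGP MESSAGE-----
--b3
Content-Type: application/pdf
Content-Disposition: attachment; filename="contract.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b3--
"""


def classify_pgp(raw: bytes) -> dict:
    """Report a message's PGP format and what stays readable in transit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype, proto = msg.get_content_type(), msg.get_param("protocol")
    report = {"format": None, "encrypted": False, "signed": False,
              "exposed_attachments": [], "visible_subject": str(msg["Subject"] or "")}
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        # A signature, if any, sits inside the ciphertext: unknown until decrypted.
        report.update(format="PGP/MIME", encrypted=True, signed=None)
    elif ctype == "multipart/signed" and proto == "application/pgp-signature":
        report.update(format="PGP/MIME", signed=True)
    else:
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body is not None else ""
        report["exposed_attachments"] = [p.get_filename() for p in msg.iter_attachments()]
        if "-----BEGIN PGP MESSAGE-----" in text:
            report.update(format="inline", encrypted=True, signed=None)
        elif "-----BEGIN PGP SIGNED MESSAGE-----" in text:
            report.update(format="inline", signed=True)
    return report
```

The inline message is the instructive case: the body is unreadable, but the classifier lists contract.pdf as exposed because inline PGP never touched it, and in all three cases the Subject line is reported as visible, which is the header limitation that applies to both formats.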

Reading of encrypted/signed messages

Opening and reading a signed and/or encrypted message in eM Client is simple. The digital signature is validated automatically when you open the email; for the validation to work, the sender's public key must be stored in eM Client or in the operating system. If the signature is valid, meaning the message was not modified after it was signed and was signed with that key, the notification "This message was signed" appears under the message header. This tells you the message came from the holder of that key, which is the sender you expect only if you have verified the key's fingerprint.

To read an encrypted message, eM Client needs your password-protected private PGP key. After you enter the password, the message is decrypted and displayed.
