Gmail Encryption: Your practical guide to safeguarding emails in Gmail
Seeking to safeguard your Gmail correspondence? Explore our detailed 2023 tutorial that explains the ins and outs of Gmail encryption.
Why does Gmail encryption matter? Once you create a Gmail account, Google can access and analyze the content of your emails. That ability is used mainly to filter spam out of your inbox, but it also means your email data is not entirely private. Encrypting your Gmail messages is therefore the way to improve their privacy and security.
But while you may appreciate Google looking out for you when it comes to spam and computer viruses, you may not want Google’s eyes on your strategic business plans, intellectual property, or trade secrets.
So how can you send encrypted emails in Gmail, so that your email content is truly for your (and your recipient’s) eyes only? The following guide explains the security measures that Google does (and does not) take with your emails, why Google doesn’t already use the strongest measures of encryption to protect your privacy, and what you can do to secure your email content when using Gmail.
When should you use Gmail encryption?
Here are a few examples of email content or situations where the hassle of encrypting your Gmail might be worthwhile:
Sensitive Personal Information
If you send emails that contain personal and sensitive information, such as financial details, social security numbers, medical records, or legal documents, encryption ensures that only the intended recipient has access to this sensitive data.
Trade Secrets and Intellectual Property
If you exchange emails containing trade secrets, proprietary information, or intellectual property, encryption minimizes the risk of unauthorized access or potential data breaches that could lead to the theft or misuse of valuable information.
Confidential Business Communication
If you send emails discussing strategic plans, negotiations, mergers, or acquisitions, encryption can mitigate the risk of sensitive business information falling into the wrong hands or being intercepted by competitors or unauthorized parties.
Whistleblowing and Investigative Journalism
If you handle sensitive information, you may want to communicate securely to protect your sources and maintain the confidentiality of your investigations. End-to-end encryption ensures that your email content remains secret, even from the email server, reducing the risk of potential surveillance or compromising the identity of sources.
Political Dissent and Activism
If you are engaged in political dissent and activism, encryption can protect your privacy, prevent potential surveillance or targeting, and allow for free and open dialogue without fear of repercussions.
It’s important to note that while end-to-end encryption can help protect the content of your Gmail emails from Google’s email servers, metadata such as sender, recipient, and timestamps may still be accessible to Google. For complete anonymity and privacy, additional measures like using anonymous, encrypted email services – Proton Mail is a well-regarded one – or encryption tools that don’t rely on email servers may be necessary.
What does Google do to secure Gmail emails – and why isn’t that enough?
Google uses secure HTTPS and TLS connections for data in transit. That means that when data is passing from your web browser to a Google email server, or from one Google email server to another, it is encrypted and protected from interception.
When the data is actually on a Google email server, however, it is in cleartext, meaning it is not encrypted and is readable as-is. This is how Google is able to check your emails for spam: by scanning and understanding the content. Once your email is in readable form on someone else’s server, it can potentially be intercepted and read if that server is compromised.
The only thing that solves this privacy issue is end-to-end encryption: where the message is encrypted on your local device before it even gets sent to the servers of the messaging system (in this case, Google’s). WhatsApp, for example, has built-in end-to-end encryption. From the time your message leaves your device, it is never in cleartext until it reaches the device of your recipient.
Why doesn’t Google use end-to-end encryption for Gmail?
Gmail, as a widely used email service, does not provide native end-to-end encryption for a few reasons:
User Experience and Convenience
End-to-end encryption adds complexity to the email experience. It requires users to manage encryption keys, exchange keys securely with recipients, and handle the encryption and decryption process. While this level of security is valuable to some users, it can be challenging for the average email user to set up and use effectively.
Interoperability and Compatibility
End-to-end encryption requires both the sender and the recipient to use compatible encryption methods and have the necessary encryption software or tools. While WhatsApp sends messages only to WhatsApp, Google has to send its email messages to Hotmail, Yahoo Mail, AOL Mail, and hundreds of other providers. Achieving widespread adoption and interoperability across different email providers can be challenging, as it would require a standardized encryption protocol that all email services would need to support.
Spam and Security Measures
Gmail employs various spam filters and security measures to protect users from malicious emails and phishing attempts. These measures involve scanning email content to detect potential threats and filtering out spam. Implementing end-to-end encryption could hinder these security measures, as the content would be encrypted and not easily scannable.
How to encrypt your Gmail emails
Now that you have the full picture of Gmail encryption, let’s get practical.
To send a truly secure, private email in Gmail, you have two different options:
- Use a browser extension
- Use manual PGP/GPG encryption
Let’s go through these in more detail.
Use browser extensions to encrypt your Gmail emails
Several browser extensions and add-ons offer end-to-end encryption for Gmail. These extensions work by encrypting the email content locally on your device before it is sent. The recipient also needs to have the same extension installed.
Some of the best secure mail extensions for Gmail:
Mailvelope
Mailvelope is a browser extension available for various browsers, including Chrome and Firefox. It integrates with popular webmail services like Gmail, Yahoo Mail, and Outlook.com. Mailvelope utilizes the OpenPGP standard for encryption and digital signatures. It allows users to generate encryption keys, import existing keys, and exchange public keys with their contacts. Mailvelope provides a user-friendly interface for encrypting and decrypting emails, along with key management features.
FlowCrypt
FlowCrypt is another browser extension designed to add end-to-end encryption to webmail services. It works with Gmail and supports both Chrome and Firefox browsers. FlowCrypt uses the OpenPGP standard and provides a user-friendly interface for generating and managing encryption keys. It also offers additional features like key backup, searching encrypted emails, and integrating with third-party PGP tools.
The upside of browser extensions is that they make the encryption process much easier for the average businessperson or other non-technical user.
There are a few downsides, however:
- you are giving a third party access to your Gmail and relying on them for your security
- anything you do in a browser (clicks, keystrokes, etc.) can technically be monitored by the owner of the website you’re on
- not all browser extensions enable you to encrypt and send secure Gmail attachments
So if you don’t mind getting a little more technical for more flexibility and peace of mind, then you can move up to:
Use manual PGP/GPG encryption for Gmail
PGP (Pretty Good Privacy) is a proprietary encryption software around which an OpenPGP standard was developed, and GPG (GNU Privacy Guard) is an open-source implementation of that standard.
In order to manually do Gmail PGP encryption for your emails, you’ll need to download a PGP or GPG software program to your local device. If you have Windows as your operating system, a good option is GPG4Win. If you have a different operating system, here is GPG’s list of software.
Once you download and install GPG4Win (for example), you will have a local software program where you can do all your encryption, and only then paste the encrypted message into Gmail.
Here’s what the process looks like:
You don’t necessarily need the GpgOL (for Outlook) or GpgEX components, but you will need Kleopatra.
After installation, Kleopatra should open automatically.
Create a New Key Pair if this is your first time using encryption for your email address.
Key pair: a little technical background
This key pair consists of two distinct cryptographic keys: a public key and a private key. The public key is intended to be shared with others and is used to encrypt messages that are sent to you. The private key, on the other hand, must be kept confidential and is used to decrypt messages that are encrypted with your public key. The two keys are generated together and are mathematically linked, so only the private key can decrypt messages encrypted with the corresponding public key.
Once you’ve created your Key Pair, Kleopatra will prompt you to put in the name and email address to associate with this Key Pair. This will create an OpenPGP Certificate, which has details such as the user’s name, email address, and the public key itself. It serves as a way to verify the association between a person’s identity and their public key.
Your recipient’s public key
One big caveat for relying on PGP/GPG and encryption keys for security, whether you’re doing it manually or through a browser extension: you need to be 100% sure that the key pair and/or OpenPGP certificate with its public key was created by the person you want to be communicating with. Your recipient should have given you their public key in person, through a different secure channel, or in any other way that leaves no doubt in your mind that this public key was not created by an impersonator claiming to be them.
Kleopatra gives you the option to encrypt text content for an email and also encrypt files, so you can send secure Gmail attachments.
Here’s what you get:
Copy your encrypted message (total gibberish, right?) and paste it into Gmail.
When your intended recipient opens your email, they will see that it is encrypted. They will copy and paste the encrypted text into Kleopatra or a similar program to decrypt it and verify that it did, in fact, come from you.
And that’s how you send an encrypted email in Gmail!
Why Gmail’s confidential mode is not encryption
Gmail’s Confidential Mode sounds like it should make your emails secure, but it’s really only an extra layer of security that makes it a bit harder for your email contents to get passed along.
When you enable Confidential Mode, you can set an expiration date for the email, prevent recipients from forwarding, copying, or printing the message, and even require a passcode for access.
But the email is still stored as cleartext on Google’s email servers, and it’s still saved in your Gmail Sent emails, and all one needs to do to pass your email contents along is to take a screenshot of the email.
So while Confidential Mode is certainly helpful to prevent accidental distribution of sensitive information, it’s not encryption and it’s not wise to rely on it for any information you really want to stay private.
Gmail encryption: Your email is your own business
Gmail is one of the most popular email providers globally – and for good reason. It’s user-friendly, well-supported, and integrates with all the other Google services. But it’s not end-to-end encrypted, and therefore sending a secure email in Gmail requires special effort.
Ultimately, the decision to adopt encryption measures should be based on individual needs and the sensitivity of the information being shared. By leveraging encryption options and following best practices for online security, you can enhance the privacy, confidentiality, and integrity of your Gmail communication, ensuring that your emails remain secure and your sensitive information stays protected in an increasingly interconnected world.