It often happens that our clients or prospects desire confidentiality regarding the projects we develop for them. We do sign NDAs (Non-Disclosure Agreements) and include confidentiality contract clauses, but we also advise to use digital certificates to sign and encrypt email communication.
This page explains how to easily make and use signed and/or encrypted email. This page does not go too much into underlying technical details, since it is thought to be easily understood by anyone who reads it.
Signed email refers to email messages which have been signed with a digital certificate.
This helps in knowing that the received email message comes indeed from the declared sender (a warning appears if someone else intercepted and modified the message before it arrived).
Encrypted email refers to email messages which have been encrypted with a digital certificate.
This helps in making sure that only the intended recipient can read the email message. If the message is intercepted and opened by someone else, he/she won’t be able to decrypt it.
Yes, fortunately, email signing and email encryption can be simple. In practice, most email clients (such as Outlook, Windows Mail, Windows Live Mail, Thunderbird etc.) handle all complicated aspects for us.
Let’s assume that you want to have confidential discussions with Bluemind Software.
First of all, both parties must have digital certificates issued for email signing and encryption (one certificate is sufficient for both actions). If you don’t have one, we explain below how to get one (and you can get it for free).
You start by sending us a signed email message (you can’t send encrypted email yet; you first need to receive our certificate). To send signed email, you write the message as usual and press the “Digitally Sign” (or similar) button in your email client. A modern email client automatically attaches (only) the public part of your certificate.
We receive your message. The public part of your certificate, which we find attached, allows us to send you encrypted messages which are readable only by you.
We reply with a signed email message (signed with our certificate). When you receive our answer, the attached public part of our certificate enables you to write us encrypted messages that only we can read. This means that, from the next email message to us, you can press the “Encrypt” (or similar) button in your email client.
And this is all of it! By exchanging only two signed emails (one signed by you, to us, and one signed by us, to you), we both become able to send encrypted emails and have secret communication.
The email client does all the work for you. It knows to use different certificates to encrypt email messages to different people and it knows which one to use for whom. You don’t even need to remember. Everything happens automatically!
A digital certificate comes with two keys: a private key (which only the owner can have) and a public key (which anyone can have). The keys are related (one key can be used to decrypt what was encrypted with the other) but it is close to impossible to obtain one of them from the other.
Email encryption uses the public key of the recipient to encrypt the message. Only the intended receiver can decrypt the email because only he/she has the private key.
Email signing uses the private key and anyone who is in possession of the public key can be sure that the sender is the expected person (you may think of it as encryption with the private key and decryption with the public key).
This may start to seem complicated, if you think about how to send and get public keys.
Fortunately, this is handled invisibly to you by almost all email clients (such as Outlook, Windows Mail, Windows Live Mail, Thunderbird etc.). It is so easy that you only have to press buttons to sign and/or encrypt a message. The email client applications automatically use the public key of the intended receiver to encrypt the message, if you have it (and, usually, you get it the first time you receive a signed message from him/her).
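The two-step exchange described above, reduced to the key operations an email client performs, as an added example that is not part of the original page: a key pair stands in for each party's certificate, a signed mail is verified with the sender's public key (and rejected if altered), and an encrypted mail can be opened only with the recipient's private key. `NewKeyPair` is a hypothetical helper standing in for a CA-issued certificate; real S/MIME encrypts a random session key with the recipient's public key and the body with that session key, so the short message here is encrypted directly.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair stands in for obtaining a certificate from a CA (hypothetical
// helper): the private key stays with its owner, the public key is shared.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign hashes the message and signs the digest with the sender's private key;
// a mail client attaches the resulting signature plus the public key.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify checks a signature with the claimed sender's public key; false means
// the message was altered in transit or did not come from that sender.
func Verify(sender *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(sender, crypto.SHA256, h[:], sig, nil) == nil
}

// Encrypt uses the recipient's public key, so only the matching private key
// can open it (a short message is encrypted directly here, unlike S/MIME).
func Encrypt(recipient *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
}

// Decrypt opens a message addressed to the owner of this private key.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	you, _ := NewKeyPair()
	bluemind, _ := NewKeyPair()
	sig, _ := Sign(you, []byte("hello"))                    // step 1: your signed mail
	fmt.Println("signature verifies:", Verify(&you.PublicKey, []byte("hello"), sig))
	ct, _ := Encrypt(&bluemind.PublicKey, []byte("secret")) // later: encrypted mail to Bluemind
	pt, _ := Decrypt(bluemind, ct)
	fmt.Println("Bluemind reads:", string(pt))
}
```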
To learn more, we recommend reading:
Digital certificates are issued by trusted Certification Authorities (CA). There are plenty of them.
Because we have used certificates issued by Comodo (the world’s second largest CA) and we know that the ones for email signing and encryption are free, we recommend getting one from them. They are issued per email address, not per person (which we find wise), and are valid for one year. To apply for one, please go to http://www.comodo.com/home/email-security/free-email-certificate.php .
Please note that these certificates have to be replaced each year and that they have to be installed on every device from which you want to be able to send signed and encrypted email messages! And the email client applications have to be configured to use them!
Different CAs offer different ways to easily install the certificate via your browser (most online scripts will work only in Internet Explorer!). If you get a certificate from Comodo, you will receive an email with instructions for easy installation.
To import or export certificates from/to files, use the Internet Explorer menu (Tools -> Internet Options -> Content tab -> Certificates button) or run certmgr.msc from the Start menu. There you will find tools to import and export certificates.
Warning: keep your original certificate file safe (it contains your private key)! If you export a certificate to send it to someone for any reason, be careful not to export the private key!
This depends on the email client application that you use. Please remember that you need to install the certificate on the device, before configuring your email client.
In case you don’t find the instructions easily on Google, the University of Texas at Austin maintains a list of steps for the different Outlook versions and for Thunderbird. You can find the links to the different setups on the bottom of the page at http://www.utexas.edu/its/help/digital-certificates/819.
Windows Live Mail made it a little easier. Right-click on your email account and choose Properties. Go to the Security Tab and there you can choose the certificates to use for signing and encryption (the encryption certificate is used only to tell others to use it when they write to you). You can select the same certificate for both purposes, of course. These instructions apply to versions of Outlook Express and Windows Mail too.