How does an encrypted email svc work with an unencrypted one (gmail, etc)?

[gretah]

Can a E-R fan help me?

I am low tech.

I would like to leave gmail and get an email service that encrypts my emails.

What I don't understand -
Do my emails remain encrypted when I send them to someone using gmail, yahoo, or some other unencrypted / free service?

Or should I consider only those emails I send encrypted to others with their own encrypted email system as safe?

Thanks for your help!

 

[SecondCor521]

I'm not an expert, but I have done some encryption work.

In order for emails to be encrypted, the usual way is to use what is called public key cryptography. For the sake of your questions, what you need to understand is that everyone who wants to send or receive encrypted emails needs to obtain a public key and a private key.

To send an encrypted email to someone, your email program will encrypt it with their public key. They will decrypt it and read it using their private key. If they reply to you, their reply will encrypt it with your public key, and you will decrypt and read it with your private key.

From the above I conclude:

If you send an email to someone with a gmail or yahoo address, one of two things will happen: Either your message will be sent entirely unencrypted and the recipient can read it (more likely), or your message will be sent encrypted and the recipient will have no way to read it (less likely but still possible). The latter case is conceivable in encryption services like PGP that use multiple layers of encryption. I would guess that the way this will work would depend on which encrypted email program and service you choose.

As for your second question, I think you should understand that successful encryption generally relies on both the sender and the recipient agreeing on and using a common system. This is because decrypting a message to read it is essentially the inverse operation of encryption, so the two processes need to be symmetric. Think of tying and untying a knot - if you tie a knot one way and then try to untie it a different way it won't work. So you'll only be able to communicate in an encrypted way with people who are also using the same system. I believe PGP (pretty good privacy) has a standards-based framework so in principal you could use a PGP-based email service with an Android app on your phone and send it to someone using a different PGP-based email service on, say, a Windows desktop.

Also, as a general note, you're a lot safer using something like a PGP-based system, but whether or not you're completely safe depends on the implementation being correct, and using correct settings in the program (defaults are probably fine), and depending on how paranoid you are, whether someone at the NSA really wants to read what you wrote. But if you're just an ordinary citizen who wants to maintain your privacy and you're not a foreign spy, then it should be much safer than unencrypted email. This safety is a trade-off with the inconvenience of switching and trying to get your intended communication partners to switch.

 

[target2019]

Can a E-R fan help me?

I am low tech.

I would like to leave gmail and get an email service that encrypts my emails.

What I don't understand -
Do my emails remain encrypted when I send them to someone using gmail, yahoo, or some other unencrypted / free service?

Or should I consider only those emails I send encrypted to others with their own encrypted email system as safe?

Thanks for your help!

1) Do my emails remain encrypted when I send them to someone using gmail, yahoo, or some other unencrypted / free service?
If you use end-to-end encryption add-in (like PGP), then it is encrypted all the way to other end. But the receiver must have ability to untie your shoelaces (thanks secondcor).
2) Or should I consider only those emails I send encrypted to others with their own encrypted email system as safe?
You'd have to define "their own encrypted email system" better. For example, gmail is encrypted in transit, and when at rest on gmail servers. Obviously, if I use gmail with, say, Comcast, at some point my email must be decrypted (when handed over to Comcast email servers, where their encryption takes over).

Whatever your concern is, maybe specify a bit better. For example, I communicate with son all over world for > 10 years. We hardly use email because of the security concerns. Of course we can put into place email encryption, but not worth the time spent. We use WhatsApp, which uses end-to-end encryption (messaging, pix, attachments) between two accounts. You need a cell no., though. I use this on my PC also (need cell on local net nearby).

 

[jim584672]

If you want to do it right you must encrypt / decrypt it on your machine, that way no trust is required. It leaves / enters your machine as scramble, the provider has no way of knowing the contents. If you are want the provider to do the encrypting then you have to trust the provider. You can use Thunderbird with the enigmail plugin to automate the process using PGP. Your recipient should use the same.

 

[clobber]

Let's get a little more simplistic. If you are using Gmail, the encryption is between you and them. You can make no assumptions about what happens after the email leaves Google, or before Google receives it. In fact, most likely it will not be encrypted.

 

[MRG]

Why?

 

[sengsational]

To send a password or a bank account number, you could create an entry in LastPass and share that with the other party. You can also attach a document and share the entry with the other LastPass user. This is what I do instead of trying to do encryption fo all emails.

 

[target2019]

If you open an email in Gmail, and click the down arrow next to sender's name, it will tell you that the email has been protected in transit by TLS, end to end. What this means is that the email was protected by encryption when sent between servers.

 

[easysurfer]

Do all your emails really need that much security?

Only you will know the answer.

If you only send emails that need to be very secure once in while, could send a password encrypted data. Then call the recipient with the password after the recipient downloads. Not 100% secure probably, but better than nothing.

 

[jim584672]

7zip has AES256 built in as an option.
GPG has been very well reviewed and is trusted by many.

 

[gretah]

Thank your for your posts! Very helpful!

I'll be traveling a lot starting next year and trying to think of ways to stay in touch with my accountant and a few others. Emails with documents attached would be better for me than phone calls due to time zone differences and my preference for reading.

 

[target2019]

Create a shared google drive folder with your accountant. Put sensitive documents there, and you're assured the data is secured at rest and in transit.

 

[gauss]

If you open an email in Gmail, and click the down arrow next to sender's name, it will tell you that the email has been protected in transit by TLS, end to end. What this means is that the email was protected by encryption when sent between servers.

But it does not mean that the email was encrypted while on all the hard drives, "at rest", in the intermediate servers that it passed through - correct?

There would be no end to end encryption in this case if I understand this correctly. TLS only protects the email when it is transmitted from one machine to another - similar to the HTTPS we see in our web browsers for certain pages. Once the email comes out of the secure TLS pipeline between 2 machines it is decrypted.

 

[target2019]

But it does not mean that the email was encrypted while on all the hard drives, "at rest", in the intermediate servers that it passed through - correct?

There would be no end to end encryption in this case if I understand this correctly. TLS only protects the email when it is transmitted from one machine to another - similar to the HTTPS we see in our web browsers for certain pages. Once the email comes out of the secure TLS pipeline between 2 machines it is decrypted.

Talking about a shared doc, not email.

 

[MRG]

When one wants to improve security many people ask: What am I protecting from what?

 

[kgtest]

Create a shared google drive folder with your accountant. Put sensitive documents there, and you're assured the data is secured at rest and in transit.

+1 This is how I help others with investments. Keep in mind if the recipient is signed into Google though, and they are complacent with their devices, technically an accessible yet lost phone would compromise them.



Explained in simple real life scenario... My dad, whom I share a google folder with, signed into my mom's computer on google but never signed out. She was able to access the file because he failed to sign out on her device.



They got their panties in a bunch when they discovered this. Of course through their eyes it was my fault for sharing the file, not my dad's for not signing out of his accounts.

 

[jim584672]

Nothing in Google drive is secure. Google looks at the content of everything if they can. Same with other cloud services and email providers. You need to encrypt it BEFORE it gets uploaded. Preferably encrypted with the public key of the recipient and signed by you.

 

[TwoByFour]

Create a shared google drive folder with your accountant. Put sensitive documents there, and you're assured the data is secured at rest and in transit.

WRONG! Read the Google privacy statement. They explicitly tell you that by using their service (Google Drive) you are granting them the right to read and use for their own purposes anything you put up there. In intellectual property terms, this is known as no-cost perpetual license you are giving Google to your property.

So, you need to encrypt it before uploading it, and you cannot create the doc in Google Docs since it has the same licensing terms.

But, you can create the docs in Microsoft Office (the Windows app, not the service) and use the built-in encryption capability. You can encrypt a Word doc (or Excel spread sheet) with a password before uploading it to Google Drive (or before emailing it), then Drive cannot snoop at it, at least not easily, and it probably won't bother with trying to decrypt it. Tell the recipient beforehand the password you will use for the docs he/she will receive from you.

 

[jim584672]

But, you can create the docs in Microsoft Office (the Windows app, not the service) and use the built-in encryption capability. You can encrypt a Word doc (or Excel spread sheet) with a password before uploading it to Google Drive (or before emailing it), then Drive cannot snoop at it, at least not easily, and it probably won't bother with trying to decrypt it. Tell the recipient beforehand the password you will use for the docs he/she will receive from you.

I would never trust Microsoft encryption for anything. Use a known trusted program like GPG. Public key crypto doesn't require a secret channel to transmit the keys which is a huge hole in just sharing a password. Also cryptographic signature verifies that the document came from you and hasn't been altered or replaced.

 

[gauss]

Talking about a shared doc, not email.

I was talking about email not shared documents. I thought you were describing email/gmail also.

 

[TwoByFour]

I would never trust Microsoft encryption for anything. Use a known trusted program like GPG. Public key crypto doesn't require a secret channel to transmit the keys which is a huge hole in just sharing a password. Also cryptographic signature verifies that the document came from you and hasn't been altered or replaced.

Public key cryptography has other problems, the primary one of which is trust and identity - how do you know that the public key you have from John Doe actually came from the John Doe that you want to send an encrypted doc to? Key Rings try to solve that but it still comes down to trust.

Pass phrase encryption of a Word doc is simple and requires nothing special. It is fine for things that aren't national security. I used to use PGP at work for email, for CERT vulnerability discussions. It was a pain.

 

[jim584672]

Public key cryptography has other problems, the primary one of which is trust and identity - how do you know that the public key you have from John Doe actually came from the John Doe that you want to send an encrypted doc to? Key Rings try to solve that but it still comes down to trust.

Pass phrase encryption of a Word doc is simple and requires nothing special. It is fine for things that aren't national security. I used to use PGP at work for email, for CERT vulnerability discussions. It was a pain.

It only requires the key be verified once via the key fingerprint and from that point on it can be trusted.

 

[sengsational]

If you have one person, or a small set of people that you will see before you leave, you can use a pre-shared key arrangement with a symmetric encryption scheme. This way, each of you encrypts with the same key, and as long as that key isn't compromised, nobody in the middle will be able to see the content of the message (they will, of course know that you communicated, though). But, like I said before, for the occasional sensitive bit, you can use LastPass and if both parties turn off password recovery, this is also a "trust no one" solution.

 

[TwoByFour]

A couple of years ago I had to send all my financial docs to a CPA and I used WinZip to bundle them all up into one file that was password encrypted, which I then emailed. Pretty easy. I think PKZip works the same.

 

[sengsational]

That would be an example of symmetric encryption that I mentioned above. You need to communicate the password "out of band" and it needs to be something not found in a rainbow table (should be gibberish).