A client needs recommendations on how to secure their email communications

Secure Email Recommendations

FAQ article on secure email providers and encryption tools

Problem

  • The client needs to secure their email communications.
  • Using a secure instant-messaging tool like Signal, or Jabber/XMPP with OTR, would not satisfy the client’s needs, for example because the people they need to communicate with don’t use a smartphone, because the communications cannot be ephemeral, or because they need a more secure way to communicate.

Solution

In general, email is an insecure channel of communication unless the email provider is trusted and secure and the messages are end-to-end encrypted. Therefore, we should guide the client to choose a trusted email provider and learn how to encrypt their emails, based on their capacities and threat model.

Trusted email providers

When assessing email providers, we should make sure that they offer TLS/SSL encryption, possibly two-factor authentication (better if based on an app or a security key rather than on SMS), and that they allow downloading messages with an email client (POP3/IMAP).

Depending on the client’s preferences, habits, location, and focus, we can suggest that they use one of the following providers:

  • Gmail - If the client is already using Gmail, and they don’t have state-level adversaries, this solution is safe enough.
    • 2FA
    • TLS/SSL
    • POP3/IMAP
    • Other services: GApps; can add own domain and other functionalities for companies (paid option)
  • Posteo - Based in Germany. Can encrypt emails for other Posteo users. Website does not save IPs. Basic contract costs 1 euro per month. It’s possible to add additional storage, additional alias addresses and additional calendars for a low fee.
    • 2FA
    • TLS/SSL
    • POP3/IMAP
    • Other services: basic contract - 2 alias addresses, calendar, address book, 2GB storage, unlimited number of subfolders, attachments up to 50MB
  • Autistici/Inventati (A/I) - An autonomous server based in Europe that offers free email and other services and keeps no logs of its users’ activities. A/I offers its services to individuals and groups who share the principles expressed in its manifesto and policy. We should explain this to the client before they request an email account. The creation of the account might take some days, as it is not automatic and is managed by volunteers.
    • 2FA
    • TLS/SSL
    • POP3/IMAP
    • Other services: 5 alias addresses, VPN and Jabber/XMPP included
  • Kolab Now - Based in Switzerland, paid service, a good alternative to GSuite for organizations
    • 2FA
    • TLS/SSL
    • POP3/IMAP
    • Other services: includes several features (file sharing, calendar, task manager, notes, own domains, group accounts)
  • Riseup - An autonomous server based in the United States that offers free email and other services to activists and organizations for social change. They don’t keep logs, and they issue a canary statement. To obtain an account, 2 invite codes generated by 2 different Riseup users are needed. These codes can be generated by members of the tech team who have a Riseup account.
    • No 2FA
    • TLS/SSL
    • POP3/IMAP
    • Other services: alias address, VPN and Jabber/XMPP included

For activists, other options are listed here.


Summary of the providers above:

Email Provider      | Jurisdiction            | Keeps logs | NGO-friendly      | Webmail | POP3 | IMAP | TLS | Encryption at rest | 2FA | Custom domains | Office suite            | Max. storage | Free/Paid
--------------------|-------------------------|------------|-------------------|---------|------|------|-----|--------------------|-----|----------------|-------------------------|--------------|----------
Gmail               | USA                     | Yes        | No                | Yes     | Yes  | Yes  | Yes | No                 | Yes | Yes            | Yes                     | 15 GB        | Freemium
Posteo              | Germany                 | No         | No                | Yes     | Yes  | Yes  | Yes | Yes                | Yes | No             | Calendar + Address book | 2 GB         | Paid
Autistici/Inventati | Italy (servers abroad)  | No         | Activist-friendly | Yes     | Yes  | Yes  | Yes | No                 | Yes | No             | No                      | Unlimited    | Free
Kolab Now           | Switzerland             | Yes        | No                | Yes     | Yes  | Yes  | Yes | None               | Yes | Yes            | Yes                     | 2 GB         | Paid
Riseup              | USA                     | No         | Yes               | Yes     | Yes  | Yes  | Yes | Yes                | No  | No             | No                      | 1 GB         | Free

GPG encryption tools

Whatever email provider the client is using, we should explain that, unless their messages are encrypted with GPG, they will potentially be readable by anybody who has access to the provider’s servers or to their own or their recipients’ devices, or who can otherwise intercept their communications.

Based on the capacities of their adversaries and on the degree of confidentiality of their communications, we might need to instruct them on how to encrypt their email messages.

Depending on the client’s operating system and capacities, we can suggest one of the following tools for encrypting their email with GPG:

  • Thunderbird+Enigmail - If the client is ready to read their email in an email client on their computer, the solution to recommend is Thunderbird with Enigmail.
  • Mailvelope - If the client prefers to read their email in a web interface, they can encrypt and decrypt their email with Mailvelope, a Firefox and Chrome extension that is easy to use but has limitations in both usability and security (add details), and should not be used by high-risk users.
  • GPG4USB is a PGP tool that can be run from a USB drive and works on both Windows and GNU/Linux. This solution can be recommended to keep the client’s key pair on a separate USB stick rather than on their device.
  • GPG Suite is the tool we can recommend to Mac users as an easy way to install GnuPG. It can be used with Mail for macOS or with Thunderbird and Enigmail.
  • K9 and OpenKeychain are the recommended tools for Android users. Before we suggest this solution to our clients, we should warn them that mobile phones are not secure and that storing a private GPG key on a smartphone is risky, as the device can be lost or stolen. We should recommend that they use native end-to-end encrypted messaging applications like Signal or Wire instead.

    If the client still wants to encrypt their email from their phone, we should make sure that the client’s device is protected with full-disk encryption and a strong password. We should also recommend using a different GPG key pair or a subkey on the phone.

Note: We should warn the client that even with PGP encryption, metadata included in the header, like the sender’s and recipient’s addresses, the subject and the timestamp, won’t be encrypted. If they need to encrypt metadata too, at the moment the only tool that allows encrypting the header is Torbirdy, an add-on for Thunderbird.
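To make the note above concrete, here is an added example (not from the original article) that parses a constructed PGP/MIME message with Python's standard library and lists the header fields that remain readable even though the body is encrypted. The addresses, subject and armored block are placeholders we made up for the demonstration.

```python
from email import message_from_string

# Constructed sample of a PGP/MIME (RFC 3156) encrypted message, the format
# Thunderbird+Enigmail produces. The armored block is a placeholder, not real ciphertext.
SAMPLE_MESSAGE = """\
From: alice@example.org
To: bob@example.net
Subject: Meeting notes
Date: Mon, 01 Jan 2018 10:00:00 +0000
Message-ID: <constructed-id@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMAPLACEHOLDERCIPHERTEXT
=AbCd
-----END PGP MESSAGE-----

--b1--
"""

# Header fields that the provider's servers, and anyone intercepting the traffic, still see.
METADATA_FIELDS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")

def is_pgp_mime_encrypted(raw: str) -> bool:
    """True when the body follows RFC 3156: a control part plus an octet-stream ciphertext part."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/encrypted" or msg.get_param("protocol") != "application/pgp-encrypted":
        return False
    parts = msg.get_payload()
    return (len(parts) == 2
            and parts[0].get_content_type() == "application/pgp-encrypted"
            and parts[1].get_content_type() == "application/octet-stream")

def exposed_metadata(raw: str) -> dict:
    """Return the cleartext header fields of an encrypted message: the metadata the note warns about."""
    if not is_pgp_mime_encrypted(raw):
        raise ValueError("not a PGP/MIME encrypted message")
    msg = message_from_string(raw)
    return {name: msg[name] for name in METADATA_FIELDS if msg[name] is not None}
```

Running exposed_metadata(SAMPLE_MESSAGE) shows sender, recipient, subject and date in the clear; only the armored body would need the recipient's private key.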

Web apps for encrypted email

For less high-risk situations where communications need to be encrypted but the client is not ready to learn how to use GPG, they can use a web service that offers a web app for encrypting emails, like Protonmail or Tutanota. We should warn them that this solution is not as secure as using GPG, and make sure that the service they choose is based on open source software.

If the web app is not completely open source, is JavaScript-based, and/or does not store the encryption keys on the client’s device, it cannot be considered secure. The only level of security such apps then offer is TLS encryption, which is also offered by all the trusted providers listed above. If the client is not already using a web app for encrypted emails, we should explain that they can achieve a comparable level of security by exchanging emails with users of the same trusted provider (e.g. between Google accounts).
