I prefer to exchange encrypted email
When you write to me, the messages we exchange are stored on the servers of one or more private corporations. This is true even if you use an ...@uniud.it address as the recipient, because the University of Udine outsources its email services (for students and employees alike) to one of those big corporations. You might trust a third party to keep your personal data safe, but it is a fact that such data can be mined (for instance to sell ads), stolen, or collected by various “intelligence” agencies using more or less unethical means and for more or less unethical purposes. As long as you use a service “in the cloud”, you should encrypt your data. This holds for email messages as well as for any other data.
Confidentiality can be attained by end-to-end encryption: “end-to-end” means that the message is encrypted on the sender's device before it leaves it and decrypted only on the recipient's device, so the servers in between store and relay nothing but ciphertext. The most popular email clients (including those on mobile devices) support signing and encryption out of the box and transparently, through a standard called S/MIME. The only thing you need is a valid certificate, that is, a certificate that binds your email address to your public key and is issued by a certificate authority the recipient's client trusts. Contrary to what many people think, a personal certificate can be obtained for free from a few certificate authorities.
There are two ways you can send me an encrypted message. The first is S/MIME: if you have received a digitally signed message from me, you already have my certificate, because an S/MIME signature carries the signer's certificate, and you can start encrypting right away; just read the documentation of your email client to learn how to use S/MIME. (If you want my certificate, just drop me a plain-text email.) For me to send you encrypted messages, you need to obtain a certificate and send me a message signed with it.
The other (possibly better, in some respects) solution is to use OpenPGP instead of S/MIME. This typically requires a plugin for your email client. Once you have the plugin working, all you need to do is download my OpenPGP public key from my home page or from a public keyserver and import it into your GnuPG keyring. Whichever source you use, compare the key's fingerprint with one obtained through another channel before you trust it: anyone can upload a key bearing my name to a keyserver. For me to send you encrypted messages, you need to create a public/private key pair, for example with GnuPG, and send me your public key.
Currently, I mostly use macOS and iOS. These are a few resources that I have found useful to set up my system:
- Email Self-Defence
- How to Create an Anonymous Email: private email services are another way to mitigate the issues mentioned at the beginning (at least when sender and receiver use the same service).
- Making end-to-end encryption easier to use (well, if Google says that…)
Encrypting email has some potential disadvantages:
- You won’t be able to read encrypted messages through webmail interfaces: the private key that decrypts them lives on your device, not on the server. If you rely on webmail, maybe you should limit the number of messages you encrypt, or look for a browser plugin.
- Some services may not fully support S/MIME. I have tried Google, iCloud, Microsoft, and Yahoo services without problems, but your mileage may vary.
- Yeah, very, very few people encrypt emails. And encrypted email is not the most secure way to exchange messages. But someone has to start somewhere…
Other things to keep in mind:
- Email headers are not encrypted: the subject, the sender and the recipients are visible to every server the message passes through; only the body is protected. Attachments are usually encrypted together with the body, but test this with your own client, because it may depend on your configuration.
- Search in email clients usually still works with encrypted messages, because the client decrypts them locally and may keep a plaintext index on your device; server-side search, as in webmail, sees only ciphertext.
- If you use IMAP, do not store draft messages on the server: drafts are typically saved before encryption, so they would sit there in clear text.
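The S/MIME exchange described above (a signed message delivers the sender's certificate, then the other party encrypts to that certificate), driven with the OpenSSL command line instead of a mail client. This is an added example, not part of the original page: the parties alice@example.org and bob@example.org, their self-signed test certificates and the message texts are constructed so that it runs offline (a real certificate comes from a CA, and a real client validates the CA chain, which `-noverify` skips here). It also shows the point above about headers: the Subject of the encrypted message stays readable on disk while the body does not, and a modified signed message fails verification.

```shell
#!/bin/sh
# Added example: an S/MIME signed-then-encrypted exchange driven with the
# OpenSSL CLI, standing in for what a mail client does behind the scenes.
# Parties, addresses and message texts are constructed for the demo.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT   # private keys and plaintexts do not outlive the demo
cd "$WORK"

# Self-signed certificate for one party, carrying what a real S/MIME
# certificate carries (email in subjectAltName, emailProtection EKU).
# A real one is issued by a CA; self-signed only so this runs offline.
make_identity() { # $1 = short name, $2 = email address
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1/emailAddress=$2" \
    -addext "subjectAltName=email:$2" \
    -addext "extendedKeyUsage=emailProtection" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Clear-signed (multipart/signed) message; the signer's certificate is
# embedded in the signature part, which is why a signed message is enough
# to start encrypting to its sender.
sign_message() { # $1 = signer name, $2 = plaintext file, $3 = output message
  openssl smime -sign -text -in "$2" -signer "$1.crt" -inkey "$1.key" -out "$3"
}

# Check the signature and save the certificate that came with the message.
# -noverify skips the CA-chain check (no CA here); the signature itself is
# still verified, so a tampered body is rejected. Real clients check the chain.
verify_message() { # $1 = signed message, $2 = cert out, $3 = body out
  openssl smime -verify -noverify -text -in "$1" -signer "$2" -out "$3" 2>/dev/null
}

# Encrypt to a certificate. -subject goes in the outer headers, i.e. in clear.
encrypt_message() { # $1 = recipient cert, $2 = plaintext, $3 = subject, $4 = out
  openssl smime -encrypt -aes256 -text -in "$2" -subject "$3" -out "$4" "$1"
}

decrypt_message() { # $1 = recipient name, $2 = encrypted message, $3 = body out
  openssl smime -decrypt -text -in "$2" -recip "$1.crt" -inkey "$1.key" -out "$3"
}

run_exchange() {
  make_identity alice alice@example.org
  make_identity bob   bob@example.org

  # 1. Bob sends Alice a signed message; Alice can now encrypt to him.
  printf 'Hi Alice, this message is signed, so you now have my certificate. Lunch at noon?\n' > bob_plain.txt
  sign_message bob bob_plain.txt bob_signed.eml
  verify_message bob_signed.eml bob_from_mail.crt bob_body.txt

  # 2. Alice replies, encrypted to the certificate she just received.
  printf 'Here are the results: 30/30 for everyone.\n' > alice_plain.txt
  encrypt_message bob_from_mail.crt alice_plain.txt 'Exam results' alice_encrypted.eml

  # 3. Bob decrypts with the private key that never left his machine.
  decrypt_message bob alice_encrypted.eml alice_body.txt
}

# S/MIME canonicalises text to CRLF; strip the CR for comparisons.
alice_reads() { tr -d '\r' < bob_body.txt; }
bob_reads()   { tr -d '\r' < alice_body.txt; }

# What the mail server sees: the Subject header, but not the body.
subject_in_clear() { grep -q '^Subject: Exam results' alice_encrypted.eml; }
body_in_clear()    { grep -q '30/30' alice_encrypted.eml; }

# Any change to the signed body invalidates the signature.
tamper_detected() {
  sed 's/noon/midnight/' bob_signed.eml > bob_tampered.eml
  ! openssl smime -verify -noverify -text -in bob_tampered.eml -out /dev/null 2>/dev/null
}

run_exchange
echo "Alice verified Bob's signature and read: $(alice_reads)"
echo "Bob decrypted Alice's reply and read: $(bob_reads)"
subject_in_clear && echo "Server-visible: the Subject header of the encrypted message"
body_in_clear   || echo "Not server-visible: the body of the encrypted message"
tamper_detected && echo "A modified signed message fails verification"
```

Everything a mail client does for you is in those five `openssl smime` calls: your client signs with your own key, verifies incoming signatures and files the certificates they carry, and encrypts to those certificates. Note which files would have to reach the server in a real exchange: `bob_signed.eml` (body in clear, but tamper-evident) and `alice_encrypted.eml` (body opaque, headers readable); the `.key` files never leave their owners' machines.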
Please, prefer encrypted mail!