How do you Send an Encrypted Email in Gmail?

Gmail uses TLS to encrypt emails in transit. This leaves emails vulnerable to unauthorized access on reaching the destination server, especially if they linger in the recipient's inbox. You can encrypt emails using S/MIME, Confidential Mode, and other third-party plugins to protect sensitive information. Learn how to use these options to secure your email communications.

S/MIME: Encrypt and digitally sign emails for enhanced security

S/MIME, or Secure/Multipurpose Internet Mail Extensions, is a security protocol that encrypts emails using public key cryptography. When sending an S/MIME encrypted email, the sender encrypts it using the recipient's public key, ensuring only the recipient with the corresponding private key can decrypt it. 

You can also use S/MIME to digitally sign emails, verify your identity, and ensure the email has not been tampered with. To digitally sign an email, the sender uses their private key to create a digital signature and attach it to the email. When the recipient receives the email, they can use the sender's public key to verify the digital signature. This can help prevent phishing attacks and other forms of fraud.

Supported editions for S/MIME in Google Workspace: 

• Enterprise Plus
• Education Fundamentals
• Education Standard
• Teaching and Learning Upgrade
• Education Plus

How to turn on hosted S/MIME in the Google Admin console?

1. Log in to your Google Admin console
2. Click “Apps” > “Google Workspace” > “Gmail” > “User settings”
3. On the left, under Organizations, select the domain or organization you want to configure.
4. Scroll to the “S/MIME” setting and check the “Enable S/MIME encryption for sending and receiving emails” box.
5. Save your settings to activate S/MIME encryption.

Pros and cons of S/MIME encryption

​S/MIME offers robust security but has intricacies and dependencies that warrant careful consideration. Let's explore its pros and cons.

 Pros:

• S/MIME encrypts email content, ensuring robust protection against interception.
• Digital signatures verify sender authenticity, reducing phishing risks.
• Strict access control ensures that only intended recipients can decrypt emails.
• Clear lock icons indicate encryption levels, promoting transparency.
• S/MIME complies with security regulations, making it ideal for corporate use.

Cons:

• Implementation may require IT support due to its complexity.
• Both parties must support S/MIME to send and receive encrypted emails.
• S/MIME does not encrypt the subject line or metadata of emails.
• Server issues may expose encrypted emails.

Confidential mode: Prevent accidental sharing of sensitive information

Confidential mode in Gmail is a feature that restricts the forwarding, copying, printing, or downloading of emails and their attachments. Senders can set message expiration dates, revoke access at any time, and require an SMS verification code to allow message access.

This mode is available for personal Gmail and Google Workspace (formerly G Suite) accounts. 

Confidential mode doesn't prevent recipients from taking screenshots or utilizing malicious software to copy or download the email content.

How to turn on confidential mode?

For Google Workspace (paid) accounts - Organization level:

1. Sign in to an administrator account.
2. In the Admin console, navigate to "Menu" > "Apps" > "Google Workspace" > "Gmail" > "User settings."
3. In User settings, scroll down to "Confidential mode."
4. Check or uncheck the "Enable confidential mode" box.
5. Save your changes.

For Personal Gmail accounts

1. Open Gmail on your computer.
2. Click "Compose" to create a new email.
3. In the bottom right corner of the email composition window, click "Turn on confidential mode."
4. Set an expiration date and choose whether to include a passcode.

• If you opt for "No SMS passcode," Gmail app users can open the email directly, while non-Gmail users will receive an email containing the passcode.
• If you choose "SMS passcode," recipients will receive a passcode via text message. Ensure you enter the recipient's phone number, not your own.

         5. Click "Save."

Pros and cons of confidential mode

Confidential mode, while not an encryption method, adds an extra layer of security to your emails. Let’s look at its pros and cons:

Pros:

• It is convenient for regulated industries to send secure emails.
• Simplifies the process of sending secure emails to all Gmail users.

Cons:

• Recipients can still take screenshots or photos of confidential emails.
• Recipients can find ways to bypass the expiration date and passcode requirements.
• You can’t use confidential mode while scheduling emails.

Related: Learn what constitutes confidential data.

How to Ensure you’re Sending an Encrypted Email?

Here's how you can verify email encryption:

1. Begin composing your email as usual.
2. Add the recipient to the "To" field.
3. Notice a small lock icon to the right of the recipient's name; it shows the level of encryption that your message's recipients support. If there are multiple users with various encryption levels, the icon will show the lowest encryption status. 
4. Click the lock to adjust your S/MIME settings or gain insights into your recipient's encryption level.

How to Verify the Encryption of Received Emails?

Follow the steps below to check whether you’ve received an encrypted email:

1. Open the received email.
2. Select "View details" on Android and then "View security details." On iPhone, tap "View details."
3. You'll now see colored icons indicating the encryption level. 

• Green (S/MIME enhanced encryption): The highest level of encryption, only the recipient with the private key can decrypt.
• Gray (TLS or standard encryption): Used when an email service doesn't support S/MIME.
• Red (No encryption icon): The email is unencrypted.

Alternative Options to Secure Gmail Emails

Besides Gmail’s native security features, third-party plugins can enhance your email security further. 

Option 1: Flowcrypt

Flowcrypt is a desktop extension available for Firefox and Chrome. It seamlessly integrates with Gmail and introduces a "Secure Compose" button to your interface. Flowcrypt secures your messages using industry-standard Pretty Good Privacy (PGP) encryption. Here's how to use Flowcrypt:

• Install the Flowcrypt extension for your preferred browser.

• Click the "Secure Compose" button.

• Enter a message password in the input field at the bottom of the “Secure Compose” window.

• Click “Encrypt and Send” to send your email.

‍

Option 2: SendSafely

SendSafely is an end-to-end encryption platform that ensures only you and your intended recipients can access shared information. It eliminates the need for pre-shared encryption keys or passwords. Here are the steps to send encrypted emails using SendSafely:

• Install SendSafely Extension from the Chrome Web Store.

• Authenticate and obtain the API Key and API User ID.
• Enable "Google Mail Integration" in SendSafely settings.
• Encrypt Attachments - Use the SendSafely icon in Gmail to encrypt attachments.
• Encrypt Entire Message - Choose this for complete email encryption.

Option 3: Mailvelope

Mailvelope is a Chrome extension offering PGP encryption for Gmail. It provides robust end-to-end encryption. However, it may require some technical knowledge to set up. 

Here's how to use Mailvelope:

1. Install Mailvelope Extension from the Chrome Web Store.
2. Open the Mailvelope editor by clicking the Mailvelope icon next to the compose button.
3. Enter the recipient's email address in the Mailvelope Editor.
4. Mailvelope will attempt to find the recipient's key. Green indicates success, red means no key found.
5. Compose your email, add attachments, and click "Submit" to send securely.

Related: How to share sensitive documents with end-to-end encryption?

Introducing Strac: Real-time Gmail Data Loss Prevention (DLP)

Strac’s Gmail DLP solution uses advanced algorithms to promptly detect and redact sensitive content in emails, protecting you from accidental data exposure. 

When sending an email with sensitive content (in the body or attachment), you can choose from a variety of data protection measures, including:

• Redact sensitive content
• Encrypt the email
• Receive an alert when sensitive content is detected
• Block the email from being sent
• Quarantine the email for review
• Log the email
• Forward the email to a specific tag