Certificates, signed emails, symmetric and asymmetric encryption, S/MIME, TLS and PGP – for many who do not regularly deal with email encryption these terms are quite foreign. However, with the new basic data protection regulations (DSGVO) these terms have been pushed to the top of the to-do lists for many SMBs. Although, many companies lack the necessary knowledge to implement the new requirements in regards to the encryption of their email communication. In this article, Hornetsecurity aims to explain some of the basic terms and technologies around email encryption.
Symmetric email encryption uses the same key to encrypt and decrypt the email. This means that the sender and recipient of an email share the same key. Thus, this procedure is very simple, but its security is essentially tied to the secrecy of the keys – if the key falls into the hands of a third party that person can decrypt the entire communication.
Asymmetric email encryption uses a total of four keys, one key pair each – a public and a private key per communication partner. The public key is accessible to everyone who wants to communicate and is transferred with the certificate exchange. It is used to encrypt the data, in our case, emails.
To decrypt the encrypted data again, the private key belonging to the public key is required. Although the key pair is mathematically interdependent and it’s practically impossible to calculate it.
PGP and S/MIME are asymmetric encryption methods. Both procedures have a decisive advantage and disadvantage. The advantage is that the email provider of the sender and recipient also has no insight into the email. The disadvantage is that only the message is encrypted. The sender and recipient as well as the subject can still be read.
The main difference between email encryption with S/MIME and PGP is the issue of certificates. While PGP (also known as OpenPGP) is an open source solution in which everyone can create their own certificates, certification at S/MIME takes place via official certification authorities, the so-called Certificate Authorities (CA).
TLS differs fundamentally from email encryption with S/MIME or PGP. Here it’s not the email itself that is encrypted, but only the connection between the two communicating servers. This means that the email cannot be accessed during transport, but it is not encrypted on the respective mail servers.
With on-premise solutions, the emails are encrypted directly on site, i.e. at the companies themselves. The email encryption software can be purchased, rented or operated completely independently from an external provider. Although this procedure offers the company a high degree of transparency and decision-making freedom, it involves an administrative effort that should not be underestimated. The costs for maintenance and operation are also quite significant. Today, on-premise solutions are considered a thing of the past and are increasingly being replaced by modern cloud-based computing.
With the cloud-based computing alternative, also known as “Software as a Service” (SaaS) solution, the security provider relieves the company of all expenses, such as administrative and operational costs. All of the company’s email traffic is then handled by the security provider’s servers, including Hornetsecurity’s email encryption service. The route between the customer’s mail server and the service provider is protected by TLS. This solution is characterized by the elimination of administrative work for any particular company. However, to fully ensure secure email communication, TLS and S/MIME can and should be used simultaneously. This is the only way to encrypt the email itself and its transport route.