Links on Android Authority may earn us a commission. Learn more.
How to encrypt email in Gmail like a secret agent
Gmail is a great email service, but the one thing they’re not known for is respecting your privacy. After all, their business model is to monitor your online activity to serve you “relevant ads.” They may be up-front about it, but that doesn’t excuse it. So what do you do if you want your emails to remain secret? Here’s how to encrypt your email in Gmail like a secret agent.
Read more: What is encryption?
To encrypt emails in Gmail, there's the easy way and the hard way. The hard way is to use IMAP to download all of your emails to a local email client, such as Outlook or macOS Mail, and then install PGP. This requires a steep learning curve. A much easier method is to use a third-party Chrome extension, which also uses PGP but does all of the heavy lifting for you.
How to encrypt email in Gmail
Many years ago, if you wanted to encrypt your emails, you were faced with the very daunting task of installing PGP onto a local email client, figuring out public and private keys, and hoping you didn’t get anything wrong. You then decided it wasn’t worth the effort and gave up. These days, with the advent of browser extensions, you can now get these processes simplified, to the point where it’s just a case of a simple click and send.
Google only has three possible encryption extensions in the Chrome Web Store. Out of those three, the most highly rated one is FlowCrypt.
Once you’ve installed it, it will ask you to enter an existing PGP key if you have one, or create a new one. For the purposes of this demonstration, let’s assume you don’t have one.
You first need to set up a really secure passphrase, the longer the better. As you type, you’ll be told how secure it is. Get to GREAT at the very least. PERFECT would be even better. Obviously, make the passphrase memorable, so you don’t forget it. And before you hacker-types get excited, that isn’t my passphrase. I changed it after making this screenshot.
When you click Create and Save, it will direct you to the FlowCrypt website to create your first encrypted message. But if you now go to your Gmail inbox, you’ll see a new Compose button called Secure Compose. Click that to get started.
A brand new email compose window will now open. Enter the email address you want to send your secret message to, then click Encrypt, Sign and Send.
When an encrypted email arrives in your inbox, FlowCrypt will automatically decrypt it for you back into plain text. However, if someone was to intercept the email between you and the sender, this is what they would see. Without the decryption key, it’s useless gibberish.
Obviously, the following always applies. Keep your private key private. Keep your passphrase private. If you think either has been compromised, change them immediately.
Is Gmail encrypted by default?
While encryption has become a critical component of most internet-based services today, it wasn’t as prevalent during the early days of email. Back when Google first unveiled Gmail in 2004, encrypted emails had only just begun gaining momentum.
Over the years, however, email providers have increasingly adopted TLS, or Transport Layer Security. This form of encryption is always active when you send and receive emails via Gmail, as long as the sender or recipient’s email provider also support TLS. That’s not really a concern though, most major providers have adopted it already.
However, keep in mind that TLS is only effective till the email reaches its destination. As its name suggests, TLS only offers “transport-level” security.
Put simply, your sensitive data is only encrypted in transit. Once it arrives at its destination, the email is stored in plain text. In fact, this is how spam filters can detect malicious or fraudulent emails for you. The downside is that you’re trusting the security of your inbox to a corporation, like Google or Microsoft. A security breach could easily leak the contents of every email you’ve ever sent or received.
If that level of encryption sounds unacceptable to you, you’ll need the end-to-end encrypted solution described higher up in this article.
What is encryption-in-transit?
Encryption-in-transit prevents your data from getting eavesdropped on while it’s transmitted across the internet. In the context of email, your data gets encrypted when you hit send and then decrypted once it arrives at the destination.
What is end-to-end encryption?
End-to-end encryption ensures that nobody except the sender and receiver can read the contents of a message. Rather than relying on third parties, end-to-end encryption takes place at the device level using a set of private and public keys that only the sender and receiver have access to. While most email providers don’t offer end-to-end encryption, it’s the standard across many chat messaging services, including WhatsApp and Signal.
For a more in-depth explanation, check out our dedicated guide on public-key encryption.
Read more: How to encrypt your Android device
If you use the end-to-end encryption method described above, the email recipient needs to have some email encryption program, but it doesn’t necessarily have to be the same one you have. When Flow Crypt sends your email, they also send your public key so that the other person can email you back securely, regardless of their encryption platform.
Yes, attachments are also encrypted.
As far as Flow Crypt is concerned, a 2018 blog entry stated they were starting to test the Android version. No other word has been said since. There doesn’t appear to be an iOS version yet. It’s probably best to stick to the desktop version.