REVIEW: Email encryption has gotten so much better, so you’d be crazy not to use it

Hushmail, Virtru, HP Voltage, Datamotion, AppRiver, ProtonMail, Tutanota offer options for protecting emails from prying eyes.

I once co-wrote a book on enterprise email where I likened email encryption to a “sucking chest wound.” That was in 1997, when you had to do all the encryption key management on your own, a daunting task to say the least.

While things have improved considerably since then, encrypting messages is not as simple as it could be, and requires careful study if you want to have truly private communications that can’t be viewed by your competitors – or your government.

In the past, recipients of encrypted emails had to share the same system as the sender, and many email clients were difficult to configure. Today, many products have a “zero knowledge encryption” feature, which means you can send an encrypted message to someone who isn’t on your chosen encryption service. Just provide them a passphrase to decrypt their message and to compose a reply to you, or in some cases they can read the message by just authenticating themselves. After this first communication, your recipient is able to exchange encrypted messages with you quite easily.
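The passphrase flow described above, as a constructed stand-alone demonstration (not code from any of the reviewed products): the service stores only salt, nonce, ciphertext and tag, and without the passphrase the sender shares out of band that record is unreadable, whether by the service or by anyone who copies it. It uses only the Python standard library (PBKDF2 plus HMAC-SHA256 as a counter-mode keystream, encrypt-then-MAC); the iteration count is an assumption, and real products use a standard AEAD such as AES-GCM.

```python
"""Constructed demo of passphrase-protected "zero knowledge" delivery:
the relay holds salt, nonce, ciphertext and tag, never the passphrase."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumption: PBKDF2 work factor chosen for this demo


def _keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the passphrase."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, 64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: nonce || counter -> 32-byte blocks."""
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
    return bytes(out[:length])


def seal(passphrase: str, message: bytes) -> dict:
    """Sender side: this record is all the relay ever receives."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(message, _keystream(enc_key, nonce, len(message))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def open_record(passphrase: str, rec: dict) -> Optional[bytes]:
    """Recipient side: a wrong passphrase or a tampered record fails the MAC."""
    enc_key, mac_key = _keys(passphrase, rec["salt"])
    expect = hmac.new(mac_key, rec["salt"] + rec["nonce"] + rec["ct"], "sha256").digest()
    if not hmac.compare_digest(expect, rec["tag"]):
        return None  # refuse to decrypt rather than return garbage
    ks = _keystream(enc_key, rec["nonce"], len(rec["ct"]))
    return bytes(a ^ b for a, b in zip(rec["ct"], ks))


if __name__ == "__main__":
    record = seal("correct horse", b"Q3 numbers attached, call me.")  # constructed
    print(open_record("correct horse", record))  # the original message
    print(open_record("guess", record))          # None: unreadable without the passphrase
```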

Apart from zero knowledge encryption, modern products make sending and receiving messages easier, with advances like an Outlook or browser plug-in that gives you nearly one-button encryption. And all of the products reviewed have better control over the message traffic, such as setting expiration dates, or being able to revoke unread messages or prevent them from being forwarded once your recipient has read them. These are all good signs that encryption has finally come of age.

But there is one remaining problem: the ways we use email have also evolved and gotten more complex. Some of us alternate between desktop and mobile clients, or also turn to webmail as our mail client. Some people prefer Outlook and many organizations depend on Microsoft Exchange, while there are dozens of SaaS-based hosted email providers, such as Google Apps and Office 365. That means any encryption solution has to cover different use cases and endpoint clients. And there is still a lot of end-user apathy towards encrypting messages, even in spite of the Snowden saga and other object lessons in keeping messages secure.

To analyze the current state of the art, we examined seven products, and found that they fall into three functional categories.

First are hosted email services that make use of end-to-end encryption of their message traffic. Typically, you use the hosted provider’s webmail client to have a secure connection to send and receive email. If you are already using a hosted email service, you would need to replace that provider with one of these services. We looked at Hushmail and ProtonMail in this category. Hushmail has been around for more than a decade, while ProtonMail is relatively new and still in an extended beta. This category is appealing for smaller networks or places that see an immediate need for encryption and want to get started quickly.

Second are email encryption gateways. These were the first kinds of encryption products, and can still be found on the market. They require special plug-ins or an on-premises server to be set up inside your firewall to connect to your main email server. Datamotion SecureMail and HP’s Voltage SecureMail fit into this category.

Gateways offer tremendous control over how emails are processed, whether any message residue can be found on local storage devices, and how you can go about recovering passwords. While this is appealing, with all this control comes the higher pain point of getting them set up properly. That’s why gateways have somewhat fallen out of favor, especially now that there are so many other choices.

Gateways are still useful for businesses that either are reluctant to use the cloud or have particular compliance reasons for encrypting their message traffic, such as a brokerage house or a medical practice.

Finally, there are client-only products that supplement existing desktop email software, such as Outlook or Apple Mail. These are typically add-on tools that encrypt messages using your existing email infrastructure. Tutanota, Virtru and AppRiver fit into this category. This is popular for businesses that have a variety of email clients in use and don’t want to deploy a universal encryption service immediately, or that can’t easily swap out pieces of their email infrastructure.

There are numerous other encryption services that we didn’t test, for two reasons. First, many of them, like ProtonMail, only offer encryption for single mailboxes and aren’t suitable for an enterprise-wide deployment. A good article listing many of these services can be found here. Second, several of the long-time encryption vendors didn’t want to participate, including gateway vendors Symantec (the current keeper of the PGP flame) and Zix Corp.

Winners and losers

Because of the variety of email situations and product types, we couldn’t declare an overall Clear Choice winner. However, each of these products can be very useful for specific situations. Despite having some innovative features, we would hold off on recommending Tutanota until the product matures.

If you make use of an Internet standard IMAP/SMTP server for your email, then Hushmail or Virtru are the best ways to go. Hush uses a combination of various industry standard encryption technologies to move mail from your desktop through the Internet. Virtru has its own ecosystem and collection of add-ons to Outlook, browsers and Gmail that can protect your messages.

If you use Exchange or Notes, then Datamotion is the better solution, using its gateway. While it is the most expensive of the seven products we tested, it offers a lot of flexibility in configuration. Voltage is also a good gateway-based alternative if you need the plethora of controls to handle your mail flow, and it runs on both Linux and Windows servers.

If you don’t want to deploy encryption for everyone and just want a few employees to have this feature, or if you have a POP-based system, then look at AppRiver. They are also appealing because of a very large attachment limit of 5GB; most of the other products could only accommodate smaller attachments.

While ProtonMail is mainly for individuals, it is a demonstration of what the current level of privacy and paranoia can do to deliver an easy-to-use encryption product. While its user interface lags behind some of the more mature products, it has a couple of features that are worth examining, including default double message encryption and how it can automatically notify new correspondents of a waiting encrypted message.

How we tested

We used a combination of Mac and Windows 7 desktop clients and an iPhone to run the various programs, using Firefox and Chrome browsers. We set up several Internet-based mail domains, changed MX records when they were needed, and added plug-ins to Windows 7 machines running Outlook 2013 and Mac Mail clients. In setting up this entire infrastructure, we looked at the following evaluation criteria:

1) Enterprise management and control features

These include how a product can recover from error conditions and how useful it is in troubleshooting email problems. We looked at how easy it was to set up new mailboxes or terminate existing ones and how to recover a lost password. We also noted in the summary chart the total mailbox and attachment size limits, if any, that each vendor specifies.

2) Documentation

We looked at the different user interfaces (Web, mobile and desktop clients) and how they differ and how they are documented or supported with online tutorials and help files.

4) Encryption security features

Can you hide subject or other metadata surrounding the message? Who holds the encryption keys? Do customer messages reside on cloud-based servers owned by the vendor and if so where are they located?

5) Silk Road scenario

If you are ultra-paranoid, you might have read how the FBI arrested Ross Ulbricht for his activities with Silk Road. The FBI got around the encryption protocols he was using by seizing his laptop while he was using it in a public library in San Francisco. If this is a scenario that you want to avoid, then the only encryption products that can help you would be Datamotion and possibly Tutanota. While we recognize that none of these products is designed to evade the law, we got some interesting responses from the vendors as they pondered this scenario and we wanted to share them with you as an illustration of how the encryption products can be used in ultra-secret situations.

Here are the individual results:

Net Results

Product | Server locale | Mobile version | Attach limit / mbox size | Plug-ins (1) | Type | Price (50 users/yr)
--- | --- | --- | --- | --- | --- | ---
Hushmail for Business | Canada | Web only | 20 MB, 10 GB | None | Hosted | $2,196
Virtru Pro | USA | iOS, Android | 25 MB, unlimited | Firefox, Chrome, Outlook, Mac Mail | Client | $1,200
HP Voltage | USA | Web, iOS, Android, BBerry | Varies (2) | Outlook | Gateway, Hosted, Client | $2,750 (one-time fee)
Datamotion SecureMail | USA | Web only | 100 MB (3), unlimited | Outlook | Gateway | $4,795 + $2,599
AppRiver CipherPost | USA | Web, iOS, Android, BBerry | 5 GB, 2 GB | Chrome, Outlook | Client | $4,770
ProtonMail | Switzerland | None | 10 MB | Outlook | Hosted | $3,000
Tutao Tutanota | Germany | iOS, Android | 25 MB, 1 GB | Outlook | Client, Hosted (premium) | 1,200 euros

Notes:

(1) Outlook plug-in only works for Windows versions of Outlook.

(2) Limit can be set by admin; separate file transfer add-on available.

(3) DataMotion sells an upgrade to 2 GB for another $72 per user per year.
