How to Encrypt Your Gmail, Outlook, and Other Webmail

Encryption is vital to privacy and security. Our privacy is under constant threat from social media, governments, businesses, and otherwise. So, encrypting your web traffic and email accounts is a vital step to clawing back some of the seclusion that was natural just a few decades back.


Email accounts are important. They hold the keys to your digital kingdom as well as personal information. Here’s how you encrypt your Gmail, Outlook.com, and other webmail accounts.

Which Encryption Is Best to Protect Webmail?

Before we look at the encryption tools, it is important to understand what types of encryption are available to you when using Gmail, Outlook.com, or other webmail services. You will use either symmetric or asymmetric encryption to protect your data. But what does that mean?

Asymmetric encryption is the most common encryption type found on the internet today. An asymmetric encryption tool involves two separate keys: a private key and a public key. Your public key is just that: public. You can send your public key into the wild because with it, people can encrypt messages specifically for you. When the encrypted messages hit your inbox, you decrypt them using your private key. Unlike the public key, the private key must remain secure at all times. If someone else acquires it, they can unlock your messages. Asymmetric encryption is also known as public key cryptography.

Symmetric encryption is a very secure but simpler encryption method. You essentially encrypt your message using a single cryptographic key, and the recipient cannot unlock your message without that key. Symmetric encryption is also known as secret key cryptography.

Both encryption types have pros and cons. Want to understand more? Here are basic encryption terms you should know.
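
The public-key flow described above, as an added example that is not code from Mailvelope, FlowCrypt, or this article. It goes one step beyond the text: the message body is encrypted with a random one-time key and only that key is encrypted to the recipient's public key, which is also how OpenPGP works. The RSA and AES choices, the message layout, and all function names are assumptions made for illustration.

```javascript
// Added illustration of the public-key model using Node's built-in crypto.
// This is NOT OpenPGP and not Mailvelope or FlowCrypt code; every function
// name and the message layout below are hypothetical.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Key generation: the private key is written out encrypted under a password,
// so a stolen key file is useless without that password.
function generateKeyPair(password) {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: password },
  });
}

// Sender: needs only the recipient's public key.
function encryptFor(publicKeyPem, plaintext) {
  const sessionKey = crypto.randomBytes(32); // fresh one-time key per message
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, sessionKey),
    iv,
    tag: cipher.getAuthTag(),
    body,
  };
}

// Recipient: needs the private key AND the password protecting it.
function decryptWith(privateKeyPem, password, msg) {
  const sessionKey = crypto.privateDecrypt(
    { key: privateKeyPem, passphrase: password, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

// True only if this key and password can open the message.
function canRead(keyPem, password, msg) {
  try { decryptWith(keyPem, password, msg); return true; }
  catch { return false; }
}

// Constructed sample run: a message is encrypted for Bob; Eve holds a
// different key pair.
function demo() {
  const bob = generateKeyPair('bob-constructed-password');
  const eve = generateKeyPair('eve-constructed-password');
  const msg = encryptFor(bob.publicKey, 'Meet at noon.');
  return {
    bobReads: decryptWith(bob.privateKey, 'bob-constructed-password', msg),
    eveCanRead: canRead(eve.privateKey, 'eve-constructed-password', msg),
    keyFileWithWrongPassword: canRead(bob.privateKey, 'wrong-guess', msg),
    publicKeyCanDecrypt: canRead(bob.publicKey, undefined, msg),
  };
}

console.log(demo());
```
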

Encrypting Messages in Webmail

I’m going to list several of the best webmail encryption tools, where you can use them, and how they help you send encrypted emails.

1. Mailvelope


Mailvelope remains one of the best and easiest webmail encryption tools around. It uses asymmetric encryption to secure your emails. The Mailvelope browser extension seamlessly integrates with your webmail accounts in Gmail, Outlook.com, Yahoo Mail, GMX, mail.ru, Zoho Mail, and more.

Mailvelope works directly from your browser. Once you download the app, the Mailvelope icon will appear alongside the address bar. Clicking the icon gives you several options: Dashboard, Keyring, and File Encryption. To get started:

  1. Select Keyring > Generate Key
  2. Enter your name and the email address you want to link to the encryption keys. Next, add a secure, unique password, then select Generate to create your key.
  3. Head to your webmail account and verify your new key by opening the verification email and confirming the unique password from the previous section. Once you decrypt the message, you can select the verification link.
  4. After verification, you receive a link containing your public key. (It is a long alphanumeric string.) You can share the public key with other people so they can encrypt messages they send to you.

You can access the public key from the Keychain option. If you want to send it to someone, locate the key, then select Export and either Display Public Key or Send Public Key by Mail. Once the recipient has the key, you can send them a secure message from your webmail account.

For instance, the Mailvelope icon appears to the top-right in a new Gmail message. Click the message icon and start typing!


Download: Mailvelope for Chrome | Firefox

2. FlowCrypt


FlowCrypt is another excellent encryption option for those using Gmail. Like Mailvelope, FlowCrypt syncs perfectly with your Gmail account, allowing you to send email using the PGP encryption standard.

Once you download FlowCrypt, select the FlowCrypt icon alongside your Chrome address bar. To set up FlowCrypt:

  1. Select Create a new key
  2. Create a secure passphrase. (A passphrase is a unique string of words, rather than a password, which uses letters, numbers, and symbols.) Head to Use a Passphrase if you’re struggling to think of something—but make sure you make a copy!
  3. Head to your Gmail account. Above the regular “Compose” button is a new option: Secure Compose.
  4. Select Secure Compose and type your message.

A handy FlowCrypt feature is the PK button in the bottom right corner of the email compose window. The PK button adds your public key to the email so that recipients without FlowCrypt can still read your email.


FlowCrypt is available for Gmail on Chrome, Firefox, and Android. Also, you can use the Android app with any webmail app on your Android device, extending the functionality of FlowCrypt to numerous accounts.

However, FlowCrypt is planning apps for Windows, macOS, Linux, iOS, Thunderbird, and Outlook. The iOS version is due for 2019, with the FlowCrypt team looking to extend their mobile functionality before integrating other webmail services in the future.

Download: FlowCrypt for Chrome | Firefox | Android Beta

3. InfoEncrypt


InfoEncrypt is different from the previous two entries. It uses secret key—symmetric—encryption, rather than public key encryption. That means instead of sharing your public key to let people encrypt messages for you, you must arrange a password or passphrase before you can send and receive secure messages. InfoEncrypt uses the extremely strong AES-128 encryption algorithm, which is one of the strongest available for public use.

InfoEncrypt is extremely simple to use.

  1. Head to the website and type your message.
  2. Enter the secure unique password you have previously shared with the recipient.
  3. Select Encrypt and watch the magic unfold.
  4. Then, copy the ciphertext (that’s a text with encryption) to your webmail client and send it.

Your recipient should receive the message, copy the contents to the InfoEncrypt site, enter the password, and select Decrypt.
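
The same shared-password workflow can also be run locally instead of on a website. The sketch below is an added example, not InfoEncrypt's code or message format: it assumes scrypt for turning the password into an AES-128 key and GCM mode so that a wrong password or an altered message is rejected, and all function names are hypothetical.

```javascript
// Added illustration of shared-password (symmetric) encryption with Node's
// built-in crypto. Not InfoEncrypt's algorithm or format; the layout
// salt | iv | tag | ciphertext and all names are assumptions.
const crypto = require('node:crypto');

const SALT_LEN = 16; // random per message, so equal passwords give different keys
const IV_LEN = 12;   // GCM nonce
const TAG_LEN = 16;  // GCM authentication tag

// Stretch the human-chosen password into a 16-byte (128-bit) AES key.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 16);
}

// Returns base64 text that can be pasted into any webmail compose window.
function encryptText(password, plaintext) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv('aes-128-gcm', deriveKey(password, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64');
}

// Throws if the password is wrong or the text was modified in transit.
function decryptText(password, armored) {
  const raw = Buffer.from(armored, 'base64');
  if (raw.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('message too short');
  const salt = raw.subarray(0, SALT_LEN);
  const iv = raw.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = raw.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const body = raw.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-128-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// True only if the password opens an unmodified message.
function canOpen(password, armored) {
  try { decryptText(password, armored); return true; }
  catch { return false; }
}

// Constructed sample run with a constructed password and message.
function demo() {
  const password = 'constructed shared passphrase';
  const sealed = encryptText(password, 'The invoice is attached.');
  const damaged = Buffer.from(sealed, 'base64');
  damaged[damaged.length - 1] ^= 0x01; // flip one bit of the ciphertext
  return {
    opened: decryptText(password, sealed),
    wrongPasswordOpens: canOpen('not the passphrase', sealed),
    tamperedOpens: canOpen(password, damaged.toString('base64')),
  };
}

console.log(demo());
```
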

4. Encryption in Outlook.com

Office 365 subscribers have the option to add S/MIME encryption to their Outlook.com account. Free users will have to stick with one of the awesome options already mentioned. (The free options above are probably easier to use, too.) You also need a personal Digital Certificate for Outlook.com S/MIME encryption, which you can obtain using the steps below.

Obtain a Free Digital Certificate

  1. Using Mozilla Firefox, head to Comodo’s InstantSSL site. (You cannot use Microsoft Edge or Google Chrome for this task.)
  2. Scroll down and alongside Trial Certificates select Free.
  3. Enter the details for the email account you want to secure (that you use within Microsoft Outlook). Add a password. Accept the terms of the Subscriber Agreement and press Next, and follow the on-screen instructions.
  4. Head to your email account and open the Comodo collection email. Copy the collection link and paste it into the Mozilla Firefox address bar and press Enter. Enter your corresponding email address. Now, copy the Collection Password from the email into the Collection Password field and press Enter. Your Digital Certificate should immediately begin downloading (it will only take a second or two).
  5. Next up, and still working within Mozilla Firefox, you need to extract the Digital Certificate from the browser Certificate Store. This is necessary because the automatically downloaded certificate is in the wrong format. In Mozilla Firefox, head to Menu > Options > Privacy & Security, then scroll down to the Security section and select View Certificates.
  6. Select the Your Certificates tab, then select the Certificate Name for the relevant email address, and press Backup. Select a relevant and memorable filename, then Save the file to a memorable location. You must now create another password. This password is very important. It protects the backup file you are creating, as well as serving as a password when you install the Digital Certificate in another program.

The free certificate will last for 90 days. You will have to renew it after that time.

Chrome Users: Import Your Digital Certificate

At this point, Google Chrome users must import the new Digital Certificate into the Windows Certificate Store. Chrome uses the Windows Certificate Store to validate the authenticity of your Digital Certificate, so you need to import the Digital Certificate to use the Outlook.com S/MIME encryption.

Please note if you are using Firefox, you can proceed to the next section as your Digital Certificate is ready to use (Chrome and Firefox use different Digital Certificate authentication methods).

  1. In Windows, press Windows Key + R, then type certmgr.msc and press Enter.
  2. Highlight the Personal folder. Now, right-click and select All tasks > Import.
  3. Browse to the backup Digital Certificate location, locate your Digital Certificate, then Open.
  4. Enter the password created during the backup process in the previous section. Now, select Mark this key as Exportable and leave the option to Include all extended properties, then hit Next.
  5. Select Place all certificates in the following store.
  6. Make sure Personal is the folder selection, then hit Okay, followed by Next.
  7. Finish the import. You’ll see a notification that the process was successful.

Install the S/MIME Control

Your Outlook.com account uses “S/MIME Control” to manage your encryption certificates.

  1. Open your Outlook.com account in your browser.
  2. Create a new message, select the more options icon (three dots), then Message options > Encrypt this message (S/MIME).
  3. When the “Install S/MIME Control” prompt appears, select Run, verify the Windows Account Control prompt, and select Run.

Once you install and configure the S/MIME encryption options, you can use the Gear icon > S/MIME Settings menu to select whether to encrypt the contents of all your messages.

5. Send & Open Confidential Emails Using Gmail


Gmail recently introduced “Confidential Mode.” Confidential Mode is a way of sending secure messages, within Gmail, using a passcode and an expiration timer. Please note at the current time Confidential Mode isn’t available to paid-for G Suite members.

Here’s how you use it:

  1. Head to Gmail and select
  2. Alongside the Send button, locate the Turn Confidential Mode On/Off
  3. Alter your Confidential Mode settings; set an expiration date and select if the user requires a passcode to read your email, then select Save.
  4. Send your email as usual.

Recipients cannot forward, copy, or print Confidential Mode emails. Also, make sure you input the recipient mobile number if you use the passcode option. Otherwise, they cannot open your email!

What Is the Best Webmail Encryption?

For me, Mailvelope and FlowCrypt are the two best options for fast and secure webmail encryption. The FlowCrypt Android app certainly extends the functionality of that tool, while you can encrypt a wide range of webmail providers using Mailvelope.

If you’re in a pinch, InfoEncrypt is handy, but you do need to work out a secure password beforehand which is a downside.

Unfortunately, there aren’t many respectable, secure webmail encryption tools around. That is despite the focus on security, privacy, and data breaches.

Another excellent option is to switch provider entirely. Instead of using a webmail client that may well track and monitor your email contents, switch to a secure, encrypted email provider.


Leave a Reply


  1. CityguyUSA
    March 6, 2019 at 9:41 am

    What we need to happen is when you give anyone your email address it must encapsulate your encryption key in a way that it's impossible to give anyone your email that wouldn't include that encryption key.

    The recipient shouldn't have to do anything other than they're already doing. Put the email address in and the client encrypts or not based on the availability of a key. If there's no key then either an error has occurred or they inadvertently are using your email address like a spammer. If an unencrypted mail is received by a user with encryption the email is rejected with encryption key returned to the sender alerting them that their message was unable to be received because it wasn't encrypted. They need to just send to an email with the encryption hidden behind the scenes.

    I'm just spitballing a bit here maybe someone has another theory.

  2. Tim O Ozenne
    March 5, 2019 at 9:21 pm

    Maybe I just overlooked it, but I was hoping for a discussion of what happens on the recipient’s side. Once I encrypt and mail a document, will the recipient find it easy to decode and read the item? I quit using any encryption a while back, but only because few recipients would know what to do with the encoded item.

  3. laura
    March 12, 2016 at 5:32 pm

    I've been getting collective cyberstalking stalked by some British creep called gary turk, this online site is participating in this shit!

    • Wanda Star
      May 8, 2016 at 12:47 am

      Many women protect themselves from creeps by using the very technology you're attacking. They also do quite a bit of payback. Learn the technology and stop being a victim.

  4. D. Jakubowski
    December 22, 2013 at 4:07 am

    I've started using https://startmail.com as a BETA-Tester, and I think it's great! I don't have to do any difficult procedures with my regular mail accounts, I can just use startmail and can send an encrypted email by just checking a box. It can't get any easier than that, and I love it. You should check it out!

  5. M. Fioretti
    October 22, 2013 at 4:56 pm

    Check mailpile and/or the percloud http://per-cloud.com for ways to make this easier and not so browser specific.

  6. Mahesh C
    October 3, 2013 at 5:39 am

    nice post very informative but you can also send exe files as attachment in how to send exe files via gmail

  7. g
    July 19, 2013 at 4:52 am

    You might take a look at SecureGmail, https://www.streak.com/securegmail. It appears to work only with Chrome, but the underlying code developed at Stanford University claims to be browser agnostic. This may mean an extension for Firefox could be available some day. SecureGmail APPEARS to take some of the web side risk out of the equation, but I still try to stay with client side apps only.

    Good and timely article.

    -g

  8. Webscience
    July 15, 2013 at 3:28 pm

    What I don't understand is why would somebody concerned about the secrecy of a message, and goes through the effort of encrypting it, does this via an obscure Russian website from Igor Artamonov (whois), who doesn't even say what is done with the messages that are sent over plain http (not even https) post?

    In other words, the message is sent in plain text, so any sniffer interested in you would see it, and second, who is infoencrypt.com and what do they do with your messages that they encrypt.

    So, thanks for the advice but please do your homework if you want to advise people about security and privacy.

  9. guy
    July 14, 2013 at 4:00 pm

    Shouldn't gpg4win be on here?

  10. Rule 34
    July 12, 2013 at 4:04 am

    This doesn't matter as the Guardian article said that MS gets the data from the email BEFORE the encryption is applied. If they are doing it, you can bet the others are as well.

  11. Brandon R
    July 12, 2013 at 3:00 am

    Ryan Dube once again you have provided a very interesting article, thanks again. I did try Mailvelope once which is basically the same as Portable PGP & I did try Safe Gmail however I prefer to rely on client apps to encrypt my data instead of web apps as I feel more safe using client apps. Oh by the way there is an extension for Chrome named Quick Encrypt which you can use for symmetric encryption also.

    • Ryan Dube
      July 12, 2013 at 4:26 am

      Thanks Brandon - and I agree 100% on client app vs. web app. I don't like that there's that stream of communication between my PC and the web service that's vulnerable. I'm definitely a 100% supporter of using client encryption apps for better protection.

  12. m
    July 12, 2013 at 12:42 am

    does Burn Note belong on this list ?

    • Ryan Dube
      July 12, 2013 at 4:25 am

      Absolutely.

  13. ReadandShare
    July 11, 2013 at 9:01 pm

    I recall reading somewhere that the laws allow NSA, etc. to track/monitor non-citizens. How can a particular agent tell? He/she only needs to be satisfied of 51% probability that the parties involved "might be" foreign. There is no process for obtaining warrant or a second look by anyone else -- higher up or otherwise.

    I also recall that encrypted emails may preclude said agent from making the above determination -- in which case, the meta data, etc. may be stored indefinitely.

    • ReadandShare
      July 11, 2013 at 9:03 pm

      The sentence in the first paragraph above should read, "There is no need for obtaining warrant...".

    • Ryan Dube
      July 12, 2013 at 4:24 am

      I think that's all the more reason to send the encrypted messages through a proxy service that you log into prior to creating and sending the email, as described in a number of articles here at MUO.

      Given, it's possible for them to trace you through a proxy as well, but it's a heck of a lot more work for them, and requires not only the cooperation of the email provider, but also the proxy provider, who are notorious for not cooperating, particularly if they are located outside of the U.S.

      The only thing you can't control is if someone is tracking what's going directly between your own computer and the proxy server. You can encrypt that, but again, nothing is perfect. Still - some protection is better than no protection.

  14. Henk van Setten
    July 11, 2013 at 8:13 pm

    Gee, all this surely looks like a way to make life terribly complicated. I suppose one must have a very good reason to take all this trouble.
    For myself, I can't think of such a reason. Maybe I'm lucky or (probably) a little naive. But even if I were to mail with some person in China (your example) I still can't think of an obvious reason to encrypt that email exchange.
    Besides, in a situation like that, wouldn't encrypted email attract exactly the kind of attention you were trying to avoid?
    Just suppose (1) I were to email with someone In China or wherever, and (2) we knew that a government was probably monitoring email communications, and (3) we wanted to discuss something secret or illegal, so (4) we took the trouble to exchange encrypted emails.
    Wouldn't that work like a red flag (no pun intended)? If I were a government monitoring email traffic, I surely would separate the few encrypted emails from all other non-encrypted emails. Those few encrypted emails would immediately draw my attention (apparently, here we have people who try to hide something) so I would mark them (and the sender, and the receiver) immediately as "highly suspect", and hand over those emails to some professional code-breakers, and also put the sender/receiver under intensified surveillance in other ways...
    Imho, in such a situation a much better way of "encrypting" would be to simply agree on some code words and expressions in advance (like spies did in WW2) so your correspondence would not look encrypted, but in all respects perfectly ordinary - and it wouldn't draw the attention of monitoring agencies.
    Like, you would mail: "Yesterday I saw Franzli, I gave him your best wishes, and he told me Eva would travel to the mountains tomorrow" and the recipient would know you meant "Yesterday I saw our Reichskanzlei agent, I gave him your bar of dynamite, and he told me Hitler was due to go to Bavaria tomorrow." Wouldn't messages like that both be easier, and attract less suspicion?
    Ah... if only I could be James Bond... with your post you really got me dreaming of a better, much more glitzy and exciting life, Ryan!

    • ReadandShare
      July 11, 2013 at 9:04 pm

      Why do quotations " " show up here as brackets? Is it just me?

    • Ryan Dube
      July 12, 2013 at 4:21 am

      Ha - it's glitzy and exciting on the surface, I'm sure. Probably not so glitzy to end up in some high-security prison for treason! I do see your points btw - it could be possible encrypted transmissions would attract the interests of organizations like the government of China. I suppose it depends on who you're trying to hide the information from I suppose. If it's hackers or malware, it'll do the trick - but you're probably right that with international communications for the purpose of spying, there could be intelligence folks out there specifically targeting encrypted communications. You never know!

      I actually like your idea of the "in plain sight" approach. Sending innocuous messages with embedded "hidden" messages inside that only the recipient knows to look for. Encoded images is an interesting area in that regard, but I think intelligence folks across the world are much wiser to that today - due to the fact that terrorists used that technique for many years.

    • 007
      July 13, 2013 at 9:26 pm

      maybe, governments like ours are watching at a specific person first, followed by tapping his/her mail? instead of sifting first through zillion emails and pick the ones which are encrypted?

    • Name
      July 16, 2013 at 7:07 am

      @Henk van Setten, there is a flaw in your idea that an encrypted email will be a red flag to the NSA watching the emails go past: there are millions and millions of emails already encrypted moving all over the planet. So your few encrypted emails will not be any more of a red flag than the millions of others.

      Lots of businesses send encrypted emails to protect against general hackers, corporate espionage, disgruntled employees, competitors, foreign governments (like China), and more.

      Lots of individuals send encrypted emails because they contain personal information, e.g. general medical info, financial records, Rx prescription files, psychiatric - mental health info, award winning BBQ recipes, etc.

      • Wake UP!!!
        December 13, 2016 at 8:17 pm

        Actually, encryption is a red flag for the NSA. I've heard claims that encryption stands out from the other traffic and is saved for later analysis regardless of what the content actually is.

        The problem is we need a simple type and click, end to end solution for the less savvy computer user. This will propagate so much encrypted traffic that it wouldn't be cost effective for the NSA, or any other nation state, to attempt to crack it.