Practical Computer Advice
from Martin Kadansky
How to Send Secure, Encrypted Email for Free
The problem: Regular email is neither private nor secure
If you and I have a conversation by email, whether the back-and-forth takes place over a day or a week or a month, as long as we receive each other's messages, for any number of reasons we can both have the illusion that it's a private conversation that no one else can see. From there it's easy to imagine why someone would send confidential information through regular email, including:
- Passwords and related security questions and answers
- Bank account and credit card numbers
- Bookkeeping files and reports, tax returns, and other financial information
- Social security numbers, birthdates, home addresses
- Confidential customer information, medical records
Unfortunately, despite how it may appear in the moment, email isn't really private or secure.
Postal Service analogy
- I write a letter to you (yes, on paper!) containing some important confidential information, seal it in an envelope, stamp it, and drop it into my local blue U.S. Postal Service mailbox.
- My letter (along with many others) goes to a local sorting facility, and ends up on a Postal Service truck.
- The truck driver gets on the highway and heads towards the Postal Service facility in your area.
- That evening, the truck driver pulls into a rest stop to get some dinner.
- While the truck driver is enjoying some pie, some clever thieves carefully and quietly break into that truck, scan the sacks of mail, and find my letter to you. They make a copy of it, put it back, and continue scanning the other sacks. When they're done, they quietly exit the truck and lock it again.
- The driver gets back in the truck and back onto the highway, and later that night arrives at the Postal Service facility in your area.
- Your local Post Office delivers my letter to you, and no one (except the thieves) has any idea that this theft of information from my letter (and many others) has occurred.
- On their own time and on their own schedule, the thieves make use of that confidential information.
In other words, when I send an email to you, my email first goes to my local outgoing server (at Comcast or Verizon or some other company), then it passes through one or more intermediate servers on its way to you. Eventually it arrives on your email server and is placed in your "mailbox," where you can read it using your email software or webmail. If a clever thief can quietly break into any of those intermediate computers and install special "snooping" software (programmed to find messages containing information worth stealing, and then send copies of them to the thief), they can steal the information without interfering with the delivery of those messages.
This is only one of many possible scenarios, but hopefully this will motivate you to re-examine the type of information you are sending via regular (insecure) email, take steps to protect that information going forward, and educate other people you know about the danger of ignoring this risk.
Example of email theft
Many years ago one of the business groups to which I belong was changing Treasurers. The outgoing Treasurer emailed all the banking and PayPal account information and passwords to the new Treasurer. Within hours they saw fraudulent charges appear in their accounts.
A fairly simple, free solution: Create an encrypted PDF attachment, send that instead
This technique lets you send confidential information using regular email in a secure fashion:
Instead of putting confidential information into the body of the email (or an attachment), create an encrypted PDF file containing that information, and then attach that PDF to your email. In essence, you'll put the information into a "safe," lock it with encryption and a password, then ship the safe. Then you tell the recipient the password over the phone or voicemail so they can open it. Don't send the password via email or text messaging!
There are five main parts to this technique.
Part 1: The software you'll need (one-time setup)
For Microsoft Windows, you'll need:
- Adobe Reader, which may already be on your computer, or you can download it for free from the http://www.adobe.com web site.
- A PDF "virtual printer driver" that lets you make encrypted PDF files. See "PDFCreator for Windows" below for more information.
For Macintosh, you've already got everything you need:
- You can either use the "Preview" program that is already part of Mac OS X, or the free Adobe Reader if you've already installed it.
- The PDF "virtual printer driver" built into Mac OS X already has the ability to make encrypted PDF files.
Part 2: Decide on an encryption password
Your encrypted PDF file will need a strong, unique password. Who will choose it?
- If you choose it, you should tell your recipient by phone or voicemail. Do not email it or send it via text message!
- If your recipient chooses it, they should tell you by phone or voicemail, not email or text message!
Part 3: "Print" your confidential message into an encrypted PDF
Let's say you want to send your Social Security number to your new accountant. Instead of typing "My SSN is 123-45-6789" into the body of an email, you would:
- Open a blank Microsoft Word or Notepad or TextEdit window
- Type your entire message ("My SSN is 123-45-6789," etc.) into that window
- Pull down the File menu and choose Print
- Choose your PDF "virtual printer driver" instead of your real-life printer. (On Macintosh, click PDF->Save as PDF...)
- Click the appropriate options to add an encryption password; look for "Security" or "Options" or "Password" or "Encrypt"; be sure to use a strong and unique password.
- Give the resulting PDF file a name (perhaps "Info for accountant encrypted.pdf") and save it to an appropriate folder (like your Desktop).
- Try opening that encrypted PDF file yourself to make sure the password works.
Part 4: Send that encrypted PDF file via regular email
Compose an email to your recipient, attach the encrypted PDF file you just made, and send it. Don't include the password!
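A check to run on the finished PDF before attaching it, added here as an example and not part of the original newsletter: it reads the file's /Encrypt dictionary and reports which cipher the PDF tool actually applied, since some tools and lower "security level" settings still produce 40-bit RC4. The function names and the sample fragments are constructed for illustration.

```python
import re
import sys

def _num(pattern, body, default):
    m = re.search(pattern, body)
    return int(m.group(1)) if m else default

def pdf_cipher(data: bytes):
    """Return None if the PDF has no /Encrypt entry, else the cipher name."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if ref:  # usual case: trailer points at "N G obj ... endobj"
        pat = rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj(.*?)endobj"
        obj = re.search(pat, data, re.S)
        body = obj.group(1) if obj else b""
    else:    # encryption dictionary written inline in the trailer
        inline = re.search(rb"/Encrypt\s*<<", data)
        if not inline:
            return None
        body = data[inline.end():inline.end() + 2048]
    v = _num(rb"/V\s+(\d+)", body, 0)
    cfm = re.search(rb"/CFM\s*/(\w+)", body)   # crypt filter method (V 4 and 5)
    cfm = cfm.group(1).decode() if cfm else ""
    if v == 5 or cfm == "AESV3":
        return "AES-256"
    if cfm == "AESV2":
        return "AES-128"
    if v == 4:       # crypt filters in use, but not an AES method
        return "RC4"
    if v in (1, 2):  # /Length is the key size in bits, 40 when absent
        return "RC4-%d" % _num(rb"/Length\s+(\d+)", body, 40)
    return "unknown"

def safe_to_attach(data: bytes) -> bool:
    cipher = pdf_cipher(data)
    return cipher is not None and cipher.startswith("AES")

# Constructed fragments (not complete PDFs), just enough structure for the scan.
SAMPLE_AES = (b"%PDF-1.6\n7 0 obj\n<< /Filter /Standard /V 4 /R 4 /Length 128\n"
              b"/CF << /StdCF << /CFM /AESV2 /Length 16 >> >> /StmF /StdCF >>\n"
              b"endobj\ntrailer\n<< /Root 1 0 R /Encrypt 7 0 R >>\n%%EOF")
SAMPLE_RC4 = (b"%PDF-1.3\n5 0 obj\n<< /Filter /Standard /V 1 /R 2 >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF")
SAMPLE_PLAIN = b"%PDF-1.4\ntrailer\n<< /Root 1 0 R >>\n%%EOF"

if __name__ == "__main__":
    # Real use: pass the path of the PDF you are about to attach.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AES
    print(pdf_cipher(data), "- OK to attach" if safe_to_attach(data) else "- do NOT send")
```

A result of None means the file was saved without any encryption; an RC4 result means the password option was applied with an outdated cipher, so pick the tool's highest security setting and print the PDF again.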
Part 5: The software your recipient will need
If your recipient uses Microsoft Windows, they will need:
- Adobe Reader, which you're likely to already have, or you can download it for free from the http://www.adobe.com web site.
If your recipient uses Macintosh, they already have everything they need:
- Both the "Preview" program (that comes with Mac OS X) and Adobe Reader (extra software they may have already installed) can open PDF files.
Tips on creating encrypted PDF files
Here are some additional things to know:
- You can also use this method with an existing confidential regular document (Word, Excel, etc.). Simply open the document, print it to an encrypted PDF file, and then attach the PDF to an email. Make sure the recipient knows the password via a separate conversation, not via email or text messaging!
- If your original document has a name like "Smith 2013 report.doc," I suggest calling the encrypted PDF file "Smith 2013 report encrypted.pdf" to make it clear that it's encrypted.
- If you're on Windows, and you have an unencrypted PDF from which you want to generate an encrypted PDF, this method will work. However, if you're on Macintosh, you cannot do this using Adobe Reader (which blocks the "Save as PDF" function in the Print dialog), but you can do this using the "Preview" program in two ways: either via Print->Save as PDF, or via File->Save As (or File->Export).
- If you have more than a few documents to send, or a mix of documents, photos, audio, video, etc., this method won't help. Instead, I suggest creating an encrypted "container" using encryption software like TrueCrypt (free) or WinZip ($29.95) and sending that instead, or using a secure email service like Voltage SecureMail Cloud from Voltage.com/vsn ($99/year).
PDFCreator for Windows
One free PDF "virtual printer driver" for Windows I've used is PDFCreator (http://www.pdfforge.org). After installing it, the first time you choose Print you should activate the encryption option:
- Turn off "After saving, open output file"
- Click Options, then PDF (on the left), then Security (on the right)
- Turn on these options: "Use Security," "Password required to open document," and "Very High"
- Under "Disallow," turn off the "Copy text and images" option
- Click Save
Other solutions: Don't send confidential information using email at all
As an alternative, you don't have to use email. Instead, you could send the confidential information using:
- Phone or voicemail - confirm that no one else has access to their voicemail
- Fax - confirm that their machine is private and out of sight, not out in an open room
- U.S. Mail: Send a paper printout, a CD, DVD, flash drive, or hard drive
- Hand-deliver it, meet in person
Where to go from here
- The next time you write an email containing confidential information, STOP and think about a better, more secure way to send it, and consider using this method.
- If you already have software on your computer that lets you make a PDF, find out whether it lets you add encryption. Look for "Security" or "Options" or "Password" or "Encrypt."
- The next time someone sends you an email containing confidential information, ask them to stop doing that and find a more secure way. (Tip: If you click Reply to tell them, remove the confidential information from your reply before you hit Send so you're not contributing to the problem!)
- http://www.kadansky.com/files/newsletters/2010/2010_08_31.html - "Data Security: What's the best way to protect my electronic files? Use encryption"
- http://www.kadansky.com/files/newsletters/2013/2013_04_25.html - "Going Paperless, Carefully: Print to a PDF!"
How to contact me:
phone: (617) 484-6657
Copyright (C) 2014 Kadansky Consulting, Inc. All rights reserved.
I love helping people learn how to use their computers better! Like a "computer driving instructor," I work 1-on-1 with small business owners and individuals to help them find a more productive and successful relationship with their computers and other high-tech gadgets.