How to Send Secure, Encrypted Email for Free The problem: Regular email is neither private nor secure If you and I have a conversation by email, whether the back-and-forth takes place over a day or a week or a month, as long we receive each other's messages, for any number of reasons we can both have the illusion that it's a private conversation that no one else can see. From there it's easy to imagine why someone would send confidential information through regular email, including:
- Passwords and related security questions and answers
- Bank account and credit card numbers
- Bookkeeping files and reports, tax returns, and other financial information
- Social security numbers, birthdates, home addresses
- Confidential customer information, medical records
Unfortunately, despite how it may appear in the moment, email isn't really private or secure. Postal Service analogy Imagine this:
- I write a letter to you (yes, on paper!) containing some important confidential information, seal it in an envelope, stamp it, and drop it into my local blue U.S. Postal Service mailbox.
- My letter (along with many others) goes to a local sorting facility, and ends up on a Postal Service truck.
- The truck driver gets on the highway and heads towards the Postal Service facility in your area.
- That evening, the truck driver pulls into a rest stop to get some dinner.
- While the truck driver is enjoying some pie, some clever thieves carefully and quietly break into that truck, scan the sacks of mail, and find my letter to you. They make a copy of it, put it back, and continue scanning the other sacks. When they're done, they quietly exit the truck and lock it again.
- The driver gets back in the truck and back onto the highway, and later that night arrives at the Postal Service facility in your area.
- Your local Post Office delivers my letter to you, and no one (except the thieves) has any idea that this theft of information from my letter (and many others) has occurred.
- On their own time and on their own schedule, the thieves make use of that confidential information.
In other words, when I send an email to you, my email first goes to my local outgoing server (at Comcast or Verizon or some other company), then it passes through one or more intermediate servers on its way to you. Eventually it arrives on your email server and is placed in your "mailbox," where you can read it using your email software or webmail. If a clever thief can quietly break into any of those intermediate computers and install special "snooping" software (programmed to find messages containing information worth stealing, and then send copies of them to the thief), they can steal the information without interfering with the delivery of those messages. This is only one of many possible scenarios, but hopefully this will motivate you to re-examine the type of information you are sending via regular (insecure) email, take steps to protect that information going forward, and educate other people you know about the danger of ignoring this risk. Example of email theft Many years ago one of the business groups to which I belong was changing Treasurers. The outgoing Treasurer emailed all the banking and PayPal account information and passwords to the new Treasurer. Within hours they saw fraudulent charges appear in their accounts. A fairly simple, free solution: Create an encrypted PDF attachment, send that instead This technique lets you send confidential information using regular email in a secure fashion: Instead of putting confidential information into the body of the email (or an attachment), create an encrypted PDF file containing that information, and then attach that PDF to your email. In essence, you'll put the information into a "safe," lock it with encryption and a password, then ship the safe. Then you tell the recipient the password over the phone or voicemail so they can open it. Don't send the password via email or text messaging! There are five main parts to this technique. Part 1: The software you'll need (one-time setup) For Microsoft Windows, you'll need:
- Adobe Reader, which may already be on your computer, or you can download it for free from the http://www.adobe.com web site.
- A PDF "virtual printer driver" that lets you make encrypted PDF files. See "PDFCreator for Windows" below for more information.
For Macintosh, you've already got everything you need:
- You can either use the "Preview" program that is already part of Mac OS X, or the free Adobe Reader if you've already installed it.
- The PDF "virtual printer driver" built into Mac OS X already has the ability to make encrypted PDF files.
Part 2: Decide on an encryption password Your encrypted PDF file will need a strong, unique password. Who will choose it?
- If you choose it, you should tell your recipient by phone or voicemail. Do not email it or send it via text message!
- If your recipient chooses it, they should tell you by phone or voice voicemail, not email or text message!
Part 3: "Print" your confidential message into an encrypted PDF Let's say you want to send your Social Security number to your new accountant. Instead of typing "My SSN is 123-45-6789" into the body of an email, you would:
- Open a blank Microsoft Word or Notepad or TextEdit window
- Type your entire message ("My SSN is 123-45-6789," etc.) into that window
- Pull down the File menu and choose Print
- Choose your PDF "virtual printer driver" instead of your real-life printer. (On Macintosh, click PDF->Save as PDF...)
- Click the appropriate options to add an encryption password; look for "Security" or "Options" or "Password" or "Encrypt"; be sure to use a strong and unique password.
- Give the resulting PDF file a name (perhaps "Info for accountant encrypted.pdf") and save it to an appropriate folder (like your Desktop).
- Try opening that encrypted PDF file yourself to make sure the password works.
Part 4: Send that encrypted PDF file via regular email Compose an email to your recipient, attach the encrypted PDF file you just made, and send it. Don't include the password! Part 5: The software your recipient will need If your recipient uses Microsoft Windows, they will need:
- Adobe Reader, which you're likely to already have, or you can download it for free from the http://www.adobe.com web site.
If your recipient uses Macintosh, they already have everything they need:
- Both the "Preview" program (that comes with Mac OS X) and Adobe Reader (extra software they may have already installed) can open PDF files.
Tips on creating encrypted PDF files Here are some additional things to know:
- You can also use this method with an existing confidential regular document (Word, Excel, etc.). Simply open the document, print it to an encrypted PDF file, and then attach the PDF to an email. Make sure the recipient knows the password via a separate conversation, not via email or text messaging!
- If your original document has a name like "Smith 2013 report.doc," I suggest calling the encrypted PDF file "Smith 2013 report encrypted.pdf" to make it clear that it's encrypted.
- If you're on Windows, and you have an unencrypted PDF from which you want to generate an encrypted PDF, this method will work. However, if you're on Macintosh, you cannot do this using Adobe Reader (which blocks the "Save as PDF" function in the Print dialog), but you can do this using the "Preview" program in two ways: either via Print->Save as PDF, or via File->Save As (or File->Export).
- If you have more than a few documents to send, or a mix of documents, photos, audio, video, etc., this method won't help. Instead, I suggest creating an encrypted "container" using encryption software like TrueCrypt (free) or WinZip ($29.95) and sending that instead, or using a secure email service like Voltage SecureMail Cloud from Voltage.com/vsn ($99/year).
PDFCreator for Windows One free PDF "virtual printer driver" for Windows I've used is PDFCreator (http://www.pdfforge.org). After installing it, the first time you choose Print you should activate the encryption option:
- Turn off "After saving, open output file"
- Click Options, then PDF (on the left), then Security (on the right)
- Turn on these options: "Use Security," "Password required to open document," and "Very High"
- Under "Disallow," turn off the "Copy text and images" option
- Click Save
Other solutions: Don't send confidential information using email at all As an alternative, you don't have to use email. Instead, you could send the confidential information using:
- Phone or voicemail - confirm that no one else has access to their voicemail
- Fax - confirm that their machine is private and out of sight, not out in an open room
- U.S. Mail: Send a paper printout, a CD, DVD, flash drive, or hard drive
- Hand-deliver it, meet in person
Where to go from here
- The next time you write an email containing confidential information, STOP and think about a better, more secure way to send it, and consider using this method.
- If you already have software on your computer that lets you make a PDF, find out whether it lets you add encryption. Look for look "Security" or "Options" or "Password" or "Encrypt."
- The next time someone sends you an email containing confidential information, ask them to stop doing that and find a more secure way. (Tip: If you click Reply to tell them, remove the confidential information from your reply before you hit Send so you're not contributing to the problem!)
- http://www.kadansky.com/files/newsletters/2010/2010_08_31.html - "Data Security: What's the best way to protect my electronic files? Use encryption"
- http://www.kadansky.com/files/newsletters/2013/2013_04_25.html - "Going Paperless, Carefully: Print to a PDF!"
| How to contact me: email: martin@kadansky.com phone: (617) 484-6657 web: http://www.kadansky.com On a regular basis I write about real issues faced by typical computer users. To subscribe to this newsletter, please send an email to martin@kadansky.com and I'll add you to the list, or visit http://www.kadansky.com/newsletter Did you miss a previous issue? You can find it in my newsletter archive: http://www.kadansky.com/newsletter Your privacy is important to me. I do not share my newsletter mailing list with anyone else, nor do I rent it out. Copyright (C) 2014 Kadansky Consulting, Inc. All rights reserved. I love helping people learn how to use their computers better! Like a "computer driving instructor," I work 1-on-1 with small business owners and individuals to help them find a more productive and successful relationship with their computers and other high-tech gadgets. |
|