How to encrypt any email – in Outlook, Gmail, and other popular services



Data privacy has become absolutely crucial for businesses. And some businesses go to great lengths to protect their data, files, and communications.

However, many consumers and smaller businesses continue to believe that adding extra security isn’t worth the extra work required. Wrong! Anyone who refuses or neglects to take the extra steps could find themselves on the wrong end of a data breach.

Say, for example, you include sensitive information in an innocent email, only to discover that a bad actor intercepted the message, read the content of that email, and extracted the information for some nefarious purpose.

You don’t want that. Even if it does require an extra bit of work on your part, being safe is so much better than being sorry.

What do you do? You encrypt your email (or the email containing sensitive information). 

What is email encryption?

Email encryption is a way to restrict an email such that only the recipient can read it. This works by way of encryption key pairs like so:

  • The recipient creates a GPG key pair (consisting of a public and a private key) and sends the public key to you.
  • You import the public key into your keyring.
  • You then send a message to the recipient’s email address (associated with the newly imported key).
  • The recipient receives the email and can read it because they have the private key that matches the public key you imported.

If the email is intercepted on the way, it cannot be read without the matching private key. That, of course, brings up one crucial issue that cannot be stressed enough — never share your private key with anyone.

Yes, adding encryption to email does add extra steps to your process, but when dealing with sensitive information, those extra steps will be well worth the effort.

Because every email client does this differently, I’m going to demonstrate using the open-source Thunderbird application. I’m also going to demonstrate how to create your GPG key (using GnuPG), so you can help your recipients generate the necessary key pairs and send you their public keys.

Here’s how it works.

How to encrypt your email

When GnuPG generates your key pair, you’ll be asked the following questions (answer with the defaults):

  • Please select what kind of key you want:
  • What key size do you want?
  • The key is valid for?

When prompted, type y to verify the creation of the key. You’ll then be required to add a real name, an email address associated with the key, and an optional comment. Finally, you’ll be required to type and verify a password for the new key pair. After that, your key is created and ready for export.

Next, we need to export the public key so it can then be sent to the person who will need to send you an encrypted email. To export the key, issue the command:



gpg --export -a "EMAIL" > public_key

Where EMAIL is the email associated with the key you just generated. Once you’ve generated the file (named public_key), send it to the person who will be encrypting the email to you.

Next, we need to import the public key that was sent to you. Open Thunderbird, click the Menu button and click Account Settings. 

In the left sidebar, click End-To-End Encryption and then click OpenPGP Key Manager.


[Screenshot: Gaining access to the OpenPGP manager from within Thunderbird. Credit: Jack Wallen/ZDNET]

Click File > Import Public Key From File, and then make sure to select All Files from the drop-down at the bottom right corner of the window.


[Screenshot: Importing the public key from within the OpenPGP Key Manager. Credit: Jack Wallen/ZDNET]

Locate the file you saved (the public key from the recipient that will receive your email) and click Open. In the resulting window, select Accepted (unverified) and click OK. The key will be imported and ready to use.


[Screenshot: Importing Henry Jekyll’s key might not be the best idea, but I’m going for it. Credit: Jack Wallen/ZDNET]

Close the Key Manager and go back to the Thunderbird main window. Compose a new message to the email address associated with the encryption key, and then (in the email compose window) click the Security drop-down and click the checkboxes for Require Encryption and Digitally Sign This Message.

Send the message as normal, and it will be encrypted such that the only person who can decrypt it is the owner of the private key that matches the public key you imported.
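
The same exchange on the command line, as an added example that is not from the original article: two throwaway keyrings stand in for recipient and sender, and the sender compares fingerprints before encrypting instead of accepting the key unverified. It assumes GnuPG 2.1 or later; the address, the message, the empty passphrase and the helper names (g, fpr, roundtrip_demo) are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: the key exchange above, run against two throwaway keyrings.
# Assumes GnuPG 2.1+; address, message and helper names are constructed.
set -eu
EMAIL="recipient@example.test"

# g KEYRING ARGS...: run gpg non-interactively against one keyring.
g() { local home=$1; shift; gpg --homedir "$home" --batch --quiet "$@"; }

# fpr KEYRING: print the primary-key fingerprint for $EMAIL.
fpr() { g "$1" --with-colons --fingerprint "$EMAIL" | awk -F: '/^fpr:/{print $10; exit}'; }

roundtrip_demo() {
  local rcpt sndr result
  rcpt=$(mktemp -d); sndr=$(mktemp -d)
  # 1. Recipient creates a key pair (empty passphrase: demo only) and
  #    exports the public half, as with the page's export command.
  g "$rcpt" --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Demo Recipient <$EMAIL>" default default never
  g "$rcpt" --export -a "$EMAIL" > "$sndr/public_key"
  # 2. Sender imports the file, then checks the fingerprint against the
  #    one the recipient reads out over a separate channel (simulated
  #    here by reading it straight from the recipient's keyring).
  g "$sndr" --import "$sndr/public_key"
  [ "$(fpr "$sndr")" = "$(fpr "$rcpt")" ] || { echo "fingerprint mismatch"; return 1; }
  # 3. Sender encrypts to the key that was just checked.
  echo "constructed sample: account number 0000" |
    g "$sndr" --trust-model always --armor --encrypt --recipient "$EMAIL" \
      > "$sndr/msg.asc"
  # 4. The sender's keyring has no private key, so it cannot decrypt;
  #    the recipient's keyring can.
  if g "$sndr" --decrypt "$sndr/msg.asc" >/dev/null 2>&1; then
    result="unexpected: decrypted without the private key"
  else
    result=$(g "$rcpt" --decrypt "$sndr/msg.asc")
  fi
  gpgconf --homedir "$rcpt" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$sndr" --kill gpg-agent 2>/dev/null || true
  rm -rf "$rcpt" "$sndr"
  printf '%s\n' "$result"
}

if command -v gpg >/dev/null 2>&1; then
  roundtrip_demo
else
  echo "gpg is not installed; nothing to demonstrate" >&2
fi
```

In real use the key would carry a passphrase, and the fingerprint in step 2 would come from the recipient by phone or in person rather than from their keyring.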


[Screenshot: Encrypting and signing your new email. Credit: Jack Wallen/ZDNET]

And that is how email encryption works. I hope you find this to be much easier than you expected, and that it will inspire you to start using this extra security layer in your email communications.

Is there a difference between secure and encrypted email?

Yes. Secure email refers to the security of the connection used to send and receive email (with every step along the way being secure), whereas encrypted email is when the content of the email is encrypted, so only the intended recipient can read the content.

Can you encrypt email for free?

Yes. With tools like OpenPGP and Gpg4win, you can encrypt email for free on your local email client (such as Thunderbird and Outlook).




