Set up email encryption: step-by-step instructions for data protection and security - without any technical jargon. Here I'll show you how to use S/MIME and OpenPGP to secure the sending of sensitive information and protect your mailbox from potential attacks.
Key points
- Asymmetric encryption with private and public keys effectively protects content.
- OpenPGP and S/MIME are the two leading standards for e-mail encryption.
- The digital signature guarantees the authenticity of the sender and the integrity of the message.
- Key management and exchange are crucial for secure communication.
- The right email client and a reliable hosting partner make implementation easier.
What does e-mail encryption actually mean?
With email encryption, the content is encoded in such a way that only the intended recipient can read it. This is usually done using asymmetric methods with a public and a private key: the public key encrypts the message, and only the matching private key can make it readable again. This effectively prevents third parties from reading messages in transit or tampering with them unnoticed.
At the same time, every e-mail can also be digitally signed. This way, the sender confirms its authenticity and the recipient recognizes whether someone has manipulated the message. I regularly use this method myself to exchange confidential information in teams or with customers.
Transport encryption vs. end-to-end encryption
Email encryption is often confused with pure transport encryption (TLS/SSL). Mail server connections via TLS do ensure that emails are not sent over the Internet in plain text, but strictly speaking this only protects the transmission between mail servers: the message can still sit in plain text on the servers themselves. With genuine end-to-end encryption - i.e. with OpenPGP or S/MIME - the sender encodes the message on their own device, so it cannot be viewed in plain text either in transit or on the server. This offers a higher security standard because only the legitimate recipient can decrypt the content with their private key, which makes eavesdropping by third parties practically impossible.
End-to-end encryption is therefore the method of choice for complete security and discretion. However, transport encryption remains important in addition to this in order to be protected against simple eavesdropping attempts in transit. Ideally, both concepts should be used in combination.
What email encryption methods are available?
Two standards have proven themselves in practice: S/MIME and OpenPGP.
- S/MIME uses digital certificates issued by official providers such as trust centers. Many email programs such as Outlook or Apple Mail already support this procedure out of the box.
- OpenPGP is an open standard that works without central certification authorities. The user generates a key pair themselves and distributes the public key via so-called keyservers or directly as a file.
If you would like more details on the technical process, I recommend this advanced guide to secure communication.
Differences in certificates and keys
Whether you prefer to use OpenPGP or S/MIME often depends on your requirements and personal IT infrastructure. With S/MIME, you need to obtain an official certificate that confirms your identity and email address. This certificate is obtained from an identity or trust center and has a specific validity period. The certification authority (CA) checks whether you are really the owner of this e-mail address. This procedure increases the credibility of the signature. OpenPGP, on the other hand, relies on a decentralized trust structure: you can generate your key pair yourself and do not have to contact an authority. Instead, the so-called "Web of Trust" plays a greater role, in which participants authenticate each other's keys.
In practice, however, both methods work very similarly: a public key is passed on and a private key remains in the secure custody of the owner. Combined with reliable software, both standards can provide real data protection.
How to set up email encryption step by step
This procedure will enable you to send your e-mails securely from now on.
1. Choose an encryption-capable email client
Mozilla Thunderbird, Microsoft Outlook or Apple Mail are common programs that support S/MIME and OpenPGP. Some providers such as webhoster.de also offer convenient key and certificate management via user-friendly interfaces.
2. Generate your key pair or apply for a certificate
With OpenPGP, you generate the key pair yourself using tools such as GnuPG. You pass the public key on to your email contacts. With S/MIME, on the other hand, you apply for an official certificate that is uniquely assigned to your name and email address.
3. Integrate the keys into your mail program
Import or create your private key directly in the settings of your email program. Most programs have an integrated interface for this or automatically guide you through the setup, including backup options for the private key.
4. Exchange public keys with your contacts
The secure exchange of public keys is absolutely essential. It can happen via a file attachment (e.g. an .asc file), via a keyserver or automatically after receiving a signed email. Once the keys are in place, end-to-end encryption works without any further steps.
5. Send encrypted messages
When writing new emails, activate the "Encrypt" option. Your mail client will then automatically use the recipient's public key. This means that only the recipient can open the message with their private key - even on the mail server, the content remains unreadable.
Use on mobile devices
If you want to read and write your encrypted emails on the go, you should select the right app or configuration for your smartphone. On iOS devices, there is already integrated support for S/MIME. For OpenPGP, apps such as OpenKeychain (Android) or Canary Mail (iOS) offer a convenient solution. It is important that you also transfer your keys to the mobile device, which sometimes requires some preparation. Make sure you use secure methods, such as encrypted file transfer or password-protected containers. Misconfigurations on mobile clients are one of the most common causes of security vulnerabilities.
Multi-factor authentication for key access
Consider how you can additionally secure access to the private key. Some applications or special tools also allow a form of multi-factor authentication (MFA) for decryption. For example, you can require a passphrase for the private key and additionally integrate an authentication app or hardware token, which generates a one-time confirmation code that you have to enter when decrypting. Although this means a little more effort, it increases security enormously. For business communication in particular, this additional level of security can be crucial to prevent misuse through lost or stolen devices.
Protection through digital signature
In addition to encryption, you also sign your email. This gives the recipient the assurance that it really comes from you. They will also immediately recognize if someone has changed the message afterwards. This signature can be checked using the sender's public key - further protection against phishing and identity theft.
I recommend always activating this function - even for rather harmless emails. It doesn't require any additional work, but it will boost your credibility enormously.
Encryption vs. signature: what's the difference?
While encryption primarily aims to ensure the confidentiality of a message, the signature ensures integrity and authenticity. This means that nobody but you as the sender can generate the signature, while at the same time you confirm that the content of the email has remained unchanged. It is perfectly possible - and common - to combine both methods: First you sign the email and then encrypt it. Recipients can thus be sure that both the sender is genuine and the message text is unaltered.
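The OpenPGP steps 2 to 5 from the guide above, run end to end with GnuPG and ending with the sign-first-then-encrypt order just described. This is an added example, not code from the original article or from webhoster.de; Alice and Bob are constructed identities with throwaway keyrings in a temporary directory, and the helper names (g, fpr, decrypt_msg, signature_ok) are my own.

```shell
#!/bin/sh
# Added example, not code from the original article: the OpenPGP steps 2-5
# run end to end with GnuPG, including the sign-first-then-encrypt order.
# Alice and Bob are constructed identities with throwaway keyrings in a temp dir.
set -eu
WORK=$(mktemp -d)
mkdir -m 700 "$WORK/alice" "$WORK/bob"

# gpg in batch mode on a per-person keyring. The empty passphrase is for the
# demo only; a real private key gets a strong passphrase.
g() { h=$1; shift; gpg --homedir "$WORK/$h" --batch --yes --quiet \
        --pinentry-mode loopback --passphrase '' "$@"; }

# Step 2: each side generates its own key pair; no certificate authority involved.
g alice --quick-generate-key "Alice <alice@example.test>"
g bob   --quick-generate-key "Bob <bob@example.test>"

# Step 4: public keys travel as .asc files; the private keys never leave home.
g alice --armor --export alice@example.test > "$WORK/alice.asc"
g bob   --armor --export bob@example.test   > "$WORK/bob.asc"
g bob   --import "$WORK/alice.asc"
g alice --import "$WORK/bob.asc"

# Before relying on an imported key, compare its fingerprint with the owner
# out of band (phone, in person) and then certify it locally.
fpr() { g "$1" --with-colons --fingerprint "$2" | awk -F: '/^fpr/{print $10; exit}'; }
[ "$(fpr bob alice@example.test)" = "$(fpr alice alice@example.test)" ]
g bob --quick-lsign-key "$(fpr bob alice@example.test)"

# Step 5: Bob signs with his private key, then encrypts to Alice's public key.
printf 'Constructed test message: Q3 contract draft attached.' \
  | g bob --local-user bob@example.test --recipient alice@example.test \
      --sign --encrypt --armor > "$WORK/msg.asc"

# Only Alice's private key can decrypt; her client also verifies Bob's signature.
decrypt_msg()  { g alice --decrypt "$WORK/msg.asc" 2>/dev/null; }
signature_ok() { g alice --status-fd 2 --decrypt "$WORK/msg.asc" 2>&1 >/dev/null \
                   | grep -q '^\[GNUPG:\] GOODSIG'; }
decrypt_msg
```

In a real mail client the same thing happens behind the "Encrypt" and "Sign" buttons; the fingerprint comparison is the step that keeps a forged public key from being accepted.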
Email encryption in everyday business life
Manually exchanging keys with hundreds of employees is a challenge for companies. This is where so-called secure email gateways come in. These systems encrypt incoming and outgoing emails centrally per domain - automatically, without each user needing any technical knowledge.
The integration of such gateways via hosting providers such as webhoster.de is particularly efficient. They offer interfaces for automatic certificate management and are fully GDPR-compliant. You can find further operational security measures in this practical guide to e-mail server security.
Automatic key management
In the corporate environment, it can also make sense to rely on solutions that automate key management and certificate renewals. S/MIME certificates in particular usually expire after one or two years and must be renewed in good time. An automated process minimizes the risk of certificates inadvertently becoming invalid, which would suddenly leave you unable to receive or send encrypted emails. Company-owned address and key servers can also be used, which employees can use to verify each other and securely exchange the necessary public keys.
The integration of such automated systems relieves the IT department, reduces the error rate and ensures that new employees can also communicate in encrypted form without much additional effort. However, you should always carefully consider which data is stored internally and whether the chosen solution complies with the current legal data protection regulations.
Avoid typical mistakes
A common mistake with OpenPGP is not creating backups of the private key. If it is lost, all encrypted emails remain permanently unreadable - and recovery is impossible.
An expired or invalid certificate for S/MIME also blocks secure e-mail traffic. That's why I regularly check the validity - and update expired keys in good time.
Furthermore, systems must not be outdated. Security updates and stable connections via TLS 1.2+ are mandatory. You can find more tips via this comprehensive protection guide for e-mail communication.
Regular audits and security checks
Anyone who takes their email encryption seriously should carry out a security audit at least once a year. In addition to checking software updates, this also means testing the actual key structures and certificates. This includes, for example, checking whether the keys used are still valid, whether employees have left the company in the meantime and whether old certificates are still in circulation. If a private key is no longer needed or is classified as compromised, it is important to revoke it immediately.
Another point is the enforcement of strong passphrases for the encryption and signature keys. For example, if the passphrase protecting your private PGP key is too short or too simple, an attacker can crack it using brute-force methods. With regular audits, you can always keep an overview and close small gaps before they become a major risk.
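The certificate part of the yearly audit, and the renewal window from the key-management section above, as a small openssl check. This is an added example, not code from the original article or from any provider named in it; the two self-signed certificates are constructed stand-ins for a company's S/MIME certificates, and the helper names (mkcert, expires_within, audit) are my own.

```shell
#!/bin/sh
# Added example, not code from the original article: the certificate part of
# the yearly audit, done with openssl. The two self-signed certificates are
# constructed stand-ins for the S/MIME certificates a company would hold.
set -eu
DIR=$(mktemp -d)

# Constructed test data: one certificate valid for two years, one for 10 days.
mkcert() {  # $1 = file stem, $2 = e-mail address, $3 = validity in days
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$DIR/$1.key" -out "$DIR/$1.pem" -days "$3" -subj "/CN=$1" \
    -addext "subjectAltName=email:$2" -addext "extendedKeyUsage=emailProtection" \
    2>/dev/null
}
mkcert anna anna@example.test 730
mkcert ben  ben@example.test  10

# True when the certificate expires within the given number of days, i.e.
# renewal is due; -checkend itself succeeds only when the cert will NOT expire.
expires_within() {  # $1 = certificate file, $2 = renewal window in days
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Walk a directory of certificates and report, per e-mail address, whether
# renewal is due within the window. Output: "RENEW <mail>" or "ok <mail>".
audit() {  # $1 = directory, $2 = renewal window in days
  for c in "$1"/*.pem; do
    mail=$(openssl x509 -in "$c" -noout -ext subjectAltName \
           | sed -n 's/.*email:\([^,]*\).*/\1/p')
    if expires_within "$c" "$2"; then echo "RENEW $mail"; else echo "ok $mail"; fi
  done
}
audit "$DIR" 30
```

Run against the directory your mail server or gateway keeps its user certificates in, with a window that leaves enough time to order and install a replacement before the old certificate expires.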
Comparison of hosting providers with email encryption
| Place | Provider | Encryption | Special features |
|---|---|---|---|
| 1 | webhoster.de | S/MIME, OpenPGP | Maximum security, simple administration, GDPR compliance |
| 2 | Provider B | S/MIME, PGP | Good integration, solid performance |
| 3 | Provider C | S/MIME | Simple certificate integration |
FAQ - Frequently asked questions about e-mail encryption
- Do I always have to activate encryption manually?
  No, many clients encrypt automatically if the public keys are already available.
- Can I use free solutions?
  Yes, OpenPGP is a free and widely used method.
- What happens without a private key?
  Without backups, you will permanently lose access to old encrypted messages.
- How do I distribute my public key?
  Either as an attachment, via key servers or through signed emails.
Conclusion: Communicating securely - it's easy
With the right instructions, you can get started with email encryption even without any prior technical knowledge. Whether OpenPGP with your own key pair or S/MIME with an official certificate - you can ensure confidentiality, integrity and identity when sending emails.
Sensitive content in particular, such as contracts, customer data or access credentials, deserves effective protection. If you also use digital signatures and regularly check your key management, you are on the safe side. Modern tools and hosting offers such as those from webhoster.de provide you with real support.