
How encrypted email works

From holiday photos to our purchasing history to personal correspondences, our emails contain a great deal of sensitive information.

It is therefore vital to keep your inbox and messages secure. This is harder than it first appears: email was invented and widely adopted in the early days of the internet, before many of today's security best practices existed, and encryption was bolted on afterwards.

As with all digital content, the best way to keep emails secure is encryption: algorithms that scramble the content so that no one can read it without the correct key.

In this article, we explain the different types of encryption that most email services use to protect your messages and what ProtonMail does to add an extra layer of security and privacy.

How email is encrypted

Most modern email services encrypt emails in two ways:

  • They use TLS (the successor to SSL) to encrypt email in transit, between your device and the provider's servers and usually between mail servers as well. This is the same protocol that secures HTTPS websites.
  • They use a symmetric-key cipher such as AES to encrypt emails at rest on their servers. Because the provider generates and holds that key, it can decrypt your emails whenever it chooses, whether to scan them for advertising or to hand them over in response to a third-party demand.

ProtonMail also encrypts emails in transit using TLS and stores them on our servers using OpenPGP (described below), both built on trusted open-source implementations of AES and RSA.

However, we improve on the usual email encryption model in several key ways:

  • All messages sent between ProtonMail users are end-to-end encrypted (E2EE) so that no one except you and your intended recipient(s) can access their contents.
  • Support for OpenPGP encryption is built into ProtonMail, making it easy to have E2EE conversations with non-ProtonMail users who use PGP.
  • We also offer an Encrypt for non-ProtonMail users feature that allows you to send E2EE emails to anyone.
  • All emails — including non-E2EE emails you choose to send unencrypted to people who don’t use ProtonMail — are stored on our servers using zero-access encryption. This means we have no way to read your messages, scan them for advertising purposes, or hand them over to a third party.

End-to-end encrypted email

End-to-end encryption means the contents of your emails are encrypted on your device before being uploaded to our servers and can only be decrypted and read by the intended recipient. 

This is achieved using the OpenPGP email encryption standard, which uses public-key cryptography to transmit messages securely between individuals. In practice OpenPGP uses hybrid encryption: the message is encrypted with a fresh random symmetric session key, and that session key is encrypted with the recipient's public key (once per recipient if there are several). Only the matching private key, which the recipient alone holds, can unwrap the session key and so read the message. No one else (including ProtonMail) can access the contents of E2EE messages.

OpenPGP encrypts the message body and all attachments. The subject line and other header metadata (sender, recipients, timestamps) are not encrypted. ProtonMail's end-to-end encryption works the same way, which is what allows features such as searching your mailbox by subject line.
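The hybrid structure described above, as an added example in Go that is not code from ProtonMail, OpenPGP.js or GopenPGP: the body is encrypted once under a random session key with AES-256-GCM, that session key is wrapped separately for each recipient using an X25519 (Curve25519) key agreement from the standard library's crypto/ecdh package, and the subject stays in the clear. The Envelope layout, the kekFor key derivation and the function names are choices made for this example; real OpenPGP uses its own packet format and the key derivation from RFC 6637.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Envelope has the shape of an OpenPGP message: one body ciphertext under a random
// session key, that key wrapped once per recipient, subject and names in the clear.
type Envelope struct {
	Subject string
	Wrapped map[string][]byte // recipient -> ephemeral X25519 public key || wrapped session key
	Body    []byte            // nonce || AES-256-GCM ciphertext of the body
}

// kekFor derives a key-encryption key from the X25519 shared secret. OpenPGP uses the
// KDF of RFC 6637; this SHA-256 construction is a stand-in chosen for the example.
func kekFor(shared, ephPub, recipPub []byte) []byte {
	sum := sha256.Sum256(append(append(append([]byte("example-email-kek"), shared...), ephPub...), recipPub...))
	return sum[:]
}

// newGCM builds AES-GCM for a 32-byte key; a wrong key length is a bug, not a runtime error.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal returns nonce || AES-GCM ciphertext under a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	aead := newGCM(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy means no safe way to continue
	}
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; any change to nonce or ciphertext fails authentication.
func open(key, data []byte) ([]byte, error) {
	aead := newGCM(key)
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
}

// Encrypt builds an envelope readable by every listed recipient and nobody else.
func Encrypt(subject string, body []byte, recipients map[string]*ecdh.PublicKey) (*Envelope, error) {
	sessionKey := make([]byte, 32) // AES-256 key, fresh for every message
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	env := &Envelope{Subject: subject, Wrapped: map[string][]byte{}, Body: seal(sessionKey, body)}
	for name, pub := range recipients {
		eph, err := ecdh.X25519().GenerateKey(rand.Reader) // one-time sender key
		if err != nil {
			return nil, err
		}
		shared, err := eph.ECDH(pub)
		if err != nil {
			return nil, err
		}
		kek := kekFor(shared, eph.PublicKey().Bytes(), pub.Bytes())
		env.Wrapped[name] = append(eph.PublicKey().Bytes(), seal(kek, sessionKey)...)
	}
	return env, nil
}

// Decrypt recovers the body with one recipient's private key; without a listed
// private key (the provider has none) the unwrap step fails.
func Decrypt(env *Envelope, name string, priv *ecdh.PrivateKey) ([]byte, error) {
	blob, ok := env.Wrapped[name]
	if !ok || len(blob) < 32 {
		return nil, errors.New("no usable key packet for " + name)
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:32])
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	sessionKey, err := open(kekFor(shared, blob[:32], priv.PublicKey().Bytes()), blob[32:])
	if err != nil {
		return nil, errors.New("cannot unwrap session key: " + err.Error())
	}
	return open(sessionKey, env.Body)
}
```

Generate recipient keys with ecdh.X25519().GenerateKey(rand.Reader), pass their public keys to Encrypt, and call Decrypt with one recipient's private key. A server that only stores the envelope holds no private key, so it cannot unwrap the session key; the subject is readable by anyone who sees the envelope; and flipping any byte of the ciphertext makes the GCM authentication check fail rather than yielding garbled plaintext.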

End-to-end encryption for messages sent between ProtonMail users is automatic, and our integrated OpenPGP support makes it easy to send and receive PGP-encrypted E2EE messages with people who use PGP at other email providers. Proton also tells you when a message is protected by E2EE with a small blue padlock (for other ProtonMail users) or green padlock (for OpenPGP users).

Learn more about how to check encryption status using lock icons

Additionally, we offer an Encrypt for non-ProtonMail users feature that allows you to have end-to-end encrypted conversations with someone no matter what email provider they use. The recipient is sent an email telling them that an encrypted message is waiting for them on our servers. 

To read the message, they must enter a password you have shared with them beforehand, ideally over a channel other than email, so that anyone who can read your email in transit does not also learn the password. Once they have read your message, they can reply with a message that is also end-to-end encrypted.

Learn more about encrypting messages for non-ProtonMail recipients

Zero-access encrypted email

It is also possible to send and receive unencrypted emails to and from non-ProtonMail users. These are protected in transit between your device and our servers by TLS, and usually also in transit between our servers and the recipient's mail servers, since all major email providers now support TLS. Note that server-to-server TLS is normally opportunistic (STARTTLS): if the receiving server does not offer it, the message is typically delivered in the clear rather than withheld, so TLS in transit is a strong default but not a guarantee.

Learn more about TLS encryption

How messages are stored on the recipient’s email servers, however, is up to their service.

All messages (incoming or outgoing) stored on ProtonMail servers, whether E2EE or not, are secured using zero-access encryption.

They are encrypted using your public key and can only be decrypted locally on your device(s) using your private key. That private key is itself stored encrypted with AES-256 under a key derived from your password, and the password is hashed with bcrypt, so the encrypted key held on our servers is useless to anyone who does not know your password.

This means we cannot access the contents of any messages stored on our server.
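The private-key protection just described, as an added example in Go that is not Proton's code: the provider stores the public key in the clear (it needs it to encrypt incoming mail) and the private key only as AES-256-GCM ciphertext under a key derived from the user's password, so locking and unlocking happen on the user's device and a wrong password or a tampered record produces an error rather than a key. Proton hashes the password with bcrypt; because bcrypt is not in Go's standard library, this example substitutes PBKDF2-HMAC-SHA256 implemented inline. The LockedKey record layout, kdfIterations and the function names are choices made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// LockedKey is the record a provider stores for one mailbox. The public key is in
// the clear so the server can encrypt incoming mail to it; the private key exists
// only as AES-256-GCM ciphertext under a key derived from the user's password.
type LockedKey struct {
	PublicKey  []byte // X25519 public key, 32 bytes
	Salt       []byte // per-user random salt for the password KDF
	Iterations int    // KDF work factor, stored so it can be raised later
	Blob       []byte // nonce || GCM ciphertext of the private key
}

const kdfIterations = 200_000

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte output block. Proton
// uses bcrypt; PBKDF2 stands in here only because bcrypt is not in Go's standard library.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// LockPrivateKey runs on the user's device; the provider only ever receives the record.
func LockPrivateKey(priv *ecdh.PrivateKey, password string) (*LockedKey, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := gcmFor(pbkdf2SHA256([]byte(password), salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The public key is bound as associated data, so swapping it in storage is
	// detected when the blob is opened.
	pub := priv.PublicKey().Bytes()
	blob := aead.Seal(nonce, nonce, priv.Bytes(), pub)
	return &LockedKey{PublicKey: pub, Salt: salt, Iterations: kdfIterations, Blob: blob}, nil
}

// UnlockPrivateKey runs on the user's device after login. A wrong password or a
// modified record yields an error, never a wrong key.
func UnlockPrivateKey(lk *LockedKey, password string) (*ecdh.PrivateKey, error) {
	aead, err := gcmFor(pbkdf2SHA256([]byte(password), lk.Salt, lk.Iterations))
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(lk.Blob) < ns {
		return nil, errors.New("malformed key record")
	}
	raw, err := aead.Open(nil, lk.Blob[:ns], lk.Blob[ns:], lk.PublicKey)
	if err != nil {
		return nil, errors.New("wrong password or tampered key record")
	}
	return ecdh.X25519().NewPrivateKey(raw)
}

func main() {
	priv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	record, _ := LockPrivateKey(priv, "correct horse battery staple")
	_, wrong := UnlockPrivateKey(record, "guess")
	_, right := UnlockPrivateKey(record, "correct horse battery staple")
	fmt.Println("wrong password:", wrong, "| right password error:", right)
}
```

The message side is the public-key encryption described under end-to-end encryption above: the server encrypts each arriving message to LockedKey.PublicKey, and only a device that has unlocked the private key with the password can read it. Storing the iteration count in the record lets the work factor be raised for new records without breaking old ones.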

Learn more about zero-access encryption

Open-source encryption

Making our apps open source provides transparency by allowing anyone to examine software code for issues. All ProtonMail apps are fully open source and have been independently audited by security professionals. 

We also only use trusted open-source cryptographic libraries to implement AES, RSA, and OpenPGP to secure your emails. 

In addition to this, ProtonMail is the official maintainer of OpenPGP.js, the world's most widely used JavaScript email encryption library, and GopenPGP, a high-level OpenPGP library written in Go and developed by ProtonMail.

Your email is secure with ProtonMail

Unlike most email services, ProtonMail views your data as something to protect, not exploit. That is why we apply zero-access encryption to all emails on our servers and make it easy to send end-to-end encrypted emails to both ProtonMail and non-ProtonMail users. 

At Proton, we want to make privacy on the internet the default for everyone, and we knew the most important place to start was fixing email. That's why we developed ProtonMail. Developing zero-access encryption for stored emails and providing an easy way to send truly secure end-to-end encrypted emails to anyone were the first steps toward giving everyone the tools they need to control their online data.

FAQ

What is end-to-end encryption?

End-to-end encryption (E2EE) means that you encrypt your own data on your own device, and only you and the intended recipient can access it. Thanks to this encryption, no one else can read your E2EE messages, including ProtonMail and the recipient’s email service.

What is zero-access encryption?

ProtonMail stores all emails — incoming and outgoing — on its servers using zero-access encryption. The message is encrypted using your public key and can only be decrypted using your private key, which only you possess. This means that while a message is stored on our servers, only you can access it.

Zero-access encryption only applies to messages stored on ProtonMail. If the person you wrote an email to does not use ProtonMail, their email service can likely read it. 

To send emails that are truly secure, even on other email services’ servers, you should use one of our end-to-end encrypted email options. 

What is OpenPGP?

OpenPGP is a popular and secure encryption standard used to secure emails. OpenPGP encrypts the body of emails and attachments. It does not encrypt the subject line and other metadata, such as when an email was sent or who the sender is.

What is TLS?

Transport Layer Security (TLS), the successor to the now-deprecated SSL, is the protocol that secures a connection between two computers. During its handshake the two sides use public-key cryptography (typically an ECDH key exchange, see below) to agree on a fresh symmetric session key, and the rest of the connection is then encrypted with a symmetric cipher such as AES. TLS is best known as the security layer for HTTPS, which secures connections to websites, but the same protocol protects email in transit, both between your device and your mail server and between mail servers.

Learn more about HTTPS

What is AES?

The Advanced Encryption Standard (AES) is a symmetric-key cipher: the same key that encrypts the data also decrypts it. AES itself provides no way to get that key to the other party, so in protocols such as TLS and OpenPGP it is paired with public-key cryptography, which handles the key exchange while AES does the bulk encryption; on its own it is the usual choice for encrypting data at rest. AES is widely regarded as the de facto standard symmetric cipher, in large part because the United States government has approved it for protecting classified data.

What is ECDH?

Elliptic-curve Diffie-Hellman (ECDH) is a key agreement protocol. Each party holds a private/public key pair on an elliptic curve, and by combining its own private key with the other side's public key both arrive at the same shared secret, which an eavesdropper who sees only the two public keys cannot compute. ECDH does not encrypt anything by itself; the shared secret is used to derive the symmetric key that does. TLS uses it during the handshake (usually with one-time keys, ECDHE, so that a later key compromise does not expose past sessions), and ProtonMail uses ECDH over Curve25519 in OpenPGP to encrypt each message's session key to the recipient's public key.
