Standard email is not a private communication channel. Messages travel between servers in a format that the email providers, network operators, and anyone who compromises a server along the route can potentially read. HTTPS protects traffic in transit between your browser and the email provider, but the provider itself stores messages in a form it can access — and must provide under a legal order. For most everyday email this is an acceptable trade-off, but for sensitive communications — legal correspondence, medical information, confidential business discussions, or personal matters you would not share publicly — you need to encrypt your email so that only the intended recipient can read it, regardless of what happens to the email in transit or storage. We go deeper on the whole subject in our Complete Guide to Security and Privacy.
To encrypt your email, you have two main paths: end-to-end encrypted email services (where the provider architecture ensures they cannot read your mail) and cryptographic email encryption using OpenPGP standards applied to a standard email account. Each path has different trade-offs in usability, compatibility, and the level of encryption guarantee provided. This guide covers both, so you can choose the right approach when you need to encrypt your email based on your specific requirements.
Encrypt Your Email Using a Privacy-First Email Service
The simplest way to encrypt your email end-to-end without managing cryptographic keys manually is to use an email service designed for privacy. ProtonMail (now Proton Mail) and Tutanota are the two most established options. Both encrypt email messages at rest using keys that the provider does not hold — they cannot read your email even if they wanted to, and they cannot produce readable email content in response to a subpoena.
Proton Mail uses OpenPGP-compatible encryption and allows you to send end-to-end encrypted email to other Proton Mail users automatically. When you encrypt your email to a recipient outside Proton Mail, you can either set a password that the recipient uses to decrypt the message (through a secure web link), or if they have an OpenPGP public key, send a fully encrypted message to their standard email address. Proton Mail is accessible via its web interface, mobile apps, and through Proton Mail Bridge — a desktop application that connects Proton Mail to standard email clients (Outlook, Apple Mail, Thunderbird) using an encrypted local IMAP proxy. The free Proton Mail tier provides 1 GB of storage with basic features; paid plans start at $3.99/month and include custom domains, more storage, and the Bridge application.
Tutanota uses its own encryption scheme rather than OpenPGP (which creates compatibility differences with external OpenPGP users), and is particularly strong on metadata protection — encrypting subject lines, sender names, and recipient names within the mailbox in addition to message content. To encrypt your email to non-Tutanota recipients, Tutanota uses a password-based approach similar to Proton Mail’s external encryption. Tutanota’s free tier is more generous than Proton Mail’s and is sufficient for personal use; paid plans add custom domains and additional storage. According to Proton’s privacy documentation, the zero-access encryption architecture means the company cannot read user emails regardless of the legal jurisdiction in which it operates — a key advantage for users in countries where legal orders might otherwise compel access.
The Step-by-Step Process to Encrypt Your Email With OpenPGP
OpenPGP encryption allows you to encrypt your email using any email account — Gmail, Outlook, or any other provider — by applying cryptographic encryption at the message level before it is sent through the provider’s servers. The provider handles the delivery but cannot read the encrypted content. This approach requires both you and your recipient to have OpenPGP set up, which makes it best suited for regular correspondents with shared motivation to encrypt email.
- Install Thunderbird. Mozilla Thunderbird is the most user-friendly desktop email client for OpenPGP email encryption. It has native OpenPGP support built in since version 78, requiring no separate plugin. Download from thunderbird.net and connect your email account through IMAP or the account setup wizard.
- Generate your OpenPGP key pair. In Thunderbird: Account Settings → End-to-End Encryption → Add key → Generate a new OpenPGP Key → set a key passphrase (stored in the password manager). This creates a public key (shareable with anyone) and a private key (never leaves your device). The key passphrase protects the private key — without it, the encrypted email cannot be decrypted even if someone obtains the key file.
- Share your public key with correspondents. Your public key is what your correspondents use to encrypt email to you — only your private key can decrypt it. Share your public key via: email (Thunderbird can attach it automatically), upload to a public key server (keys.openpgp.org), or include in your email signature. When you encrypt your email to a correspondent, you use their public key — which they must share with you through one of these methods.
- Obtain your correspondent’s public key. Ask them to send their public key, or search key servers (keys.openpgp.org, keyserver.ubuntu.com) for their email address. Import the key into Thunderbird: Account Settings → End-to-End Encryption → import public key for recipient → import their key file.
- Compose and encrypt your email. Create a new email to the correspondent. In the compose window, click the lock icon (Encrypt) and the signature icon (Sign). When both are active, sending the email encrypts it using the recipient’s public key — only they can decrypt it — and signs it with your private key, allowing them to verify it genuinely came from you. The subject line is not encrypted in standard OpenPGP email — keep subject lines generic for sensitive correspondence.
- Verify the correspondent’s key fingerprint. Before trusting encrypted email, verify the recipient’s key fingerprint through a separate channel — a phone call, an in-person confirmation, or a comparison on a public key server. This prevents a man-in-the-middle attack where a fake key is substituted. Thunderbird marks keys as “Verified” only after you confirm the fingerprint match.
Step six — key verification — is the step that most guides on how to encrypt your email underemphasise. OpenPGP encryption is only as trustworthy as the verification that the public key actually belongs to the intended recipient. A key that claims to belong to a colleague but was actually created by an attacker intercepts all messages that are encrypted to it while appearing properly encrypted to the sender. Verification through an out-of-band channel is the mechanism that closes this gap.
Encrypt Your Email: Comparison of Methods
The right method to encrypt your email depends on who you correspond with, how technically comfortable you are, and how sensitive the correspondence is. A healthcare provider who needs to share medical records with patients has different requirements from a journalist communicating with a source, and both differ from a business professional who wants general confidentiality for client communications.
For users who primarily correspond with people on the same privacy email service (Proton Mail to Proton Mail, or Tutanota to Tutanota), the service handles everything automatically — encryption is transparent and the user experience is identical to standard email within the same provider. For users who need to encrypt your email to recipients on standard email providers, the password-based external encryption offered by Proton and Tutanota is the most accessible option — the recipient receives a link, enters the agreed password, and reads the message without any software setup. For users who regularly correspond with technically-capable recipients who have already set up OpenPGP, Thunderbird with native OpenPGP provides full standard-compliant encryption to any email address where the public key is available.
The metadata limitation of all email encryption methods is worth stating clearly when deciding how to encrypt your email: even with end-to-end content encryption, the email headers — from address, to address, timestamp, subject line in most implementations, and routing data — remain visible to the email providers handling delivery. A privacy-first email service like Proton Mail minimises what it logs about this metadata, but the structural limitation of the email protocol means some metadata exposure is unavoidable. For correspondence that requires hiding the relationship between correspondents — not just the content — the Signal messaging app’s sealed sender feature or the Tor network’s hidden service email (as used by some journalist platforms) address this metadata layer in ways that standard email encryption cannot. Our companion guide on secure messaging apps covers Signal and similar tools for the cases where the communications channel itself needs to be as private as the content, and our guide on securing your email account covers the account security practices that protect access to the encrypted mailbox. Reviews from outlets like major technology publications consistently recommend Proton Mail as the most accessible starting point for users who want to encrypt your email without managing cryptographic keys manually — it provides genuine end-to-end encryption with a user experience comparable to Gmail for the majority of use cases.
Encrypt Your Email on Mobile Devices
To encrypt your email on mobile devices, the same service-based and key-based paths are available with slightly different interfaces. Proton Mail’s iOS and Android apps provide end-to-end encrypted email with the same capabilities as the web interface — automatic encryption for Proton-to-Proton messages and password-based encryption for external recipients. For OpenPGP on mobile, the dedicated app FairEmail (Android, open-source) and Canary Mail (iOS) both support OpenPGP key import and message encryption, allowing you to encrypt your email to known correspondents from a mobile device using keys you have already generated.
The practical challenge with mobile email encryption is the key management — the private key used to decrypt your encrypted email must be securely stored on each device where you want to decrypt messages, without being transmitted through channels that could expose it. Proton Mail and Tutanota handle this entirely within their app ecosystems, making mobile encryption transparent. OpenPGP on mobile requires importing the private key to the mobile app, which should be done through a direct local transfer (USB, QR code within the app) rather than through cloud sync or email — exposing the private key in transit or in cloud storage defeats the purpose. Once set up, mobile OpenPGP encryption functions identically to the desktop experience — compose, tap encrypt, send — with the same protection guarantees. The initial setup investment is the friction that limits adoption, which is why hosted services like Proton Mail represent the practical path for most users who want to encrypt your email on mobile without managing key infrastructure manually.
Encrypt Your Email: Common Questions and Misconceptions
A common question when first learning to encrypt your email: does encryption make email slower? The encryption and decryption operations involved are computationally trivial on modern hardware — they add milliseconds to send and open times that are imperceptible in normal use. The practical friction is not the encryption itself but the key management and the requirement for both parties to participate in the setup. Once both correspondents have the infrastructure in place, the experience of encrypted email is indistinguishable from unencrypted email in terms of speed and interface.
Another common misconception: encrypting your email with PGP means no one can ever read it. The encryption protects the message in transit and in storage on servers, but the message exists in decrypted form on the sender’s and recipient’s devices after decryption. Malware on either device, physical access to an unlocked device, or a screenshot shared by the recipient all expose the content of even perfectly encrypted email. To encrypt your email is to protect it from network and server-level adversaries — it is not a complete protection against an adversary with device access or a recipient who chooses to share. This is why device security, as covered in our guide on securing your laptop, is a complementary protection rather than a substitute when encrypted communications are involved.
The question of whether to encrypt your email only for sensitive messages or to encrypt all email is worth considering. Selective encryption — encrypting only “important” messages — creates a metadata signal: the encrypted messages are the ones that are sensitive, which gives an observer information even without being able to read the content. Encrypting all email eliminates this signal, but requires either using a privacy-first email service where encryption is automatic for all messages, or having all regular correspondents set up OpenPGP — a significant coordination barrier. The practical resolution for most users is to use a privacy-first email service like Proton Mail for the email account associated with sensitive correspondence, while using a standard email account for the general communication where encryption is either not feasible or not needed. This account separation allows you to encrypt your email comprehensively on the account where it matters, without requiring the coordination overhead of getting all general correspondents to adopt encryption.







