How to Send Sensitive Information via Email


From time to time, you will need to send some sensitive information online. The good news is that there are plenty of ways to do this. The bad news is that there is always a risk that someone might intercept it and steal your information.

When it comes to communicating online, few ways are faster or more convenient than email. But does the same hold true when you need to send sensitive documents and information?

In general, email is not the most secure way to send sensitive information, at least when we’re talking about popular email services like Gmail.

Here’s why.

Why Should You Avoid Emailing Sensitive Information?

Data on email can be compromised in a few ways.

First, data can be compromised as it travels through the network. Let’s say that you’re hosting your email externally from an organization and need to send an attachment to someone outside. 

That email and attachment will go through at least three connections. This means there are at least three points at which someone could intercept your communication. Plus, if you are using different email hosts, then the connection between your host and the recipient’s server is another weak point to consider.
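One way to see those connections for a message you have received is to read its Received headers, which each server adds as it accepts the mail. The sketch below is an added example, not part of the original article: the message, host names and IDs are constructed, and the TLS check relies on the "with" keywords registered in RFC 3848.

```python
import email
import re

# "with" keywords from RFC 3848; the S variants mean STARTTLS was used.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample message (example domains, documentation IP ranges).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
    by store.recipient.example with ESMTPS id C3; Mon, 1 Jan 2024 10:00:03 +0000
Received: from out.host.example (out.host.example [198.51.100.7])
    by mx.recipient.example with ESMTP id B2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop.sender.example ([192.0.2.10])
    by out.host.example with ESMTPSA id A1; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: contract

See attachment.
"""

def trace_hops(raw_message):
    """Return the hops in travel order with the protocol each server logged."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Every server prepends its header, so the oldest hop is last: reverse.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split()).split(";", 1)[0]  # unfold, drop date
        sender = re.search(r"\bfrom (\S+)", flat)
        receiver = re.search(r"\bby (\S+)", flat)
        proto = re.search(r"\bwith (\w+)", flat)
        keyword = proto.group(1).upper() if proto else None
        hops.append({"from": sender.group(1) if sender else None,
                     "by": receiver.group(1) if receiver else None,
                     "with": keyword,
                     "tls": keyword in TLS_KEYWORDS})
    return hops

def unprotected_hops(raw_message):
    """List (from, by) pairs for hops with no TLS keyword recorded."""
    return [(h["from"], h["by"]) for h in trace_hops(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        print(hop["from"], "->", hop["by"], hop["with"], "TLS" if hop["tls"] else "no TLS recorded")
```

Received headers are written by the servers themselves, so treat them as a hint: some servers do not record TLS at all, and headers added before the first server you trust can be forged.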

Another point where your sensitive information on email is vulnerable is on the servers where it is stored. 

You’ve probably deleted an email or two in your time. It’s pretty easy to do. Just check the box next to the email and click the bin icon. But, just like real trash, it doesn’t disappear right away. Instead, it gets stored in the Trash folder, so you need to delete it permanently from there as well. You can do that by clicking Empty Trash now (to empty the entire folder) or by checking the box next to the email and clicking Delete Forever.

But is it deleted forever?

Well, when it comes to Google, nothing is as it says on the package.

Here’s what a Google spokesperson said when asked about deleting emails forever:

“Google keeps multiple backup copies of users’ emails so that we can recover messages and restore accounts in case of errors or system failure, for some limited periods of time. Residual copies of deleted messages and accounts may take up to 60 days to be deleted from our servers. Deleted messages may also remain on offline backup systems for some limited period of time.”

Let’s go through that quote for a bit:

  1. Google keeps multiple backup copies of your email. 
  2. It keeps them for “some limited periods of time”.
  3. Copies of messages take up to 60 days to get deleted from Google servers.
  4. Deleted messages remain on Google’s offline backup systems.

Of course, it’s not just Google’s fault. In many countries, such as Germany, Switzerland and the Netherlands, the law requires that emails be kept for at least 6 months before they can be permanently deleted.

That’s something that you need to consider when choosing an email service. Look for an email encryption service that has servers in a country that allows messages to be deleted permanently. 

CTemplar, for instance, uses Icelandic servers, which allows you to instantly and forever delete your emails and files.

Here’s how to delete emails instantly after sending them on CTemplar.

If You Must Use Email to Send Sensitive Information

If you really “must” send sensitive data over email, be sure to protect it. 

There are two ways to do this:

  1. Send a password-protected zip file

If you need to send secure email attachments to someone, it’s best to send it to them as a zip file. 

The .zip format itself supports two different encryption methods, ZipCrypto and AES-256. So which one should you use?

Well, it depends on what you’d sooner sacrifice, your security or compatibility?

ZipCrypto is pretty weak and relatively easy to crack, but it’s supported by the majority of zip archivers. 

On the other hand, AES-256 is a much stronger encryption, but only a few archivers support it. I would recommend going with this one since it’s supported by major 3rd party zip archivers like 7-Zip and WinZip and most people use these anyway.

Of course, that’s not the end of the story. If you need to send an encrypted zip file over email, the other person needs a way to open that file or it’s useless to them.

In other words, they would need a password to open the file.

But if you just send a password together with the file you might as well announce “Hey, here’s a secret document, feel free to open it”. Sending passwords in an email is often not the best idea.

That’s why you should send the password either in a separate email or, better, through some other channel, like a text message.

  2. Use PGP encryption

Another solution is to use PGP encryption. The problem here is that not all email services use it and both you and the recipient must have it. If only you’re using PGP and not the recipient, then the file is not secure.

When you encrypt a plaintext using PGP, it compresses it. This serves two purposes:

  • First, it saves on disk space and transmission time, but more importantly,
  • It enhances cryptographic security, making the file harder to crack.

The whole point of PGP (or Pretty Good Privacy) is that when you send something using this encryption, the risk of intercepted emails is much lower.

When the message is sent with PGP, it’s first converted into a ciphertext, which only someone with the right key can translate back into readable text. To anyone who intercepts the message without that key, the message will be unreadable.

But wait, doesn’t PGP require special software? 

That used to be the case and it opened another problem. 

How secure is the 3rd-party PGP software? 

That’s not the case with CTemplar. We’re using the OpenPGP.js library, which is constantly audited by IT and security professionals and is trusted far and wide by individuals, organizations and governments.

The OpenPGP.js library is maintained by our friends at Proton Technologies.

Need to send sensitive information to someone? Be sure to use the safest email accounts at CTemplar.
