Encrypting vs. Signing with OpenPGP. What’s the Difference?

Many businesses are responsible for maintaining large amounts of confidential data, including customer records, medical records, financial reports, legal documents, and much more. It’s very common for these types of information to be transmitted via email. So how can you ensure confidential data transmitted via email is kept private? How can you ensure the integrity of transmitted data and that a message actually came from its purported sender?

Businesses need to ensure confidentiality, data integrity, message authentication (proof of origin), and non-repudiation (proof of content and its origin). These goals can be accomplished using MDaemon’s OpenPGP message encryption and signing services. Read on to learn more about the differences between encrypting and signing, and when each is used.

The Need for Encryption

 Businesses need to protect sensitive data and preserve confidentiality and privacy. Whether you work in healthcare, finance, legal, HR or education, chances are you’re familiar with the terms HIPAA or FERPA (among others). Businesses that fail to meet these regulations risk data breaches that can lead to lost revenue or legal action. To address these issues, businesses can use encryption to make their sensitive data unreadable to unauthorized parties.

The Need for Signing

In addition to data privacy, businesses may need to ensure that a message was not altered during transit, and that it actually came from the purported sender. These tasks are accomplished with message signing (adding a digital signature) using OpenPGP. Much like your handwritten signature, a digital signature can be used for authentication purposes, but also cannot be forged.

Signing a message helps ensure the following:

  • Data Integrity – That the message was not altered from its original form.
  • Message Authentication (Proof of Origin) – That the message actually came from the purported sender.
  • Non-repudiation – That the sender cannot deny the authenticity of the message they sent and signed with OpenPGP.

Encrypting vs. Signing – What’s the Difference?

So what are the differences between encrypting & signing? Let’s discuss each.

What is Encryption?

Encryption is the act of converting plain text to cipher text. Cipher text is basically text that has been scrambled into non-readable format using an algorithm – called a cipher. MDaemon’s implementation of OpenPGP encryption uses public key encryption (also known as asymmetric key encryption) to encrypt email messages and attachments.

So How Does Public Key Encryption Work?

Public key encryption uses public/private key pairs. If you want me to send you an encrypted message, you send me your public key, which I import into my encryption software (using the OpenPGP configuration screen in MDaemon, in this case). I encrypt the message with your public key. When you receive the message, you decrypt it with your private key. Even though your public key can be freely distributed and used to encrypt messages addressed to you, these encrypted messages can only be decrypted with your own private key. This private key must always be kept secret. Data encrypted with the public key can only be decrypted with its corresponding private key; conversely, data encrypted with the private key can only be decrypted with its corresponding public key. We’ll talk about why you would encrypt a message with your own private key in the next section when we discuss message signing.

Encrypting email with OpenPGP

Encrypting email with OpenPGP

Encrypting a message helps ensure that the message is kept confidential. The message remains in its encrypted format until it is decrypted with the recipient’s private key.

What is Message Signing with OpenPGP?

As I mentioned above, messages are encrypted with the message recipient’s public key and decrypted with the corresponding private key. Message signing, on the other hand, uses the sender’s private key to sign (encrypt) the message, and his public key is used to read the signature (decrypt). Message signing binds the identity of the message source to the message. This helps ensure data integrity, message authentication, and non-repudiation.

For example, if John wants to digitally sign a message to Michelle, he uses his private key to encrypt the message, and sends it (along with his public key if it hasn’t already been sent) to Michelle. Since John’s public key is the only key that can decrypt the message, the digital signature is verified by simply decrypting the message with John’s public key.

Signing with OpenPGP

Signing an Email Message with OpenPGP

Signing a message with OpenPGP ensures that the message was not altered in transit, that it did in fact come from the purported sender, and that the sender cannot deny the authenticity of the message they sent and signed with OpenPGP.

Message encryption & key management are explained in this tutorial video:
https://youtu.be/2fjyAAcHpMs?list=PLt-aAHf-ocsb0xDLb930tnPZZ9A1J19VG

More information on using MDaemon’s PGP encryption & signing features can be found in the following knowledge base article:

How to enable MDaemon PGP, configure who can use MDPGP, and create keys for specific users

http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=1087

Do you have questions? Let us know in the Comments section below!

Keeping Email Private with Virtru Client-Side Encryption

Have you ever created an account on a website that you wouldn’t want others to know about, or made travel arrangements, purchased personal items, or set a doctor’s appointment online? If so, then it’s possible that sensitive information about you has been transmitted via email. If any of these situations apply to you, or if you just don’t want anyone to see the cat photos you sent as an email attachment to your neighbor, then you should be encrypting your email. If you send personal or financial information, it’s best to assume that at any given time, someone out there is trying to gain access to that information.

Many small businesses think data breaches only happen to large companies, however, no company is too small to protect itself from outside threats. In fact, many hackers know that smaller companies might be a bit more lax in their security practices, and thus target them more aggressively. This is why email security and encryption are so important.

Virtru recently wrote a blog titled “Four Enterprise Security Statistics that Might Scare You Straight.” Here are some interesting statistics cited in the article:

  • 87% of Senior Managers Upload Business Files to a Personal Email or Cloud Account
  • Email Malware Creation is up 26% Year Over Year, with 317 Million New Pieces of Malware Created in 2014
  • Hackers Targeted 5 out of 6 Large Companies Using Email Attacks Last Year — an Annual Increase of 40%
  • Cybercrime has a 1,425% ROI

So with the above statistics in mind, do we even need to ask why we need encryption? If these reasons aren’t convincing enough, consider these:

  • Firewalls, antivirus, and anti-spyware may provide good protection, but they may not be enough. If one of the above is breached, encryption helps keep data safe.
  • Encryption can help shield businesses and users from government surveillance or other unauthorized access.
  • When you need to send sensitive data, encryption helps keep this data away from unauthorized viewers.
  • Encryption helps companies stay in compliance with HIPAA, CJIS, FERPA, and other government regulations.
  • Encryption helps keep sensitive data out of the hands of criminals and competitors.
  • Encryption helps companies preserve data integrity and privacy policies.

Client-side vs. Server-Side Encryption

Now that we’ve discussed why encryption is important, let’s discuss Virtru and its benefits.

First, we need to make a distinction between client-side and server-side encryption. With client-side encryption, email messages and attachments are encrypted by the sending mail client, and remain encrypted until an authorized recipient opens the message. With server-side encryption, messages and attachments are encrypted on the mail server with no user interaction. MDaemon users can use Virtru to encrypt messages on the client, and MDaemon administrators can use PGP to encrypt messages as they pass through the mail server. In this blog post, we’re going to focus on the client-side Virtru encryption features. If you’d like to learn more about MDaemon’s server-side encryption options using OpenPGP, then check out this blog post & video.

What is Virtru?

Virtru is an easy to use email encryption service that lets you protect private information while using your existing email service.  Encryption converts plain text into gibberish (cipher text) that is unreadable to all except the intended recipient. Virtru offers end-to-end encryption, ensuring that only authorized parties can decrypt your content.

When you send messages with Virtru, your emails and files are locked using strong encryption. Only you and your recipients can decrypt your messages. Separation of content and encryption gives you an extra level of privacy.

Why use Virtru?

Virtru was designed for user privacy and ease of use. Virtru never has access to your passwords and does not store any of your email content on their servers; only the encryption keys. Virtru helps users avoid headaches by managing their encryption keys for them.

Users have two versions of Virtru to choose from. The free version provides encryption and decryption of email and attachments. The Pro version provides the same encryption and decryption features, plus the ability to set message expiration dates, revoke emails, and disable forwarding.

Want to learn more about Virtru? Then  check out the video below for a demonstration, or visit the Virtru page on our website. You can also try out Virtru’s features by downloading your free trial of MDaemon.