Information Security


Guidance on Encryption of Email and Email Attachments

1 Scope 

This document is intended to provide advice to UCL users who wish to send sensitive data by email.

2 What is sensitive data? 

(i) Personal data: The Data Protection Act 1998 (DPA) defines this as "data which relates to a living individual who can be identified by that data".(1) All such data must be kept secure. Personal data includes, but is not limited to, student records, employee records, some research data, medical records, financial records and password information. The Information Commissioner provides technical guidance on what is considered to be personal data for the purposes of the DPA.(2) 

(ii) Corporate data and intellectual property: This includes, but is not limited to, strategic planning and financial information. If you are unsure what information falls within these categories you are advised to consult your Head of Department or Division. 

3 Guidelines 

There are several options available for encrypting email, not all of which are covered by this document. Below are two methods which may be suitable for UCL users, depending on their requirements.

3.1 Sending encrypted archives as email attachments 

Users wishing to send a sensitive attachment with an email that does not otherwise contain sensitive information may find that the simplest method is to create an encrypted archive containing the file and attach the encrypted archive to the email. The main advantages of this method are that it is simple, and the software required for decryption is freely available.

The main consideration with this method is that the password to the archive must be passed to the recipient. This should be done by a medium other than email.

Also, a sufficiently strong encryption algorithm should be used. Most up to date archive software supports AES encryption and are compatible with each other (eg a .zip archive created with 7-Zip can be opened with WinZip, WinRar etc). Older products using the ZipCrypto algorithm should not be used as the encryption is weak. If a product does not specifically mention AES, it is probably using ZipCrypto and should not be used. The free archiver 7-Zip is recommended. 

The document Using encrypted archives with 7-Zipdescribes the process on creating and opening encrypted archives using 7-Zip.

3.2 Public key encryption 

Users wishing to encrypt email on a regular basis are advised to use public key encryption, especially products using the OpenPGP standard. Public key encryption requires both the sender and recipient to set up a pair of cryptographic keys. A plugin for the email client and/or a separate program is also required. Once this is set up, encrypted emails can be sent and received without the need to exchange passwords as in 3.1. Public key encryption also allows the use of digital signatures, which provide the ability to determine whether an email was actually sent by the person claimed to be the sender. 

Most email clients on most platforms have support for the OpenPGP standard. A number of options are listed below: 

Enigmail, a plugin for the Thunderbird email client is used and recommended by UCL CST. An excellent quick start guide simplifies the fairly involved process of setting up public key encryption. It uses GnuPG and will work on Windows, Mac OS X and Unix/Linux. 

Gpg4win is an installer package for GnuPG on Windows and includes a plugin for Microsoft Outlook. However, the integration with Outlook is limited and not as user friendly as Enigmail on Thunderbird. 

Mac GPG is the Mac OS X port of GnuPG and support is available for several email clients. 

PGP Corporation provide a range of commercial encryption products for Windows and Mac OS X products including PGP Desktop Email, which works transparently with most email clients.