Summary

The practice of protecting email content and credentials from interception, account compromise, and metadata exposure. The 2026 choice is between provider-side encryption (Proton Mail, Tuta) and self-managed PGP/GPG, with the operational rule that the right answer depends on the user’s threat model and on the cost of key management they can absorb.

Body

Encrypted email is the asynchronous companion to secure-messaging and the channel activists most often misuse. The canonical framing distinguishes two paths: a hosted encrypted-email service (Proton Mail, Tuta) that handles key management on the user’s behalf, and self-managed PGP/GPG where the user generates, publishes, and signs their own keys [source: digitale-gesellschaft-email-krypto]. The Digitale Gesellschaft primer — published by an independent Swiss civil-society association — argues that for most activists a reputable provider-side encrypted service gives 80% of the security benefit at 5% of the operational cost, and reserves PGP/GPG for the threat model that genuinely needs it (a high-risk defender targeted by state-level adversaries who can absorb the key-management cost) [source: digitale-gesellschaft-email-krypto]. This trade-off framing is unusual in the encrypted-email literature, which tends either to insist on PGP or to ignore it; the Digitale Gesellschaft primer names the trade-off explicitly.

For users who do proceed to PGP, the standard sequence is key generation with a reputable client (Thunderbird’s built-in OpenPGP, or the older Enigmail pathway), key publication to a keyserver, signing and verification of incoming messages, and the recovery question — what happens to my encrypted email if I lose my device [source: digitale-gesellschaft-email-krypto][source: digitalcourage-digitale-selbstverteidigung]. The primer pairs each step with a short rationale — why OpenPGP, why a long key, why publish a public key at all — so a reader can adapt the recipe rather than copying it [source: digitale-gesellschaft-email-krypto].
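
The four steps above, as an added example on the GnuPG command line (not taken from the cited guides, which describe the Thunderbird route). The identity, file names and function names are constructed, and everything runs in a throwaway keyring so no existing keys are touched.

```bash
#!/usr/bin/env bash
# Added example: PGP key generation, publication, sign/verify and recovery.
# Assumes GnuPG 2.1 or later. Identity and paths below are constructed.
set -euo pipefail

export GNUPGHOME="$(mktemp -d)"      # isolated keyring, never ~/.gnupg
chmod 700 "$GNUPGHOME"
WORK="$(mktemp -d)"
DEMO_UID='Example Activist <activist@example.org>'   # constructed identity

# 1. Key generation: primary key plus encryption subkey, expiring in a year.
#    The empty passphrase is for this unattended demo only.
generate_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$DEMO_UID" default default 1y
  gpg --batch --with-colons --list-keys "$DEMO_UID" |
    awk -F: '$1 == "fpr" { print $10; exit }'   # primary key fingerprint
}

# 2. Publication: this armored file is what goes to a keyserver or a contact.
export_public() { gpg --batch --armor --export "$1" > "$WORK/public.asc"; }

# 3. Signing and verification with a detached signature.
sign_msg() {
  gpg --batch --quiet --yes --local-user "$1" --armor \
      --detach-sign --output "$2.asc" "$2"
}
verify_msg() { gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null; }

# 4. Recovery: offline copy of the secret key, plus the revocation
#    certificate GnuPG writes at generation time, for a lost device.
backup_secret() {
  gpg --batch --pinentry-mode loopback --passphrase '' --armor \
      --export-secret-keys "$1" > "$WORK/secret-backup.asc"
  cp "$GNUPGHOME/openpgp-revocs.d/$1.rev" "$WORK/revoke.asc"
}

# Full sequence; prints the fingerprint, fails if any step fails.
run_demo() {
  local fpr msg="$WORK/msg.txt"
  fpr="$(generate_key)"
  export_public "$fpr"
  printf 'meeting moved to thursday\n' > "$msg"   # constructed message
  sign_msg "$fpr" "$msg"
  verify_msg "$msg"
  backup_secret "$fpr"
  printf '%s\n' "$fpr"
}
```

Call `run_demo` to execute the sequence. On a real key, keep `secret-backup.asc` and `revoke.asc` offline and away from the device they are meant to protect against losing.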

The non-English-language canon supplies set-up guides that account for the local service-provider ecosystem. Digitalcourage’s Digitale Selbstverteidigung covers PGP/GPG and, increasingly, simpler protocols, with set-up instructions that explicitly call out German mail providers and legal context (Telekommunikationsgesetz, Datenschutz-Grundverordnung) [source: digitalcourage-digitale-selbstverteidigung]. Nothing2Hide’s French-language guide covers email provider choice, jurisdiction, two-factor authentication, and the PGP-versus-provider-side trade-off [source: nothing2hide-guide-numerique]. The guide.boum.org Guide d’autodéfense numérique (Tome 2) goes deeper on encrypted email and metadata than the shorter zines, with worked examples and command-line recipes for the defender willing to learn about cipher suites [source: guide-survie-securite-numerique-activistes]. EFF’s Surveillance Self-Defense covers the operational habits that keep email protection intact — lock-screen passcodes, account-recovery hygiene, the choice between “at-rest” and “in-transit” encryption [source: ssd-eff].

The Holistic Security Manual adds the meta-discipline: encrypted email is one of three interlocking security dimensions (digital, psychosocial, organisational) that must be planned together, and a defender who adopts encrypted email without first agreeing on what may be written down at all creates new vulnerabilities in the act of fixing old ones [source: holistic-security-tactical-tech].

Encrypted email is closely related to secure-messaging (the synchronous channel), digital-security (the broader discipline), and digital-first-aid (the incident-response discipline when an email account is compromised).

Use it for

Choosing between provider-side encrypted email and self-managed PGP/GPG for a campaign; running an email-security training as part of a digital-security onboarding; setting up encrypted email for a board, coalition, or volunteer cohort; recovering from an email-account compromise.

Open Questions

None yet.

Sources & verification

Verified 2026-07-01 by terminal-T4.