E-mail encryption with S/MIME

S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for email encryption.

As with PGP, there is a private key and a public key. If you want to send an encrypted message to someone, you need their public key. If you want to receive an encrypted e-mail from someone, they need your public key to encrypt the e-mail with it. With your private key, ONLY you can decrypt the received encrypted message.

Since PGP and S/MIME use different key formats, the two methods are unfortunately not compatible.

In order to ensure that you as the sender of an e-mail are also the person you claim to be, S/MIME, just like PGP, also offers the option of signing your e-mails in addition to encryption.

S/MIME has the great advantage over PGP that it is already available in many mail programs and smartphones. On the other hand, the creation of the required key pair is somewhat more complicated than with PGP. For this you need an "X.509 certificate", which you can obtain free of charge from an official certification authority.

Certificates

There are four classes of these certificates. They differ in the thoroughness of the applicant's verification:

1. A class 0 certificate is for testing purposes only and has a limited validity period.
2. A class 1 certificate only checks whether the email address exists. If you decide to apply for this certificate as a private person, you will be sent the activation code to your e-mail address, which you then enter on the website of the certification authority and receive your certificate. It is therefore only ensured that the applicant has access to the e-mail box for which the certificate is to be valid. In case of doubt, this could also be an unauthorised person who has access to your e-mail box.
3. A class 2 certificate contains not only the email address but also other information such as the name and the organisation or company. It is aimed at companies and the identity check is carried out via a written application or by sending an excerpt from the commercial register.
4. A class 3 certificate includes a personal identity check. You would therefore have to appear at the certification office yourself and would be verified on the basis of your identification documents.

The class 1 certificates, which are usually sufficient for private use, are given to you as a file.

Free S/MIME certificates were available in the past from Comodo and StartCom, but both have discontinued their free service. Maybe LetsEncrypt will soon offer free S/MIME certificates?

The following list at Mozilla lists some providers that offer free S/MIME certificates. BUT: Most of them have a catch, either the certificates are only valid for 30 days, the root certificate of the provider is not pre-installed in all operating systems, or the private key is generated by the respective provider. You should not do the latter, you should be the only one in the world who has access to the private key (and can thus decrypt and sign e-mails).

• https://kb.mozillazine.org/Getting_an_SMIME_certificate

S/MIME certificates that are subject to a fee are available from Digicert, Sectigo (formerly Comodo) or InstantSSL, for example:

• https://www.digicert.com/client-certificates/
• https://sectigo.com/signing-certificates/email-smime-certificate
• https://www.instantssl.com/secure-email-certificates-s-mime