
How Does Email Encryption Work And Which Is Best for Your Organization?

How do the different types of email encryption work, and which is the best to secure your organization’s email communications?

Email remains an essential business process that companies rely on to communicate efficiently and effectively. Organizations expect emails to be delivered on time, without tampering, and only to the intended recipient. However, email is an inherently insecure platform. Without a comprehensive email security solution in place, email data and attachments can be accessed with relative ease by experienced cyber-threat actors.

For this reason, email encryption is an essential tool to secure email communications and ensure compliance with data protection regulations. Encrypted emails can only be read by the intended recipient, helping to protect sensitive messages and attachments. There are many methods of email encryption, and a number of solutions currently on the market. Some services, such as Secure/Multipurpose Internet Mail Extensions (S/MIME) or Pretty Good Privacy (PGP), encrypt your email in transit and ensure that only the correct recipient can read it. Other services, such as AxeCrypt, use AES encryption to encrypt the email before it is sent.

In this article, we’ll break down the differences between these methods of encryption. We’ll cover how each method works and its strengths and weaknesses, and outline representative vendors, to help you find the right encryption solution for your organization.

TLS Encryption

Transport Layer Security (TLS), often still referred to as Secure Sockets Layer (SSL) after the earlier protocol it was developed from, is one of the most widely used encryption protocols. It protects a significant proportion of the information that gets transmitted online. It is mainly used to encrypt data sent from users’ browsers to websites, but it is also used to secure email.

TLS comprises a stack of different elements and subprotocols. One primary record protocol is responsible for the structure of the protocol and carries the further subprotocols. There are four main subprotocols: Handshake, Change Cipher Spec, Alert and Record.

The Handshake subprotocol is used to set up the parameters for a secure connection. The handshake goes through several phases in which the server and client send messages back and forth to confirm the client’s authenticity. These messages include the latest version of TLS supported by both sides, whether compression is supported, and some other details.

After the parameters are set, the server usually sends its certificate. The certificate contains a public key, which is used to verify the server’s identity. If the server is using a Diffie-Hellman key exchange algorithm, that exchange takes place now. The client then sends a Client Key Exchange message, which includes a value encrypted with the server’s public key. Details from the first messages, such as the random numbers, are then used to create a master key shared by both parties.

The keys needed to encrypt and authenticate messages are derived from the master key. The client then uses the Change Cipher Spec subprotocol to tell the server that the messages that follow are encrypted and authenticated, and sends a message that includes a Message Authentication Code (MAC). The server decrypts the message and checks the MAC; if that check fails, the connection is rejected. If the message passes all of the above, the connection is established and the message is successfully decrypted.

Many of the most popular email service providers use TLS by default. For example, Gmail uses TLS by default, and Google Workspace supports TLS versions 1.0, 1.1, 1.2 and 1.3. Other services, such as Office 365, can use connectors to force TLS for inbound and outbound email.

TLS Email Encryption is suitable for anyone who uses the internet.
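The handshake and certificate check described above, run end to end over loopback as an added example (not code from the original article): Go's crypto/tls plays both server and client, the server presents a throwaway self-signed certificate for the constructed host name mail.example.test, and the client only completes the handshake when that certificate is in its trusted roots, which is what denies a Man-in-the-Middle who cannot present a trusted certificate. The function names Handshake and must are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// must aborts on fixture-setup errors (key generation, certificate creation, listen).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Handshake runs one TLS handshake over loopback. The server presents a throwaway
// self-signed certificate for the constructed host mail.example.test; the client
// trusts it only when trustServer is true and refuses an unknown certificate otherwise.
func Handshake(minVersion uint16, trustServer bool) (tls.ConnectionState, error) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"mail.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srvCfg))
	defer ln.Close()
	go func() { // server side: accept the connection and complete the handshake
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	cliCfg := &tls.Config{ServerName: "mail.example.test", MinVersion: minVersion}
	if trustServer {
		cliCfg.RootCAs = x509.NewCertPool()
		cliCfg.RootCAs.AddCert(must(x509.ParseCertificate(der)))
	}
	// Dial sends the ClientHello and returns only after Finished has been exchanged
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return tls.ConnectionState{}, err // e.g. "certificate signed by unknown authority"
	}
	defer conn.Close()
	return conn.ConnectionState(), nil
}
```

Calling Handshake with trustServer false shows the refusal; a mail client that skips this verification (opportunistic STARTTLS without checking the certificate) gets encryption but not the MiTM protection TLS is credited with.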

TLS Strengths and Weaknesses

Strengths

  • TLS encryption eliminates the possibility of a Man-in-the-Middle (MiTM) attack between the client (such as a web browser) and the server
  • Enforcing TLS ensures that data integrity cannot be compromised over that connection
  • Having your website TLS-secured instils confidence and trust in your clients

Representative Vendors

  • LetsEncrypt
  • cPanel
  • Cloudflare

Encryption At Rest

Encryption at rest means encrypting stored data to protect it against data breaches and attacks. Data at rest is data held on persistent storage; this could be physical hard drives or cloud storage.

Attacks on data at rest could include theft of physical drives, possibly through mishandling during maintenance or repairs by a third party. A malicious actor with physical access to the drive could place it into a system under their control and attempt to read it. Encryption at rest is designed to stop the attacker from accessing the data by ensuring that everything on the disk is encrypted.

Encryption at Rest is aimed more towards SMB and larger organizations that could be bigger potential targets for data breaches. However, with a growing trend of employees working remotely from machines in their own homes, products that offer a distributed node-based encryption system will see a rise in popularity.

Encryption at Rest Strengths and Weaknesses

Strengths

  • Encryption ensures privacy: encryption ensures that Personally Identifiable Information (PII) remains confidential
  • Encrypted data maintains integrity: Man-in-the-Middle attacks do not only record the data that passes through them. Many MiTM attacks attempt to modify the data in transit, for example changing a delivery address or bank account details. Encrypting the data reduces this risk, and even if a skilled attacker breaks the encryption and modifies the data, the recipient will detect the modification.

Weaknesses

  • Data recovery: overprotective data access mechanisms can make data recovery or access slow. If you have multiple databases or data pools with different encryption keys, decrypting and searching through each one can be slow and cumbersome.
  • Data transfer cost: data transfer can be costly, as advanced systems are needed to maintain the encrypted data, and the system also needs to be scalable, which is a further cost.

Representative Vendors

  • IBM Guardium Data Encryption
  • Bitdefender GravityZone
  • Sophos Safeguard
  • Trend Micro Endpoint Encryption

AES Encryption

Advanced Encryption Standard (AES) is a symmetric block cipher adopted by the U.S. government, and subsequently by several other countries and the cryptography community, to secure sensitive information.

AES-128, AES-192 and AES-256 use key lengths of 128, 192 and 256 bits respectively to encrypt and decrypt messages. Whatever the key length, each variant encrypts and decrypts data in blocks of 128 bits.

Symmetric ciphers use the same key for encryption and decryption, so the sender and recipient must both hold the same key. Block ciphers work in rounds: a round is one pass of the cipher’s transformations over the data, and the number of rounds is the number of passes the plaintext goes through during encryption. 128-bit keys use 10 rounds, 192-bit keys use 12 rounds, and 256-bit keys use 14 rounds.

The AES algorithm defines a number of transformations that are performed on data held in an array. The first step of the cipher is to place the data in that array, after which the transformations are repeated over several rounds of encryption.

Implementing AES encryption yourself can be difficult, but many solutions will handle the encryption for you.
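To tie the encryption-at-rest section and this AES section together, here is an added example (not the article's or any vendor's code) using Go's standard-library AES in GCM mode, the kind of construction a file or mail encryption product runs underneath: the key length selects AES-128, AES-192 or AES-256 and its round count, a fresh nonce is drawn per message, and the authentication tag makes any modification of the stored ciphertext detectable, which is the integrity property claimed above. The names Rounds, Seal and Open and the sample key and message are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

// Rounds gives the AES round count for a key of keyLen bytes: 10, 12 or 14
// for AES-128, AES-192 and AES-256, and 0 for any other (invalid) size.
func Rounds(keyLen int) int {
	return map[int]int{16: 10, 24: 12, 32: 14}[keyLen]
}

// Seal encrypts body under key with AES in GCM mode and returns a fresh random
// 12-byte nonce followed by the ciphertext and the 16-byte authentication tag.
// header (e.g. the Subject line) stays readable but is covered by the tag too.
func Seal(key, header, body []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects any key that is not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, body, header), nil
}

// Open reverses Seal; a wrong key or any change to header, nonce, ciphertext or tag fails.
func Open(key, header, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, io.ErrUnexpectedEOF // truncated: not even nonce plus tag present
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, header)
}
```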

AES Encryption Strengths and Weaknesses

Strengths

  • Implemented in both hardware and software
  • The large key sizes make the AES algorithms more challenging to attack
  • It is one of the most widely implemented open standards in the world
  • Because it is so widely implemented and has the approval of the cryptography community, it is the most commonly used encryption standard

Weaknesses

  • Every round applies the same transformations
  • It can be hard to implement in software, and there are performance and security consequences when it is implemented incorrectly
  • Its algebraic structure is comparatively simple

Representative Vendors

  • Microsoft BitLocker
    • Best suited for Windows users who need encryption on their devices
    • Microsoft’s BitLocker is a set of encryption tools providing either AES 128-bit or AES 256-bit device encryption.
  • IBM Guardium
    • Best suited for enterprise users who need flexible encryption across multiple environments
    • IBM Guardium ensures the integrity of information and automates compliance controls across heterogeneous environments.
  • AxeCrypt
    • Best suited for protecting information on machines used by multiple individuals, and for collaboration
    • AxeCrypt has been widely adopted, and if more than one user is using a machine regularly, AxeCrypt would be a great solution.

PGP and S/MIME Encryption

Pretty Good Privacy (PGP) and S/MIME are two traditional standards used to send secure end-to-end encrypted emails. Both protocols use the recipient’s public key to encrypt a message, and the recipient decrypts it using their private key. The most significant difference between the two approaches is how public keys are distributed: S/MIME relies on a Certificate Authority (CA), whereas PGP relies on a Web of Trust.

A Certificate Authority is an entity that issues digital certificates. A digital certificate certifies that a public key belongs to the name(s) covered by the certificate. This enables the receiver of the email to trust the signature on the email, as it has been certified by a trusted third party.

Compared to a certificate authority, the Web of Trust is a decentralized trust model. You set up direct trust with individuals you know; they in turn set up direct trust with individuals they know, which gives you indirect trust in those third parties. If person A trusts person B, and person B trusts person C, then person A has indirect trust in person C.

PGP and S/MIME encryption are suitable for everyone: whether through an add-on or an email service provider, individuals and organizations alike can use PGP or S/MIME.
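A miniature of the two key-distribution models described above, as an added example (not PGP or S/MIME code): the Keyring type, ValidPath and WebOfTrust are the example's own. Keys are plain strings, a certification is one key signing another, and a key becomes valid for you when it is reached from your own key through signatures made by keys whose owners you trust as introducers, within a depth limit; the same function covers the A, B, C case in the text and the CA model, where one trusted root signs everyone's certificate. This simplifies real PGP, which also has marginal trust and a configurable depth.

```go
package main

// Keyring is a miniature model of the two key-distribution models described
// above (added example, not a real PGP or S/MIME implementation). Signed[k]
// lists the keys that key k has certified by signing them; Introducers holds
// the keys whose owners we trust to vouch for others (PGP "full" owner trust,
// or the certificate authority in the S/MIME model).
type Keyring struct {
	Signed      map[string][]string
	Introducers map[string]bool
}

// ValidPath reports whether target is a valid key for the owner of me and
// returns the certification chain that makes it so. A key is valid when me
// signed it directly, or when it was signed by a valid key whose owner is a
// trusted introducer, using at most maxDepth signatures (the A->B->C case).
func (r Keyring) ValidPath(me, target string, maxDepth int) ([]string, bool) {
	type hop struct {
		key  string
		path []string
	}
	queue := []hop{{me, []string{me}}}
	seen := map[string]bool{me: true}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		// Only me and trusted introducers may extend the chain, and a path of
		// n keys already carries n-1 signatures.
		if (cur.key != me && !r.Introducers[cur.key]) || len(cur.path) > maxDepth {
			continue
		}
		for _, next := range r.Signed[cur.key] {
			path := append(append([]string(nil), cur.path...), next)
			if next == target {
				return path, true
			}
			if !seen[next] {
				seen[next] = true
				queue = append(queue, hop{next, path})
			}
		}
	}
	return nil, false
}

// WebOfTrust builds the article's example: A signed B's key, B signed C's key,
// and A trusts B as an introducer, so C's key is indirectly valid for A.
func WebOfTrust() Keyring {
	return Keyring{Signed: map[string][]string{"A": {"B"}, "B": {"C"}}, Introducers: map[string]bool{"B": true}}
}
```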

PGP and S/MIME Strengths and Weaknesses

Strengths

  • PGP encryption is almost impossible to crack when properly implemented
  • Digital signatures act as proof of email origin
  • Protects against email spoofing

Weaknesses

  • It is not user friendly; the complexity of setting it up adds a substantial drain on both work and time
  • If it is not set up and operated correctly, it will lead to more security holes

Representative Vendors

  • Outlook with GPG4O
  • ProtonMail
  • Sophos Safeguard
  • Thunderbird with Enigmail (an add-on)


Securing email communications is essential to stay secure against cyber-threats, become compliant and ensure that sensitive data stays protected. The easiest way to implement email encryption across your organization is with an all-in-one email encryption solution that makes encryption easy to manage and easy for your end-users to use.

You can read our guide to the Top Email Encryption Solutions For Businesses here.