End-to-End Email Encryption on macOS and iOS

While many email providers secure the connection to their servers with TLS (SSL), they rarely encrypt emails end-to-end from sender to receiver. Without end-to-end encryption, your emails can be read by your provider, or by someone more malicious who gains access to it. Fortunately, Apple Mail on both macOS and iOS supports end-to-end encryption using S/MIME certificates, and this post demonstrates how to use this feature effectively to better secure your communications.

When we started Archaedis Mend we had a small team, but were supporting a substantial client with sensitive data needs. Further, we knew we would be traveling internationally and wanted to keep our internal communications safe from prying eyes. While we were comfortable using iMessage for chat (https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf, see page 60), email on Apple devices was not afforded the same end-to-end encryption out-of-the-box.

We could have used PGP keys, but the Apple Mail client doesn’t support PGP. We could have encrypted our sensitive messages manually, but that’s an extra step for each email and is prone to human error: for example, how do you decide which messages count as sensitive?

Fortunately, the Apple Mail client supports S/MIME certificates. We tried using self-signed certificates, but Apple Mail doesn’t play nicely with these. Double fortunately, some companies offer free, signed, trusted S/MIME certificates! We could get S/MIME certificates without standing up our own key infrastructure. Triple fortunately, this works for the Apple Mail app on iOS, too!

This article shows you how to use a certificate from Actalis to encrypt your team emails end-to-end. This strategy works well for a small team that does not have its own certificate infrastructure.

macOS Instructions

(tested on Mojave, v10.14.2)

Step 1: Create a Certificate Signed by Actalis, a Trusted Authority

Navigate to https://extrassl.actalis.it/portal/uapub/freemail?lang=en.

Fill in the appropriate sections using your email address—the email address that will send and receive the encrypted emails. Click Send Verification Email. You will receive an email with a Verification Code. Paste that code into the Verification code field, fill in the Captcha, check all the checkboxes, and click Submit Request.

Step 2: Install the Certificate in Your Keychain

You will be taken to a page that indicates the “Procedure terminated with SUCCESS.” On this page is a password for your certificate—save this password! Take a screenshot, or better yet, save it in your password manager. You will need it to use your certificate.

You will receive an email from Actalis with a zip file containing your certificate. Unzip the archive; the certificate will be a .pfx file (a PKCS#12 bundle holding both your private key and your certificate, which is why it is password-protected). To import the certificate, double-click the .pfx file, which will open Keychain Access. Enter the password given to you by Actalis.

At this point, you can send an unencrypted email to your teammates. Now that your certificate is installed, Mail signs outgoing messages automatically, and the signed message carries your certificate (your public key), which is registered in your teammate’s Keychain. From then on, whenever they want to send you an encrypted email they just click the blue lock in the subject line!

We aren’t finished yet—an annoying “feature” will automatically save drafts of your emails unencrypted on the servers of your email provider, defeating the whole purpose of encryption.

Step 3: Disable Server Email Drafts

When in Apple Mail, go to the Mail menu and open Preferences.

Click on the Accounts tab. Click on the Drafts Mailbox. Select Drafts under On My Mac. Now your drafts will only be saved locally! No need to worry about your email provider—or someone else with access to your provider—reading your unencrypted email drafts.
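As a check on the setup above, here is an added Python script (not from the original post) that classifies raw messages by what a mail server can actually read: an S/MIME enveloped-data body, a signed message whose text is still readable, or plaintext. Run it over an export of a Drafts or Sent folder to confirm nothing unencrypted is reaching the server. The sample messages and their base64 bodies are constructed placeholders, not real captured mail.

```python
import email
from email import policy

ENCRYPTED, SIGNED_ONLY, PLAINTEXT, UNKNOWN = "encrypted", "signed-only", "plaintext", "unknown"

def classify_smime(raw: bytes) -> str:
    """Protection level a mail server sees for one raw RFC 822 message (outer MIME only)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "enveloped-data":
            return ENCRYPTED      # body unreadable without the recipient's private key
        if smime_type == "signed-data":
            return SIGNED_ONLY    # opaque-signed: integrity only, body is still recoverable
        return UNKNOWN
    if ctype == "multipart/signed" and "pkcs7-signature" in (msg.get_param("protocol") or ""):
        return SIGNED_ONLY        # clear-signed: the text part is readable by the provider
    return PLAINTEXT

def find_unprotected(messages):
    """(subject, level) for each message that is not enveloped-data, e.g. a Drafts folder export."""
    findings = []
    for raw in messages:
        level = classify_smime(raw)
        if level != ENCRYPTED:
            subject = email.message_from_bytes(raw, policy=policy.default)["Subject"]
            findings.append((str(subject or "(no subject)"), level))
    return findings

# Constructed sample messages; the base64 bodies are placeholders, not real CMS data.
ENCRYPTED_MSG = (b"From: alice@example.com\r\nSubject: quarterly report\r\nMIME-Version: 1.0\r\n"
                 b'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\r\n'
                 b"Content-Transfer-Encoding: base64\r\n\r\nUExBQ0VIT0xERVI=\r\n")
CLEAR_SIGNED_MSG = (b"From: alice@example.com\r\nSubject: meeting notes\r\nMIME-Version: 1.0\r\n"
                    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
                    b'micalg=sha-256; boundary="b1"\r\n\r\n--b1\r\nContent-Type: text/plain\r\n\r\n'
                    b"Readable by anyone who stores this message.\r\n--b1\r\n"
                    b"Content-Type: application/pkcs7-signature\r\nContent-Transfer-Encoding: base64\r\n"
                    b"\r\nUExBQ0VIT0xERVI=\r\n--b1--\r\n")
DRAFT_MSG = b"From: alice@example.com\r\nSubject: draft\r\nContent-Type: text/plain\r\n\r\nunencrypted draft\r\n"

if __name__ == "__main__":
    for subject, level in find_unprotected([ENCRYPTED_MSG, CLEAR_SIGNED_MSG, DRAFT_MSG]):
        print(f"NOT END-TO-END ENCRYPTED: {subject!r} ({level})")
```

Note that a signed-only message gives you authenticity but no confidentiality; only enveloped-data keeps the body away from the provider.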

Step 4: Export Your Certificate for Use on Other Devices

In Keychain Access, click My Certificates in the bottom-left pane. Find and right-click your new certificate. Click Export.

You will be prompted to create a password for this certificate. You will use this password when importing your certificate onto other devices. Again, we recommend using a password manager. Save the certificate as a .p12. You’re done! Now, on to your mobile devices.

iOS Instructions

(tested on iPhone 7, model MN8L2LL/A, iOS 12.1.4)

Step 1: Install Your Own Certificate

Send yourself your exported certificate in an unencrypted email. Open the certificate attachment. A screen will appear titled Install Profile. Click Install and enter your phone’s passcode.

You may see a warning screen that the profile is not signed; this is expected, because a .p12 file is not a signed configuration profile. You can safely install the profile. Click Install. You will be asked for the password you used when exporting your certificate in Step 4 of the macOS section. If successful, you will see a screen titled Profile Installed. Click Done.

Step 2: Install Another Person’s Certificate

Have another person who has their certificate installed on their laptop send you a test email. Click on the sender’s address, which will bring up a screen titled Certificate. Click Install at the bottom of this screen. You can now read encrypted emails from this sender.

You should also go through this process with your teammates on their devices so that everyone can read the encrypted communications on their mobile devices.

Step 3: Update Your Mail App Settings

Open the Settings app. Navigate to Passwords & Accounts -> Your Email Provider -> Your Account -> Advanced. In the Advanced menu, you will see a slider button for S/MIME. Enable this.

Enabling S/MIME will reveal two more options: Sign and Encrypt by Default. Enable both of these.

Now you can send encrypted emails from your iOS device! But, before you do, the last thing we have to do is disable the draft-saving feature.

Step 4: Disable Server Drafts

In the Settings app, click on Passwords & Accounts -> Your Email Provider -> Your Account -> Advanced. Under the section Mailbox Behaviors are options for Drafts Mailbox, Deleted Mailbox, and Archive Mailbox. Open the Drafts Mailbox and Deleted Mailbox settings and, in each, select the option under On My iPhone. This will save your drafts and trash on your device instead of unencrypted on a server.

Voila! Now you and your team can send encrypted emails to each other!
