As of yesterday, it got a little less convenient to encrypt email end-to-end, as both Lavabit and Silent Circle shuttered their secure email services. Lavabit, the service Edward Snowden used, shut its doors rather than hand over its customers' data in response to a request from the federal government. Silent Circle had not yet received such a request, but knew the time was rapidly approaching when it would.
Hushmail still provides a similar service, but has come under fire for complying with warrants for unencrypted emails a number of times since 2007. There are many other options still out there, and those not based in the US are more likely to survive the current political climate.
But the truth is, any time you hand the keys over to a service, you are introducing risk into the equation. This is an inherent flaw in managed encryption services, not a defect of any one provider: if the provider has any way at all to decrypt the mail, it can be compelled to do so, or to hand over the keys. A provider that cannot decrypt your mail has nothing to turn over except ciphertext.
The desire to have a company take care of the keys is certainly understandable, but if you want or require a means of communication that is more secure, you will need to hold them yourself, on your own machine. (Keep in mind that encrypted email is still not 100% secure: the headers, including sender, recipient and subject line, travel in the clear and can be collected as metadata; your recipient might store the decrypted message insecurely; and the plaintext sits in memory while you are viewing it.)
There are free tools that let you do this, based on GNU Privacy Guard (GnuPG, commonly abbreviated GPG). There are now "frontends" (a.k.a. GUIs, or "not having to go spelunking around in Terminal to use it") that make the process more approachable for the average user. Here's a list of GPG frontends for OS X.
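The point above, that a provider which never holds your private key cannot decrypt your mail no matter what it is ordered to do, is easy to see with GnuPG itself. The following script is an added example, not from the original post or from any of the services mentioned; it assumes a GnuPG 2.x `gpg` on the PATH and uses throwaway keyrings in temporary directories, so it never touches your real `~/.gnupg`. The names, addresses and message are constructed for the demo. Alice generates a key pair and exports only the public half; Bob encrypts to it; a third keyring standing in for the provider holds the same public key and nothing else, and its decryption attempt fails.

```shell
#!/bin/sh
# Added example: end-to-end encryption with keys held locally.
# Assumes GnuPG 2.x is installed as "gpg". All keyrings are temporary.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found on PATH" >&2; exit 1; }

# Create a fresh, private keyring directory (never ~/.gnupg).
new_keyring() {
    d=$(mktemp -d)
    chmod 700 "$d"
    printf '%s\n' "$d"
}

# Generate an RSA key pair in batch mode. %no-protection skips the
# passphrase so the demo runs unattended; a real key should have one.
gen_key() {  # gen_key HOMEDIR NAME EMAIL
    gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# Export only the public key; the private key never leaves its homedir.
export_pubkey() {  # export_pubkey HOMEDIR EMAIL OUTFILE
    gpg --homedir "$1" --batch --quiet --armor --export "$2" > "$3"
}

# Encrypt a file to a recipient whose public key is in the sender's keyring.
# --trust-model always avoids the interactive "key not trusted" prompt.
encrypt_to() {  # encrypt_to HOMEDIR RECIPIENT_EMAIL PLAINTEXT CIPHERTEXT
    gpg --homedir "$1" --batch --yes --quiet --trust-model always \
        --armor --recipient "$2" --output "$4" --encrypt "$3"
}

# Decrypt to stdout; succeeds only if the matching private key is present.
decrypt_with() {  # decrypt_with HOMEDIR CIPHERTEXT
    gpg --homedir "$1" --batch --quiet --decrypt "$2"
}

# Stop the per-homedir gpg-agent and remove the temporary keyring.
cleanup_keyring() {
    gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true
    rm -rf "$1"
}

# Runs the whole exchange and sets RECOVERED (Alice's decrypted text) and
# PROVIDER_RESULT ("failed" or "succeeded") for the provider's attempt.
e2e_demo() {
    alice=$(new_keyring); bob=$(new_keyring); provider=$(new_keyring)
    gen_key "$alice" "Alice Example" "alice@example.invalid"   # constructed identity
    export_pubkey "$alice" alice@example.invalid "$bob/alice.pub"
    gpg --homedir "$bob" --batch --quiet --import "$bob/alice.pub"
    # The provider, like a mail relay, sees at most the public key.
    gpg --homedir "$provider" --batch --quiet --import "$bob/alice.pub"

    printf 'meet at noon\n' > "$bob/msg.txt"                    # constructed message
    encrypt_to "$bob" alice@example.invalid "$bob/msg.txt" "$bob/msg.asc"

    RECOVERED=$(decrypt_with "$alice" "$bob/msg.asc")
    if decrypt_with "$provider" "$bob/msg.asc" >/dev/null 2>&1; then
        PROVIDER_RESULT=succeeded
    else
        PROVIDER_RESULT=failed
    fi
    cleanup_keyring "$alice"; cleanup_keyring "$bob"; cleanup_keyring "$provider"
}

e2e_demo
printf 'Alice recovered: %s\nProvider decrypt: %s\n' "$RECOVERED" "$PROVIDER_RESULT"
```

Run it as a plain `sh` script. The provider's failure is the whole argument of the post: a Lavabit-style order to hand over data yields only `msg.asc`, which is useless without the private key that stayed in Alice's keyring. Note what is not protected here: GnuPG encrypts the body only, so if you mail `msg.asc` the subject line and addresses still travel in the clear, and the `%no-protection` key is unsuitable outside a demo.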
Have you ever used either a managed encryption service or encryption on your own machine to secure your communications? What are your thoughts on the news of the end of these two email encryption services?