Your emails pass through numerous servers before reaching their recipient. Even with a trusted host like Infomaniak, particularly sensitive communications may warrant an additional layer of protection. End-to-end encryption ensures that only you and your correspondent can read the message content.
Understanding Email Encryption
Encryption transforms a readable message into a string of incomprehensible characters. Only the person holding the decryption key can recover the original message. Applied to email, encryption guarantees the confidentiality of your exchanges.
In-Transit vs At-Rest vs End-to-End Encryption
There are several levels of encryption for email. Understanding their differences is essential for choosing the right protection for your needs.
In-transit encryption (TLS) protects your emails while they travel: between your device and the server, and between one mail server and the next. It's like sending a letter in a sealed envelope that is opened at every sorting office along the way: nobody can read it in the post, but each server that relays the message sees it in plain text. TLS between servers is also usually opportunistic: if the next server does not offer it, the message may be relayed unencrypted. Nearly all modern email servers, including Infomaniak's, use TLS by default.
At-rest encryption protects your emails stored on servers: if a disk is stolen or decommissioned, the data on it is unreadable. It does not protect against the operator itself, which holds the keys and must decrypt the mail to serve it to you. Infomaniak encrypts data at rest in its data centers.
End-to-end encryption (E2EE) is the ultimate level. The message is encrypted on your device and can only be decrypted by your correspondent. No one in between — not Infomaniak, not your internet provider, not any authority — can read the content.
Why End-to-End Encryption Isn't Standard
If end-to-end encryption is so secure, why isn\'t it used by default? Several reasons explain this.
First, it requires both sender and recipient to use compatible systems. If you encrypt an email but your correspondent doesn't have the tools to decrypt it, they simply won't be able to read it.
Second, certain features become impossible: searching through emails, content-based spam filtering, access from any device without prior configuration.
Finally, managing encryption keys adds complexity. Losing your private key means losing access to all your encrypted emails.
Infomaniak's Built-in Protections
Even without enabling end-to-end encryption, Infomaniak email provides a solid level of security.
Systematic TLS
All connections to Infomaniak servers (webmail, IMAP, SMTP) are TLS-encrypted. Your credentials and email content never travel in plain text between your device and Infomaniak. The next leg, from Infomaniak's server to your correspondent's, is encrypted only if the receiving server also supports TLS.
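Because TLS is negotiated hop by hop, the only way to know how a particular message actually travelled is to read the Received: headers that each server added. The following is an added example, not code from the article or from Infomaniak: it parses the Received: chain of a constructed sample message and uses the RFC 3848 protocol token ("with ESMTPS", "with ESMTPSA") to report which hops used TLS. Hostnames, addresses and timestamps in the sample are made up.

```python
"""Which hops of a delivered message were TLS-protected?

Added example (not from the article or Infomaniak). RFC 3848 defines the
'with' clause of a Received: header: a protocol token ending in S (ESMTPS,
ESMTPSA, UTF8SMTPS) means the hop used TLS; a trailing A means SMTP AUTH.
Only hops recorded by servers you trust are reliable: anything upstream of
them can be written by the sender.
"""
import re
from email import message_from_string
from typing import Dict, List

# Constructed sample: three hops, the middle one (relay -> mx2) without TLS.
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby mail.recipient.example (Postfix) with ESMTPS id 1A2B3C
\tfor <bob@example.org>; Mon, 03 Jun 2024 10:00:05 +0200
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx2.example.net with ESMTP id 7Z8Y9X;
\tMon, 03 Jun 2024 10:00:03 +0200
Received: from [10.0.0.5] (unknown [203.0.113.9])
\tby relay.example.com with ESMTPSA id Q1W2E3;
\tMon, 03 Jun 2024 10:00:01 +0200
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Subject: quarterly figures
Date: Mon, 03 Jun 2024 10:00:00 +0200

(body)
"""

WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def hop_used_tls(with_token: str) -> bool:
    """RFC 3848: strip a trailing A (authenticated), then a trailing S means TLS."""
    token = with_token.upper()
    if token.endswith("A"):
        token = token[:-1]
    return token.endswith("S")


def tls_hops(raw_message: str) -> List[Dict[str, object]]:
    """One record per Received: header, newest hop first, as they appear in the message."""
    msg = message_from_string(raw_message)
    hops = []
    for received in msg.get_all("Received", []):
        text = " ".join(received.split())  # unfold the header
        m_with, m_from, m_by = WITH_RE.search(text), FROM_RE.search(text), BY_RE.search(text)
        protocol = m_with.group(1) if m_with else "?"
        hops.append({
            "from": m_from.group(1) if m_from else "?",
            "by": m_by.group(1) if m_by else "?",
            "protocol": protocol,
            "tls": hop_used_tls(protocol) if m_with else False,
        })
    return hops


def all_hops_tls(raw_message: str) -> bool:
    """True only if every recorded hop negotiated TLS."""
    return all(hop["tls"] for hop in tls_hops(raw_message))


if __name__ == "__main__":
    for hop in tls_hops(SAMPLE):
        print("%-20s -> %-24s %-8s %s" % (hop["from"], hop["by"], hop["protocol"],
                                          "TLS" if hop["tls"] else "CLEARTEXT"))
    print("every hop encrypted:", all_hops_tls(SAMPLE))
```

Even with every hop showing ESMTPS, the message was decrypted and re-encrypted at each server listed in the "by" column; that is exactly the gap end-to-end encryption closes.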
SPF, DKIM, DMARC
These authentication protocols protect against sender spoofing. They don't encrypt content, but they let the receiving server check that a message claiming to come from your domain was sent by a server you authorized (SPF) and has not been altered since it was signed (DKIM), and they tell it what to do with messages that fail (DMARC). They only block spoofing if the DMARC policy is set to quarantine or reject; with p=none, failures are merely reported to you.
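The part of this that is easy to get wrong is DMARC alignment: SPF and DKIM can both pass for an attacker's own domain while the visible From: header says yours, and a DMARC record with p=none does not stop that. The block below is an added example, not code from the article or from Infomaniak. It takes SPF and DKIM results as given (constructed scenarios) and implements the DMARC step: parse the published record, check identifier alignment against the From: domain, and derive the action the policy asks for. The organizational-domain helper is a deliberate simplification (last two labels); real verifiers use the Public Suffix List.

```python
"""Does a message pass DMARC, and what does the domain's policy then allow?

Added example (not from the article or Infomaniak). SPF/DKIM verification
results are inputs here; this code covers RFC 7489 alignment and policy.
org_domain() is an approximation: it assumes a one-label public suffix.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict, filling in RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % txt)
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("invalid p= value %r" % tags["p"])
    tags.setdefault("adkim", "r")  # relaxed alignment unless the record says strict
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (simplification, see docstring)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict ('s'): identical domains. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                    # domain of the RFC5322.From header
    spf_domain: Optional[str]           # envelope-from domain if SPF passed, else None
    dkim_domains: Tuple[str, ...] = ()  # d= of every DKIM signature that verified


def evaluate_dmarc(results: AuthResults, record: str) -> Dict[str, object]:
    """DMARC passes if SPF or DKIM passed AND the passing identifier aligns with From:."""
    tags = parse_dmarc_record(record)
    spf_aligned = aligned(results.spf_domain, results.from_domain, tags["aspf"])
    dkim_aligned = any(aligned(d, results.from_domain, tags["adkim"]) for d in results.dkim_domains)
    passed = spf_aligned or dkim_aligned
    # With p=none the receiver takes no action on failures: the domain is only monitoring.
    action = "none" if passed else tags["p"]
    return {"pass": passed, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "policy": tags["p"], "action": action, "pct": int(tags["pct"])}


# Constructed records: the weak monitoring-only setting beside an enforcing one.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCING = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

# Constructed scenarios, all with From: <...@example.com>.
LEGIT = AuthResults("example.com", spf_domain="example.com", dkim_domains=("example.com",))
# Spoof: SPF and DKIM both pass, but only for the attacker's own sending domain.
SPOOF = AuthResults("example.com", spf_domain="bulk-sender.example.net",
                    dkim_domains=("bulk-sender.example.net",))
# Third party sending from a subdomain: aligned under relaxed mode, not under strict.
SUBDOMAIN = AuthResults("example.com", spf_domain="news.example.com")

if __name__ == "__main__":
    for name, res in (("legit", LEGIT), ("spoof", SPOOF), ("subdomain", SUBDOMAIN)):
        for record in (MONITOR_ONLY, ENFORCING):
            verdict = evaluate_dmarc(res, record)
            print("%-9s p=%-10s pass=%-5s action=%s" % (name, verdict["policy"], verdict["pass"], verdict["action"]))
```

The spoof scenario is the one to look at: both SPF and DKIM report "pass", and the message is still rejected under the enforcing record because neither passing domain is the From: domain. Under p=none the same message is delivered.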
Swiss Hosting
Your emails are stored in Swiss data centers, beyond the reach of the U.S. Cloud Act. This is more of a legal protection than a technical one, but it's very real.
For most use cases, this is sufficient
End-to-end encryption is primarily necessary for highly sensitive communications: trade secrets, critical medical data, attorney-client communications on sensitive matters. For regular business correspondence, Infomaniak's standard protections provide an appropriate level of security.
End-to-End Encryption Options
If you need end-to-end encryption, several options are available with Infomaniak.
PGP (Pretty Good Privacy)
PGP is the historic standard for email encryption. It relies on an asymmetric key system: a public key that you share, and a private key that you keep secret.
To use PGP with your Infomaniak account:
- Install a compatible email client (Thunderbird 78 or later has OpenPGP built in; the Enigmail add-on was only needed for older versions and no longer works with current releases)
- Generate your key pair
- Publish your public key (key server, email signature, website)
- Obtain your correspondents' public keys and check each key's fingerprint with its owner through another channel (phone, in person)
- Encrypt and sign your outgoing emails
The main drawback of PGP is its complexity. Key management deters many users, and an encrypted email sent to someone who doesn't use PGP is unreadable.
S/MIME
S/MIME is an alternative to PGP, more tightly integrated with traditional email clients (Outlook, Apple Mail). It uses certificates issued by recognized certificate authorities.
To use S/MIME:
- Obtain an S/MIME certificate (free from some providers, paid for professional certificates)
- Import the certificate into your email client
- Configure your client to sign and/or encrypt emails
S/MIME integrates better with the existing ecosystem than PGP, but encryption is only possible if your correspondent also has a certificate.
Integrated Third-Party Solutions
Some services offer transparent encryption without requiring the recipient to configure anything. The encrypted message is sent with a link to a secure portal where the recipient can read it after authentication.
These solutions are convenient but depend on a third party, and whoever operates the portal is in a position to read the message unless it is decrypted in the recipient's browser, so this is not end-to-end encryption in the strict sense. They're suitable for occasional sends to recipients who aren't equipped.
Setting Up PGP with Thunderbird
Thunderbird is one of the few mainstream email clients with OpenPGP built in. Since version 78, support is native, with no extension needed.
Configure your Infomaniak account
Make sure your Infomaniak account is properly configured in Thunderbird (IMAP for receiving, SMTP for sending).
Access encryption settings
Account Settings → End-to-End Encryption. This is where you manage your PGP keys.
Generate or import a key
If you don't have an existing key, click "Add Key" and choose to create a new OpenPGP key. Thunderbird protects the stored secret key with its Primary Password rather than a per-key passphrase, so set a strong one (Settings → Privacy & Security → Passwords). Otherwise, import your existing key.
Publish your public key
Export your public key and publish it: key server (keys.openpgp.org, which makes your key findable by address only after you confirm ownership of that address by email), email footer, website.
Import your correspondents\' keys
To send an encrypted email, you must first have the recipient's public key. Thunderbird can look it up online (WKD or keys.openpgp.org) when you enable encryption for a message, or you can import it manually. In either case, compare the key's fingerprint with one the correspondent gave you through another channel before accepting it: a key server only shows that someone controlled that mailbox when the key was uploaded.
Sending an Encrypted Email
Once configured, sending an encrypted email is straightforward:
- Compose your email as usual
- In the security options, enable encryption (Security → Require Encryption) and, optionally, signing
- Thunderbird checks that it has the recipient\'s public key
- Send
The recipient's client decrypts the message when it is opened, provided their private key is available on that device.
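The same workflow, stripped of the Thunderbird interface, is easier to see with GnuPG on the command line, because both sides of the exchange are visible at once. The block below is an added example, not code from the article, from Thunderbird or from Infomaniak. It drives the `gpg` binary (GnuPG 2.1 or later, assumed to be on PATH) from Python with two throw-away keyrings: Alice generates a key pair, exports her public key, Bob imports it, the fingerprint Bob sees is compared with Alice's own, Bob encrypts and signs a message, and Alice decrypts it and checks the signature. Names, addresses and the message are constructed. The keys are created without a passphrase only to keep the demo non-interactive; never do that for a real key.

```python
"""The PGP steps from the article, driven by GnuPG (added example, not from the article).

Requires the `gpg` and `gpgconf` binaries (GnuPG 2.1+). Two temporary
GNUPGHOME directories play the roles of Alice's and Bob's machines.
Constructed identities and message; passphrase-less keys for the demo only.
"""
import os
import shutil
import subprocess
import tempfile
from typing import Dict, Optional

GPG_AVAILABLE = shutil.which("gpg") is not None
ALICE = "Alice Example <alice@example.com>"
BOB = "Bob Example <bob@example.org>"
MESSAGE = b"Q3 figures attached. Do not forward.\n"


def gpg(home: str, *args: str, stdin: bytes = b"") -> subprocess.CompletedProcess:
    """Run gpg against one keyring. --batch plus loopback pinentry: nothing ever prompts."""
    env = dict(os.environ, GNUPGHOME=home)
    cmd = ["gpg", "--batch", "--yes", "--pinentry-mode", "loopback", "--passphrase", "", *args]
    return subprocess.run(cmd, input=stdin, env=env, capture_output=True, check=True)


def make_keyring() -> str:
    home = tempfile.mkdtemp(prefix="gnupg-demo-")
    os.chmod(home, 0o700)  # gpg warns about (and may refuse) an unsafe home directory
    return home


def fingerprint(home: str, uid: str) -> str:
    """Primary-key fingerprint from --with-colons output (first 'fpr' record, field 10)."""
    out = gpg(home, "--with-colons", "--fingerprint", uid).stdout.decode()
    for line in out.splitlines():
        if line.startswith("fpr:"):
            return line.split(":")[9]
    raise RuntimeError("no fingerprint found for %s" % uid)


def pgp_exchange() -> Dict[str, object]:
    if not GPG_AVAILABLE:
        raise RuntimeError("gpg is not installed")
    alice, bob = make_keyring(), make_keyring()
    try:
        # 1. Generate a key pair on each side: primary key plus encryption subkey, no expiry (demo).
        gpg(alice, "--quick-generate-key", ALICE, "default", "default", "never")
        gpg(bob, "--quick-generate-key", BOB, "default", "default", "never")
        # 2. Publish / obtain public keys: export from one keyring, import into the other.
        gpg(bob, "--import", stdin=gpg(alice, "--armor", "--export", "alice@example.com").stdout)
        gpg(alice, "--import", stdin=gpg(bob, "--armor", "--export", "bob@example.org").stdout)
        # 3. Out-of-band check: the fingerprint Bob imported must equal the one Alice reads off her key.
        fpr_match = fingerprint(bob, "alice@example.com") == fingerprint(alice, "alice@example.com")
        # 4. Bob encrypts to Alice and signs with his own key. --trust-model always stands in for the
        #    trust decision a user makes after step 3; without it --batch refuses an uncertified key.
        ciphertext = gpg(bob, "--armor", "--trust-model", "always",
                         "--local-user", "bob@example.org", "--recipient", "alice@example.com",
                         "--sign", "--encrypt", stdin=MESSAGE).stdout
        # 5. Alice decrypts. --status-fd 2 adds machine-readable "[GNUPG:] ..." lines on stderr.
        result = gpg(alice, "--trust-model", "always", "--status-fd", "2", "--decrypt", stdin=ciphertext)
        status_lines = result.stderr.decode(errors="replace").splitlines()
        signer: Optional[str] = next(
            (line.split(" ", 3)[3] for line in status_lines if line.startswith("[GNUPG:] GOODSIG ")), None)
        return {
            "fingerprint_match": fpr_match,
            "armored": ciphertext.startswith(b"-----BEGIN PGP MESSAGE-----"),
            "plaintext": result.stdout,
            "good_signature": signer is not None,
            "signer": signer,
        }
    finally:
        for home in (alice, bob):
            if shutil.which("gpgconf"):
                subprocess.run(["gpgconf", "--kill", "gpg-agent"],
                               env=dict(os.environ, GNUPGHOME=home), capture_output=True)
            shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    for key, value in pgp_exchange().items():
        print("%-18s %r" % (key, value))
```

Two things the run makes visible that the Thunderbird dialogs hide: the ciphertext is plain ASCII armor that any server can store and forward (only the body is protected; the headers Thunderbird adds around it are not), and step 4 only works because the demo explicitly asserts trust in Alice's key. In real use that assertion is your fingerprint check from step 3.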
Limitations and Precautions
End-to-end encryption is not a silver bullet. Here are some limitations to be aware of.
Metadata Is Not Encrypted
PGP and S/MIME encrypt the message content, but not the metadata: sender, recipient, date, subject. This information remains visible. If the mere existence of an exchange is sensitive, email encryption is not enough.
The Private Key Is Critical
Losing your private key means losing access to all your past encrypted emails. Keep a backup of your key in a secure location (safe, disconnected storage), and generate a revocation certificate at the same time so that a lost or compromised key can be declared invalid on the key servers.
The Weakest Link Is Still Human
An encrypted email doesn't protect against the recipient themselves. If they copy the message in plain text elsewhere, forward the content, or leave their computer unlocked, encryption is rendered useless.
Search Becomes Difficult
Encrypted emails cannot be indexed on the server, so the webmail search does not see their content. Only a client that holds the private key can search them, and only if it indexes decrypted content, which most do not by default. Finding an old message can become tedious.
Alternative: Use kDrive for Sensitive Content
To share a confidential document, an alternative to email encryption is using kDrive with a password-protected link. The document stays on Infomaniak's Swiss servers, you maintain control over access, and you avoid the complexity of key management. Note that this is access control rather than end-to-end encryption: Infomaniak holds the document, and the protection depends on sending the password through a different channel from the link.
Conclusion
Email encryption is a complex topic, with solutions more or less suited to different needs. For the vast majority of professional use cases, Infomaniak's standard protections (TLS, Swiss hosting, SPF/DKIM/DMARC authentication) provide a satisfactory level of security.
End-to-end encryption becomes relevant for highly sensitive communications. PGP with Thunderbird is the most accessible solution, but it requires your correspondents to be equipped as well.
Assess your actual needs before getting started. Poorly configured or poorly used encryption can create a false sense of security, or even cause operational issues (unreadable emails, lost keys).
Ready to migrate to Infomaniak?
Contact us for a free 15-minute audit. We will analyze your situation and provide you with a personalized quote.