March 13, 2017
One question that the InfoSec team gets quite frequently is, how do I encrypt a file to send via email? Well I'm glad you asked!
First, it is important to note that email should not be considered a secure method of communication. By default the contents of email messages are not encrypted and it is possible for messages to be intercepted, forwarded, or read without the knowledge of the sender or intended recipient. As a result, confidential information, such as passwords or research data, should never be sent unencrypted via email. If you are unsure what type of data is safe to send via email, what needs to be encrypted, and which pieces of data should never be sent via email, consult the InfoSec Data Storage Guidelines [1].
One potential solution to this problem is to encrypt your data before you send it. That may sound difficult, but it is actually quite simple once you know how. This guide will show you two methods of encrypting data before sending via email. The first option is for Microsoft Office files only, and the second can be used for all file types.
Encrypting Microsoft Office Files
The latest versions of Microsoft Office (2013 and 2016) include the ability to strongly encrypt Word, PowerPoint, and Excel documents right out of the box. Previous versions of Office (2010 and below) allowed you to password protect documents, however, the encryption used was very weak and we do not recommend that you use those versions to encrypt your data.
Here is a step-by-step guide to encrypting a Microsoft Office document. This example uses Microsoft Word, however, the steps in PowerPoint and Excel are the same.
Step 1: When you are ready to save your document, choose 'File'.
Step 2: Choose 'Info'.
Step 3: Choose 'Protect Document' and then select 'Encrypt with Password' from the dropdown menu.
Step 4: You will be prompted to choose a password for this file. Enter the password and click 'OK'. You will be asked to enter the same password again, then click 'OK' again to complete the process. Make sure that you use a strong password [2] that you will easily remember, as this password will need to be shared with the intended recipients of this document.
Step 5: Save the document.
Additional help information on encrypting Microsoft Office documents can be found here - Password protect and encrypt Office documents [3]
7-ZIP Example
7-Zip [4] is a popular open-source compression and archiving utility. It offers solid compression rates, robust encryption, and is available at no cost. With 7-Zip you can encrypt individual files, or groups of files, into archives in either .zip or .7z format. The resulting encrypted file can then be sent via email with a high degree of assurance and little risk of inadvertent disclosure. It is important to note that if you use 7-Zip to encrypt files, the recipient of those files must also use 7-Zip to open the files.
Here is a step-by-step guide to encrypting a file using 7-Zip.
Step 1: If you do not already have 7-Zip installed on your computer, download and install the software which can be found on the 7-Zip website [4].
Step 2: Select the file(s) that you would like to encrypt, right-click and choose '7-Zip' and then select 'Add to archive...' from the dropdown list.
Step 3: Select where you would like to save the encrypted archive file in the 'Archive' box. Then in the "Encryption" section, enter in a strong password to protect the archive. Re-enter the password and then choose 'OK'. Make sure that you use a strong password [2] that you will easily remember, as this password will need to be shared with the intended recipients of this document.
The Final Step
In either example, at this stage you will now have an encrypted document that requires a password to open. That file can now be sent via email and it will be protected should it be intercepted along the way. However, there is one more step - you need to share the password with the intended recipient of the files. It is essential that the password and encrypted files are sent separately by different mechanisms. The password should not be sent via email, especially in the email containing the document, but instead should be provided in person or over the phone to ensure it is received by the intended party.
I Still Have Questions!!
The InfoSec team (part of Computing and Communications Services [5]) is here to help you stay safe! Check out the InfoSec website [6] and contact 58888help@uoguelph.ca [7] or x 58888 with any security concerns.
Thank you for helping to keep our campus safe!
Written by: Stephen Willem (Manager, CCS Information Security)
Image Source: Freepik [8]