How to Send Sensitive Information by Email—Encryption for Real People


Opinions differ on how safe it is to send confidential information by email.  But let's take it as given that, every now and then, you want to send something by email and be reasonably sure that no one but the intended recipient can read it.  Let's also assume that you don't want to spend any money, and that it has to be as easy as possible for the recipient to read your message. 

Many discussions of secure email get bogged down in the details of S/MIME, which is a technologically elegant solution and is supported by many common email programs (for more details, see this Wikipedia article).  However, (1) S/MIME is a pain to set up and (2) it has to be set up at both ends.

There's a simpler approach to sending the occasional confidential email that goes like this: 

  1. You put the confidential information into a document (or spreadsheet, or what have you).
  2. You encrypt the document so that it cannot be viewed without a password.
  3. You email the encrypted document to the recipient as an attachment.
  4. You communicate the password to the recipient by some other means, preferably not by email, and certainly not by the email to which you attached the encrypted document.
  5. The recipient uses the password to decrypt the document. 

These steps may sound hard, but they're really not. 

These instructions assume that you are using a Windows computer, and that your recipient has either a Windows computer or an Apple computer.  If you use an Apple computer, you'll have to do a bit more research, or be prepared to shell out for the commercial version of Stuffit.  

Method I - If you know that your recipient uses a Windows computer.

What you do:  Download and install a free copy of AxCrypt.  To encrypt your file, right-click the file and choose AxCrypt | encrypt to .EXE.  You will be prompted for a password.  (If you're going to the trouble of encrypting, there must be a reason: do make sure that the password is hard to guess, ok?)  Remember that password.  AxCrypt creates a new file that ends in ".exe," i.e. an executable file.  Now a slightly awkward bit: you need to rename the file by changing the end of the filename from ".exe" to something non-meaningful.  Try ".temp" -- it will work just fine.  Now, just email this file as an attachment to your recipient.

What the recipient does:  The recipient saves the attachment to a folder on his or her computer.  He renames the file so that it once again ends in ".exe" (perhaps seeing some warnings along the way, which can be safely ignored).  The recipient double-clicks the file, and enters the password.  Out pops the decrypted file.

Note:  The awkward bit about renaming the file is due to a safety feature present in much email software.  Because so much malware used to be sent around the Internet in the form of executable files, many types of email software automatically block any email that has an attachment that ends in ".exe," regardless of its content.

Method II - If your recipient may be using an Apple computer.

What you do: Download and install a free copy of 7-zip.  To encrypt your file, right-click the file and choose 7-zip | Add to archive....  7-zip will then present you with a dialog box.  You can generally leave all of the default values alone, but you must enter a password (again, use a good password, and remember it).  Press "OK."  7-zip will create a new file that ends in ".7z".  Email this file as an attachment to your recipient.

What the recipient does:  If your recipient has an Apple computer, she can download and install a free copy of Stuffit Expander.  This can be obtained from the official site here, which requires some annoying registration, or from download.com without the annoying registration.  Use Stuffit Expander to open the file, provide the password, and Bob's your uncle.  If your recipient turns out to be using a Windows computer, she too can download and install 7-zip.  Having done so, she can right-click on the file and choose 7-zip | Open archive.  Once the archive is open, 7-zip will require a password as soon as anyone wants to read or extract the file (note that the filename is NOT encrypted by default). 

Disclaimer

This method does not provide perfect security.  The encryption itself is pretty good (AES-128 for AxCrypt, AES-256 for 7-zip), and has no publicly known flaws.  But there's nothing to stop someone who gets a copy of the file from doing a brute-force attack--i.e. trying out different passwords again and again until the right password is found.  In other words, the encryption is only as good as the password you choose.  In lieu of a more detailed discussion, we simply note that the most secure passwords contain a random mix of upper case letters, lower case letters, numbers and punctuation marks, and are preferably at least 8-10 characters long.
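To put numbers on "only as good as the password you choose," here is an added Python example (not part of the original article) that generates a password with the recommended character mix and estimates the brute-force search space. The sample passwords and the guessing rate of one billion per second are constructed assumptions, not measurements of AxCrypt or 7-zip.

```python
import math
import secrets
import string

# The four character classes the disclaimer recommends mixing.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 26 + 26 + 10 + 32 = 94 symbols


def generate_password(length=12):
    """Return a random password containing at least one symbol per class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        # secrets draws from the OS CSPRNG; the random module is predictable.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling keeps the choice uniform over qualifying passwords.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def search_space_bits(password):
    """Bits of brute-force work, assuming every character was picked at random
    from the classes that appear (human-chosen passwords are weaker)."""
    pool = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at an assumed guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    ASSUMED_RATE = 1e9  # constructed figure: one billion guesses per second
    for label, pw in [("8 lowercase letters", "kqzmtwpa"),   # constructed sample
                      ("8 mixed characters", "k9#Zm!t2"),    # constructed sample
                      ("12 generated", generate_password(12))]:
        bits = search_space_bits(pw)
        print(f"{label:20s} {bits:5.1f} bits  "
              f"{years_to_exhaust(bits, ASSUMED_RATE):.3g} years worst case")
```

Each extra random character from the full 94-symbol set multiplies the attacker's work by 94, so length matters at least as much as the mix of classes.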

Good luck!