Email Encryption Basics - How to Protect Communications from Eavesdropping

Email remains central to business communication, but its architecture was designed in the 1970s with security as an afterthought. Standard email is sent in plaintext, readable by anyone along the route. Contracts, invoices, personal information, password reset links: all of these travel by email, so encryption is essential to protect the sensitive information they carry. This article systematically explains email encryption fundamentals, from TLS transport encryption to end-to-end encryption with S/MIME and PGP.

Transport Encryption with TLS

How TLS Works and Its Limitations

TLS (Transport Layer Security) is a technology that encrypts communication between mail servers. The communication path is encrypted from your email client to the mail server, and during transfers between mail servers. Currently, major email services like Gmail, Outlook, and Yahoo Mail support TLS, and most emails are encrypted during transit.

However, TLS has important limitations. TLS only encrypts the "communication path": once a message arrives, it is stored on the mail server in plaintext. This means email provider employees, or attackers who gain unauthorized access to the servers, can read email contents. Additionally, TLS between mail servers is normally opportunistic: if the recipient's mail server does not support TLS, the sending server may fall back to delivering the email without encryption.
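The plaintext fallback described above can be prevented on the sending side by making TLS mandatory. The following Python snippet is an added example, not code from the original article: it checks whether the receiving server advertises STARTTLS in its EHLO reply and refuses to continue otherwise. The host names and EHLO replies are constructed for illustration.

```python
"""Added example: fail closed when an SMTP server does not offer STARTTLS.

Standard SMTP delivery is opportunistic: if the peer does not advertise
STARTTLS, most clients silently fall back to plaintext. The helpers below
make TLS mandatory instead. Host names, EHLO replies and the message are
constructed assumptions, not values from the original article.
"""
import smtplib
import ssl
from email.message import EmailMessage


def parse_ehlo_extensions(ehlo_text: str) -> dict:
    """Parse a multi-line EHLO reply body into {EXTENSION: parameters}.

    The first line of the reply is the server greeting; every following
    line is one advertised extension keyword, optionally with parameters.
    """
    lines = ehlo_text.strip().splitlines()
    exts = {}
    for line in lines[1:]:  # skip the greeting / server name line
        parts = line.strip().split(None, 1)
        if parts:
            exts[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return exts


def starttls_offered(ehlo_text: str) -> bool:
    """True only if the peer advertises STARTTLS in its EHLO reply."""
    return "STARTTLS" in parse_ehlo_extensions(ehlo_text)


def send_with_mandatory_tls(host: str, msg: EmailMessage, port: int = 587) -> None:
    """Deliver msg, refusing to continue if the session cannot be encrypted."""
    context = ssl.create_default_context()  # verifies certificate chain and host name
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        _code, reply = smtp.ehlo()  # reply is the raw EHLO body as bytes
        if not starttls_offered(reply.decode("ascii", "replace")):
            raise RuntimeError(f"{host} does not offer STARTTLS; refusing plaintext delivery")
        smtp.starttls(context=context)
        smtp.ehlo()  # re-read capabilities over the now-encrypted channel
        smtp.send_message(msg)


# Constructed EHLO replies for illustration (not captured from a real server)
EHLO_WITH_TLS = "mail.example.test Hello\nSIZE 35882577\nSTARTTLS\n8BITMIME"
EHLO_WITHOUT_TLS = "legacy.example.test Hello\nSIZE 10240000\n8BITMIME"

if __name__ == "__main__":
    print(starttls_offered(EHLO_WITH_TLS), starttls_offered(EHLO_WITHOUT_TLS))
```

Because the EHLO exchange itself happens before encryption, refusing to proceed without STARTTLS is also what protects against a path that strips the capability from the reply.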

S/MIME and PGP - End-to-End Encryption

Differences Between the Two Methods

End-to-end encryption encrypts on the sender's device and decrypts only on the recipient's device. Since emails remain encrypted on mail servers, even providers cannot read the contents. There are two major methods for email end-to-end encryption: S/MIME and PGP (GPG).

S/MIME uses digital certificates issued by Certificate Authorities (CAs) to verify identity. It is widely used in corporate environments and natively supported by Outlook and Apple Mail. PGP, on the other hand, uses a "Web of Trust" model where users verify each other's public keys. Since it does not depend on a central CA, it is preferred by individuals, journalists, and activists. Understanding PKI mechanisms makes the differences between the two clearer.

Encrypted Email Services for General Users

Easy-to-Use Encrypted Email

Since setting up S/MIME or PGP has a high technical barrier, encrypted email services are recommended for general users. Services like ProtonMail and Tutanota automatically apply end-to-end encryption between users of the same service. When sending to external email addresses, messages can be sent as password-protected encrypted messages.

These services also store emails encrypted on the server side (zero-access encryption), meaning even the service providers themselves cannot read email contents. Basic encryption features are available even on free plans, making them a practical choice for privacy-conscious users. However, note that full end-to-end encryption is not achieved unless the recipient also uses the same service.

Encrypting Email Attachments

How to Send Attachments Securely

Beyond encrypting email body text, protecting attachments is also important. The simplest method is compressing files into a password-protected ZIP before attaching. However, never send the password in the same email. Communicate the password through a different channel (phone, SMS, chat app, etc.). Note that "PPAP" (sending a password-protected ZIP by email and the password in a separate email), which became widespread in Japan, has almost no security benefit since both travel the same route, and is now deprecated.

A more secure method is uploading files to cloud storage (Google Drive, OneDrive, Dropbox, etc.) and emailing a sharing link with access permissions set. This method also allows you to revoke file access later. When handling highly confidential documents, combining this with authentication using hardware security keys provides even stronger protection. For foundational encryption concepts, also see encryption basics.
