Setting up encryption on a native email application is a bit convoluted and, frankly, beyond the perseverance of the average user. And is it actually possible to do this in a web application?
Email encryption and decryption is not included in MyKolab’s webmail service. MyKolab specifically states that it does not offer encryption at the moment because it does not want users placing their private keys on its servers. This is wholly understandable as any server holding a large number of private keys is likely to become a highly desirable target for those with nefarious intent. If you want encryption and value your privacy then you’re unlikely to want to upload your private and public PGP key pair to a web service, no matter where it’s hosted and pretty much regardless of the level of trust you have in the host.
There are ways to encrypt email locally using an email client add-on, such as Enigmail, but nothing that supports a webmail service. FireGPG, a Firefox extension that added GnuPG encryption, decryption, signing, and signature verification to Firefox and Gmail, is long dead. Since its untimely demise, I’ve not really seen decent webmail support for encryption and decryption.
Yet StartMail offers email encryption within its webmail using either a question and answer challenge, or using a PGP key. Taking the latter option means that the private PGP key must be stored on StartMail’s servers, which really is a no-no in security terms. However it does at least offer some sort of privacy option if you decide that you trust StartMail more than the various anonymous servers through which your email must pass before it reaches its intended recipient.
There’s obviously no way that you or I would be prepared to upload our private keys to any cloud service. By creating a PGP key pair within StartMail all you can say is that an email is secure once it leaves StartMail, and as long as StartMail is never hacked or compromised. To be honest, that’s an impossible ask.
Even if an email has been encrypted, its metadata may reveal rather a lot about it, such as where it came from and who its being sent to. Clearly StartMail cannot do much about this, it’s a weakness inherent in the email protocol.
However an email sent via StartMail’s web client or its IMAP service does have some of its headers stripped. This removes some information that could be useful to eavesdroppers such as data about the email client, and both the IP address and host name of the server that the email goes through before sending.
Allowing a native email client or a mobile email client to connect to StartMail is not as straightforward as, say, GMail. Each client needs to be assigned its own unique password by StartMail, effectively registering each device.
The process of allocating a different password for each device is similar to the way in which passwords must be created in a GMail account that has been setup to require two-factor authentication. Which brings us on to two-factor authentication.
It’s obviously early days but it would be nice to see two-factor authentication implemented in StartMail at some point. Accessing a site using a combination of user name and password now feels a little bit dated and somewhat insecure.