Each day over 200 billion emails are sent – more than 2 million per second. By the time it has taken you to read this blog post so far, 15 million emails have been sent. That is a staggering number of emails, some of which contain highly sensitive information, and the vast majority is unencrypted with just a little more protection than a postcard in the mail.
In the modern age, privacy is a concern for all of us. And at SilverStripe, privacy is of particular concern for many of our clients. It is an important consideration for us when designing and building websites, especially components that gather personal information.
When handling personal information, we need to be certain that the data has not been tampered with or viewed by other parties. This duty of care often extends to email systems when requirements call for user submitted data to be sent via email to the business for further processing.
GPG Email Encryption
GPG (GNU Privacy Guard) is an open source suite of encryption tools based on the OpenPGP standards. GPG provides a variety of encryption methods (including public key cryptography) which can be used to secure data such as files and emails.
Using public key cryptography to sign and encrypt email data is an excellent method to secure those communications. Once the necessary keys are generated and swapped between sender and recipient, the process is very straightforward and reliable.
The real strength of this approach is that both parties can consistently rely on the integrity of the email contents and attachments, regardless of how and where the email was transmitted.
We found this method and the GPG toolset so useful that we put together a solution for encrypting emails in SilverStripe. With the help and support of the Office of the Privacy Commissioner of New Zealand, we open sourced this solution so that it is freely available for the community.
Encrypting email with GPG Mailer
The GPG mailer module is essentially just a single class that we can use to replace the Mailer class when sending emails from SilverStripe. It is very straightforward to use once all the necessary pieces are in place.
The first part of the puzzle is installing GPG and GPG Agent – this software provides the set of tools. Following this, you can start with a vanilla SilverStripe install and simply pull in the GPG mailer module with composer:
composer require opcnz/silverstripe-gpgmailer ~0.1
Next we need some keys for encrypting, decrypting and signing messages. Generating these keys is actually very easy with GUI tools like GPG Keychain. You generally want two pairs of keys for testing: one for the email sender and the other for the recipient – that way you can both encrypt and decrypt your test messages.
Once you have keys generated and SilverStripe configured to know the paths to your keyrings, you can make use of the new mailer:
// Create email with plain content
$email = new Email(
// Set up encryption mailer
$mailer = new GPGMailer(
$result = $email->sendPlain();
That's all there is to it. For decrypting messages I found the Thunderbird Enigmail Add-On very handy.
Embrace email privacy
There are many efforts to improve the privacy of email communications currently underway, including increased awareness of using Transport Layer Security to encrypt email in transit.
Encrypting email contents is another important piece of the puzzle and retains security regardless of where the email may end up on its journey across the web.
Ensuring privacy is a collaborative effort and it's important that we all embrace it, especially in an industry where we are so often handling personal and sensitive information. Please consider email encryption for your next project and let us know how you get on in the comments below!