Encrypting email attachments: How to do it securely

If you take data protection seriously – or are legally obliged to do so – you should always send email attachments in encrypted form. This article explains why and shows you how it can be done easily.

Whether contracts, quotations or internal documents – email attachments often contain confidential information. What many people underestimate is that standard emails are not inherently secure. If you take data protection seriously – or are legally obliged to do so (for example, under the GDPR) – you should never send attachments unencrypted.

In this article, we explain why encrypted attachments are important, outline the available methods along with their advantages and disadvantages, and show you how to encrypt an email attachment securely and easily using FTAPI.

Why you should encrypt an email attachment

Sending an unprotected email is like sending a postcard – anyone with access along the way or at the destination can read it. Sensitive content in attachments – such as contracts, quotations or personal data – will therefore arrive unencrypted in inboxes, assuming it even reaches the correct recipient and is not intercepted en route.

What’s more, email remains the preferred attack vector for cybercriminals. According to Bitkom, numerous cyberattacks on companies are initiated via email – and in 63 percent of data theft cases, general communication data such as emails is affected.

This makes unencrypted attachments particularly risky – whether due to mistyped addresses, unsecured Wi-Fi networks or compromised accounts. Even password-protected ZIP or PDF files offer genuine protection only if the password is sent separately and securely via another channel (for example, by phone, not just in a separate email) – something that rarely happens in practice.

Encryption is also a legal requirement: the GDPR stipulates that personal data must be protected through appropriate technical measures – and this includes attachments containing such data. Companies that neglect this risk fines, reputational damage and losing control over their data.

6 reasons to encrypt email attachments (for businesses)

The good news: Secure communication no longer has to be complicated. There are now several solutions that allow you to send attachments in an encrypted, traceable way – without technical hurdles.

Let’s take a closer look at what that can look like.

How can email attachments be encrypted?

The main purpose of email encryption is to prevent unauthorised access to the data contained in an email. This data may include email addresses, the message body itself (see our dedicated article on email data protection for more details) or attachments. Attachments often contain particularly sensitive information and are frequently overlooked when it comes to protection.

To secure attachments in emails, there are various encryption methods and essentially two types of protection: transport encryption (e.g. TLS) and end-to-end encryption (e.g. PGP and S/MIME).

The following sections will explain when each method is appropriate and outline their respective advantages and disadvantages.

Transport encryption (TLS)

Transport encryption, also known as point-to-point encryption, uses TLS (Transport Layer Security) and is the standard with most email providers. It protects only the transmission path – that is, the connection from one email server to another. The contents of the email – including both the message text and attachments – remain unencrypted.

Example: An email with an attachment is sent from Server A to Server B. TLS ensures that no one can intercept the message while it is in transit. However, once the email is stored on the sender’s server, temporarily cached at network nodes, or sitting in the recipient’s inbox, it exists in plain text and is therefore vulnerable – for example, in the case of a compromised mailbox or man-in-the-middle attack.

TLS is therefore a basic level of protection – useful, but not sufficient for confidential content.
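Added example (not part of the original article and not FTAPI code): the Python sketch below reads the Received headers of a stored message to see which hops were recorded as TLS-protected (RFC 3848 keywords such as ESMTPS), then shows that the attachment is still readable without any key once the message sits in the mailbox. The message, host names and file name are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# RFC 3848 "with" keywords that a receiving server writes for a TLS-protected hop
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
# Top-level content types of end-to-end encrypted mail (S/MIME, PGP/MIME)
ENCRYPTED_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}

def build_sample() -> bytes:
    """Constructed message as it would sit in the recipient's mailbox."""
    msg = EmailMessage()
    # Newest hop first, as in a real header block; all hosts are made up.
    msg["Received"] = ("from relay.example.net by mx.example.org "
                       "with ESMTPS id B2; Mon, 6 Jan 2025 10:00:02 +0000")
    msg["Received"] = ("from client.example.com by relay.example.net "
                       "with ESMTP id A1; Mon, 6 Jan 2025 10:00:01 +0000")
    msg["From"] = "sales@example.com"
    msg["To"] = "buyer@example.org"
    msg["Subject"] = "Quotation"
    msg.set_content("See attached.")
    msg.add_attachment(b"Offer: 12,500 EUR\n", maintype="application",
                       subtype="octet-stream", filename="quotation.txt")
    return msg.as_bytes()

def hop_report(raw: bytes):
    """Return (receiving host, protocol, tls_recorded) for every hop."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        by = re.search(r"\bby\s+(\S+)", value)
        proto = re.search(r"\bwith\s+(\S+)", value)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((by.group(1) if by else "?", name, name in TLS_PROTOCOLS))
    return hops

def readable_attachments(raw: bytes):
    """Attachments anyone with mailbox access can open without a key."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() in ENCRYPTED_TYPES:
        return {}  # content is wrapped by S/MIME or PGP/MIME
    return {p.get_filename(): p.get_content() for p in msg.iter_attachments()}

if __name__ == "__main__":
    raw = build_sample()
    for host, proto, tls in hop_report(raw):
        print(f"{host:20} {proto:8} {'TLS' if tls else 'NO TLS RECORDED'}")
    # Base64 is only a transfer encoding: the file comes back in clear text.
    print(readable_attachments(raw))
```

Received lines written before the message reached your own servers can be forged, so treat only the hops recorded by your own infrastructure as evidence.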

Protecting email attachments with a password (symmetric encryption)

Another option is to encrypt only the attachment – for example as a ZIP archive or a password-protected PDF. Both parties must know the same password, which therefore also has to be transmitted securely.

The problem: if you send both the file and the password by email, your data is not truly protected. Password-protected attachments offer only limited security, much like TLS. They are only effective if the password is transmitted securely (e.g. by phone or via a messaging app) and is not reused. In practice, this is rarely the case.

End-to-end encryption

With end-to-end encryption, the email content, including attachments, is encrypted directly in the sender’s email client and only decrypted on the recipient’s device. The data remains encrypted throughout transmission and while stored on servers – third parties have no access.

This principle can be implemented in different ways:

  • Symmetric encryption uses the same password for encryption and decryption – for example with password-protected PDFs. The sender and recipient must exchange the password securely in advance.

  • Asymmetric encryption uses a key pair: a public key for encryption and a private key for decryption, which is not shared.

The best-known methods are:

S/MIME (Secure/Multipurpose Internet Mail Extensions)

S/MIME is based on digital certificates issued by a recognised certification authority; the certificate carries the public key. Sender and recipient each have a key pair:

  • The public key is shared and used for encryption.

  • The private key remains with the recipient and is used for decryption.

Advantages:

  • Can be integrated into common email clients

  • Also supports digital signatures

  • Suitable for long-term, secured communication relationships

Disadvantages:

  • Set-up and certificate management are time-consuming

  • Both parties need valid certificates

  • Not very flexible when communicating with external recipients

OpenPGP / PGP (Pretty Good Privacy)

PGP (also OpenPGP) is an open standard without central certification authorities. Users generate their own key pairs and exchange public keys manually or publish them on key servers.

Advantages:

  • Strong cryptographic security

  • No dependency on certification authorities

  • Open, well-established standard

Disadvantages:

  • Technically complex to use

  • Not integrated by default in email clients

  • Limited suitability in corporate environments

Platform-based end-to-end encryption (e.g. with FTAPI)

Platform solutions such as FTAPI provide automated end-to-end encryption – without certificate management or manual key exchange. The file is uploaded in encrypted form and made available via a secure link that only authorised recipients can access. Sending can be done directly in the browser or from Outlook. We’ll look at exactly how this works in the next section.

Advantages:

  • No certificates or key management required

  • Easy for both internal and external recipients to use

  • Supports very large files

  • GDPR-compliant and aligned with BSI guidance

Disadvantages:

  • Attachments are not stored directly in the email

  • Link-based delivery may feel unfamiliar to some recipients

Summary: email encryption in simple terms

  • TLS protects only the route an email takes – not its contents.

  • Password-protected attachments are secure only if the password is sent separately via another channel (not just in a separate email).

  • S/MIME and PGP protect both the route and the content, but are technically demanding.

  • Tools such as FTAPI offer a pragmatic, secure approach: the attachment is sent via a protected link – encrypted and accessible only to authorised recipients.

The next section provides a step-by-step guide to encrypting email attachments with FTAPI.

How to encrypt an email attachment with FTAPI

With FTAPI SecuMails, you can send attachments securely and in compliance with the GDPR, directly from your email inbox. The solution can be used via the web or Outlook and allows you to transfer attachments of any size in encrypted form – to both internal and external recipients, without requiring them to have their own infrastructure.

Screenshot: Encrypting an email attachment with the FTAPI Outlook add-in

How sending with SecuMails works:

  1. Write your email as usual: Enter the recipient’s address, subject and your message. In Outlook, use the standard email window. In the web application, click on “New delivery” and fill in the relevant fields.

  2. Add attachments: Attach the files you wish to send securely. In Outlook, you add files as usual. In the browser, you can upload them via drag and drop or by clicking the “Attach files” button.

  3. Choose security level and expiry date (optional): Decide on the security level for your files and how long they should be available for download. These settings can also be centrally managed within the organisation.

  4. Insert a download button (optional, Outlook only): When sending via Outlook, you can insert a “Download button” for your attachments into your email. This can be placed manually or automatically added at the end of your delivery (above the signature).

  5. Send your file securely: Click “Send with FTAPI” in the menu bar to securely transmit your email and attachments.

The recipient will then receive an email with a download link in their regular inbox and can safely retrieve your files. Depending on the selected security level, authentication may be required before the download.

Coming soon: FTAPI will expand its secure email solution to include certificate-based encryption. Organisations will then be able to secure their email communication with FTAPI using the established S/MIME standard – automated, certificate-based, and directly integrated into SecuMails. For companies and public authorities with high security and compliance requirements, this creates comprehensive protection: emails can be automatically encrypted and decrypted, and digitally signed.

This will make FTAPI a central solution for a wide range of use cases – from one-off secure sending to structured, protected communication with partners and public institutions.

Conclusion: Encrypted attachments should become standard practice

Email attachments often contain particularly sensitive information. Without adequate protection, they can easily end up in the wrong hands – whether through a mistyped recipient address, an unsecured Wi-Fi network or a compromised mailbox. Anyone wishing to comply with the GDPR and avoid data breaches should always encrypt attachments.

The most suitable method depends on the use case: while certificate-based solutions such as S/MIME are ideal for fixed communication relationships between companies and organisations with particularly high security requirements, platform-based solutions like FTAPI offer greater flexibility – especially when exchanging information with external recipients.

The key point is that encryption should not be complicated – it should be an integral part of secure corporate communication.

Frequently asked questions about email attachments and data protection

Yes – for example, as a password-protected ZIP file or a PDF with a password. It is crucial never to send the password via the same channel (such as email). Better alternatives include solutions like FTAPI, which provide secure and traceable access without the need for separate password communication.

Unencrypted attachments can breach the GDPR, especially if they contain personal data. Companies are obliged to implement appropriate technical measures when sending such files – for example, encryption combined with access control and logging.

PDF files can be password-protected using programs such as Adobe Acrobat or Microsoft Word. Alternatively, they can be encrypted and sent via FTAPI – without the recipient needing any special software.

The best way is to use a platform with end-to-end encryption, authentication, and access control. FTAPI SecuMails offers exactly that – directly in your browser or via Outlook, even for large files and external recipients.

To securely encrypt emails and attachments in Outlook, follow these steps: Click “Options” in the email composition window and navigate to “Security Settings” (advanced properties). Tick the box for “Encrypt message and attachment” (the exact wording may vary depending on your Outlook version). If nothing is selected, Outlook will use TLS by default. Then write your email, add the attachment, and send it.

Even easier is to use the FTAPI Outlook add-in: simply add the file via the FTAPI icon, choose the security level, and send the email – the attachment will be encrypted automatically.