update (may 28th, 2016): this article is slightly outdated. please read these instructions instead
s/mime (with sha2 encryption) is currently the best way to send signed and end-to-end encrypted mails. it is well supported in all major (and minor) mail clients on various platforms and operating systems. you can read more about s/mime in wikipedia.
the process is not trivial, but straight forward:
update 2015-12-27: startssl updated their site with a new layout. all instructions on this page still work, but the screenshots showing their previous layout.
- create an account at startssl
- get certificate from startssl
- export certificate, import on iphone
- enable s/mime in ios's settings app
create an account at startssl
head over to startssl, click ”sign up for free“ in the top left corner and enter your personal enrollment details. once you are done filling out that form, make sure you entered all information correctly and hit continue. you'll get an email from startcom certmaster (firstname.lastname@example.org), just follow the instructions inside.
the regular process is, that your account will be reviewed before it is fully activated. this takes from minutes to max. 6 hours. in most cases the quoted wait time is way bigger, than you actually have to wait. grab your next cup of coffee and i'm pretty sure, an email is waiting for you, when coming back to your desk.
Your request for an account at StartSSL™ (www.startssl.com) has been approved …
this is the last step in account setup. copy the verification code from this email, follow the link and paste the code into the text field. a certificate to log in to startssl is now being installed (don't worry if keychain access is opening up, that's expected). then, you should see this page:
awesome. now we are ready to get our s/mime certificate.
get certificate from startssl
open the validation wizard, choose ”email address validation“ and enter your email address. again, copy and paste the verification code to validate. now choose the certificates wizard and ”s/mime and authentication certificate“ as certificate target.
a key pair will be generated inside your browser (and not on the server (external link, german)). just leave option ”2048 (high grade)“ selected and continue. this will take a few moments.
on the next page select your email address and hash algorithm sha2 (read more on sha2 in wikipedia). after clicking continue, your key pair (private and public key) will be saved inside your browser. if you are using safari on os x, it will be automatically saved to your login keychain. in the same moment, a file download is being started:
double click the certificate to import it to your keychain:
now, you are ready to send your first mail, using s/mime.
export certificate, import on iphone
export on mac
open keychain access.app (found inside utilities folder), choose my certificates from the sidebar and find your certificate. right click / context click on your certificate and then export to a folder of your choice (.p12 file):
you will have to enter a password to protect the item you want to export. this will be used only one more time (when importing the certificate on iphone). then you have to allow keychain access to export the items by entering your mac user's password.
import on iphone
drag and drop the certificates.p12 file via airdrop to your iphone (or use apple configurator, do not send it via email to your phone):
on your iphone import the certificate (here you'll need your password from above again):
as you can see, the profile is not signed. changing this is very easy: go to startssl on your mac, from the tool box choose startcom ca certificate and download the class 1 intermediate client ca. then drag and drop it to your iphone using airdrop again.
once you imported the ca certificate, your own profile is shown as verified:
enable s/mime in ios's settings app
grab your iphone, open settings.app, and navigate to: mail, contacts, calendars and delete your mail account. after adding your mail account again, please navigate to mail, contacts, calendars / (your account) / account / advanced and activate s/mime. then check sign and encrypt by default sections, and that your email certificate is ticked. the next time you write a new mail, you'll notice the lock symbol, stating that you are ready to send s/mime enabled mails.
if you received a signed mail from one of your contacts, you can import their certificate (public key). tap on their email address, then view certificate and install. from now on, you can send encrypted mails to that person. (this belongs to your mac as well, just import the other person's profile to encrypt your next mail.)
update 2015-12-07: added workaround for ios, not encrypting messages (thanks to marc, @_catstate)