What's the difference between signing and encrypting with OpenPGP?

OpenPGP offers two main functions: signing and encrypting. Both protect your email, but for different purposes. You can also combine them for maximum security.


Info: Both signing and encrypting are available in all eclipso plans, even for freemail users. Use both functions for optimal security!


  • Signing Emails - The Digital Fingerprint

    • What is a digital signature?
      • A signature is a cryptographic "fingerprint" of your email
      • It proves that the email really came from you (authenticity)
      • It guarantees that the email has not been altered (integrity)
      • The recipient can verify the signature with your public key
    • What is NOT protected?
      • The email content is still readable by anyone (e.g., your email provider, network operator)
      • Signing does NOT protect against eavesdropping - only against forgery
    • When should you sign?
      • For business emails (proves your identity)
      • For important messages (prevents manipulation)
      • For first contact with new people (enables automatic key exchange)
      • Best practice: Sign ALL outgoing emails - costs nothing, does no harm!
    • How does it look for the recipient?
      • At eclipso: Green checkmark ✅ next to sender
      • In Thunderbird: Green seal icon bottom right
      • For invalid signature: Red warning symbol ⚠️
      • Tooltip shows details: "Signed by: name@eclipso.eu, Trust level: Automatic"
  • Encrypting Emails - Protecting Privacy

    • What is encryption?
      • The email is converted into unreadable gibberish
      • Only the recipient with the matching private key can decrypt it
      • Nobody else can read the content - not even eclipso, your provider, the NSA, etc.
      • This is called end-to-end encryption
    • What is protected?
      • Email text (content)
      • All attachments (images, PDFs, documents)
      • Optional: Even the subject line (if "Protected Headers" is enabled)
    • What is NOT encrypted?
      • Sender and recipient (metadata)
      • Date and time
      • Technical mail header (server information)
      • Why? This information is needed by the mail server for delivery
    • When should you encrypt?
      • For confidential information (passwords, health data, contracts)
      • For sensitive business data
      • For private conversations that are nobody's business
      • Whenever you don't want third parties to read along
    • Prerequisite for encryption:
      • You need the recipient's public key
      • At eclipso: Automatically imported when the contact sends you a signed email
      • Without public key: Encryption not possible (eclipso shows a warning)
  • Combination: Signing AND Encrypting (Recommended!)

    • Why combine both?
      • Encryption protects content from eavesdropping
      • Signature proves the email came from you
      • Together = maximum security
    • How to activate?
      • When composing an email: Click BOTH icons above the subject
      • "Encrypt" (icon turns blue)
      • "Sign" (icon turns blue)
      • Send the email - done!
    • For the recipient:
      • Green lock icon = Encrypted
      • Green checkmark ✅ = Signed
      • Both icons = Perfect security!
    • Default settings:
      • In eclipso settings you can set:
      • "Encrypt by default" - Encryption always enabled (if possible)
      • "Sign by default" - Signature always enabled
      • Recommendation: Enable both for automatic security!
  • Comparison Table: Signing vs. Encrypting

    | Property | Signing | Encrypting | Both |
    |---|---|---|---|
    | Content readable for third parties? | ✅ Yes (email is NOT encrypted) | ❌ No (only recipient can read) | ❌ No (only recipient can read) |
    | Sender verified? | ✅ Yes (signature proves sender) | ❌ No (no sender verification) | ✅ Yes (signature proves sender) |
    | Manipulation detectable? | ✅ Yes (signature becomes invalid) | ⚠️ Partially (encrypted but not signed) | ✅ Yes (signature becomes invalid) |
    | Public key needed? | ❌ No (only own private key) | ✅ Yes (recipient key required) | ✅ Yes (recipient key required) |
    | Use case | Prove identity, prevent manipulation | Protect content from eavesdropping | Maximum security (identity + privacy) |
    | Recommendation | Always use (costs nothing!) | For confidential content | Best practice! |
  • Practical Scenarios: When to use what?

    • Scenario 1: Sending newsletters
      • Recommendation: Only Sign
      • Reason: Content is public, but recipients should see the newsletter is genuine
    • Scenario 2: Sending password to colleague
      • Recommendation: Encrypt AND Sign
      • Reason: Password must not be readable + recipient must be sure you are the sender
    • Scenario 3: Confidential contract
      • Recommendation: Encrypt AND Sign
      • Reason: Legally secure communication (authenticity + confidentiality)
    • Scenario 4: First email to new contact
      • Recommendation: Only Sign
      • Reason: Recipient doesn't have your public key yet - signature enables auto-import
      • After that: Recipient can reply encrypted!
    • Scenario 5: Everyday private email
      • Recommendation: Sign (or both if the recipient uses PGP)
      • Reason: Privacy should be standard, not luxury
  • Technical Details

    • Signature algorithm: RSA-SHA256 (standard for 2048-bit keys) or RSA-SHA512 (for 4096-bit)
    • Encryption: RSA for key exchange, AES-256 for email content (hybrid method)
    • Signature size: Approx. 500 bytes (invisible to recipient, embedded in MIME)
    • Trust levels: Automatic (blue) / Marginal / Full / Ultimate (green)
    • Protected Headers: Subject encryption per RFC 8551 (supported by Thunderbird + eclipso)
  • Frequently Asked Questions

    • Q: Do I have to pay for signing?
      A: No! Signing is free - even for freemail users.
    • Q: Can I only sign WITHOUT encrypting?
      A: Yes, that's even recommended for public messages (newsletters, first contact).
    • Q: Can I only encrypt WITHOUT signing?
      A: Yes, but not recommended - then the recipient doesn't know for sure who the email is from.
    • Q: What happens if I send an encrypted email to someone WITHOUT PGP?
      A: eclipso shows a warning: "No public key found". You can still send the email unencrypted.
    • Q: Does the recipient see my signature if they don't use PGP?
      A: Yes, but they cannot verify it. Most mail programs simply ignore the signature.
    • Q: Do signatures work with S/MIME users too?
      A: No, OpenPGP and S/MIME are incompatible standards. The recipient must also use OpenPGP.
  • Important Notes

    • Signing never hurts - always use it!
    • Encrypt confidential content - even if it seems a bit cumbersome
    • Enable in settings: "Sign by default" for all emails
    • Ask your contacts to send you a signed email - then auto-import works!
    • When in doubt: Better too much security than too little → Always enable both