Email encryption for journalists is not a luxury reserved for war correspondents or investigative veterans. It is a foundational skill that every reporter, from a first-year cadet to a seasoned editor, should know. When sources send tips, when editors exchange drafts, and when sensitive documents travel from a whistleblower to a newsroom, unencrypted email is the equivalent of sending a postcard: anyone with access to the network can read it. This tutorial is designed for beginners with no technical background, and it will walk you through what encryption is, which tools to use, and how to set them up step by step.
Why journalists specifically need to encrypt their email
Most people think of email as private. It is not. When you send an unencrypted message, it passes through several servers before it reaches its destination. Internet service providers, government agencies, corporate IT departments, and malicious hackers can all intercept that traffic. For the average person, this is a nuisance. For a journalist, it can mean a source is identified, a story is killed before publication, or a person's life is put at risk.
The concern is not hypothetical. In a widely reported incident, China hacked the New York Times for four months straight, gaining access to reporters' emails and files. That breach demonstrated precisely how email systems can become surveillance tools aimed directly at the press. Closer to home, Australian journalists working on sensitive investigations involving organised crime or national security face similar risks. Encryption does not make you invisible, but it raises the cost of surveillance dramatically.
What encryption actually does
Encryption scrambles the content of your message so that only the intended recipient can unscramble it. The method most commonly used for email is called end-to-end encryption (E2EE). With E2EE, your message is encrypted on your device before it is sent, and it can only be decrypted by the recipient's device. Even the company running the email server cannot read it. The two most practical ways to achieve this are PGP (Pretty Good Privacy) and a secure email provider that handles encryption automatically.
Option one: use a secure email provider
The easiest entry point for beginners is to switch to an email provider that builds end-to-end encryption into the service. Proton Mail is the most widely recommended option in journalism and security circles. Messages sent between two Proton Mail users are automatically encrypted. When you send to someone on a standard provider like Gmail or Outlook, you can set a password that the recipient must enter to read the message.
Setting up Proton Mail takes about five minutes. Go to proton.me, create a free account using a username that does not identify you, and start using it for sensitive communications. The free tier is sufficient for most journalists. The key habit to build is directing sources toward that address, not your work or personal Gmail account.
Option two: PGP encryption on your existing email
If switching providers is not practical, PGP lets you add encryption on top of almost any existing email client. Here is a simplified beginner's walkthrough.
- Install GPG. On Windows, download Gpg4win. On macOS, use GPG Suite. Both are free and well-documented.
- Generate a key pair. This creates two mathematically linked keys: a public key (which you share with anyone who wants to send you encrypted email) and a private key (which stays on your device and is never shared).
- Share your public key. Publish it on a keyserver like keys.openpgp.org, or paste it in your email signature. Anyone can use it to encrypt a message that only you can read.
- Get your source's public key. When you want to send an encrypted reply, you encrypt with their public key. They decrypt with their private key.
- Use a compatible email client. Thunderbird, the free desktop client from Mozilla, has built-in OpenPGP support and is the most beginner-friendly way to manage PGP without extra plugins.
The main friction point with PGP is that both parties need to have it set up. This is why Proton Mail is often a better starting point: you can ask a source to create a free account and communicate there, without either of you needing to manage keys manually.
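Steps 2 to 4 of the walkthrough as GnuPG command-line calls, as an added example that is not part of the original tutorial. It includes the fingerprint comparison that should happen before you trust a key you were sent. The address source@example.org, the function names and the throwaway keyring directories are constructed for the demo, and it assumes GnuPG 2.1 or later is installed as `gpg`.

```sh
#!/bin/sh
# Added demo with constructed names: two throwaway keyrings stand in for the
# journalist's and the source's devices, so no real ~/.gnupg is touched.

g() { home=$1; shift; gpg --homedir "$home" --batch --quiet "$@"; }

# Step 2: generate a key pair. The empty passphrase only lets the demo run
# unattended; protect a real private key with a strong passphrase.
make_key() {
    g "$1" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default 1y
}

# Print the primary-key fingerprint for a user ID in the given keyring.
fingerprint() {
    g "$1" --with-colons --fingerprint "$2" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Steps 3 and 4: hand a PUBLIC key from one keyring to another.
share_public_key() {    # args: from_home to_home key
    g "$1" --armor --export "$3" | g "$2" --import
}

# Encrypt stdin to the recipient only when the imported key's fingerprint
# equals the one the recipient confirmed over a separate channel.
encrypt_if_verified() { # args: home recipient expected_fingerprint
    [ "$(fingerprint "$1" "$2")" = "$3" ] ||
        { echo "fingerprint mismatch, not encrypting" >&2; return 1; }
    # The key was checked by hand above, so tell gpg to accept it for this call.
    g "$1" --armor --trust-model always --encrypt --recipient "$3"
}

# Full exchange: prints the message as the source sees it after decrypting.
round_trip() {          # args: message
    J=$(mktemp -d); S=$(mktemp -d)
    make_key "$S" "source@example.org" 2>/dev/null
    fpr=$(fingerprint "$S" "source@example.org")   # read out by phone, say
    share_public_key "$S" "$J" "$fpr" 2>/dev/null
    printf '%s' "$1" |
        encrypt_if_verified "$J" "source@example.org" "$fpr" > "$J/msg.asc"
    g "$S" --decrypt "$J/msg.asc" 2>/dev/null; status=$?
    for h in "$S" "$J"; do
        GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$J" "$S"
    return $status
}
```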
Protecting your device and password, too
Encryption protects email in transit, but it does nothing if your device is compromised or your password is weak. A few additional habits are essential alongside email encryption.
- Use a strong, unique password for every email account. A password manager like Bitwarden or 1Password makes this manageable.
- Enable two-factor authentication (2FA) on every account. An authenticator app (such as Aegis on Android or Raivo on iOS) is more secure than SMS codes.
- Keep your device updated. Security patches close the vulnerabilities that allow attackers to access your files directly, bypassing encryption entirely.
- Be careful about metadata. Encryption hides the content of your messages but not the fact that you emailed someone. The "to", "from", and timestamp fields are still visible to an observer. For communications where even contact is sensitive, consider using Signal instead of email.
Building a culture of security in your newsroom
Individual habits matter, but newsroom-wide practices matter more. A single encrypted email address is only as strong as the weakest link in your editorial chain. If you are working on a sensitive story, it is worth checking whether your colleagues have encryption set up too. Many journalism schools and media organisations now include digital security in their training programmes, and there is growing awareness that security is not just a tech problem; it is an editorial responsibility.
Understanding digital threats is increasingly part of the job. Just as journalists have learned to understand what artificial intelligence actually does and how it shapes their industry, they are finding that digital security literacy is becoming a core competency. The tools described in this tutorial are free, well-supported, and designed for non-technical users. Setting up email encryption for the first time takes less than an afternoon. The protection it provides can last a career.
A quick-start checklist
- Create a Proton Mail account and share the address with trusted sources.
- Install Thunderbird and enable its built-in OpenPGP support if you need PGP on an existing account.
- Generate a PGP key pair and publish your public key.
- Set strong, unique passwords and use a password manager.
- Enable two-factor authentication on all accounts.
- Encourage colleagues and sources to use the same tools.
Email encryption is not about paranoia. It is about professional responsibility. Sources take real risks to give journalists information that serves the public interest. The least a journalist can do is make sure that information travels safely.
