Gmail Encryption with Virtru

I’ve been looking at legitimate email encryption over the course of several months. My whole purpose was to try to find a legitimate encryption tool for small firms. Even though I’m not wildly concerned about encrypted email messages (most people don’t send that many messages that demand encryption), I still think that all attorneys should have a viable encryption option if necessary.

I thought I found a solution for Google Apps with a product called Google Apps Message Encryption. Unfortunately, GAME isn’t a viable solution for firms with fewer than 150 users. Of course, I’ve already discussed Viivo, which I’m quite pleased with, but it really only encrypts files, not messages.

As I explored further, I saw several mentions of a product called Virtru.


How Virtru works

Virtru works across platforms, with extensions for Gmail, Chrome, and Outlook. More importantly, Virtru includes an Android app (there’s also an iOS app).

Virtru offers business email encryption for Google Apps (currently in beta).

Virtru for Business

Virtru is very likeable because it’s very easy to set up and seems to work well at protecting the important information.

Once you’ve activated Virtru with your Google Apps account, you’ll see an encryption switch with every new email you compose.

Virtru active

Simply flick the switch to turn on Virtru encryption.

Virtru separates your email composition screen into non-encrypted and encrypted sections. The non-encrypted section allows you to give a customized introductory message to the recipient.

Virtru sections

I’d recommend using the customized intro, especially for less tech-savvy users. I sent an encrypted email to Mrs. The Droid Lawyer without telling her, and she freaked out with fear that the message was hazardous.

Virtru also blocks unauthorized users. If you’re not supposed to receive the message, you won’t be able to open the email message.

Virtru not authorized

Android app review: Virtru

The Virtru Android app is just as easy to use. Virtru sets up a link to your Google Apps account and functions similarly to Google’s own Gmail app.

Virtru Android App

Open a new email (or send a reply), then turn on the encryption settings to send the message.

Virtru Android protection

Virtru offers message expiration and forwarding restrictions for both Android and Google Apps encryption.

Depending on the case type, forwarding restrictions could be handy to protect against prying relatives, friends, or employees.

Caveats

If you weren’t aware, Google encrypts all information transferred across its servers. This means data is encrypted in transit, but not at rest. A lot of people complain that Google’s not doing enough — data should be protected at rest and in transit so governments don’t have access — but I’m not going to debate that issue.

Similarly, Virtru’s encryption only works in transit, but the message remains encrypted until the other side uses Virtru’s secure server to view it. This is obviously the preferred method, but it certainly doesn’t fully guarantee that someone can’t read the end data.

Update: Virtru contacted me after the post and gave me the following new insight:

You mention in your article that Virtru encrypts in transit. This is true, but we also encrypt at rest. Emails and drafts are encrypted right on your machine as soon as you start typing.

The email and attachments are fully encrypted while sitting on the SMTP servers of any hop in the chain and are only decrypted in memory to show the user. As soon as they close the app, the key is gone and the email/attachment remains encrypted on the device at rest.

The bigger issue is the holder of the key to unlock the encryption. Virtru’s privacy policy states that the company will “use and disclose Personal Information as required to comply with applicable law. We will handle any government requests for encryption keys in accordance with our Frequently Asked Questions on Government Surveillance.” This seems typical for most companies, and Virtru’s FAQ on government surveillance is pretty informative. Here are some key points:

Virtru doesn’t have any of your messages or files — your content will be on your device or in the hands of another provider — so if the government wants to read your files, it can’t get them from us.

The government would need those keys if it wanted to read any encrypted files it does obtain. Without them, the files are useless.

We won’t provide your keys to anyone without your consent — unless we are ordered to divulge them by a judge with jurisdiction over us. If we are ordered to divulge them, we will fight for you to have notice and an opportunity to object.

Virtru doesn’t have access to the content of your emails, files, or other data — it only has the keys. Virtru won’t be able to read your content because it doesn’t have content — and others (including the government) will be unable to read your content because they won’t have the keys.

If we receive a request from the United States government, we will respond by saying that we will not comply with any request other than a court order from a court with jurisdiction over us. We will then notify you that we have received such a request unless we are prohibited by law from doing so, so that you may have an opportunity to defend your rights to keep your data confidential.

Some statutes permit the government to obtain content (such as stored emails) on a lesser showing than probable cause. Virtru believes the Fourth Amendment should and does provide greater protection than these statutes for the content of email, files, and other data — particularly when such data is encrypted — and would argue this position in court in an appropriate case if necessary.

If Virtru received an order for encryption keys under either of these provisions of FISA or under any other legal theory that was not based on individualized court orders, it would vigorously contest it.

Virtru seems concerned about security, and more importantly, notifying its users of government requests for information.
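
A minimal model of the split described in the update and FAQ points above, added here as an illustration and not Virtru's code: the message is encrypted on the sender's device, the mail provider stores only ciphertext, and a separate key holder releases the key after checking the recipient list and expiration. `KeyServer`, `send`, `read` and the SHA-256 counter-mode stand-in cipher are assumptions chosen so the sketch runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (SHA-256 in counter mode) so the sketch runs on the standard
    # library alone; a real client would use a vetted AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("ciphertext modified or wrong key")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

class KeyServer:
    """Hypothetical key holder: stores keys and policy, never message content."""
    def __init__(self):
        self.records = {}
    def register(self, msg_id, key, recipients, expires_at):
        self.records[msg_id] = (key, frozenset(recipients), expires_at)
    def release(self, msg_id, requester, now):
        # Assumes the requester's identity was already verified by the server.
        key, allowed, expires_at = self.records[msg_id]
        if requester not in allowed:
            raise PermissionError("not authorized for this message")
        if now >= expires_at:
            raise PermissionError("message has expired")
        return key

def send(server, mailbox, msg_id, body, recipients, now, ttl):
    key = secrets.token_bytes(32)           # generated on the sender's device
    mailbox[msg_id] = seal(key, body)       # all the mail provider ever stores
    server.register(msg_id, key, recipients, now + ttl)

def read(server, mailbox, msg_id, requester, now):
    return unseal(server.release(msg_id, requester, now), mailbox[msg_id])
```

In this model, whoever obtains `mailbox` alone gets unreadable bytes and whoever obtains `server.records` alone gets keys with nothing to decrypt, which is why the question of who holds the key matters so much.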

Perhaps an option

If you’re looking for a viable option for encrypting email messages, Virtru is a good option. Best of all, Virtru is free to use, or you can upgrade to the pro (starting at $4/month) package. Overall, Virtru’s getting 4.5 of 5 stars.

01/29/15 Updated to add information about pricing.

6 Responses to Gmail Encryption with Virtru

  1. I greatly appreciate their honesty and apparent effort to protect your data. This is probably a great compromise between ease of use and security. I would think this level of security would pass muster with any bar in the union.

    • Okay, I’ve tested it out, and I really like how easy it is to use. I can actually see a client or attorney being able to use this to send and receive encrypted e-mail.

      Two complaints:
      1) The Android App requires an App Specific Password, and only supports one Google Account.
      2) The “intro text” is not saved from one e-mail to the next. I would like to stick a “signature” in that portion of the e-mail.

      • I do like the idea of a signature or standard phrase in the intro text, that would be nice.

        I don’t mind the one email option, since I’m really only concerned about encryption for my one Google for Work account. I could see a number of people wanting 2 or more accounts, especially if you manage different practice areas.

    • One more complaint:

      3) The Outlook plugin prevented me from opening Outlook.

      However, the web interface and the mobile web interface work great, so I don’t think they need the app and plugin to make this work for most people.

  2. Good review. I’ve been using Virtru off and on for the last several months. I was wondering if you are aware of anyone who has actually audited or done a deep inspection and review of the workings of Virtru. I thought I read that Virtru would make available their code for inspection. It’s not that I am disparaging the folks at Virtru, but before I recommend it to others, I would like to have a sense that it really does what it says it does, the encryption is effective and that there aren’t any holes or backdoors. After all if we are talking about and using encryption, then we must be a little bit suspicious and paranoid.

    Also, have you looked at Minilock for browser based file encryption?

    • The Virtru folks tell me that the designers are “ex-NSA guys” who wrote the encryption algorithms. I’m always worried about backdoors, but I don’t think we should have any greater worries than the current situation.

      I’ve looked at Minilock, it looks like a good option. I’m pretty happy with Viivo, but Minilock gives an alternative for my Chromebook.


Jeff Taylor

I’m just an ordinary guy living an extraordinary life. I’m also an attorney and I blog about Android for lawyers. You can follow me on Twitter, LinkedIn, YouTube, or Google+.