
How do I use end-to-end encryption with S/MIME on my iPhone or iPad?

An S/MIME certificate is required for using S/MIME on the iPhone and iPad.

You can create an S/MIME certificate in your Posteo account.

Install certificate

  1. Transfer your certificate onto your device, for example by saving it in the Files app on iOS.
  2. Open the certificate on your device.
    You may be asked what device you'd like to install the certificate on. Select your iPhone / iPad.
  3. You'll now receive an alert saying Profile Downloaded. Confirm by tapping Close and open the Settings app.
  4. In Settings, tap on Profile Downloaded and then on Install.
  5. Enter the passcode for your device - this is the code that you enter to unlock your iPhone / iPad.
  6. Confirm again by tapping Install - and again by tapping Install.
  7. Now enter the password that you received when you generated the certificate and tap Continue.
    Tip: The password was saved as a separate .txt file in your Downloads folder when you downloaded your certificate.
  8. Finish installing the certificate by tapping Done.

Select certificate for use

After you have installed the certificate, you can select it in Settings and begin signing emails:

  1. Open the Settings app on your iPhone or iPad and tap Mail.
  2. Now open Accounts and select your Posteo account.
  3. Tap on Account Settings, then select Advanced.
  4. Scroll to the very bottom. You'll find a section labeled S/MIME. Tap on Sign and tap again so that the toggle is switched on and turns green.
  5. Below, select the certificate that corresponds to your Posteo email address. When selected, you'll see a check mark next to it.
  6. Now go back to the Advanced screen.
  7. Tap now on Encrypt by Default.

Here you have two options:

  • Option 1: Select Encrypt by Default.
    If you choose this option, you will receive an error message whenever iOS Mail cannot encrypt an email. You can send the email anyway by tapping Send Anyway.
  • Option 2: Do not select Encrypt by Default.
    If you choose not to activate the Encrypt by Default setting, then when sending emails you can tap on the padlock next to the recipient's email address to activate encryption.

Select Option 1 if you already use encryption with most of your contacts; otherwise select Option 2.

  1. Tap on the Arrow in the top left of the screen to go back to the previous screen.
  2. Tap Back to go back to Account Settings.
  3. Confirm the changes you made by tapping Done.
    This last step is important - it ensures that your changes are saved.

Done. From now on, emails that you send from your Posteo email address will be signed with your S/MIME certificate.

Sign emails

If you followed the installation instructions above, each new email will automatically be signed. You can tell by looking at the top of the screen when composing a new email. The word "Signed" will appear.

When you send a signed email, you are also sending your public key, which allows the recipient to reply using encryption, provided they also use S/MIME.

Add senders' public keys

In iOS Mail, public keys from signed emails sent to you are not automatically saved on your device. Follow these instructions to add them - then you can send encrypted emails to these correspondents:

  1. In an email signed with S/MIME, tap on the name of the sender. You can tell an S/MIME-signed email by the seal symbol with a white check mark next to the sender's name. You may need to tap twice on the sender's name.
  2. Tap on View Certificate.
  3. Select Install.
  4. Confirm by tapping Done.

Encrypt

The following is required before you can encrypt emails:

If you meet these requirements and chose Option 1 (Encrypt by Default) when going through the setup above, your emails will automatically be encrypted:

  • When composing an email, the word encrypted will appear at the top of the screen.
  • A closed padlock will be displayed when you type in the To: field.

If you meet these requirements and chose Option 2 when going through the setup above, you can choose to encrypt emails when you send them:

  1. Tap on the padlock next to the recipient's email address.

Note: If an email is only encrypted but not signed - likely because the setting for signing automatically wasn't activated - the notice "Encrypted, Unsigned" will appear at the top of the screen.

Decrypt

When you open an encrypted email it will be decrypted automatically using your saved certificate. You can tell an email was sent with encryption by the closed padlock that appears next to the sender's name.
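
The signed and encrypted states described in the sections above are visible in a message's outer MIME headers, which is useful when checking a raw message source or a mail archive. The following is an added example, not code from Posteo or Apple: it classifies a message by the S/MIME content types standardized in RFC 8551. The function name and the sample messages are constructed for illustration.

```python
# Added example: classify a raw message by its outer S/MIME headers.
# The sample messages below are constructed, not real mail.
from email import message_from_string

SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
PKCS7_MIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def smime_state(raw: str) -> str:
    """Return 'signed', 'encrypted' or 'none' based on the outer MIME headers."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        # Detached signature: readable body plus a separate signature part.
        protocol = str(msg.get_param("protocol") or "").lower()
        return "signed" if protocol in SIGNATURE_TYPES else "none"
    if ctype in PKCS7_MIME_TYPES:
        smime_type = str(msg.get_param("smime-type") or "").lower()
        if smime_type in ("enveloped-data", "authenveloped-data"):
            # A signature, if any, is inside the encrypted body and can only
            # be seen after decryption with the recipient's private key.
            return "encrypted"
        if smime_type == "signed-data":
            return "signed"
    return "none"


SIGNED_SAMPLE = (
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\n'
    ' micalg=sha-256; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nhello\n"
    "--b1\nContent-Type: application/pkcs7-signature; name=smime.p7s\n\n"
    "(constructed placeholder)\n--b1--\n"
)
ENCRYPTED_SAMPLE = (
    "Content-Type: application/pkcs7-mime; smime-type=enveloped-data;\n"
    " name=smime.p7m\nContent-Transfer-Encoding: base64\n\n"
    "(constructed placeholder)\n"
)
# OpenPGP/MIME also uses multipart/signed, but it is not S/MIME.
PGP_SAMPLE = (
    'Content-Type: multipart/signed; protocol="application/pgp-signature";\n'
    ' boundary="b2"\n\n--b2\nContent-Type: text/plain\n\nhi\n--b2--\n'
)
PLAIN_SAMPLE = "Content-Type: text/plain\n\nhello\n"

if __name__ == "__main__":
    for name in ("SIGNED_SAMPLE", "ENCRYPTED_SAMPLE", "PGP_SAMPLE", "PLAIN_SAMPLE"):
        print(name, "->", smime_state(globals()[name]))
```

A result of "encrypted" says nothing about whether the message is also signed; that can only be determined after decryption.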

Frequently asked questions

Why do I get an error message when I try to send an email?

You may have selected the option Encrypt by Default when going through the setup described above and don't have the recipient's public key because you haven't saved the recipient's certificate to your device.

By selecting Send Anyway you can send the email without end-to-end encryption. Alternatively, you can deactivate the Encrypt by Default option and manually activate encryption whenever you know that you have the recipient's public key.