Encrypt emails


We want to have the ability to encrypt outgoing emails on an ad-hoc basis. This is for when we want to send sensitive info, like passwords, between our work sites via email; currently we may call someone instead.

I understand you have to purchase a digital ID and certificate to "sign and encrypt" emails through Outlook 2010? (We don't use Exchange Server though; we use SmarterMail server.) Can you encrypt without buying a cert? Or are there any good plugins for email encryption anyone has experience of? We mostly use Windows 7 64-bit and MS Outlook 2010.
Dave Howe (Software and Hardware Engineer) commented:
S/MIME in general, or using it with Outlook 2010 without having a central MS infrastructure?

There are lots of documents on how S/MIME works and more on how to have your own CA, but the latter (assuming XCA) is simple in practice:

Using XCA, create a new keystore.
Create a CA certificate, of size 2048 bits, 20-year expiry.
Create one or more user (client) certificates, with the email address of their intended owners, five-year expiry.
Export each of the latter as a PFX (PKCS#12 file) with certificate chain.
Export ALL the client certs as a single archive (PKCS#7).
Send each user his own PFX, the password set for it, and the #7.
User double-clicks each and imports it. He now has his own private key, and everyone's certs.
Use http://support.microsoft.com/kb/2482059 to enable the key and certs on each user's machine.

Each user can now receive and decode mail addressed to him on his machine, and protect/encode mail to the other recipients (all those in the #7 file) on that machine. He can also sign mails (this is the same key as decrypts mail) and verify signatures (these are the same certs as the ones used to send encrypted mail).

I would suggest just trying "suck it and see" at this point: create the CA and client PFXen for two users, yourself and one other, install, and test :)
OpenPGP should be able to do what you are looking for. There are several different email plugins available: http://www.pgpi.org/cgi/tools.cgi?category=Email+plugin&platform=&pgpversion=&license=&text=

There is also a web based option (HushMail): http://www.openpgp.org/members/hush.shtml
Dave Howe (Software and Hardware Engineer) commented:
OK, from the top then.

Outlook 2010 (and all earlier releases) support X.509 (S/MIME, SSL certificate) based encryption. This works based on recipient, not sender, so in order to be available, the recipient must have a full certificate and secret key, and the sender the certificate (not secret key) for the recipient.

If you are only using these in-house, there is no requirement to pay for them! In fact, enterprise Windows servers can create and manage these for you, with Outlook automatically obtaining the certificates as needed (this process is called "autoenrollment"). Take a look here: http://msexchange.org/tutorials/Email_Security_with_Exchange_2003.html

If you aren't on Exchange, or aren't all on the *same* Exchange, then things get a bit more complex. You can issue certificates either using the same MS CA, or a standalone CA such as http://sourceforge.net/projects/xca (in the day, I used to use Novell eDirectory's built-in CA for such things). http://support.microsoft.com/kb/2482059 shows how you can tell Outlook 2007 or 2010 to use a locally stored certificate and present the encrypt/sign buttons by group policy.

But bottom line: while certificates are required for S/MIME, if your own users are the only relying party, an expensive set of purchases isn't required. You can roll your own, using your own CA, and issue at need.

You can use GPG (GNU Privacy Guard): http://en.wikipedia.org/wiki/GNU_Privacy_Guard

Here you will find a plugin for Outlook: http://code.google.com/p/outlook-privacy-plugin/
exact1 (Author) commented:
OK, that's great guys. I will have a look at what's been suggested. We don't use Exchange Server, and we would want to encrypt emails to some trusted 3rd parties (clients), only a handful though.
Dave Howe (Software and Hardware Engineer) commented:
@exact1: If you are encrypting to a client, they have to obtain a key and send you the public certificate for it, so best to ask them what they support. You can also offer to send them your (self-generated) certificates and CA certificate (for verification) if you want to save the cash; the commercial ones look better, but the overhead (around $200/person/year) may make that an expensive way to look better :)

@Bxoz: OpenPGP is a much better solution, yes, but requires much installing, configuring and education, plus most external contacts won't support it. The built-in X.509 is pretty much universally acceptable/used in practice.
exact1 (Author) commented:
@DaveHowe: So we can still self-cert without using Exchange? We all use the same head office "email server" but are at 3 different sites; the two remote sites are standalone PCs in a workgroup. The main site has most users and an Active Directory domain, a mixture of Win 2003 and 2008 servers for various roles.
Dave Howe (Software and Hardware Engineer) commented:
@exact1: Yes, sure; you don't even need an MS product, it's just the logistics of deploying PFX files and CER files if you don't have a Microsoft monoculture to do it for you.
exact1 (Author) commented:
Hi, OK, is there some documentation anywhere on this?
exact1 (Author) commented:
OK, this is how I completed this task on two Win7 PCs with Office 2010 to test. This way may not be right for everyone but worked for me (also see Dave's notes above, the accepted solution):

1. Installed Windows 2003 Certificate Services on a domain server. Create an Enterprise 2048-bit root cert (Google how to do that; it may be different for some companies).

2. Run the cert application on that server from a Windows 7 client PC: http://servername/certsrv

At this point I ran into some site compatibility issues with Win7 Pro 64-bit, IE9 and ActiveX, so I researched and installed two updates on the W2003 Cert Server, in this order:
A) Update 1: KB922706-v7
B) Update 2: MS11-051

The server's certificate site was still not showing the "Submit" button on the cert request wizard page. To get round this if you are using Windows 7 or Vista, and to get rid of any ActiveX warnings and nags within IE, turn security to "Low" in Tools > Internet Options >
You will not be able to complete the certificate request from the client PC via the server's cert site without doing this. You can always put it back after the certificate has been installed on your PC.

3. Install the "USER" certificate from the site into your browser via the wizard on the cert site on the W2003 cert server. So on the home page: Request a certificate > User certificate > Install certificate into browser. Please bear in mind there are some ActiveX "nags" along the way in IE9; just click OK to all.

4. You now need to export the certificate from IE to a PFX file for import into Outlook.
Go to Tools > Internet Options > Content > Certificates > Personal > Export (give it a password).

5. Now you will be able to import the PFX file into Outlook as a Digital ID (I am using Outlook 2010). File > Options > Trust Center > Trust Center Settings > Email Security > Digital IDs > Import/Export.

6. Browse to the PFX file you created earlier and put the password in, plus "your full name" as the Digital ID name.

That's it. You will now need to share your ID with the people you want to exchange encrypted and signed messages with; you may want to Google that as there are lots of different scenarios.
Two buttons appear on new emails under the Options tab. They are Sign and Encrypt; you can use them ad-hoc, or back in Trust Center set them to always be on, although I'm not sure why you would want that.

Hope this helps someone, and thanks to all here. Dave Howe gets the points as his method was the easiest and cost me zero!
