Encrypt emails

Posted on 2012-08-20
Last Modified: 2012-08-24

We want to have the ability to encrypt outgoing emails on an ad-hoc basis; this is for when we want to send sensitive info between our work sites via email, like passwords. Currently we may call someone instead.

I understand you have to purchase a digital ID and certificate to "sign and encrypt" emails through Outlook 2010? (We don't use Exchange server though; we use SmarterMail server.) Can you encrypt without buying a cert? Or are there any good plugins for email encryption anyone has experience of? We mostly use Windows 7 64-bit and MS Outlook 2010.
Question by:exact1
    LVL 12

    Expert Comment

    OpenPGP should be able to do what you are looking for.  There are several different email plugins available:

    There is also a web based option (HushMail):
    LVL 33

    Expert Comment

    by:Dave Howe
    OK, from the top then.

    Outlook 2010 (and all earlier releases) support X.509 (S/MIME, SSL certificate) based encryption. This works based on recipient, not sender, so in order to be available, the recipient must have a full certificate and secret key, and the sender the certificate (not secret key) for the recipient.

    If you are only using these in-house, there is no requirement to pay for them! In fact, enterprise Windows servers can create and manage these for you, with Outlook automatically obtaining the certificates as needed (this process is called "autoenrollment") - take a look here -

    If you aren't on Exchange, or aren't all on the *same* Exchange, then things get a bit more complex. You can issue certificates either using the same MS CA, or a standalone CA such as - in the day, I used to use Novell eDirectory's built-in CA for such things. shows how you can tell Outlook 2007 or 2010 to use a locally stored certificate and present the encrypt/sign buttons by group policy.

    But bottom line - while certificates are required for S/MIME, if your own users are the only relying party, an expensive set of purchases isn't required - you can roll your own, using your own CA, and issue at need.
    LVL 6

    Expert Comment

    You can use GPG (GNU Privacy Guard)

    Here you will find a plugin for Outlook  :

    Author Comment

    OK, that's great guys, I will have a look at what's been suggested. We don't use Exchange server and we would want to encrypt emails to some trusted 3rd parties (clients) - only a handful though.
    LVL 33

    Expert Comment

    by:Dave Howe
    @exact1: IF you are encrypting to a client, they have to obtain a key and send you the public certificate for it - so best to ask them what they support. You can also offer to send them your (self-generated) certificates and CA certificate (for verification) if you want to save the cash; the commercial ones look better, but the overhead (around $200/person/year) may make that an expensive way to look better :)

    @Bxoz: OpenPGP is a much better solution, yes, but requires much installing, configuring and education, plus most external contacts won't support it. The built-in X.509 is pretty much universally acceptable/used in practice.

    Author Comment

    @DaveHowe: so we can still self-cert without using Exchange? We all use the same head office "email server" but are at 3 different sites; the two remote sites are standalone PCs in a workgroup. The main site has most users and an Active Directory domain, a mixture of Win 2003 and 2008 servers for various roles.
    LVL 33

    Expert Comment

    by:Dave Howe
    @exact1: yes, sure; you don't even need an MS product, it's just the logistics of doing deployment of PFX files and CER files if you don't have a Microsoft monoculture to do it for you.

    Author Comment

    Hi, OK, is there some documentation anywhere on this?
    LVL 33

    Accepted Solution

    S/MIME in general, or using it with Outlook 2010 without having a central MS infrastructure?

    There are lots of documents on how S/MIME works and more on how to have your own CA, but the latter (assuming XCA) is simple in practice:

    Using XCA, create a new keystore.
    Create a CA certificate, of size 2048 bits, 20-year expiry.
    Create one or more user (client) certificates, with the email address of their intended owners, five-year expiry.
    Export each of the latter as a PFX (PKCS#12 file) with certificate chain.
    Export ALL the client certs as a single archive (PKCS#7).
    Send each user his own PFX, the password set for it, and the #7.
    User double-clicks each and imports it. He now has his own private key, and everyone's certs.
    Use to enable the key and certs on each user's machine.

    Each user can now receive and decode mail addressed to him on his machine, and protect/encode mail to the other recipients (all those in the #7 file) on that machine. He can also sign mails (this is the same key as decrypts mail) and verify signatures (these are the same certs as the ones used to send encrypted mail).

    I would suggest just trying "suck it and see" at this point - create the CA and client PFXen for two users, yourself and one other, install, and test :)
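    The same roll-your-own CA procedure as the accepted solution, done with the openssl command line instead of XCA (an added example, not code from the thread): it creates the CA cert, issues per-user S/MIME certs carrying the owner's email address, exports each as a password-protected PFX with the chain, and bundles all certs into one PKCS#7. User names, email addresses and PFX passwords are constructed placeholders; the "checks" at the end are what a recipient can run before importing the files they were sent.

```shell
#!/bin/sh
# Added example (not from the original thread): the accepted solution's XCA steps done with
# openssl. User names, email addresses and passwords below are constructed placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch dir; keep ca.key out of any shared folder
cd "$WORK"

make_ca() {
  # CA certificate: 2048-bit RSA, 20-year (7300-day) expiry, marked as a CA able to sign certs
  openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
    -subj "/CN=Internal Mail CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
  openssl x509 -req -in ca.csr -signkey ca.key -days 7300 -extfile ca.ext -out ca.crt 2>/dev/null
}

issue_user() {  # $1 = short name, $2 = email address, $3 = PFX password
  # User certificate with the owner's email address, five-year (1825-day) expiry
  openssl req -new -newkey rsa:2048 -nodes -keyout "user-$1.key" -out "user-$1.csr" \
    -subj "/CN=$1/emailAddress=$2" 2>/dev/null
  # S/MIME end-entity profile: email in SAN, sign + key encipherment, emailProtection EKU
  printf 'subjectAltName=email:%s\nkeyUsage=critical,digitalSignature,keyEncipherment\n' "$2" > "user-$1.ext"
  printf 'extendedKeyUsage=emailProtection\nbasicConstraints=CA:FALSE\n' >> "user-$1.ext"
  openssl x509 -req -in "user-$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1825 -extfile "user-$1.ext" -out "user-$1.crt" 2>/dev/null
  # PFX (PKCS#12): private key plus certificate chain, protected by the per-user password
  openssl pkcs12 -export -inkey "user-$1.key" -in "user-$1.crt" -certfile ca.crt \
    -name "$1" -out "user-$1.pfx" -passout "pass:$3"
}

bundle_certs() {
  # All client certs (plus the CA cert for verification) in one PKCS#7 (.p7b) for everyone
  set --
  for c in user-*.crt; do set -- "$@" -certfile "$c"; done
  openssl crl2pkcs7 -nocrl "$@" -certfile ca.crt -outform DER -out allcerts.p7b
}

# Checks a recipient can run on what they were sent (each returns success/failure)
verify_user()  { openssl verify -CAfile ca.crt "user-$1.crt" >/dev/null; }
pfx_has_key()  { openssl pkcs12 -in "user-$1.pfx" -nodes -passin "pass:$2" 2>/dev/null | grep -q 'PRIVATE KEY'; }
bundle_count() { openssl pkcs7 -inform DER -in allcerts.p7b -print_certs | grep -c 'BEGIN CERTIFICATE'; }

# Two users, as the accepted solution suggests for a first "suck it and see" test
make_ca
issue_user alice alice@example.com 'alice-pfx-pass'
issue_user bob   bob@example.com   'bob-pfx-pass'
bundle_certs
echo "CA, user PFX files and allcerts.p7b written to $WORK"
```

    Send each user only their own PFX (and its password by another channel) plus allcerts.p7b, never ca.key; with OpenSSL 3 an old Outlook may need the PFX exported with the `-legacy` option added to the `pkcs12 -export` line.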

    Author Comment

    OK, this is how I completed this task on two Win7 PCs with Office 2010 to test. This way may not be right for everyone but worked for me (also see Dave's notes above - accepted solution):

    1. Installed Windows 2003 Certificate services on a domain server. Create Enterprise 2048bit root cert (Google how to do that, may be different for some companies)

    2. run the cert application on that server from a Window 7 client pc http://servername/certsrv

    At this point I ran into some site compatibility issues with Win7 Pro 64-bit, IE9 and ActiveX, so due to this I researched and installed two updates on the W2003 Cert Server, in this order:
    A) update 1: KB922706-v7
    B) update 2: MS11-051

    The server's certificate site was still not showing the "submit" button on the cert request wizard page, so to get round this if you are using Windows 7 or Vista, to get rid of any ActiveX warnings and nags within IE, turn security to "low" in Tools > Internet Options >
    You will not be able to complete the certificate request from the client PC via the server's cert site without doing this. You can always put it back after the certificate has been installed on your PC.

    3. Install the "USER" certificate from the site into your browser via the wizard on the cert site on the W2003 cert server. So on the home page... Request a certificate > user certificate > install certificate into browser... Please bear in mind there are some ActiveX "nags" along the way in IE9; just click OK to all.

    4. You now need to export the certificate from IE to a PFX file for import into Outlook:
    Go to > Tools > Internet Options > Content > Certificates > Personal > Export (give it a password)

    5. Now you will be able to import the PFX file into Outlook as a Digital ID (I am using Outlook 2010). File > Options > Trust Centre > Trust Centre Settings > Email Security > Digital IDs > Import / Export...

    6. Browse to the PFX file you created earlier and put the password in plus "your full name" as the Digital ID name.

    That's it. You will now need to share your ID with people who can share encrypted and signed messages; you may want to Google that as there are lots of different scenarios.
    Two buttons appear on new emails under the Options tab, they are Sign and Encrypt. You can use them ad-hoc or, back in Trust Centre, set them to always be on, although I'm not sure why you would want that.

    Hope this helps someone and thanks to all here. Dave Howe gets the points as his method was the easiest and cost me zero!
