Email Encryption Questions

Posted on 2012-08-22
Last Modified: 2012-08-23
Our company is a sub to other companies...we have employees on location at various other companies...we host our own Exchange Server; it is a 2003 Exchange Server.

The companies we do business with are now requiring encrypted email sent between us and them.

I am trying to get a better understanding of SSL Certificates...we currently only have a handful of employees that have a Verisign certificate with which they can encrypt their email using Outlook 2007, 2010...but those employees are at corporate and the certificate resides on their desktop.

What I need to accomplish now is that we have about 70 employees who need to be able to send encrypted and read encrypted on their desktop, PDA, laptops, home computers and smartphones....many of these employees use desktops at the location they are at, and that company provides the computer.

This morning I did a test with my own Verisign certificate...I received an email to my work desktop Outlook 2010 and it was encrypted.  I can read it on that computer.
Here is what didn't work:
1.  I tried from my home computer where I had the message forwarded
2.  I tried to read it by logging into OWA
3.  I tried to read it logging in through Exchange over HTTP
4.  I tried logging into the VPN and opening Outlook in Exchange over HTTP
5.  I tried logging onto OWA while on the VPN

How can I be able to read encrypted email on all my devices?
Question by:rand1964
    LVL 60

    Expert Comment

    First thing, SSL is for securing the channel, not securing the email content. S/MIME is the typical email encryption that you may already be using from Exchange. All devices that need to decrypt the encrypted email need to have the private key from your Digital ID (Verisign cert) installed. Typically the Digital ID is exported as a .p12 and imported into the device for use in S/MIME by the email client that supports it.

    I am suspecting that the private key is only available on the desktop mentioned. To send to your recipient(s), you need their public key (cert), which can be exchanged when you enable "include cert" when sending the email. For your digital signature, you still need your ID's private key.

    You can check this out for OWA:

    SMIME -
    Verisign -
    iOS related -
    LVL 19

    Expert Comment

    Do you need to encrypt all communications with these companies or just be able to send documents/files in encrypted form?

    The easiest way out is to just use file-level encryption, such as 7-Zip or WinZip, to encrypt the file, email it and send the password to the recipient by SMS.

    If, on the other hand, you need full communications protected, you have a few options. One of them, S/MIME, is described by breadtan above. S/MIME is supported by most email applications and servers, but needs configuration on both ends. You do NOT need official (VeriSign) certificates for it; you can just as well create your own. The "officiality" of the cert issuer adds virtually nothing extra in this case and is not worth it. Either way, a cert is comprised of 2 cryptographic keys, a private key and a public key. The public key encrypts, the private key decrypts. Therefore, you need to have the public key of everyone you're sending the mail to, and they can decrypt it with their private keys.

    Another option would be PGP/GPG. PGP is commercial, GPG is open source:

    And here's an easy compiled freeware package of GPG for Windows, recommended:
    LVL 37

    Expert Comment

    by:Jamie McKillop

    What exactly are the encryption requirements? Is the requirement that the email be encrypted at the source and remain encrypted on the recipient's server or is the requirement that the email be encrypted in transit between your email gateway and the partner's email gateway, while travelling across the public internet?

    Unless you are dealing in an industry that requires the highest level of secrecy, the typical encryption requirement is that the message be encrypted gateway to gateway. If that is the case, you would use TLS between the gateways, which is set up on the server side and does not require the client to have any software or do anything. Messages are encrypted at the sending gateway and decrypted by the receiving gateway, so the message is stored at each end unencrypted.
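The gateway-to-gateway TLS described in the comment above protects one SMTP hop at a time, and the only record of whether a hop was encrypted is what the receiving mail server wrote into its Received: header. The following is an added example, not code from this thread or from any of the posters, that unfolds the Received: headers of a message and flags each hop as TLS or cleartext. The header lines are constructed for illustration (hostnames, queue IDs and addresses are made up), and the patterns checked are the ones Postfix, Sendmail and Exchange commonly write ("with ESMTPS", "version=TLS..."), so an MTA with a different banner format would need its own pattern.

```shell
#!/bin/sh
# Added example (not from the original thread): per-hop TLS check from
# Received: headers. All data below is constructed for the demo.
set -eu

# Constructed sample headers: the partner-to-gateway hop used STARTTLS
# (ESMTPS + TLS banner), the hop before it inside the partner's network did not.
SAMPLE_HEADERS='Received: from mail.partner.example (mail.partner.example [203.0.113.10])
    by gw.example.com (Postfix) with ESMTPS id 4BzX1
    (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256/256);
    Wed, 22 Aug 2012 10:00:00 -0400
Received: from workstation (unknown [192.168.1.5])
    by mail.partner.example (Postfix) with ESMTP id 7QpL2;
    Wed, 22 Aug 2012 09:59:00 -0400
Subject: quarterly report
From: someone@partner.example'

# Unfold RFC 5322 continuation lines (leading whitespace) and keep only the
# Received: headers, one hop per output line, newest hop first.
received_hops() {
  printf '%s\n' "$1" | awk '
    /^[ \t]/ { buf = buf " " $0; next }      # continuation: append to header
    { if (buf != "") print buf; buf = $0 }   # new header: flush the previous
    END { if (buf != "") print buf }
  ' | grep '^Received:'
}

# Classify each hop: "tls" when the receiving MTA recorded an encrypted
# session ("with ESMTPS" or a TLS version banner), otherwise "clear".
# Output: "hop N: tls|clear from <sending host>".
classify_hops() {
  received_hops "$1" | awk '{
    n++
    from = $3
    status = ($0 ~ /with ESMTPS/ || $0 ~ /TLSv1/ || $0 ~ /version=TLS/) ? "tls" : "clear"
    printf "hop %d: %s from %s\n", n, status, from
  }'
}

# Number of hops that were NOT protected by TLS; anything above 0 means the
# message was readable in transit somewhere along the path.
clear_hop_count() {
  classify_hops "$1" | awk '/: clear from/ { c++ } END { print c + 0 }'
}

classify_hops "$SAMPLE_HEADERS"
echo "cleartext hops: $(clear_hop_count "$SAMPLE_HEADERS")"
```

Only the Received: header that your own gateway added is trustworthy; every earlier one was written by someone else's server and could be forged or simply wrong, so this check tells you what the partner's side claims, and what your own edge actually saw, not more. It also says nothing about the message at rest: with gateway TLS the body is stored in the clear on both mail servers, which is exactly the gap the S/MIME discussion in this thread is about.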


    Author Comment

    Thanks for your responses.

    Breadtan, you hit on the main crux of my question...is it possible, and how do you put the private key on multiple devices?  When I try to do an export, it doesn't seem to give me the option of including the keys.

    How do I get that Digital ID private key on my desktop at work onto my Blackberry, OWA, Exchange over HTTP?

    Also, the idea of a self-signed Certificate Authority that I set up myself on a Windows Server is appealing price-wise, but the support overhead is going to be tremendous, isn't it?  And unless I can figure out how to get the certificate on multiple devices it won't do me any good anyway.

    Zip files are not an option, the solution must be as transparent as possible to the end users.

    Encryption requirements are that the message header, subject and body be encrypted...the whole payload...not just the connection.
    LVL 60

    Accepted Solution

    For the private key to be exportable, it needs to have been marked as exportable during the original PFX import. This option to allow the private key to be exported may have been unchecked. Please see this and retry. For info, .p12 and .pfx files contain private keys.


    For BlackBerry, please see BlackBerry Certificate Synchronization Manager

    For OWA, please see

    For Outlook

    Self-signed is fine for a smaller group, but as you mentioned, the support and maintenance of the keys will need to be better addressed. You will probably see a popup saying not trusted, since the root CA is not trusted. In short, it is good for testing but not for an actual rollout and the long term.

    If going for it, the Key Manager plugin in Firefox is quite useful, even to define the validity... Here is more info and other alternatives as well:

    There is a free one also, like Comodo, but I see it as for testing purposes for individuals, not corporate.
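The accepted solution above, and breadtan's first comment, come down to one fact: the certificate (.cer) carries only the public key, so it can be used to encrypt to you, but every device that must read your mail needs the .p12/.pfx that also carries the private key, and a .p12 exported without the private key is useless for that. The following is an added example, not code from this thread or from any of the posters, that shows this with OpenSSL on a self-signed stand-in for the Digital ID: it builds a .p12, checks whether a .p12 actually contains a private key (the check to run on an export before copying it to a phone or home PC), encrypts an S/MIME message to the certificate, and then shows that only the device holding the .p12 can decrypt it. The key, subject name, passphrase and file names are all made up for the demo; a real VeriSign Digital ID is CA-signed, but the key handling is the same.

```shell
#!/bin/sh
# Added example (not from the original thread). Requires the openssl CLI.
# Everything here (names, passphrase, paths) is made up for the demo.
set -eu

WORK=$(mktemp -d)
PASS='export-passphrase'   # assumed passphrase protecting the .p12

# 1. A stand-in Digital ID: private key plus self-signed certificate.
make_digital_id() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example User/emailAddress=user@example.com" \
    -keyout "$WORK/id.key" -out "$WORK/id.cer" >/dev/null 2>&1
  # The .p12/.pfx container holds BOTH the cert and the private key; this is
  # what has to be imported on every device that must decrypt.
  openssl pkcs12 -export -inkey "$WORK/id.key" -in "$WORK/id.cer" \
    -out "$WORK/id.p12" -passout "pass:$PASS"
  # A cert-only file, which is all you get when the key was not exportable
  # (and all a correspondent needs in order to encrypt to you).
  cp "$WORK/id.cer" "$WORK/id-public-only.cer"
}

# 2. Does this PKCS#12 file carry a private key?  (exit 0 = yes)
#    Run this on an exported .p12 before trusting it on another device.
p12_has_private_key() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$PASS" 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# 3. Sender side: encrypt to the recipient's CERTIFICATE (public key only).
encrypt_to_cert() {
  printf 'Subject: test\n\nconfidential body\n' > "$WORK/plain.eml"
  openssl smime -encrypt -aes256 -in "$WORK/plain.eml" \
    -out "$WORK/enc.p7m" "$WORK/id-public-only.cer"
}

# 4. A device that imported the .p12: pull the key out and decrypt.
decrypt_with_p12() {
  openssl pkcs12 -in "$WORK/id.p12" -nocerts -nodes -passin "pass:$PASS" \
    -out "$WORK/device.key" 2>/dev/null
  openssl smime -decrypt -in "$WORK/enc.p7m" -inkey "$WORK/device.key" \
    -out "$WORK/dec.eml"
  grep -q 'confidential body' "$WORK/dec.eml"
}

# 5. A device that only has the certificate: decryption must fail.
#    Exit 0 from this function means "failed, as expected".
decrypt_with_cert_only_fails() {
  ! openssl smime -decrypt -in "$WORK/enc.p7m" \
      -inkey "$WORK/id-public-only.cer" -out "$WORK/never.eml" 2>/dev/null
}

make_digital_id
p12_has_private_key "$WORK/id.p12" && echo "id.p12 carries the private key"
encrypt_to_cert
decrypt_with_p12 && echo "device with .p12: decrypted OK"
decrypt_with_cert_only_fails && echo "device with .cer only: cannot decrypt"
```

The practical consequence for the question in this thread: OWA, Exchange-over-HTTP and a BlackBerry all fail on the same encrypted message for the same reason, the private key never left the first desktop. Copying the .p12 to each device fixes that, but it also multiplies the places the key can be stolen from, so the export passphrase matters and the key should be removed again from any machine the employee does not control (such as a client-provided desktop) when they leave.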
