Email Encryption Questions

Our company is a sub to other companies...we have employees on location at various other companies...we host our own Exchange Server, it is a 2003 Exchange Server.

The companies we do business with are now requiring encrypted email sent between us and them.

I am trying to get a better understanding of SSL Certificates...we currently only have a handful of employees that have Verisign certificate with which they can encrypt their email using Outlook 2007, 2010...but those employees are at corporate and the certificate resides on their desktop.

What I need to accomplish now is that we have about 70 employees who need to be able to send encrypted and read encrypted on their desktop, PDA, laptops, home computers and smartphones... many of these employees use desktops at the location they are at and that company provides the computer.

This morning I did a test with my own Verisign certificate...I received an email to my work desktop Outlook 2010 and it was encrypted.  I can read it on that computer.
Here is what didn't work:
1.  I tried from my home computer where I had the message forwarded
2.  I tried to read it by logging into OWA
3.  I tried to read it logging in through Exchange over HTTP
4.  I tried logging into the VPN and opening out in Exchange over http
5.  I tried logging onto OWA while on the VPN

How can I be able to read encrypted email on all my devices?
1 Solution
btan (Exec Consultant) commented:
First thing, SSL is for securing the channel, not securing email content. S/MIME is the typical email encryption that you may already be using from Exchange. All devices that need to decrypt the encrypted email need to have the private key from your Digital ID (Verisign cert) installed. Typically the Digital ID is exported as .p12 and imported into the device for use in S/MIME by the email client supported.

I am suspecting that the private key is only available on the desktop mentioned. To send to your recipient(s), you need their public key (cert), which can be exchanged when you enable "include cert" in sending the email. For your digital signature, you still need your ID's private key.

You can check this out for OWA:
- http://technet.microsoft.com/en-us/library/bb738140.aspx
- http://technet.microsoft.com/en-us/library/bb738137
- http://technet.microsoft.com/en-us/library/bb738151


SMIME - http://www.marknoble.com/tutorial/smime/smime.aspx
Verisign - http://www.verisign.com/static/005326.pdf
iOS related - http://arstechnica.com/apple/2011/10/secure-your-e-mail-under-mac-os-x-and-ios-5-with-smime/
Do you need to encrypt all communications with these companies or just be able to send documents/files in encrypted form?

The easiest way out is to just use file level encryption, such as 7-zip (http://www.7-zip.org) or WinZip to encrypt the file, email it and send the password to the recipient by SMS.

If on the other hand you need full communications protected, you have a few options. One of them, S/MIME, is described by breadtan above. S/MIME is supported by most email applications and servers, but needs configuration on both ends. You do NOT need official (VeriSign) certificates for it, you can just as well create your own; the "officiality" of the cert issuer adds virtually nothing extra in this case and is not worth it. Either way, a cert is comprised of 2 cryptographic keys, a private key and a public key. The public key encrypts, the private key decrypts. Therefore, you need to have the public key of everyone you're sending the mail to, and they can decrypt it with their private keys.

Another option would be PGP/GPG. PGP is commercial, GPG open source:


And here's an easy compiled freeware package of GPG for Windows, recommended:

Jamie McKillop (IT Manager) commented:

What exactly are the encryption requirements? Is the requirement that the email be encrypted at the source and remain encrypted on the recipient's server or is the requirement that the email be encrypted in transit between your email gateway and the partner's email gateway, while travelling across the public internet?

Unless you are dealing in an industry that requires the highest level of secrecy, the typical encryption requirement is that the message be encrypted gateway to gateway. If that is the case, you would use TLS between the gateways, which is set up on the server side and does not require the client to have any software or do anything. Messages are encrypted at the sending gateway and decrypted by the receiving gateway, so the message is stored at each end unencrypted.

rand1964 (Author) commented:
Thanks for your responses.

Breadtan, you hit on the main crux of my questions... is it possible, and how do you put the private key on multiple devices? When I try to do an export, it doesn't seem to give me the option of including the keys.

How do I get that Digital ID private key on my desktop at work onto my Blackberry, OWA, Exchange over HTTP?

Also, the idea of a self-signed Certificate Authority that I set up myself on a Windows Server is appealing price-wise, but the support overhead is going to be tremendous, isn't it? And unless I can figure out how to get the certificate on multiple devices it won't do me any good anyway.

Zip files are not an option, the solution must be as transparent as possible to the end users.

Encryption requirements are that the message header, subject and body be encrypted... the whole payload... not just the connection.

btan (Exec Consultant) commented:
For the private key to be exportable, during the original pfx import it needs to be defined as exportable. This option to allow the private key to be exported may have been unchecked. Pls see this and retry. For info, p12 and pfx files contain private keys.


For BlackBerry, pls see BlackBerry Certificate Synchronization Manager

For OWA, pls see

For Outlook

The self-signed is good for a smaller group, but as you mentioned the support and maintenance of the key will need to be better addressed. You will probably see a popup saying not trusted since the Root CA is not trusted. In short, it is good for testing but not for actual roll-out and long term.

If going for it, the Key Manager Firefox plugin is quite useful to even define the validity... Here are more info and other alternatives as well

There is also a free one like Comodo, but I see it as being for testing purposes for individuals, not corporate @ http://www.comodo.com/home/email-security/free-email-certificate.php
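The two points the thread keeps returning to, that the recipient's public certificate is all a sender needs while the .p12/.pfx bundle (and only that bundle) carries the private key every reading device must hold, can be shown end to end with the openssl command line. The script below is an added example written for this page, not code from any of the commenters or from Exchange/Outlook; the identity, e-mail address, passphrase and message text are constructed test values, and the certificate is self-signed, so real clients would flag it as untrusted exactly as btan notes.

```shell
#!/bin/sh
# Added example (not from the thread): S/MIME round trip with openssl, showing that
# a .cer carries only the public certificate while the .p12/.pfx carries the private key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test identity; any name/e-mail works for a self-signed test certificate.
RECIPIENT_EMAIL="alice@example.com"
P12_PASSWORD="test-passphrase"     # constructed; protects the exported key bundle

# 1. Create a self-signed certificate plus private key, then bundle both into a
#    PKCS#12 (.p12) file. The .p12 is what gets imported on every reading device.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Alice Example/emailAddress=$RECIPIENT_EMAIL" \
    -keyout "$WORK/alice.key" -out "$WORK/alice.cer" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/alice.key" -in "$WORK/alice.cer" \
    -passout "pass:$P12_PASSWORD" -out "$WORK/alice.p12" 2>/dev/null
}

# 2. Report whether a file contains private key material ("yes"/"no").
#    The public .cer never does; the .p12 does once its password is supplied.
has_private_key() {
  case "$1" in
    *.p12|*.pfx)
      if openssl pkcs12 -in "$1" -passin "pass:$P12_PASSWORD" -nocerts -nodes 2>/dev/null \
          | grep -q 'PRIVATE KEY'; then echo yes; else echo no; fi ;;
    *)
      if grep -q 'PRIVATE KEY' "$1"; then echo yes; else echo no; fi ;;
  esac
}

# 3. The sender encrypts to the recipient's PUBLIC certificate only (alice.cer).
#    The Subject line sits inside the encrypted payload, so it is hidden in transit too.
encrypt_message() {
  printf 'Subject: quarterly figures\n\nConfidential body text.\n' > "$WORK/plain.eml"
  openssl smime -encrypt -binary -aes256 -in "$WORK/plain.eml" \
    -out "$WORK/encrypted.eml" "$WORK/alice.cer"
}

# 4. A reading device extracts the private key from the .p12 and decrypts.
decrypt_message() {
  openssl pkcs12 -in "$WORK/alice.p12" -passin "pass:$P12_PASSWORD" \
    -nocerts -nodes -out "$WORK/from_p12.key" 2>/dev/null
  openssl smime -decrypt -in "$WORK/encrypted.eml" -inkey "$WORK/from_p12.key" \
    -recip "$WORK/alice.cer" -out "$WORK/decrypted.eml"
  cat "$WORK/decrypted.eml"
}

# 5. A device that only received the .cer (no private key) cannot decrypt:
#    this is the situation the original poster hit on the home PC, OWA and the phone.
decrypt_with_cert_only() {
  if openssl smime -decrypt -in "$WORK/encrypted.eml" -inkey "$WORK/alice.cer" \
      -out /dev/null 2>/dev/null; then echo decrypted; else echo refused; fi
}

make_identity
encrypt_message
echo "alice.p12 holds private key: $(has_private_key "$WORK/alice.p12")"
echo "alice.cer holds private key: $(has_private_key "$WORK/alice.cer")"
echo "decrypt with .cer only:      $(decrypt_with_cert_only)"
echo "decrypt with key from .p12:"
decrypt_message
```

Once the .p12 has been imported into a client, that client holds the same key material as the desktop where the certificate was first installed; the .cer is the piece that is safe to hand to correspondents so they can encrypt to you.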
