Email Encryption

Posted on 2014-02-10
Last Modified: 2014-02-11
My client requested that she wants to email another company and have the email password protected and the email encrypted. So I immediately thought of Zix, which I'm not a big fan of, so I'm asking if anyone has done anything like this using digital certificates or other methods that not only work with one client but can work with all other external mail systems and clients. We already ruled out zipping or password protecting attachments in the message, too much of a hassle.

Client is Exchange 2013 running on Windows Server 2012, standard configuration for the most part....
Question by:PlatinumInfo
LVL 12

Expert Comment

by:David Paris Vicente
ID: 39847462
Probably you will need to implement S/MIME.

S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identifier (ID) can read them. With S/MIME, users can digitally sign a message, which allows recipients to verify both the sender's identity and that no one has tampered with the message.

S/MIME requires users to sign in to Outlook Web App using either Internet Explorer 7 or Internet Explorer 8. Users must have a digital ID, and must install the S/MIME control for Outlook Web App before they can send encrypted and digitally-signed messages through Outlook Web App. They must also have both a digital ID and the S/MIME control to read encrypted messages in Outlook Web App.

The S/MIME control is necessary for signature verification on a digitally signed message. Use the SMIME tab in the Options menu to install the S/MIME control for Outlook Web App on a user’s computer.

But if you deploy third-party software (IDS/IPS or IRM), it will not be able to read or change the email.

For protecting the username and password of your user, you have to deploy an SSL certificate on your Client Access Server and then choose an authentication option. You have several, but the better ones in my opinion are Integrated Windows Authentication and Forms-Based Authentication; the latter deploys a cookie on your client that is responsible for encrypting the user, password and session time. If your user closes the browser, this cookie will be deleted.

Hope this can help you.
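The S/MIME mechanics described in this comment (encrypt to the recipient's digital ID, sign with the sender's own key, so that only the holder of the recipient's private key can read the message and any tampering is detected), as an added example using the openssl command line; this is not code from the thread, and the parties alice/bob, the file names and the message text are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: an S/MIME sign-then-encrypt round trip
# with the openssl command line, showing why both endpoints need a digital ID.
# The parties "alice" (sender) and "bob" (recipient), the file names and the
# message text are constructed for this demonstration.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Each party needs a key pair plus a certificate (the "digital ID"). Self-signed
# here; in production it would be issued by a CA the other side already trusts.
gen_id() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}
gen_id alice
gen_id bob

# Sender side: sign with alice's private key, then encrypt to bob's certificate.
# Exchange or any gateway in between only ever sees the ciphertext.
printf 'The quarterly figures attached are confidential.\n' > plain.txt
openssl smime -sign -in plain.txt -signer alice.crt -inkey alice.key -out signed.eml
openssl smime -encrypt -aes256 -in signed.eml -out encrypted.eml bob.crt

# Recipient side: decrypt with bob's private key, then verify the signature
# against alice's certificate. Returns 0 only if the recovered text matches.
decrypt_and_verify() {
  openssl smime -decrypt -in encrypted.eml -inkey bob.key -recip bob.crt -out inner.eml
  openssl smime -verify -in inner.eml -CAfile alice.crt -out recovered.txt 2>/dev/null
  # openssl canonicalises signed text to CRLF, so strip CR before comparing
  [ "$(tr -d '\r' < recovered.txt)" = "$(cat plain.txt)" ]
}

# Confidentiality: a different key (here alice's own) cannot decrypt the message.
wrong_key_cannot_decrypt() {
  ! openssl smime -decrypt -in encrypted.eml -inkey alice.key -recip alice.crt \
      -out /dev/null 2>/dev/null
}

# Integrity: changing one word of the signed body makes verification fail.
tampering_is_detected() {
  sed 's/confidential/public/' signed.eml > tampered.eml
  ! openssl smime -verify -in tampered.eml -CAfile alice.crt -out /dev/null 2>/dev/null
}

decrypt_and_verify
wrong_key_cannot_decrypt
tampering_is_detected
echo "S/MIME round trip OK: decrypted, verified, tampering detected"
```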


Author Comment

ID: 39847548
My client is using Microsoft Outlook 2010 and 2013, not the Outlook Web App version, which is browser-based, and the other side I have no idea, though I would assume the same.

I don't care to password protect the email credentials; she asked to password protect opening an email, and to my knowledge it can't be done without using a third party like Zix.

LVL 12

Expert Comment

by:David Paris Vicente
ID: 39847608
So you can use AD RMS with Information Rights Management. With this service you can set security policies on Outlook and in your infrastructure in a granular way, but this requires that the users have a Microsoft account, which means that the user has to have an AD account or a Microsoft Live login.



Author Comment

ID: 39847680
I can't predict the other side. They might be using Thunderbird pulling POP mail from a 1992-type of config, or Hotmail or Gmail or Lotus Notes...
LVL 12

Expert Comment

by:David Paris Vicente
ID: 39847732
Well, you can use S/MIME and digital certificates for the users; this will ensure end-to-end encryption, and it also works with Outlook and other mail software.

LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39847829
If you cannot predict what the other side is going to use, then anything client-side is completely out of the question.
You need to look at one of the hosted encrypted email solutions. These usually work where you send an email in the normal way, but if there is a tag in the subject line the recipient doesn't get the email. Instead they get a link to read it on a secure portal. They can then reply to the message through the portal.
These are used by a lot of financial institutions and work well; most of the major security players have a solution for this.

LVL 15

Expert Comment

by:Giovanni Heward
ID: 39847867
Give DocuSign a go.

Authentication Options:

Access Code: Your recipient must enter an access code you provide before they can view the envelope.
Phone Authentication: The system provides a validation code to the recipient and then places a call to the recipient’s chosen number. After answering the phone, the recipient is prompted to enter the validation code and speak their name.
ID Check: The recipient has to provide some initial personal information and then answer a set of questions based on publicly available data before they can view the envelope.
Live or Social ID: This option requires your recipient to enter their Live ID or Social ID (Salesforce, LinkedIn, Google, etc.) credentials before they can view the envelope.

Author Comment

ID: 39848642
I think Giovanni is on the right track. Any other third-party ideas?

Author Comment

ID: 39848940

This is kinda cool; anyone know of a paid English version of this that is a bit simpler?
LVL 15

Accepted Solution

Giovanni Heward earned 500 total points
ID: 39849067
Gpg4win requires installation on both endpoints (author/recipient), in addition to key generation, if implemented properly.

Your link *is* the English version.  The GUI, Kleopatra, is merely displaying hieroglyphics to emphasize its own name.

The commercial version is PGP, Symantec Desktop Email Encryption, and is required on both ends as well.

An online equivalent would be Hushmail, which takes care of the technical details for you, though both sender/receiver would need a Hushmail account. Hushmail has been known to disclose confidential correspondence when compelled to do so.
