Opinions on email encryption & Voltage

Posted on 2016-09-02
Last Modified: 2016-09-14
Our organization currently is on MS Exchange 2010 (with Outlook clients) without encryption.

We are contemplating to embark on encryption using Voltage.

a)Voltage allows users to choose to encrypt & it can also not let the users have the option but
   enforce encryption for all emails.  Can Voltage be set (or is it smart enough) that if emails
   don't go through Internet, then it doesn't encrypt them but otherwise encrypt them?

b)if users can't be trusted to decide to encrypt emails even if users is fully aware the content
   of the emails is sensitive, I suppose this means we ought to enforce encryption regardless
   of the email's sensitivity.  What if the emails are only sent within the organization's LAN (ie
   don't go thru Internet nor point-to-point WAN links), is encryption still essential?
   My view is it is essential because if there are highly-sensitive emails (say news by the top
   to acquire another company at a certain share price), we don't want a staff who has a
   sniffing device or Wireshark to intercept such emails (though the local LAN is a 'trusted'
   network but internal staff who is not supposed to know certain info tapped onto the
   LAN to intercept)

c)If unencrypted emails travel between our various offices in different countries via point-to
   -point leased circuits (ie not thru Internet)  & the links are not encrypted (say by site-to-site
   VPN or using hardware encryption at both ends), can it be intercepted or subject to MITMA
   by external parties (say Telco staff or people who have access to the telcos' exchanges)  ?
d)If emails are sent from trusted source to trusted destination but the emails go thru the Internet,
   what's the best practice out there?   I suppose currently most people don't encrypt but the
   extent of unencrypted emails being intercepted by MITMA on the Internet must be quite

e)For encryption & decryption at the other end, does both ends need to use Voltage?  If the
   emails are between our various branches in different countries, we can make both ends
   use this same product but if it's with our suppliers & customers, can encryption using such
   appliances still be feasible?  Or we are only left with the option that users have to zip (with
   a password) sensitive data into an attachment & send them as this is the most universal
   encryption/decryption method or am I mistaken (ie different vendors appliances at both
   ends could still allow encryption & decryption as long as they adhere to a certain protocol,
   say AES-256)?  In this case how does the keys exchange work ?
Question by:sunhux
  • 2

Author Comment

ID: 41781587
2 more query:

f) Assuming we have a firewall, an antispam (which also do AV scan on emails) device, a
   DLP device (to screen for sensitive & block emails containing sensitive data from going
   out but don't screen for incoming emails), a bluecoat proxy (to block social networking,
   public emails like yahoo), a Network IPS/IDS, a WAF, an encryption gateway & MS
   Exchange  server, how should they be inter-connected?

   I think WAF is not required as it's only web servers that sit behind the WAF though
   Exchange server sits in DMZ.

   I think it's:
   external firewall - proxy - Netwk IPS/IDS - antispam - DLP - encryption gateway -
   internal firewall (or it's not applicable for DMZ, only for App & DB zones?) -
   Exchange server

g)if we are moving our MS Exchange to MS' Office365 in the cloud, do we port our
    existing antispam, DLP, encryption gateway over to O365?
LVL 39

Accepted Solution

Adam Brown earned 500 total points
ID: 41781818
There's probably a need to examine exactly what you have and need, first. A few concepts that should be pointed out...I wrote an article a while back on this subject:
But there are a few things in addition to that to point out:
1. All email traffic inside an Exchange environment (That is, between Exchange users) is encrypted "in transit," which means the messages are already encrypted by default while traveling from Outlook to Exchange server and back, plus between Exchange servers. In Exchange versions prior to 2010, this wasn't enabled by default, but afterward it was, and can't be disabled.
2. Exchange does not do encryption of data "at rest," which means that once an email is received and stored to the DB, it's not encrypted by default. MS doesn't enable encryption at rest by default because it causes a significant impact on performance, and not everyone needs it.
3. Voltage was purchased by HP and has been rebranded to HPE Secure Mail. It functions by using a publicly available Key Exchange server that tracks messages and sends them as an encrypted attachment. When the attachment is opened, it either queries the server for key information and opens the message automatically (if both sides use the Outlook add in) or prompts the recipient to open the attachment and register their email address with the key exchange server to decrypt the attachment.

All that said, let's look at your questions:

A) I haven't used Voltage, so I can't say for sure, but I imagine there are options/rules to allow this. Alternatively, you could just place it in your mailflow so it only examines/applies to messages that leave the environment.

B) Most solutions like Voltage have the capability to examine messages for protected content and encrypt on the fly. However, Exchange encrypts organizational traffic by default, so it isn't necessary to use Voltage for internal mail traffice

C) As long as the other offices are not in a completely different Exchange environment, all message traffic will be encrypted by default. If each office has its own AD forest and Exchange organization, the SMTP traffic between offices will utilize Opportunistic TLS if it's enabled on the send and receive connectors (Exchange 2013 and later forces use of Opportunistic TLS on Send connectors, but Receive connectors can have it turned on or off), so message traffic will be encrypted in that situation as well. If, however, you want to enforce encryption to those other offices and they aren't using the same exchange organization, you can set up Domain Auth TLS relationships with them to force in-transit encryption.

D) Opportunistic TLS is very common in mail servers these days. Exchange servers have it by default and most modern mail servers do so as well, but there are many many mail servers out there that are either so old they don't support it or the admins that run them have turned TLS off on them (for some incredibly stupid reason that I don't understand). If you have a relationship with another organization and can verify that they support opportunistic TLS and you haven't disabled it on your server, all messages between you and that trusted partner will be encrypted.

E) Recipients do not need to have the outlook add-in installed to receive the messages, but it is much easier for them to read the messages if they do. Read point 3 above.

F) Mail flow should go like this: Exchange Server > Spam Filter > Email Encryption Gateway (if needed) if you want to have outgoing mail inspected by the spam filter. If you don't, you can leave it out. Incoming mail doesn't need to touch your Email Encryption Gateway, so that just goes Spam Filter > Exchange server. The other functions you have will usually examine the traffic automatically as they are firewall solutions that the email data has to go through anyway. As far as actual mailflow goes, Only the Exchange server, Spam Filter, and Email Encryption gateway will be actively involved in mail examination. The other functions (Except WAF) will be passively involved. WAF can be used to protect your CAS server in Exchange, which is preferred. I would not recommend putting a full Exchange server in a DMZ, since it has to communicate with AD. If you have an Edge Transport server in DMZ communicating with an Exchange server in your regular network, that's fine, but having a CAS/MBX server sitting in the DMZ completely defeats the purpose of the DMZ (Which, frankly, is a completely outdated concept, IMO).

G) Here's the fun answer: It depends. Exchange Online provides its own Anti-spam at all subscription levels, so you don't need that once you move over (unless you don't want to use Exchange Online Protection). The E3 Office 365 subscription (And Exchange Online Plan 2 subscription) provide significant DLP features as well as a built in Encryption Gateway system that is actually very similar to what Voltage offers. However, you may want to port over what you have if that's what you are used to managing. O365's versions of those features aren't particularly user-friendly. There are a ton of DLP options available, and they are all configured in different places. The Encryption Gateway solution in Exchange Online relies on Azure AD's Rights Management Service, which has to be enabled and configured as well as set up with activation rules to function. So like I said, it depends on what makes sense for your environment. All of the features you are asking for are already available in Office 365, but it will take some effort to get them functioning properly. If you already have a functioning system, you may want to continue using it. It's up to you.

Author Comment

ID: 41782894
Gee, thanks for the excellent reply.

Glad to hear that only 1 unit of Voltage is needed to allow encryption+decryption of
our country's outgoing email (ie our suppliers & customers' organizations dont need it)

In the different countries' branches, they have their individual Exchange servers and AD server
(ie different domains), so are emails still encrypted?  My guess is even with Exchange 2010,
it has to be a common Exchange server (shared by all branches) for emails to be encrypted?

So Exchange emails between  & are not encrypted?

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Exchange 2013 POP3 2 29
Intune/ Microsoft EMS 1 36
Data encryption when using public Wi-Fi 4 26
Azure Active Directory Connect change from domain.local to 1 27
Phishing attempts can come in all forms, shapes and sizes. No matter how familiar you think you are with them, always remember to take extra precaution when opening an email with attachments or links.
When you’re making plans to join the modern business race, you should analyze various details that may affect your results. Nowadays, millions of businesses are trying to grow into established and appreciated professional enterprises.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
This video discusses moving either the default database or any database to a new volume.

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question