COYOTE CREEK CONSULTING - Company of IT Consultants

Safeguarding Confidential Information with Email Encryption

With concern about identity theft and other data security issues growing exponentially, many of our clients have been asking about their options for email encryption. This month we’ll delve into the basics of this important topic.

What is Email Encryption?
Any time you send information over the internet there is a chance that this information will fall into the wrong hands. If the message is simply “great seeing you, let’s get together again soon” it really doesn’t matter who reads it. But if the email includes confidential information – such as social security numbers, financial data or intellectual property – the consequences of a security breach can be quite dire.

Email encryption is a way of protecting the information being sent and ensuring that only the intended recipients can read the message’s content (including any associated attachments), and that the contents of the email arrive unaltered.

What is a Digital Email Signature?
Email encryption programs can also allow for the creation of a digital email signature that verifies the identity of the message’s sender. While encryption refers to locking up an email so that no one can open it without authorization, a digital signature provides proof to the recipient that the message really is from this person and that it has not been altered in any way.

A “signed” email is signed with a certificate, such as one issued by VeriSign, that vouches for the identity of the sender.

How Does Email Encryption Work?
The concept behind encryption is similar to the concept behind the safety deposit boxes at your local bank. Each safety deposit box has two keys. One is “private,” or specific to your box. The other is “public,” good for many or all of the boxes in the room. Accessing your safety deposit box requires the use of both keys simultaneously.

Encrypted emails also involve both public and private keys, although these “keys” are of course digital rather than physical. Encryption keys are generated by something called “certificates,” which can either be purchased from commercial certificate authorities such as GoDaddy.com or VeriSign, or produced through an in-house certificate authority. The certificates and their associated keys usually expire and need to be renewed on an annual basis.

With email encryption, each private key is assigned to one person within your organization, who loads it into their email program (such as Microsoft Outlook). If that person wants to exchange encrypted email with another individual, they must first send this person a digitally signed email. The recipient then right-clicks the sender’s address in the “From” field of that email and saves it to their contact list; the saved contact includes the sender’s public key. Doing so allows the recipient to automatically open future encrypted emails received from that sender.

Each private key can be associated with any number of public keys. For example, one person can send public keys to hundreds of people, and each of these hundreds of people will then be able to open encrypted messages from that sender.

This type of encryption is known as Public Key Infrastructure, or PKI.

What are Our Options for Encrypting Email?
If only a handful of your users need to send encrypted email, it may be easiest to handle things on an individual-user basis. If many users need to send encrypted email, server-side encryption is the better choice. Here is a description of your four basic options:

  1. Email Encryption at the Individual User Level: The Easy Way
    The easiest way to handle email encryption at the individual user level is through the use of commercially available software such as PGP (which stands for “Pretty Good Privacy,” but actually offers very good privacy). This quick and uncomplicated off-the-shelf software allows the user to easily configure their email program to encrypt email, without having to think about buying and managing certificates, creating keys and so forth.

  2. Email Encryption at the Individual User Level: The Harder Way
    Another option is to obtain an individual certificate for each user. The typical cost of an individual certificate ranges from free to $20.00 per year. Once received, the certificate is loaded into the user’s email program and used to create that person’s private and public keys.

  3. Complete Email Encryption at the Server Level
    Handling email encryption at the server allows you to have an organization-wide encryption program with just one certificate to purchase and manage (vs. potentially hundreds of certificates, each with its own expiration date). This type of encryption uses S/MIME, the “standard” encryption protocol.

    With this encryption approach you obtain one certificate, load it onto your email servers (such as Microsoft Exchange), and then generate individual private keys for each person in your organization who needs to send encrypted emails. Just as with encryption at the individual level, these private keys then need to be loaded into each individual’s email program (such as Outlook or Thunderbird). Each individual then sends out public keys to those people to whom they wish to send encrypted messages.

    If you’re concerned about your organization’s individual users actually remembering to hit the “encrypt” button before they send out sensitive messages, one advantage of server-side encryption is the ability to set up encryption rules within Microsoft Exchange. For example, you can configure a rule so that if a message meets certain specified requirements – such as a particular topic in the message body or particular words in the subject line – it will automatically be encrypted before it is sent.

  4. Partial Email Encryption at the Server Level
    Another option is to use TLS (Transport Layer Security), an encryption protocol that encrypts the communication between two servers. With this method it is just the server-to-server communication that’s encrypted, not the individual emails.

    TLS is useful for situations where organizations at different locations need to share confidential information with each other, but the only real concern is with keeping the information out of the hands of people outside the organization, rather than keeping it away from other individuals within the organization. A good example of this might be a doctor’s office that has two locations and needs to send confidential medical records back and forth between the two offices.

    To implement a TLS encryption system you must obtain and install a certificate, and then configure your server to use TLS. The recipient to whom you will be sending encrypted messages must also have TLS enabled on their server for this to work. Once the system is set up all messages sent between the two servers will automatically be encrypted, with no action required by the users.
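The key exchange described under “How Does Email Encryption Work?” and the S/MIME approach in option 3 can be tried end to end with the openssl command-line tool. The script below is an added example, not code from the original article or from Coyote Creek; it uses self-signed certificates for two constructed identities, alice@example.com and bob@example.com, where a real deployment would use certificates issued by a certificate authority.

```shell
#!/bin/sh
# Added example, not from the article: S/MIME sign/verify and encrypt/decrypt
# with the openssl CLI. Identities and message are constructed; in production
# the certificates would be issued by a CA as the article describes.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Key pair plus self-signed certificate for one mailbox (constructed identity).
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
# Alice signs with her private key: the signature proves origin and integrity.
sign_message() {
  openssl smime -sign -in plain.txt -signer alice@example.com.crt \
    -inkey alice@example.com.key -out signed.msg
}
# Bob verifies against Alice's certificate, saved from her signed mail and
# trusted here directly as its own CA. Exit status 0 means the signature holds.
verify_message() {
  openssl smime -verify -in "$1" -CAfile alice@example.com.crt \
    -out /dev/null 2>/dev/null
}
# Alice encrypts to Bob's public key (from his certificate); only Bob's private
# key can open the result. -binary keeps the content byte-for-byte.
encrypt_message() {
  openssl smime -encrypt -binary -aes256 -in plain.txt -out encrypted.msg \
    bob@example.com.crt
}
decrypt_message() {
  openssl smime -decrypt -in encrypted.msg -recip bob@example.com.crt \
    -inkey bob@example.com.key -out decrypted.txt
}

make_identity alice@example.com
make_identity bob@example.com
printf 'Employee SSN 123-45-6789, salary 55000\n' > plain.txt  # constructed content

sign_message
verify_message signed.msg && echo "signature verified"
# One altered digit in transit must make verification fail.
sed 's/123-45-6789/123-45-0000/' signed.msg > tampered.msg
verify_message tampered.msg || echo "tampered message rejected"

encrypt_message
grep -q '123-45-6789' encrypted.msg || echo "SSN not readable in encrypted message"
decrypt_message
cmp -s plain.txt decrypted.txt && echo "decrypted text matches original"
```

Each openssl call exits non-zero on failure, so the same functions can be dropped into a monitoring or acceptance check that confirms signatures still verify after a certificate renewal.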

Conclusion
If anyone at your organization is sending emails that contain confidential information, you need to have an email encryption program in place to protect this important data. Coyote Creek has handled email encryption numerous times, in a wide variety of different environments. We can answer your questions about email encryption, or we can get the entire system up and running for you.

Copyright © 2010 Coyote Creek Consulting. All Rights Reserved