Email encryption with External recipients

  • Question

  • Hi, can you tell me how to enable users to use email encryption, using external digital certificates, to encrypt mail to external recipients? There are 13000 users in my organization.

    I saw that the user has to get a digital certificate themselves from an external vendor. Is this mandatory? Is there any way to get certificates for users from the IT administrator end (at the organization level)?


    Thanks in advance


    Thanks, chandru CT1

    Friday, June 16, 2017 11:37 AM

All replies

  • As far as I am aware, if you use the native Outlook capabilities, digital IDs need to be exchanged before encryption takes place. This means that both the sender and recipient need to send each other a digitally signed cert first - not very efficient for 13000 users!

    If it were purely for internal recipients, it's fairly easy to push out a Secure Email certificate to all users, but this wouldn't be trusted outside the network.

    I've previously used things like PGP Universal, but this would once again mean that both parties need to have this implemented and there's a fair amount of setup involved.

    The easiest way to get some level of protection is to use TLS. Whilst this doesn't offer non-repudiation and individual message protection, it does protect the message while in transit from sender to recipient. This is fairly easy to configure - both parties need to have TLS enabled, but there's not much more to it. (I also assume you're using Outlook + Exchange Server)



    Georg Thomas | CISSP, CISM, CEH, GIAC, MCSE (Security), MVP Twitter @georgathomas This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Monday, June 19, 2017 4:28 AM
  • In order to send encrypted email to a recipient, you must first acquire that recipient's certificate and public key.

    The email is then encrypted with that key, such that only the possessor of that key's associated private key can decrypt the email. And that's the point.

    Within an enterprise, these public keys are often distributed by AD. The user account is looked up in the AD directory, and if the user's certificate is associated with the user account, this can be made somewhat automatic.

    Outside of an organization, this becomes more of a challenge, as there generally is no automated method to look up and acquire a recipient's certificate (and public key).

    So to exchange an encrypted email with recipients outside of the enterprise, the sender will first need to manually acquire that recipient's certificate.

    This is doable, but not trivial, especially across an enterprise of your size.

    As others have stated, there are other ways to send secure email to external recipients.

    Good Luck,

    Wayne

    Monday, June 19, 2017 12:55 PM