Email Encryption

Entrust's Email encryption gateway, the Entrust Entelligence™ Messaging Server is delivered on an appliance platform, offering simplified email security with broader support for email encryption standards including OpenPGP, S/MIME, Adobe PDF and SSL encryption for web-based email. The Messaging Server's Web administration provides comprehensive, yet easy to use, management, administration, configuration and reporting of email encryption capabilities, including many self-service capabilities to reduce administration costs. Policy-based boundary security can be enabled using on-board content-scanning capabilities, or by integrating external content-control products.

This email encryption appliance delivers:

  • Embedded, standards-based Certification Authority that transparently retrieves existing S/MIME and OpenPGP external user certificates and generates new S/MIME proxy certificates, for both internal and external users, when necessary
  • Flexible encryption options including automatic, security policy-driven encryption based on message header or message content, end-to-end encryption for Microsoft® Outlook®, and user-initiated boundary encryption through email plug-ins for Microsoft Outlook and Lotus Notes®
  • Flexible inbound and outbound email delivery allows external recipients to communicate securely using the encryption standard of their choice, including S/MIME, OpenPGP, Adobe PDF, WebMail Pull, WebMail Push and S/MIME gateway; external recipients need not have a secure email application installed, or even an encryption certificate
  • Ease-of-use, simplified email encryption for end-users
  • Web administration interface, system dashboard and simplified deployment
  • Clustering capabilities to enable load-sharing, fail-over and disaster recovery deployment models
  • Offline encryption for external recipients and senders
  • Server-side Distribution List (DL) expansion
  • Integration with Microsoft Active Directory for group policy encryption
  • Automated management of external certificates and keys
  • Support for Microsoft Certification Authority and Entrust Authority Security Manager
  • Robust system monitoring, auditing and reporting
  • Policy-based security at your organizational boundary
  • Support for secure Web-based email
  • Support for mobile email clients such as BlackBerry and browser-enabled wireless devices
  • DKIM (DomainKeys Identified Mail) signing of outgoing messages
  • Highly customizable deployment through integration with optional solution components such as portal authentication systems, content control, email archiving, storage area networks, anti-spam/antivirus, SNMP monitoring and multifactor authentication

Secure Messaging for Microsoft Outlook/Exchange

Entrust Entelligence™ Messaging Server works in conjunction with the Entrust Entelligence™ Security Provider for Outlook to enable Microsoft Outlook users to send secure emails to external partners and customers.

  1. Using the Email Plug-in, a user sends an encrypted and/or digitally signed email via Microsoft Outlook addressed to one or more recipients; the email is encrypted for and delivered to the Entrust Entelligence™ Messaging Server
  2. Messaging Server expands any distribution lists and determines the appropriate secure delivery method for each recipient
  3. If a secure delivery method has not been determined for a recipient, the message is queued until one is established
  4. Delivery occurs using the appropriate secure delivery method

S/MIME and OpenPGP delivery

Although S/MIME and OpenPGP security technologies are built into the majority of deployed mail clients, they are still perceived to be difficult to use. One of the primary challenges to email encryption adoption is key exchange — in other words, how to get the certificate of the person for whom you wish to encrypt. Individual key exchanges are relatively simple, but don't scale well in large organizations. Certificate searches in LDAP directories are also possible, but most organizations are unwilling to open their directories up to the Internet.

The Entrust Entelligence™ Messaging Server finds the middle ground between the above two scenarios by supporting "harvesting":

  1. If a recipient's key or certificate is not available in the directory or local repository, Messaging Server will send an email to the recipient requesting a certificate
  2. The recipient replies to the request and digitally signs the message
  3. Upon receipt of the signed reply, Messaging Server extracts the certificate and stores it in the repository for use in future correspondences with that recipient by any user within the organization; several models are available for establishing trust in harvested certificates
  4. Queued messages are securely delivered using the retrieved certificate
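The four-step Outlook flow and the harvesting steps above, together with the message queuing and server-side Distribution List resolution described later on this page, as one worked model. This is an added example, not code from Entrust or from this page: the addresses, the distribution list, the credential records (plain dicts) and the signed reply are all constructed, and the reply's signature part is an opaque placeholder standing in for a real S/MIME signature from which a gateway would extract and verify the signer's certificate.

```python
"""Gateway delivery-method selection, queuing and certificate "harvesting".
Added illustration, not Entrust code; all data below is constructed."""
from dataclasses import dataclass, field
from email import message_from_string
from typing import Dict, List, Optional, Set, Tuple

SMIME, OPENPGP = "S/MIME", "OpenPGP"

# Constructed signed reply. The pkcs7-signature part is a placeholder; a real
# gateway would parse the CMS SignedData, verify it and take the signer cert.
SIGNED_REPLY = """\
From: bob@partner.example
To: gateway@corp.example
Subject: Re: Certificate request
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Here is my certificate.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"

CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-SIGNATURE
--b1--
"""


def extract_credential(reply) -> Optional[dict]:
    """Map the signature part of a multipart/signed reply to a credential record."""
    if reply.get_content_type() != "multipart/signed":
        return None
    for part in reply.walk():
        ctype = part.get_content_type()
        if ctype == "application/pkcs7-signature":
            return {"type": "x509", "blob": part.get_payload().strip()}
        if ctype == "application/pgp-signature":
            return {"type": "pgp", "blob": part.get_payload().strip()}
    return None


@dataclass
class Gateway:
    dls: Dict[str, List[str]] = field(default_factory=dict)        # DL name -> members
    repo: Dict[str, dict] = field(default_factory=dict)            # address -> credential
    queue: Dict[str, List[dict]] = field(default_factory=dict)     # address -> waiting messages
    requested: Set[str] = field(default_factory=set)               # outstanding cert requests
    delivered: List[Tuple[str, str]] = field(default_factory=list)  # (address, method)

    def expand(self, recipients: List[str], seen: Optional[Set[str]] = None) -> List[str]:
        """Step 2: expand DLs server-side, de-duplicating and guarding against DL cycles."""
        seen = set() if seen is None else seen
        out: List[str] = []
        for r in recipients:
            if r in seen:
                continue
            seen.add(r)
            if r in self.dls:
                out.extend(self.expand(self.dls[r], seen))
            else:
                out.append(r)
        return out

    def method_for(self, rcpt: str) -> Optional[str]:
        """Secure delivery method for a recipient, or None if no credential is known."""
        cred = self.repo.get(rcpt)
        if cred is None:
            return None
        return SMIME if cred["type"] == "x509" else OPENPGP

    def send(self, msg: dict) -> None:
        """Steps 2-4: deliver per recipient; unknown recipients are queued and asked for a cert."""
        for rcpt in self.expand(msg["to"]):
            method = self.method_for(rcpt)
            if method:
                self.delivered.append((rcpt, method))
            else:
                self.queue.setdefault(rcpt, []).append(msg)
                if rcpt not in self.requested:  # harvest step 1: one request per recipient
                    self.requested.add(rcpt)
                    self.delivered.append((rcpt, "certificate request"))

    def receive_signed_reply(self, raw: str) -> int:
        """Harvest steps 3-4: store the credential, flush the queue; returns messages delivered."""
        reply = message_from_string(raw)
        sender = reply["From"]
        cred = extract_credential(reply)
        # Trust model is a policy choice (the page says several are available);
        # here only replies to our own outstanding requests are accepted.
        if cred is None or sender not in self.requested:
            return 0
        self.repo[sender] = cred
        self.requested.discard(sender)
        pending = self.queue.pop(sender, [])
        for _ in pending:
            self.delivered.append((sender, self.method_for(sender)))
        return len(pending)


def demo():
    """Constructed run: a DL containing a known OpenPGP user and an unknown S/MIME user."""
    gw = Gateway(dls={"partners@corp.example": ["alice@partner.example", "bob@partner.example"]})
    gw.repo["alice@partner.example"] = {"type": "pgp", "blob": "CONSTRUCTED-PGP-KEY"}
    gw.send({"to": ["partners@corp.example", "bob@partner.example"], "subject": "Q3 figures"})
    before = list(gw.delivered)
    flushed = gw.receive_signed_reply(SIGNED_REPLY)
    return before, flushed, gw.method_for("bob@partner.example"), gw.delivered


if __name__ == "__main__":
    print(demo())
```

The queue and the `requested` set are the two pieces of state worth monitoring in such a gateway: a recipient that stays in both for a long time is one whose harvest request went unanswered, which is exactly the situation the message-queuing administration described below is meant to surface.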

In addition to "harvesting" existing credentials, Entrust Entelligence™ Messaging Server can generate S/MIME credentials for external users who do not already have S/MIME certificates.

Adobe PDF and Web-based secure email for recipients without credentials
The Messaging Server offers a choice of Adobe PDF and secure Web-based email to reach recipients that are uncomfortable using S/MIME or OpenPGP. This capability enables users to view encrypted emails using their desktop PDF reader software or through their Web browsers and reply to them securely.

Various deployment models are available to suit customer preferences: Secure PDF offline push, WebMail Pull and WebMail Push. With Secure PDF, users receive an encrypted PDF document containing the email body, attachments and even a secure reply link. With WebMail Pull users receive a notification message indicating that a secure email is available for viewing by clicking on a URL. With WebMail Push the entire message contents are delivered in encrypted form to the recipient and are decrypted upon successful authentication.

Performance for end-users doing email encryption
In many email encryption systems, if a user sends an encrypted email to several recipients the client-side software encrypts the message for all these recipients. The key lookup process can take time for a large recipient list. Using the Messaging Server, the sender encrypts the message for a single recipient — Messaging Server — so the email encryption process is much faster on the client side.

Simplified, easy-to-use email encryption for end-users
Users do not have to change their messaging environment or the way they currently work in order to enhance their messaging security. The Messaging Server is easy to use, configurable and interoperable with a range of messaging solutions. In addition, its flexibility enables it to be combined with other Entrust solutions or vendor products, adding additional capabilities such as archiving or virus-scanning.

Policy-based security with onboard content-filtering
The Messaging Server supports native content-filtering of outgoing messages based on customer-definable policies. Messaging Server also seamlessly integrates with third-party content scanners that customers may already have deployed. Messaging Server will automatically encrypt sensitive emails containing customer account information, personal employee data, client lists, merger and acquisition information, financials, source code and other valuable informational assets that have been flagged by content scanners before they are routed outside an organization's boundary.
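A model of the policy decision described in this section and in the "automatic, security policy-driven encryption based on message header or message content" bullet above, added here as an example and not code from Entrust or from this page. It assumes messages are plain dicts, that the internal domain is a constructed `corp.example`, and that a third-party content scanner marks a message with a constructed `X-Content-Scan` header; the header names, patterns and rule names are all assumptions.

```python
"""Policy-driven boundary encryption decision (added illustration, not Entrust code).
Messages, header names and patterns below are constructed examples."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Message = Dict[str, object]  # {"headers": {...}, "body": str, "to": [addresses]}


@dataclass
class Rule:
    name: str
    test: Callable[[Message], bool]


def header_equals(name: str, value: str) -> Callable[[Message], bool]:
    """Header-based rule: case-insensitive equality on one header value."""
    return lambda m: m["headers"].get(name, "").strip().lower() == value.lower()


def body_matches(pattern: str) -> Callable[[Message], bool]:
    """Content-based rule: regular expression over the message body."""
    rx = re.compile(pattern)
    return lambda m: rx.search(m["body"]) is not None


def crosses_boundary(msg: Message, internal_domain: str) -> bool:
    """True when at least one recipient is outside the organization."""
    suffix = "@" + internal_domain.lower()
    return any(not r.lower().endswith(suffix) for r in msg["to"])


# Constructed policy: any matching rule forces encryption at the boundary.
POLICY: List[Rule] = [
    Rule("scanner flagged", header_equals("X-Content-Scan", "sensitive")),   # assumed scanner header
    Rule("marked confidential", header_equals("X-Sensitivity", "confidential")),
    Rule("account number in body", body_matches(r"\bACCT-\d{8}\b")),          # constructed format
    Rule("M&A keyword", body_matches(r"(?i)\b(merger|acquisition)\b")),
]


def decide(msg: Message, policy: List[Rule] = POLICY,
           internal_domain: str = "corp.example") -> Tuple[str, List[str]]:
    """Return ("encrypt" | "allow", names of the rules that fired).

    Internal-only mail never crosses the boundary, so policy is not applied to it.
    The fired-rule list is what an audit record should carry alongside the decision."""
    if not crosses_boundary(msg, internal_domain):
        return "allow", []
    fired = [r.name for r in policy if r.test(msg)]
    return ("encrypt" if fired else "allow"), fired


def demo() -> List[Tuple[str, List[str]]]:
    """Constructed outbound messages run through the policy."""
    samples: List[Message] = [
        {"headers": {"X-Sensitivity": "Confidential"}, "body": "see attached", "to": ["bob@partner.example"]},
        {"headers": {}, "body": "Your account ACCT-12345678 is active", "to": ["bob@partner.example"]},
        {"headers": {}, "body": "Your account ACCT-12345678 is active", "to": ["carol@corp.example"]},
        {"headers": {"X-Content-Scan": "sensitive"}, "body": "lunch?", "to": ["bob@partner.example"]},
        {"headers": {}, "body": "lunch?", "to": ["bob@partner.example"]},
    ]
    return [decide(m) for m in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The internal-domain check runs before any rule so that internal mail is never re-routed through the encryption path by accident; the rule list is ordered only for readability, since every matching rule is reported rather than just the first.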

Advanced Web administration interface, simplified deployment
The Messaging Server email encryption appliance is a comprehensive, secure platform that includes a fully configured operating system and supporting applications. It enables backup and restore capabilities in addition to online updates. The Web administration interface provides simplified management, administration and configuration capabilities, including the ability to assign multiple roles for segregation of system configuration and administration duties.

Clustering capabilities to enable load-sharing and fail-over
The Messaging Server's native clustering makes it easy to deploy multiple Messaging Server appliances to support load-sharing, fail-over and disaster recovery planning requirements for your email security solution.

Offline end-users and email encryption certificates
Users who are not connected to the Directory (also called "offline users") don't have access to other users' public encryption keys stored in the Directory. Typically, users who work offline must use either the encryption certificates of other users stored in their certificate cache or import the certificates into their Personal Address Book (PAB) on their local machine. Using the Messaging Server, the task of importing certificates is virtually eliminated because the Messaging Server rather than the sender performs the encryption for recipients. The only encryption certificate that offline users must have cached before they try to encrypt is that of the Messaging Server.

Message queuing
Message queuing enables the Messaging Server to store messages that have been sent, until the recipient specifies an appropriate key or a delivery method to send the message securely. The Messaging Server administrators are able to configure the message queuing options and to monitor and delete the messages in the queue.

Server-side Distribution List (DL) resolution
The Messaging Server simplifies the use of Global Address List (GAL) DLs with secure email sent through Entrust Entelligence™ Security Provider for Outlook. By expanding the list membership on the server, instead of in the client, the Messaging Server:

  • Offloads work for the client, speeding the client's secured email processing
  • Ensures that an email is encrypted for the most up-to-date version of the DL
  • Frees users from synchronizing their Entrust information for offline use, a slow and network-intensive operation, making offline use more transparent

Management of external certificates
The Messaging Server can efficiently manage external certificates. In many email encryption systems a user sending an encrypted message to an external unknown recipient would send a verbal or written request to the recipient to obtain their encryption certificate. Even after the user has an external recipient's certificate, it may expire over time without the user's knowledge.

Using the Messaging Server, requests are sent automatically to unknown recipients asking for their email encryption certificates. After recipients send back their certificates (usually by clicking "reply"), the Messaging Server places them in its database for future email encryption use by other users in your organization. The Messaging Server administrators centrally manage the database and keep the external certificates updated.

On-board Certification Authority
The Messaging Server includes an on-board Certification Authority that can seamlessly issue certificates on behalf of internal users and is automatically configured during system startup.

Support for Offboard Microsoft Certification Authority and Entrust Authority Security Manager
The Messaging Server supports email encryption for email security customers who have deployed certificates from the Microsoft CA or Entrust Authority Security Manager to their internal users. The Messaging Server also supports retrieval of external S/MIME certificates and OpenPGP encryption keys from external users.

Notification of system errors
You can configure the Messaging Server to send an email to a set of administrators notifying them of "Critical" or "Alert" errors as soon as they occur. The email notification indicates the level of the error, and also contains the error log message.
