Exchange Hosted Encryption - Steps for Configuration and Use

ATTENTION: OBSOLETE CONTENT. (FOR EDUCATION ONLY)

EXCHANGE HOSTED ENCRYPTION HAS BEEN PHASED OUT.

THE NEW SERVICE THAT HAS TAKEN ITS PLACE IS CALLED "OFFICE 365 MESSAGE ENCRYPTION".

PLEASE NOTE THAT BY THE END OF 30 SEPTEMBER 2014, 100% OF OUR EHE CUSTOMERS WILL BE ON THE NEW OFFICE 365 MESSAGE ENCRYPTION.

FOR THE NEW SETUP PROCESS, CLICK HERE.

 

___

 

Exchange Hosted Encryption helps you to deliver confidential business communications safely, letting users send and receive encrypted email directly from their desktops as easily as regular email. Email can be encrypted without complex hardware and software to purchase, configure, or maintain, which helps to minimize capital investment, free up IT resources, and mitigate messaging risks.

You can configure your Microsoft Office 365 or Exchange Online Protection service to have outgoing email encrypted and to decrypt incoming encrypted mail. In order to do this, you have to be an existing subscriber for Exchange Hosted Encryption (EHE) and then set up a transport rule in the Exchange Administration Center that will engage your encryption service.

For Reference - To enable encryption and decryption

 

EHE uses an approach in cryptography known as Identity-Based Encryption (IBE). IBE enables a simple identity, such as an email address, to be used as a public key to facilitate secure communication with any recipient. IBE does not require end-user certificates and thereby eliminates the usability and management problems inherent in traditional PKI-based communication solutions.

 

<Excerpt>

Use the EAC to create a transport rule that uses EHE to encrypt outgoing messages

As an example for the procedure here, only the message being sent to one person (trish@fabrikam.com) will be encrypted. You don’t have to set up your rules this way. You can use any conditions available in the rules and not just one person.

To allow users to encrypt outgoing messages:

  1. In the EAC, navigate to Mail flow > Rules, and click New to create a new rule.
  2. In New rule, give a name to the rule. For example, Encrypt mail for trish@fabrikam.com.
  3. Select the condition you want from the list of available conditions listed in the *Apply this rule if… dropdown. Some of the conditions will require you to specify values. For example, if you want to encrypt messages going to trish@fabrikam.com, do the following: 
    1. In the *Apply this rule if… dropdown select The recipient is…
    2. In the check names box, type trish@fabrikam.com and then click check names and click ok.
  4. In New rule click More options.
  5. For the second condition, we want to apply encryption only if trish@fabrikam.com is outside the organization. Do the following:
    1. Click add condition.
    2. In the drop down select The recipient is… and then select is external/internal.
    3. Select Outside the organization and click ok.
  6. Under Do the following… select Modify the message properties… > set a message header.
  7. For message header, click *Enter text… and type x-voltage-encrypt and click ok.
  8. For header value, click the second *Enter text… and type encrypt and click ok.
  9. Under Except if... select A message header… > includes any of these words…
    1. For header name, click *Enter text… and type X-Voltage-Encrypted and click ok.
    2. For the words the header should include, click the second *Enter text… and type Encrypted in the text box, click Add, and click ok.
  10. Click Save to finish creating the rule.

Use the EAC to create a transport rule that uses EHE to decrypt incoming messages

As an example for the procedure here, only the messages received by one person (anatoly@contoso.com) will be decrypted. You don’t have to set up your rules this way. You can use any conditions available in the rules and not just one person.

To allow users to decrypt incoming messages:

  1. In the EAC, navigate to Mail flow > Rules, and click New to create a new rule.
  2. In New rule, give a name to the rule. For example, Decrypted mail for anatoly@contoso.com
  3. In *Apply this rule if… select the conditions that you want to apply before messages are decrypted.
  4. In New rule click More options.
  5. Add another condition by selecting A message header > includes any of these words.
    1. For header name, click *Enter text… and type X-Voltage-Encrypted and click ok.
    2. For the words the header should include, click the second *Enter text… and type Encrypted in the text box, click Add, and click ok.
  6. Under Do the following… select Modify the message properties… and select set a message header.
    1. For message header, click *Enter text… and type x-voltage-decrypt and click ok.
    2. For value, click the second *Enter text… and type decrypt and click ok.
  7. Under Except if... , click add exception then select A message header > includes any of these words…
  8. For header name, click *Enter text… and type X-Voltage-Decrypted and click ok.
  9. For the words the header should include, click the second *Enter text… and type Decrypted in the text box, click Add, and click ok.
  10. Click Save to finish creating the rule.

<End of Excerpt>
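The two EAC procedures in the excerpt above can also be expressed with the `New-TransportRule` cmdlet. This is an added example, not part of the original article or the excerpted documentation; it assumes an Exchange Online PowerShell session is already connected and reuses the rule names, addresses and header values from the steps above.

```powershell
# Added example: assumes a connected Exchange Online PowerShell session.
# Rule names, addresses and header values are the ones from the EAC steps above.

# Outbound rule: ask EHE to encrypt mail to one external recipient.
# The exception skips messages that already carry the "encrypted" marker,
# so a message is not submitted for encryption a second time.
$encryptRule = @{
    Name                                = 'Encrypt mail for trish@fabrikam.com'
    SentTo                              = 'trish@fabrikam.com'
    SentToScope                         = 'NotInOrganization'
    SetHeaderName                       = 'x-voltage-encrypt'
    SetHeaderValue                      = 'encrypt'
    ExceptIfHeaderContainsMessageHeader = 'X-Voltage-Encrypted'
    ExceptIfHeaderContainsWords         = 'Encrypted'
}
New-TransportRule @encryptRule

# Inbound rule: ask EHE to decrypt mail for one internal recipient.
# It only fires on messages marked as encrypted, and the exception skips
# messages that were already decrypted.
$decryptRule = @{
    Name                                = 'Decrypted mail for anatoly@contoso.com'
    SentTo                              = 'anatoly@contoso.com'
    HeaderContainsMessageHeader         = 'X-Voltage-Encrypted'
    HeaderContainsWords                 = 'Encrypted'
    SetHeaderName                       = 'x-voltage-decrypt'
    SetHeaderValue                      = 'decrypt'
    ExceptIfHeaderContainsMessageHeader = 'X-Voltage-Decrypted'
    ExceptIfHeaderContainsWords         = 'Decrypted'
}
New-TransportRule @decryptRule

# Review what was created: confirm scope, header action and exception
# before relying on the rules for confidential mail.
Get-TransportRule |
    Where-Object { $_.SetHeaderName -like 'x-voltage-*' } |
    Format-List Name, State, Priority, SentTo, SentToScope,
                SetHeaderName, SetHeaderValue,
                ExceptIfHeaderContainsMessageHeader, ExceptIfHeaderContainsWords
```

A rule whose condition is narrower than intended (for example, a single recipient instead of all external mail) leaves other messages unencrypted without any error, so the final listing is worth checking against the policy you meant to enforce.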

Follow these screenshots to enable encryption.

 

1. Go To Exchange Admin Center

 

2. Go To Mailflow > Rules > Create a new Rule. In this screenshot, I already have a few rules created.

 

3. Complete the necessary configuration as described earlier in this article. Note that the settings in this screenshot will trigger encryption when a message is going out of the organization.

 

 

4. Save and Close

5. Now that the rules are ready, let us send a mail! Note that the mail is going to someone (me) who is outside the organization, so it will trigger encryption based on the transport rule that we created.

 

6. When the recipient receives the email, it looks like this. But note that there is an attachment to the email.

 

7. Click on the attachment

 

8. Double click on the attachment to open it in the browser

 

9. The first time a recipient encounters an encrypted message from EHE, the recipient is asked to create a credential.

 

10. A verification email is sent to the recipient's email address.

 

11. Verification process has to be followed.

12. Go back to the encrypted email and double click on the attachment - Enter your credentials.

 

13. View the message. Note that once a secure email is sent, all subsequent emails that are part of the same conversation thread are encrypted, provided that the responses are sent by the recipient from the web-based EHE client. As in the screenshot below, the reply to this encrypted email can be sent from this browser-based application, and the reply is also secure.

And for this, the recipient does not require an EHE Subscription.

 

 

The EHE Service also lets the recipient include attachments as part of the encrypted response.

 

14. Opening the reply in Outlook Web App

Open the attachment as before.

 

 

To Open the attachment in Outlook Web App, right click on the attachment and select "Open link in new Tab".

 

 

Follow the same steps as mentioned earlier, to view the reply from the recipient.

 

 

 

 

For further information on EHE Subscription, please refer to https://office.microsoft.com/en-us/exchange/microsoft-exchange-hosted-encryption-email-encryption-FX103934580.aspx

 

<Excerpt>

Secure and reliable

  • Exchange Hosted Encryption provides advanced security and reliability to help protect your information.
  • Send encrypted email messages to anyone, regardless of the recipient's system configuration.
  • Provide strong, automated encryption with a cost-effective infrastructure.
  • Eliminate the need for certificates and use a recipient's email address as the public key.
  • Communication through a TLS-enabled network further enhances message security.

Stay in control

  • With Exchange Hosted Encryption, you can keep your data safe, while maintaining control over your environment.
  • Protect sensitive information and data leaving your gateway consistently and automatically.
  • Policy-based encryption encrypts messages at the gateway based on policy rules.
  • Help manage compliance with security and privacy requirements such as HIPAA and GLBA.
  • Integrate with existing email infrastructure for minimal up-front capital investment. 

Easy to use and maintain

  • It's easier than ever to protect your organization's email.
  • Encrypted email delivered directly to recipients' inbox and not to a Web service.
  • Email decrypted and read with confidence, without installing client software.
  • A managed key server eliminates the need for certificate maintenance.
  • Encryption process is transparent to the sender, who does not need to do anything other than write and send the message as usual.

How to Buy Exchange Hosted Encryption

You can purchase Exchange Hosted Encryption through Microsoft partners. There are different options for purchasing, with the following licensing programs:

  • Enterprise Agreement
  • Enterprise Agreement Subscription
  • Select
  • Select Academic
  • Select U.S. Government
  • Open Value
  • Open Value Subscription
  • Campus (Higher Education)
  • School (K-12)
  • Service Provider License Agreement (SPLA)
  • Exchange Hosted Encryption is not available through Microsoft Open License Program.

 

<End of Excerpt>