Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Defining Email Policies > Encryption tab > Advanced encryption
Advanced encryption
 
Related topics:
*
Editing advanced encryption settings
If you have the Email Security Encryption Module, you can send messages that use identity-based encryption, with no need for users to manually exchange passwords. You can also customize the email notification that the recipient sees before decrypting the message.
*
Prerequisites for advanced encryption
*
How advanced encryption works
*
Adding an advanced encryption rule
Prerequisites for advanced encryption
To use advanced encryption, you must have a TLS certificate on the server designated as an outbound connection. This certificate must meet the following requirements:
*
The certificate is issued by a supported certificate authority. For a list of supported CAs, see the knowledge base article What are the trusted Certificate Authorities?
*
Wildcard certificates are supported. Note that multi-level subdomains (for example, sub2.sub1.mydomain.com) are not supported with a standard subdomain wildcard certificate (for example, *.mydomain.com).
*
Subject Alternative Name (SAN) certificates are not fully supported. Only the name listed as the Common Name (CN) will be recognized. Any names defined as SANs will be ignored.
*
The Subject CN of the certificate must match the outbound connection's fully-qualified domain name (FQDN).
In addition, note the following requirements for your TLS connection:
*
The sending IP address must resolve to the outbound connection's FQDN.
*
The outbound connection's FQDN must resolve to the sending IP address.
*
Your MTA's sending HELO string must match the outbound connection's FQDN.
For more information about TLS, see Transport Layer Security.
How advanced encryption works
When an advanced encryption rule is matched, the following process takes place:
1.
Sender sends email that triggers the rule.
2.
The email is encrypted by Forcepoint Email Security Cloud using identity-based encryption, and sent on to the recipient's MTA for delivery.
3.
The recipient is sent an email notification containing an HTML attachment. When opened in a browser, the attachment displays a button that the recipient clicks to access to the secure encryption network via HTTPS. The recipient must register their email address and a password with the secure encryption network if this is the first time they have received an encrypted message via Forcepoint Email Security Cloud. The recipient then uses this password to access all subsequent encrypted messages sent to their email address.
4.
If the recipient replies to the encrypted message, the message is decrypted by Forcepoint Email Security Cloud and then analyzed in the same way as other inbound mail before delivery.
There are 3 ways to use advanced encryption:
*
Content-based. Set up lexical rules so that a message will automatically be encrypted if it contains certain phrases. See Creating a lexical rule in advanced mode.
Note that if a message triggers a lexical rule with a Quarantine action and a rule with an Encrypt action, the Quarantine action will take precedence and the message will be quarantined without encryption.
If a message triggers a rule with the Encrypt action and a rule with either Forward, Tag Subject, BCC, or BCC and Tag Subject, the Encrypt action will take precedence and the other action(s) will not be applied.
If a message triggers lexical rules with the Encrypt and Keep Copy actions, both actions will be applied.
*
Sender/recipient-based. Set up an advanced encryption rule that encrypts a message sent from or to specific users.
*
Subject and content-based. Set up an advanced encryption rule that encrypts a message with a certain trigger word in the subject header, a particular sensitivity header, or specific phrases in the message headers or body.
You can combine these methods to configure the encryption policy that you require.
Advanced encryption integrates with other aspects of your email policy as follows:
*
If you have set up attachment parking, an attachment that meets the parking criteria will be parked before the message is encrypted. The decrypted message will contain a link to retrieve the attachment. See Parking attachments.
*
If you have outbound aliases, the aliases will be applied before the message is encrypted. The resulting encrypted message will always show the external address.
Adding an advanced encryption rule
To set up sender/recipient-based or subject and content-based advanced encryption, click Add in the Encryption section of the Encryption tab.
1.
Enter a name for the encryption rule, and ensure Advanced Encryption is selected as the encryption type.
2.
To notify the message sender when a message has been encrypted, mark Notify sender. You can also notify others by entering a comma-separated list of email addresses.
3.
Optionally, enter one or more senders or recipients for the rule to apply to. Recipients can be either specifically included in or excluded from the rule.
You can enter individual email addresses, groups configured in Forcepoint Email Security Cloud, or domain names. You can enter multiple senders or recipients, separated by commas.
To edit an existing sender or recipient, click the item. Press Enter to save your changes as a new entry in the sender or recipient list. To discard your changes, press Esc.
To remove an item from a sender or recipient list, click the Delete icon next to the item.
4.
If you are including subject criteria, content criteria, or both in the encryption rule, select whether the message should match any of the criteria, or all of the criteria you select to trigger the rule.
5.
To include messages with a sensitivity setting in the email headers for encryption, mark The message contains a sensitivity header, and select an option from the drop-down list. If you want the rule to match against all sensitivity headers, select Any.
6.
To define a trigger word that appears in the subject line for messages to be encrypted, mark The subject box, and select whether the trigger word is at the start of the subject or is contained anywhere in the subject line. Then enter the trigger word.
 
* 
Note 
A trigger word is not case sensitive and MUST be followed by a space.
7.
To specify phrases that trigger encryption if contained in a message, mark The message contains any of the following phrases, and select whether the phrases appear in the message body or headers.
Enter each phrase on a new line, by pressing Enter after each phrase. The phrases are not case sensitive.
8.
Click Submit.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Defining Email Policies > Encryption tab > Advanced encryption
Copyright 2023 Forcepoint. All rights reserved.