Advanced email encryption
Email Encryption | TRITON AP-EMAIL | Updated: 02-May-2016
The email hybrid service can perform cloud-based message encryption on outbound messages if your subscription includes both the Email Hybrid Module and Email Encryption Module.
The email hybrid service must be registered and enabled in order to use advanced email encryption. See TRITON AP-EMAIL Administrator Help for details about hybrid service registration.
After you have successfully registered with the email hybrid service, you should contact Forcepoint Order Processing (op@websense.com) to ask that advanced email encryption capabilities be enabled for your account.
After advanced encryption is enabled, configure advanced email encryption by selecting the Advanced Email Encryption option in the Encryption method drop-down list (Settings > Inbound/Outbound > Encryption).
Because advanced email encryption does not function properly with the self-signed certificate provided with TRITON AP-EMAIL, a trusted third-party certificate from a CA is required. See Trusted third-party certificates for a list of trusted certificates to use with the advanced email encryption function. See Generating encryption keys and a CSR for information regarding CSR generation.
Message encryption process
A content policy that specifies the conditions under which an outbound message should be encrypted is configured in the TRITON Manager Data module. See Data Security Manager Help for details about configuring an outbound email data loss prevention (DLP) policy with an encryption action plan. See Creating an email DLP policy for encryption for a high-level procedure for email DLP policy configuration.
Important
The outbound DLP policy mode set in the Email module console must be set to Enforce in order for advanced email encryption to work properly (Main > Policy Management > Policies > Outbound > Data Loss Prevention).
When an email DLP policy identifies an outbound message for encryption, the message is sent to the email hybrid service via a TLS connection. If a secure TLS connection is not made, the message is placed in a delayed message queue for a later delivery attempt.
The email hybrid service analyzes every message routed for encryption for email-borne threats. If threats are detected, the email hybrid service sends a non-delivery receipt (NDR) to the Email module.
If analysis determines that a message contains no email-borne threats, the hybrid service encrypts it and forwards it directly to the recipient as an HTML message attachment. Encrypted content is not stored in the cloud during this process.
Important
When opened in a browser, the message attachment displays a button that allows the recipient to access a secure encryption network via HTTPS. The email recipient must register an email address and password with the encryption network on first access. This password is used to open all subsequent encrypted messages to this email address.
Encryption is not performed on inbound or internal email messages, although the email protection system can forward inbound email to an encryption gateway for decryption. The DLP policy must designate only outbound messages for encryption when advanced email encryption is used. See the Data Security Manager Help for details.
When decryption is enabled (Settings > Inbound/Outbound > Encryption), the email hybrid service attempts to decrypt inbound encrypted mail, and adds an x-header to the message to indicate whether the decryption operation succeeded. Message analysis is performed regardless of whether message decryption is successful.
Trusted third-party certificates
Advanced email encryption requires a certificate from a third-party CA that is trusted by the email hybrid service. See Generating encryption keys and a CSR for information about obtaining a certificate. After you have generated a CSR, follow the third-party CA acquisition procedures for the certificate you want to purchase.
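A certificate can be checked for the two properties above (not self-signed, and chaining to a CA the hybrid service trusts) before it is installed. The following Go program is an added example, not Forcepoint's code: it assumes a `roots` pool that you populate with the trusted CAs from the list below (not reproduced here) and constructs its own demo certificates with the standard `crypto/x509` package.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
// Readiness: the hybrid service needs a cert that is not self-signed and chains to a CA it trusts.
type Readiness struct{ SelfSigned, Trusted bool }
// CheckCertPEM evaluates one PEM certificate against roots, a pool of the CAs assumed to be trusted.
func CheckCertPEM(certPEM []byte, roots *x509.CertPool) (Readiness, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return Readiness{}, errors.New("input has no CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Readiness{}, err
	}
	var r Readiness
	// Self-signed: issuer equals subject and the signature verifies under the cert's own key.
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		r.SelfSigned = true
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	r.Trusted = err == nil
	return r, nil
}
// NewTestCert builds a constructed demo certificate (hypothetical, not a real CA's output); parent == nil means self-signed.
func NewTestCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	signer, signerKey := tmpl, key
	if parent != nil { signer, signerKey = parent, parentKey }
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}
```

For a real check, load the trusted CA certificates into the pool with `AppendCertsFromPEM` and pass the PEM file returned by the CA in place of the constructed certificates.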
Use a certificate from one of the following trusted CAs for advanced email encryption:
Copyright 2016 Forcepoint LLC. All rights reserved.