Forcepoint Email Encryption
Email Encryption | Forcepoint Email Security | Updated: 29-Apr-2022
 
The email hybrid service can perform cloud-based message encryption on outbound messages if your subscription includes both the Forcepoint Email Security Hybrid Module and Forcepoint Email Security - Encryption Module.
The email hybrid service must be registered and enabled in order to use Forcepoint Email Encryption. See Forcepoint Email Security Administrator Help for details about hybrid service registration.
After Forcepoint Email Encryption is enabled, configure advanced email encryption by selecting Forcepoint Email Encryption from the Encryption method pull-down menu (Settings > Inbound/Outbound > Encryption).
Because Forcepoint Email Encryption does not function properly with the self-signed certificate provided with Forcepoint Email Security, a trusted third-party certificate from a CA is required. See Trusted third-party certificates for a list of trusted certificates to use with the Forcepoint Email Encryption function. See Generating encryption keys and a CSR for information regarding CSR generation.
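A pre-flight check for the certificate requirement above, given as an added example that is not Forcepoint tooling or code from this guide: it uses the openssl command line to tell a self-signed certificate apart from one issued by a CA in a given PEM bundle. The file names, subjects, test CA and helper function names are constructed for the demonstration; in practice the bundle would hold the CA that issued your certificate.

```shell
#!/bin/sh
# Added example. File names, subjects and helper names are constructed.

# Exit 0 if the certificate is self-signed: issuer equals subject and the
# signature verifies under the certificate's own public key.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$subj" = "$issr" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Exit 0 if certificate $1 chains to a CA in PEM bundle $2.
chains_to_trusted_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the verdict for a certificate about to be installed.
preflight() {
    if is_self_signed "$1"; then echo "self-signed"
    elif chains_to_trusted_ca "$1" "$2"; then echo "ok"
    else echo "untrusted-issuer"
    fi
}

# Constructed sample input: a self-signed certificate, a test CA, and a
# certificate that the test CA issues from a CSR.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_samples "$demo"
echo "self.pem: $(preflight "$demo/self.pem" "$demo/ca.pem")"
echo "leaf.pem: $(preflight "$demo/leaf.pem" "$demo/ca.pem")"
rm -rf "$demo"
```

A root CA certificate is itself self-signed, so the check also flags the case where the CA's root is supplied in place of the issued certificate.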
Message encryption process
A content policy that specifies the conditions under which an outbound message should be encrypted is configured in the Security Manager Data Security module. See Forcepoint DLP Administrator Help for details about configuring an outbound email data loss prevention (DLP) policy with an encryption action plan. See Creating an email DLP policy for encryption for a high-level procedure for email DLP policy configuration.
 
Important 
The outbound DLP policy mode in the Email Security module must be set to Enforce for Forcepoint Email Encryption to work properly (Main > Policy Management > Policies > Outbound > Data Loss Prevention).
When an email DLP policy identifies an outbound message for encryption, the message is sent to the email hybrid service via a TLS connection. If a secure TLS connection is not made, the message is placed in a delayed message queue for a later delivery attempt.
The email hybrid service analyzes each message routed for encryption for threats. If threats are detected, the email hybrid service sends a non-delivery receipt (NDR) to the Email Security module.
If the analyses determine that a message contains no email-borne threats, the hybrid service encrypts the email, which is then sent as an HTML message attachment to the email recipient. Encrypted content is not stored in the cloud during this process. After the email hybrid service encrypts a message, it is forwarded directly to its recipient.
 
Important 
When opened in a browser, the message attachment displays a button that allows the recipient to access a secure encryption network via HTTPS. The email recipient must register an email address and password with the encryption network on first access. This password is used to open all subsequent encrypted messages to this email address.
Encryption is not performed on inbound or internal email messages, although the email security system can forward inbound email to an encryption gateway for decryption. The DLP policy must designate only outbound messages for encryption when Forcepoint Email Encryption is used. See Forcepoint DLP Administrator Help.
When decryption is enabled (Settings > Inbound/Outbound > Encryption), the email hybrid service attempts to decrypt inbound encrypted mail, and adds an x-header to the message to indicate whether the decryption operation succeeded. Message analysis is performed regardless of whether message decryption is successful.
Trusted third-party certificates
Forcepoint Email Encryption requires a certificate from a third-party CA that is trusted by the email hybrid service. See Generating encryption keys and a CSR for information about obtaining a certificate. After you have generated a CSR, follow the third-party CA's procedures to purchase the certificate.
Use a certificate from one of the following trusted CAs for Forcepoint Email Encryption:
Copyright 2022 Forcepoint. All rights reserved.