
iQ.Suite Crypt - Encryption with PGP/GnuPG

7.4 Encryption with PGP/GnuPG

Encryption Sequence with PGP or PGP/MIME

1. The user sends an email via his/her client in the usual way.

2. On the server, Crypt retrieves the public key for the email recipients from the GnuPG or PGP key ring.

3. The email is encrypted.

With PGP, all of the email elements are encrypted individually (note: any formatting and embedded images are lost); with PGP/MIME, the email is encrypted as a whole (formatting remains intact).

4. The email is delivered to its recipients.

7.4.1 Sample Job: Encrypting Emails with PGP/GnuPG

1. Consider the preparations for PGP or GnuPG usage. Refer to “Preliminaries for PGP or GnuPG” on page 149.

2. Copy the Encrypt with GnuPG (or PGP) job to MAIL TRANSPORT JOBS.

a) Activate the job (see footnote 44).

b) Configure the recipient addresses in the job. If necessary, create and enable several jobs.

If encryption is configured for a sender-recipient combination, such a sender will normally be unable to send an unencrypted email to one of the configured recipients. However, it may be desirable to reach some of these recipients with an unencrypted email. To do this, select the command in the iQ.Suite under CONDITIONS -> CONDITION: ...WITH FOLLOWING SUBJECT COMMAND. When the sender adds this command to the email's subject line, the job is not executed and the email is sent in unencrypted form. Note that this is a deliberate bypass of the encryption job: any sender who knows the command can use it, so treat the command as confidential and review its use.

The search for the command is not case-sensitive. The search stops as soon as the command has been found, and the command is removed from the subject.

44. This example only illustrates the job-specific details. For a description of the settings under the standard tabs, please refer to “Standard Tabs of Mail Transport Jobs” on page 51.
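The following is an added example (Python, not iQ.Suite code) of the step 2 logic described above: the case-insensitive subject command that suppresses the job and is stripped from the subject, the 7-bit ASCII restriction on the command, and the logical AND between the Addresses tab and the Conditions tab. The job layout, the command "[NOENCRYPT]" and the addresses are assumptions made for illustration.

```python
"""Subject-command bypass and address/condition check for an encryption job.

Added example, not iQ.Suite code. The job dictionary layout, the command
"[NOENCRYPT]" and the addresses are assumptions for illustration."""
import re


def validate_subject_command(command):
    """The command may only contain 7-bit US-ASCII characters.

    The page says 126 characters are possible; this is read here as the
    codes 1..126 (an assumption), so NUL and DEL are rejected along with
    anything non-ASCII such as umlauts."""
    return bool(command) and all(1 <= ord(c) <= 126 for c in command)


def strip_subject_command(subject, command):
    """Case-insensitive search for the command; the search stops at the
    first match and that match is removed from the subject.

    Returns (found, outgoing_subject)."""
    new_subject, hits = re.subn(re.escape(command), "", subject,
                                count=1, flags=re.IGNORECASE)
    # Collapse the gap left by the removed command (a cosmetic choice).
    return hits == 1, " ".join(new_subject.split())


def apply_job(job, sender, recipients, subject):
    """Decide which recipients this job encrypts for.

    Addresses tab (sender and recipient lists) and Conditions tab (subject
    command) are combined with a logical AND: the job runs only for
    recipients listed in the job, and not at all when the subject command
    is present.

    Returns (recipients_to_encrypt, outgoing_subject)."""
    if not validate_subject_command(job["subject_command"]):
        raise ValueError("subject command must be 7-bit US-ASCII")
    found, outgoing = strip_subject_command(subject, job["subject_command"])
    if found:
        # The condition "...with following subject command" suppresses the
        # job: the mail leaves unencrypted with the command stripped. Nothing
        # in the delivered mail shows this happened, so log it at this point.
        return [], outgoing
    if sender.lower() not in {s.lower() for s in job["senders"]}:
        return [], outgoing
    wanted = {r.lower() for r in job["recipients"]}
    return [r for r in recipients if r.lower() in wanted], outgoing


# Constructed sample job (assumed layout).
JOB = {
    "senders": {"alice@corp.example"},
    "recipients": {"partner@partner.example"},
    "subject_command": "[NOENCRYPT]",
}

if __name__ == "__main__":
    print(apply_job(JOB, "alice@corp.example",
                    ["partner@partner.example", "colleague@corp.example"],
                    "Q3 figures"))
    print(apply_job(JOB, "alice@corp.example",
                    ["partner@partner.example"],
                    "Q3 figures [noencrypt] draft"))
```

The second call returns an empty recipient list and the subject "Q3 figures draft": the job is skipped and the delivered mail carries no trace of the command, which is why the bypass should be logged where the decision is made.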

3. Open the Crypt Engine tab:

In the Crypt Engine tab, specify the encryption method for this job.

Under Select method, specify the desired encryption method. In the following field, select the version of the Crypt engine that you have installed.

Specify in the following fields how exception emails (special cases) are to be handled, e.g. TNEF emails:

‘Ignore’: The email is passed to the next job without being further processed by this job. The email is not encrypted.

‘Execute actions’: The actions specified in the Actions tab are performed.

‘Proceed’: The job processes the email like those that do not fall into this category.

Note on step 2: The subject command may only contain characters from the 7-bit ASCII character set (US-ASCII; 126 characters are possible). The conditions set in both the Addresses and Conditions tabs must be met for the job to be run (logical AND).

The special cases are:

Email is in TNEF format: The Outlook TNEF format cannot be processed by iQ.Suite Crypt. The TNEF format is used by Exchange when an Outlook user (not Outlook Express!) sends an email within an Exchange organization. This format is not used for communication via the Internet or when using other email clients.

Email already S/MIME or PGP/MIME encrypted/signed: Emails that arrive on the server encrypted or encrypted and signed with S/MIME or PGP/MIME.

In your corporate email policies, specify how such emails are to be handled.

Email already S/MIME or PGP/MIME signed only: Unencrypted emails that the user has already signed with S/MIME or PGP/MIME when they arrive on the server.

Email already PGP encrypted and/or signed: If PGP/MIME or S/MIME is used, the email structure and the headers make it possible to determine whether the email is encrypted or signed. If the email is encrypted with PGP, only the contents of the individual email elements are replaced with the encrypted part, not the entire email; the structure remains unchanged. Consequently, to determine whether an email has been partially or entirely encrypted by PGP, the fingerprints set in the configuration are applied to all elements of the email (message body and attachments). To define the PGP fingerprints for individual email elements, please refer to “Configuration of the PGP or GnuPG Crypt Engine” on page 150.
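The distinction just described, as an added example (Python standard library, not iQ.Suite code): PGP/MIME and S/MIME are recognised from the MIME structure and headers, whereas inline PGP leaves the structure intact and can only be found by testing every element. The "fingerprints" are assumed here to be the OpenPGP ASCII-armor header lines, since the configured values are not shown on this page, and the sample messages are constructed.

```python
"""Recognise mail that is already S/MIME-, PGP/MIME- or inline-PGP-protected.

Added example, not iQ.Suite code. The fingerprint values are assumed to be
the OpenPGP ASCII-armor header lines; the sample messages are constructed."""
import email
from email import policy

PGP_FINGERPRINTS = (b"-----BEGIN PGP MESSAGE-----",
                    b"-----BEGIN PGP SIGNED MESSAGE-----",
                    b"-----BEGIN PGP SIGNATURE-----")


def classify(msg):
    """Return (category, details); category is "encrypted_or_signed_mime",
    "signed_only_mime", "pgp_inline" or "none"."""
    ctype = msg.get_content_type()
    proto = (msg.get_param("protocol") or "").lower()
    smime_type = (msg.get_param("smime-type") or "").lower()
    # Structure/header checks (RFC 3156 PGP/MIME, RFC 8551 S/MIME).
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "encrypted_or_signed_mime", "PGP/MIME"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        if smime_type == "signed-data":
            return "signed_only_mime", "S/MIME opaque-signed"
        return "encrypted_or_signed_mime", "S/MIME"   # enveloped-data (or unstated)
    if ctype == "multipart/signed":
        if proto == "application/pgp-signature":
            return "signed_only_mime", "PGP/MIME"
        if proto in ("application/pkcs7-signature", "application/x-pkcs7-signature"):
            return "signed_only_mime", "S/MIME"
    # Inline PGP leaves the MIME structure intact: test every leaf element
    # (body and attachments) against the configured fingerprints.
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    hits = [p.get_filename() or p.get_content_type() for p in leaves
            if any(fp in (p.get_payload(decode=True) or b"") for fp in PGP_FINGERPRINTS)]
    if hits:
        return "pgp_inline", ("entire" if len(hits) == len(leaves) else "partial", hits)
    return "none", ""


def classify_raw(raw_bytes):
    return classify(email.message_from_bytes(raw_bytes, policy=policy.default))


# Constructed samples (headers reduced to what the check needs).
PGP_MIME_ENCRYPTED = b"""\
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
hQEMA0example
-----END PGP MESSAGE-----
--b1--
"""
SMIME_SIGNED = b"""\
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b3"

--b3
Content-Type: text/plain; charset="us-ascii"

Quarterly numbers attached.
--b3
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIIBxQYJKoZIhvcNAQcCoIIBtjCCAbICAQE=
--b3--
"""
INLINE_PGP_PARTIAL = b"""\
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----
hQEMA0example
-----END PGP MESSAGE-----
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""
PLAIN = b"""\
Content-Type: text/plain; charset="us-ascii"

Nothing protected here.
"""
```

Calling `classify_raw(INLINE_PGP_PARTIAL)` reports a partial inline encryption (the body matched, the PDF attachment did not), which is exactly the case the structure-based checks cannot see; `classify_raw(PGP_MIME_ENCRYPTED)` is decided from the Content-Type alone.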

PGP Options:

‘Encrypt attachments only’: Only the email attachments will be encrypted.

All other elements of the email, such as the message body, remain unencrypted. If this option is disabled, all elements of the email (attachments, body, HTML text) are encrypted.

‘PGP Universal Server compatibility’: This option ensures compatibility with the PGP Universal Server. Enable this option if an encryption partner uses the PGP Universal Server. Set up two different encryption jobs if you communicate both with encryption partners that use Universal Server and with encryption partners that do not.

‘Remove HTML bodies’: For HTML emails encrypted with PGP/GnuPG, decryption or display problems may occur on the recipient side (see footnote 45). While email programs such as Mozilla Thunderbird or Microsoft Outlook simply display the email body as text and ignore the HTML body, Lotus Notes attempts to display the HTML body as well. This can cause difficulties, especially in reply emails. In this case, enable this option to remove the HTML body before the email is encrypted with PGP/GnuPG.

‘Convert e-mail bodies to UTF-8’: The message bodies are converted to the UTF-8 (Unicode) character set.

4. Open the Crypt Mode tab:

In the Crypt Mode tab, specify the encryption mode and security settings (VPN channel) to be called with this job.

45. These problems are due to technical PGP/GnuPG restrictions. As a general rule, neither PGP nor GnuPG supports encrypting HTML bodies.

This issue does not occur when iQ.Suite for Microsoft Exchange is also used on the recipient side.


In the sample jobs, the Crypt mode is preconfigured.

The individual options show the possible security settings for outgoing emails (VPN channels). The options only apply to encryption, since signatures are added with the private key. If this key is missing, no signature can be added and the actions specified in the Actions tab are performed.

‘Optional encryption’: The emails are encrypted with the existing public keys. Any emails to recipients for whom no valid key is available are sent unencrypted. The information from the Subject extension field (General tab) is added to the email subject.

‘Low security’: Emails are encrypted with the existing public keys. Emails to recipients for whom a valid key exists are sent encrypted. For all recipients without a valid key, the actions specified in the Actions tab are performed.

‘Medium security’: Emails are encrypted with the available public keys as long as at least one valid key exists. All outgoing emails are then encrypted. Recipients with a valid key can open the emails with their private key; recipients without a private key matching one of the public keys used will not be able to open the encrypted emails. The actions specified in the Actions tab are performed only if no valid key exists at all.

‘High security’: Emails are encrypted with the available public keys only if valid keys exist for all recipients. The actions specified in the Actions tab are performed as soon as one key is invalid or missing.

Note: Jobs are performed only for the recipients specified in the Addresses tab. If you enter only the communication partners with a valid public key, you can select a high security setting to create tap-resistant channels without missing keys triggering the actions specified in the Actions tab. Create a separate job for each security setting. Thus, to send emails at maximum security to some recipients while offering others only optional encryption, set up two jobs.

5. Open the Mapping tab:

In the Mapping tab, specify the type of address mapping for encryption and, if necessary, create your own mapping table.

‘First use mapping list below’: The entries in the user-defined mapping table below have priority over the entries in the public key ring. If a key ID is entered in this table, the job looks for this key ID in the public key ring and uses the associated key. The encryption job looks for a key ID under the recipient address in the public key ring only if no suitable entry has been found in the table. This setting is advisable for implementing encrypted communications with another company through secure VPN channels.

‘First use public key ring’ (default): The entries in the public key ring have priority over the entries in the user-defined mapping table. The encryption job looks for the required key ID in the mapping table below only if no entry matching the recipient address has been found in the key ring. Example: separate encryption for emails to the management.

‘Use public key ring only’: The job looks for keys only by recipient address in the public key ring. In this case, the mapping table is not enabled; existing entries do not have to be deleted. Use this option to communicate with individuals who each have their own key.

‘Use global mappings’: If specific recipient addresses are to be used in multiple Crypt jobs, you can create these addresses as "global mappings" (see footnote 46). Enable this option if you want the job to use all recipient addresses defined as global. Please note that local addresses are read before the global addresses.

46. Refer to “Global Mappings” on page 146.
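The key lookup order of the Mapping tab (step 5) and the four security settings of the Crypt Mode tab (step 4) are combined in the following added example (Python, not iQ.Suite code). The key ring, mapping tables, addresses and key IDs are constructed for illustration; the lookup order and the mode behaviour follow the text above, and the `subject_extension` flag for clear copies under 'Optional encryption' is an assumption about where the Subject extension applies.

```python
"""Key lookup with the Mapping tab precedence, then the Crypt Mode decision.

Added example, not iQ.Suite code. Key ring, mapping tables, addresses and key
IDs are constructed; mode and option names follow the manual text."""
from dataclasses import dataclass, field


@dataclass
class Key:
    key_id: str
    addresses: tuple        # user IDs on the key
    valid: bool = True      # expired or revoked keys count as "no valid key"


# Constructed key ring and mapping tables (assumptions).
KEYRING = [
    Key("A1", ("alice@partner.example",)),
    Key("B1", ("bob@partner.example",), valid=False),   # expired
    Key("MGMT", ("management@corp.example",)),          # shared management key
    Key("C1", ("carol.old@partner.example",)),          # UID no longer matches
]
LOCAL_MAP = {"ceo@corp.example": "MGMT"}                # this job's mapping table
GLOBAL_MAP = {"carol@partner.example": "C1"}            # 'global mappings'


def key_by_address(keyring, addr):
    addr = addr.lower()
    return next((k for k in keyring
                 if k.valid and addr in (a.lower() for a in k.addresses)), None)


def key_by_id(keyring, key_id):
    return next((k for k in keyring if k.valid and k.key_id == key_id), None)


def resolve_key(recipient, mapping_mode, keyring, local_map, global_map=None,
                use_global=False):
    """Find the public key for one recipient.

    mapping_mode: "mapping_first"  ('First use mapping list below')
                  "keyring_first"  ('First use public key ring', the default)
                  "keyring_only"   ('Use public key ring only')
    use_global:   'Use global mappings'; local entries are read before global."""
    def from_mapping():
        key_id = local_map.get(recipient.lower())
        if key_id is None and use_global and global_map:
            key_id = global_map.get(recipient.lower())
        return key_by_id(keyring, key_id) if key_id else None

    def from_keyring():
        return key_by_address(keyring, recipient)

    if mapping_mode == "keyring_only":
        return from_keyring()
    if mapping_mode == "mapping_first":
        return from_mapping() or from_keyring()
    if mapping_mode == "keyring_first":
        return from_keyring() or from_mapping()
    raise ValueError(f"unknown mapping mode {mapping_mode!r}")


@dataclass
class Plan:
    mode: str
    encrypted_to: dict = field(default_factory=dict)   # recipient -> key ID
    clear_to: list = field(default_factory=list)       # sent unencrypted ('Optional')
    cannot_read: list = field(default_factory=list)    # 'Medium': ciphertext, no key
    actions_for: list = field(default_factory=list)    # trigger the Actions tab
    subject_extension: bool = False                    # mark clear copies (assumed)


def plan_encryption(mode, keys):
    """keys: recipient -> Key or None. mode: optional / low / medium / high."""
    plan = Plan(mode)
    have = {r: k.key_id for r, k in keys.items() if k}
    missing = [r for r, k in keys.items() if not k]
    if mode == "optional":          # encrypt where possible, rest in the clear
        plan.encrypted_to, plan.clear_to = have, missing
        plan.subject_extension = bool(missing)
    elif mode == "low":             # encrypt where possible, actions for the rest
        plan.encrypted_to, plan.actions_for = have, missing
    elif mode == "medium":          # one key is enough; others get unreadable mail
        if have:
            plan.encrypted_to, plan.cannot_read = have, missing
        else:
            plan.actions_for = missing
    elif mode == "high":            # all keys or nothing
        if missing:
            plan.actions_for = missing
        else:
            plan.encrypted_to = have
    else:
        raise ValueError(f"unknown crypt mode {mode!r}")
    return plan


def run_job(mode, mapping_mode, recipients, use_global=False):
    keys = {r: resolve_key(r, mapping_mode, KEYRING, LOCAL_MAP, GLOBAL_MAP, use_global)
            for r in recipients}
    return plan_encryption(mode, keys)
```

With Alice (valid key) and Bob (expired key) as recipients, `run_job("high", "keyring_first", ...)` encrypts nothing and fires the actions for Bob, while `"medium"` encrypts for Alice and delivers ciphertext Bob cannot open; this is the trade-off the four settings express, and the reason the note above recommends one job per security level with only suitable recipients in its Addresses tab.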

7.5 Decryption with PGP/GnuPG

Decryption Sequence with PGP or PGP/MIME

1. On the server, iQ.Suite Crypt retrieves the private key for the incoming email from the GnuPG or PGP key ring.

2. The email is decrypted.

With PGP, the encrypted email elements are decrypted, with PGP/MIME the email as a whole.

3. The email is delivered to the recipient.

4. Users receive their email through their clients as usual; encryption is completely transparent for the recipients.

7.5.1 Sample Job: Decrypting Emails with PGP/GnuPG

1. Consider the preparations for PGP or GnuPG usage. Refer to “Preliminaries for PGP or GnuPG” on page 149.

2. Copy the Decrypt with GnuPG (or PGP) job to MAIL TRANSPORT JOBS.

a) Activate the job (see footnote 47).

b) Configure the recipient addresses in the job. If necessary, create and enable several jobs.

3. Open the Crypt Engine/Mode tab:

In the Crypt Engine/Mode tab, specify the decryption method and the security settings to be used by this job. You can also select additional options here.

47. This example only illustrates the job-specific details. For a description of the settings under the standard tabs, please refer to “Standard Tabs of Mail Transport Jobs” on page 51.