Please note, that the facility described below is currently not a full service.
print friendly version

Questions and answers

2536
How can I send and receive encrypted attachments?


The Sussex email systems don't normally accept encrypted email attachments, for two reasons:

  1. Our anti-virus scanner cannot scan encrypted attachments, which could contain viruses.

  2. The usual password protection mechanisms (for PDF files, for example) aren't secure because they require exchange of passwords, and the exchange of passwords isn't usually done in a secure manner.

Public key encryption

The Sussex email systems will accept emails that are entirely encrypted using public and private key pairs. The best analogy for the way this works is to imagine that you give the sender a box that anyone can lock (your public key), but that only you have a key to unlock (your private key).

The easiest way of arranging this is to use the S-MIME standard that is supported by Outlook, Apple Mail, Thunderbird, and other modern email applications. It isn't supported by the Sussex Webmail service, because this would require storing private keys on the web server, and there is a risk that they could all be stolen.

To use S-MIME, the sender and receiver of the emails both need to have personal email security certificates, based upon your respective email addresses. They can be obtained from trusted certificate vendors like Comodo.  Other vendors supply such certificates, but Comodo's can be obtained free of charge. The sender and receiver can use certificates from different vendors, if they wish.

Signatures and encryption

As well as encrypting email for secrecy, you can sign emails so that the recipient can verify the origin of the email. A signed email isn't secure, unless it's also encrypted. 

Your private key is used to sign emails, and the recipient can use your public key to verify that the content hasn't been altered since you signed it. 

Your public key is used by senders to encrypt emails that only you can read. Usually the email will also be encrypted with the sender's public key, so that the sender can read it. It may also be encrypted with public keys of additional recipients, so that they can read the email.

Exchanging keys

You should not share your private key with anyone. You can share your public key freely, but should not share it too freely because it could be used to smuggle viruses through the Sussex email systems. Keys need to be renewed annually, and this prevents them from becoming too widely known. They can also be revoked by you, if you suspect that your private key has been compromised.

Once you have certificates, you need to exchange public keys with your correspondents. This can be as easy as sending a digitally-signed email. It will carry a copy of your public key, and the recipients can add it to their certificate repositories. The exact mechanism depends on the software that you each use, but you don't need to know what your correspondents are using: you just send a signed email.

Step by step guides to installing and using certificates

Follow the instructions in our step-by-step guides for Windows PCs (specifically for Outlook) and for Apple Macs.

Help us to improve this answer

Please suggest an improvement
(login needed, link opens in new window)

Your views are welcome and will help other readers of this page.

Categories

This is question number 2536, which appears in the following categories:

Created by Ian Eiloart on 6 December 2012 and last updated by Richard Byrom-Colburn on 23 September 2016