DoD uses their PKI infrastructure (built to support their Common Access Card) to support email encryption. Outbound emails are signed with the cert stored on your CAC (private key) and are encrypted with your private key, allowing other DoD people to decrypt with your public key. Alternatively, you can do single person encryption by using their public key which requires them to decrypt with their CAC.
Basically, you need either a well-established PKI which you and the recipient trust or pre-exchanged public keys. You’re sending encrypted data that way (encrypted at rest) through a means that may or may not be encrypted in flight as well (SMTP/TLS, etc).

On Apr 23, 2014, at 12:01 PM, Matthew W. Ross <[email protected]> wrote:

I am no security expert, so forgive my ignorance. I understand that Exchange servers have the ability to encrypt all the "data at rest" on the server, and may well be able to encrypt the data sent to a client using ActiveSync. But, isn't it true that an email, once it leaves the server via SMTP, is unencrypted?

--Matt Ross
Ephrata School District

Michael B. Smith <[email protected]>, 4/23/2014 8:54 AM:

This would be better on the Exchange list. But two concepts come into play. Data-at-rest and data-in-motion.

Data-in-motion – in MANY (not even most, just many) modern systems is encrypted using SSL or TLS. If the system is Exchange, then Exchange ensures that all data in transit is always encrypted.

Data-at-rest is far more complex and requires a certain level of operational maturity to implement. Lots of third party compliant email systems do this on THEIR servers. But not on yours.

Authenticated data-in-motion and authenticated data-at-rest are what you refer to by suggesting “key exchange is required”. Typically, this is S/MIME. And that’s a whole different kettle of fish.

From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Tran
Sent: Wednesday, April 23, 2014 11:31 AM
To: [email protected]
Subject: [NTSysADM] RE: is email over SSL same as email encryption?

After doing some more reading, it looks like the sender and recipient need to exchange keys for this to work. To the members here who have to be HIPAA compliant for email, do you mind sharing what you have in place? Do you use a 3rd party to handle this? How do you communicate with users outside your organization and also be compliant?

From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Tran
Sent: Wednesday, April 23, 2014 8:19 AM
To: [email protected]
Subject: [NTSysADM] is email over SSL same as email encryption?

I ask this because I have a client who wants to be HIPAA compliant with patient communication. I don’t know much about compliance with email except that the email needs to be encrypted. Currently, they use email hosted by bluehost via imap and over SSL. This just means the connection to bluehost is encrypted, but by the time it hits the patient’s inbox, it is no longer encrypted, correct?

TIA,
Jimmy
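The thread's point that SMTP transit "may or may not be encrypted in flight" can be checked after the fact from a message's Received: trail. This is an added example, not code from anyone in the thread: it parses the Received: headers of a constructed sample message (hostnames and addresses are made up) and flags each hop that shows no TLS marker.

```python
"""Audit a message's Received: trail for hops that did not use TLS.

Each MTA prepends a Received: header, so the top header is the last hop.
A hop that negotiated STARTTLS is normally recorded as 'with ESMTPS'
(ESMTPSA for authenticated submission) and often adds 'version=TLS...';
plain 'with ESMTP' or 'SMTP' means that hop was in the clear.
Caveat: only headers written by MTAs you control are trustworthy; a prior
hop can write anything it likes into its own Received: line.
"""
import email
import re
from email import policy

# Constructed sample: the clinic's MX received the message over TLS, but the
# earlier hop from a LAN workstation to the relay was plain ESMTP.
SAMPLE_MESSAGE = (
    "Received: from relay.example.net (relay.example.net [192.0.2.10])\n"
    " by mx.clinic.example (Postfix) with ESMTPS id 4A1B2C\n"
    " (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);\n"
    " Wed, 23 Apr 2014 08:19:00 -0700\n"
    "Received: from workstation.lan (unknown [10.0.0.5])\n"
    " by relay.example.net (Postfix) with ESMTP id 9D8E7F;\n"
    " Wed, 23 Apr 2014 08:18:55 -0700\n"
    "From: staff@clinic.example\n"
    "To: patient@example.org\n"
    "Subject: appointment\n"
    "\n"
    "See you Thursday.\n"
)

# 'with ESMTPS' / 'ESMTPSA' / 'SMTPS', or an explicit TLS version clause.
TLS_MARKER = re.compile(r"\bwith\s+(?:E?SMTPSA?|UTF8SMTPSA?)\b|\bTLS[v_]?\d", re.I)
FROM_BY = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)


def received_hops(raw_message):
    """Hops in transmission order: [{'from': ..., 'by': ..., 'tls': bool}, ...]."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # oldest hop first
        text = " ".join(str(value).split())  # unfold continuation lines
        m = FROM_BY.search(text)
        hops.append({
            "from": m.group(1) if m else "?",
            "by": m.group(2) if m else "?",
            "tls": bool(TLS_MARKER.search(text)),
        })
    return hops


def cleartext_hops(raw_message):
    """'from -> by' for every hop that shows no sign of TLS."""
    return [f"{h['from']} -> {h['by']}" for h in received_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print("TLS      " if hop["tls"] else "CLEARTEXT", hop["from"], "->", hop["by"])
```

Note that this only shows what the receiving MTAs recorded about transport; it says nothing about the message at rest in either mailbox, which is the separate S/MIME problem the thread describes.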

