Endpoint Encryption

  • 1.  Outlook 2007 VBA method to detect and safely move emails ?

    Posted Jul 27, 2011 07:24 AM

    I have written several VBA macros in Outlook that handle emails in various conditions and have encountered the following undesirable effect:

    whenever I move an encrypted email from a folder to another (using the Item.Move method), the resulting item (i.e. the email in the target folder) is stored decrypted, whereas I need it to remain encrypted (and be decrypted on the fly by PGP Desktop when I access it).

    I have searched this forum and various other places but have not found answers for the following points:

    • how to detect programmatically that an email is PGP encrypted?
    • how to then move the original, encrypted item, as opposed to the locally buffered decrypted version?

     

    Any help/hint/pointer to resources greatly appreciated.

    My specs: Win XP SP3 32bits, Outlook 2007 connected to a Corporate Exchange server, PGP Desktop 10.0.0

    laurent



  • 2.  RE: Outlook 2007 VBA method to detect and safely move emails ?

    Posted Jul 27, 2011 10:19 AM

    Are you absolutely certain the message being moved is in an encrypted state? The reason I ask is because PGP Desktop's messaging proxy handles the encryption and decryption of messages to and from your email client and thus stored messages are in plaintext.

     

     

     



  • 3.  RE: Outlook 2007 VBA method to detect and safely move emails ?

    Posted Jul 28, 2011 03:41 AM

    I am certain it is NOT being moved in an encrypted state, meaning that it is moved in a decrypted state, ending up as plaintext on the Exchange server. And that's the issue. How to make sure the proxied, decrypted message is flushed out before Outlook tries to move it?



  • 4.  RE: Outlook 2007 VBA method to detect and safely move emails ?

    Posted Jul 28, 2011 07:01 AM

    The proxy does not cache nor buffer the decrypted message so there is nothing to flush. This is best illustrated by the following scenario:

    1. Start Outlook and send yourself an encrypted message
    2. Close Outlook
    3. Right click on the PGP Desktop icon in the System Tray and select Exit PGP Services
    4. A PGP Alert dialog box is shown, click Yes
    5. Start Outlook
    6. Perform a Send / Receive, if it does not happen automatically on starting Outlook
    7. Select a received message known to have been encrypted but not that from step 1.
    8. The message should appear in plaintext and thus affirms my previous post
    9. Close Outlook and run PGP Desktop to restart the services stopped by steps 3 and 4 above.
    10. Start Outlook
    11. Select the message received from step 1; this message is decrypted on the fly each time it is accessed

    FYI: You do not need to Exit PGP Services to stop the proxy from decrypting messages; the same can be achieved by selecting Options, Messaging tab, and unselecting the Secure Email checkbox. However, this will stop the automatic encryption and decryption of messages.



  • 5.  RE: Outlook 2007 VBA method to detect and safely move emails ?

    Posted Jul 29, 2011 07:01 AM

    First of all thanks Suhaib for the help :)

    After more tests I think I now understand what happens.

    Whenever the encrypted message gets written back to Outlook's store (locally and on Exchange) THEN it's written back in plaintext. It gets written back when inserting Annotations or when moving it to a different folder programmatically.

    And that is a severe security breach for me.

    But interestingly, when I move the message directly within Outlook (i.e. with the UI as opposed to a macro) then it's NOT written back in plaintext. I think it's also true with the QuickSteps in Outlook 2010 but can't confirm at the moment.

    So I guess then the question is more at the Outlook/PGP interface level, or even maybe at the programmatic access to Outlook level: how to programmatically move messages around Outlook without storing the result in plaintext? Is this even possible?



  • 6.  RE: Outlook 2007 VBA method to detect and safely move emails ?

    Posted Aug 02, 2011 06:32 AM
    You might find the View PGP Log and View Notifier useful in determining when a message is decrypted; both can be accessed from the PGP Desktop system tray icon.


  • 7.  RE: Outlook 2007 VBA method to detect and safely move emails ?

    Posted Aug 08, 2011 04:36 PM

    While moving things around using VBA isn't something we support per se, I think it should be possible. I know it is possible to cause PGP to leave server stored IMAP folders encrypted. (See: http://www.symantec.com/docs/TECH14924) I suspect you may be able to use a similar tactic to secure cached Exchange or server stored Exchange email. The local preferences file is in %appdata%\PGP Corporation\PGP\ and is named PGPprefs.xml. The file does have Unix-style line endings. Therefore, do not use Notepad. Also, you will need to have PGPtray stopped if you want to edit the file. Do make a backup copy before you make any changes.

    A while back I dug up these criteria for detecting encrypted email. The context in which I was looking was for routing rules for a mail server. However I expect the detection rules would still apply.

        Rule #  Condition            Attribute     Operator  Value
        1       Attachment Name                    is        *.pgp
        2       Attachment Name                    is        *.gpg
        3       Attachment Name                    is        *.asc
        4       Message Header       content-type  Contains  multipart/encrypted
        5       Message Header       content-type  Contains  multipart/signed
        6       Message Header       content-type  Contains  application/pkcs7-mime
        7       Message Header       content-type  Contains  application/x-pkcs7-mime
        8       Message Header       content-type  Contains  application/pkcs7-signature
        9       Any part of message                Contains  -----BEGIN PGP
        10      Any part of message                Contains  -----BEGIN=20PGP
        11      Any part of message                Contains  * PGP
        12      Any part of message                Contains  LS0tLS1CRUdJTiBQR1Ag
        13      Any part of message                Contains  LS0tQkVHSU4gUEdQI
        14      Any part of message                Contains  LS0tLUJFR0IOFBHUC 

    The above rules will detect both S/MIME and OpenPGP secured emails. Adjust as needed for your purposes.
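
The rule table in the last post, applied to a raw RFC 5322 message (for example one exported from the mail store), as an added example that is not code from the thread or from the PGP product. It covers rules 1 to 10 and derives the base64 forms of the armor marker that rules 12 to 14 target, one per byte alignment, instead of hard-coding literals; rule 11 is left out because its intended match is not clear from the post. The names `detect_secured`, `base64_variants` and `sample_message` are hypothetical, and the sample message is constructed.

```python
import base64
from email import message_from_string
from fnmatch import fnmatchcase

ARMOR = b"-----BEGIN PGP"
ATTACH_GLOBS = ("*.pgp", "*.gpg", "*.asc")                      # rules 1-3
SECURE_TYPES = ("multipart/encrypted", "multipart/signed",      # rules 4-8
                "application/pkcs7-mime", "application/x-pkcs7-mime",
                "application/pkcs7-signature")

def base64_variants(marker=ARMOR):
    """Base64 substrings that always appear when `marker` is base64-encoded,
    one for each position (0, 1, 2) it can take inside a 3-byte group."""
    variants = []
    for pad in range(3):
        enc = base64.b64encode(b"\0" * pad + marker).decode().rstrip("=")
        start = (pad * 8 + 5) // 6            # skip chars mixed with preceding bytes
        end = (pad + len(marker)) * 8 // 6    # stop before the char mixed with following bytes
        variants.append(enc[start:end])
    return variants

def detect_secured(raw):
    """Return the rule groups that match a raw message (empty list = no match)."""
    msg = message_from_string(raw)
    hits = []
    names = [(part.get_filename() or "").lower() for part in msg.walk()]
    if any(fnmatchcase(n, g) for n in names for g in ATTACH_GLOBS):
        hits.append("attachment-name")
    ctype = str(msg.get("Content-Type", "")).lower()
    if any(t in ctype for t in SECURE_TYPES):
        hits.append("content-type")
    if "-----BEGIN PGP" in raw or "-----BEGIN=20PGP" in raw:    # rules 9-10
        hits.append("armor")
    flat = raw.replace("\r", "").replace("\n", "")   # base64 bodies are line-wrapped
    if any(v in flat for v in base64_variants()):    # rules 12-14, derived
        hits.append("armor-base64")
    return hits

def sample_message(body, ctype="text/plain", cte="7bit"):
    """Constructed test message; addresses and subject are placeholders."""
    return ("From: a@example.com\nTo: b@example.com\nSubject: test\n"
            f"MIME-Version: 1.0\nContent-Type: {ctype}\n"
            f"Content-Transfer-Encoding: {cte}\n\n{body}\n")

if __name__ == "__main__":
    armored = b"-----BEGIN PGP MESSAGE-----\n\nconstructed\n-----END PGP MESSAGE-----\n"
    print(detect_secured(sample_message(armored.decode())))
    print(detect_secured(sample_message(base64.encodebytes(b"x" + armored).decode(), cte="base64")))
```

A match only says the stored item still carries OpenPGP or S/MIME structure; an item that was written back in plaintext, as described earlier in the thread, returns an empty list.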