Endpoint Encryption

  • 1.  How to configure a rule to Encrypt all messages between internal users?

    Posted Sep 28, 2014 07:32 PM

    I'm working on a solution to enable end-to-end encryption of all email messages between a set of internal users.


    There are 200 internal users, but only 10 users (VIP Users) need to encrypt all emails that any member of that "VIP" group sends to another member. Encryption must be end-to-end. I mean, the messages must be encrypted even from the Outlook email client.

    All messages that are sent from any member of this group to an internal user that is not a member of the "VIP" group must be encrypted only if the VIP user writes a keyword in the subject of the email.

    All VIP users have mobile devices (Android and iOS). Capacity to read encrypted messages on the mobile devices is important but is not a hard restriction.

    All keys for internal users are KMS.

    Can you guide me to create a rule for those users?

    Thanks

     

    Goltrek

     

     



  • 2.  RE: How to configure a rule to Encrypt all messages between internal users?

    Posted Sep 29, 2014 07:23 AM

    For end-to-end, you need the client installed on the VIPs' endpoints.  Then you can create a dictionary containing the list of the VIP email addresses and create a rule that encrypts if the message matches those.  Add these users to a different consumer policy, and add the rule under the outbound server chain for Client.



  • 3.  RE: How to configure a rule to Encrypt all messages between internal users?

    Posted Sep 29, 2014 10:58 AM

    Thank you Alex_CST

     

    I created a Policy Chain (Applicable: Client), with just one rule.

    Conditions:

    All of the following are true:

    -Sender address is in dictionary: VIP dictionary

    -Recipient address is in dictionary: VIP dictionary

     

    Actions:

    Send encrypted/signed

    -Encrypt to recipient's key

    Is this rule OK? Must I make any changes?

     

     



  • 4.  RE: How to configure a rule to Encrypt all messages between internal users?
    Best Answer

    Posted Sep 29, 2014 11:05 AM

    That looks fine.

    There's 1 rule you need to watch out for though.  It's called "Passthru for internal users".  I recommend you disable this rule, or move the newly created rule above it in the chain.

    That rule will ignore all other rules and send in the clear if the recipient address is from the same domain as the sender (in a managed domain, in other words).
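
    The ordering issue raised in post 4, as an added example that is not part of the original thread and is not the product's rule engine or configuration format: a simplified first-match chain model showing how a passthrough rule placed ahead of the VIP rule sends VIP-to-VIP mail in the clear, plus a check that flags such shadowed encrypt rules. The first-match semantics, the default action, the domain and the addresses are assumptions constructed for illustration.

```python
# Simplified model of a first-match mail policy chain (illustrative only;
# not the product's rule engine or configuration format).
from dataclasses import dataclass
from typing import Callable, List

MANAGED_DOMAIN = "example.com"                    # constructed sample domain
VIP = {"ceo@example.com", "cfo@example.com"}      # constructed "VIP dictionary"

@dataclass
class Msg:
    sender: str
    recipient: str
    subject: str = ""

@dataclass
class Rule:
    name: str
    matches: Callable[[Msg], bool]
    action: str                                   # "encrypt" or "clear"

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

# Rule from post 3: sender AND recipient are both in the VIP dictionary.
vip_rule = Rule("VIP to VIP",
                lambda m: m.sender.lower() in VIP and m.recipient.lower() in VIP,
                "encrypt")
# Rule described in post 4: same managed domain -> send in the clear.
passthru = Rule("Passthru for internal users",
                lambda m: domain(m.sender) == domain(m.recipient) == MANAGED_DOMAIN,
                "clear")

def evaluate(chain: List[Rule], msg: Msg) -> str:
    """Return the action of the first matching rule (assumed first-match semantics)."""
    for rule in chain:
        if rule.matches(msg):
            return rule.action
    return "clear"                                # assumed default when nothing matches

def shadowed_encrypt_rules(chain: List[Rule], samples: List[Msg]) -> List[str]:
    """Names of encrypt rules that match a sample but lose to an earlier 'clear' rule."""
    hits = set()
    for msg in samples:
        for i, rule in enumerate(chain):
            if rule.action == "encrypt" and rule.matches(msg):
                if any(r.action == "clear" and r.matches(msg) for r in chain[:i]):
                    hits.add(rule.name)
    return sorted(hits)

SAMPLES = [Msg("ceo@example.com", "cfo@example.com"),      # VIP to VIP
           Msg("ceo@example.com", "staff@example.com")]    # VIP to non-VIP
```

    Running `shadowed_encrypt_rules` over representative sender/recipient pairs after every chain change gives a quick regression check that no encrypt rule has been pushed below a rule that sends in the clear.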