Endpoint Encryption

  • 1.  Using multiple keys for same e-mail address?

    Posted Mar 24, 2014 08:03 PM

    Hi there. I have an existing S/MIME certificate that I was using with Outlook 2010. I set Outlook to sign with that certificate by default. I am now kicking the tires on Symantec Encryption Desktop as I have a client that prefers using PGP which Outlook doesn't handle natively very well. So I downloaded, created a PGP key, imported my client's public keys and all seemed to be well.

    However, it seems that I cannot leave S/MIME signing on in Outlook, as that seems to disable Symantec - if I have signing on in Outlook, trying to set encryption on (using the "Encrypt" button above "PGP" that SED added to the ribbon) does nothing. Same with signing. I suppose that makes sense.

    I have also added my existing S/MIME cert to SED, so that I can pick either S/MIME or PGP to sign or encrypt using SED. However, that seems to be something that needs to be done manually. Which brings me to my questions:

    Is there a way to set up policies so that if I have a PGP public key of a recipient on my keyring, SED will automatically choose my PGP private key and by default sign, encrypt and send, and for all others for whom I don't have any public key, SED will automatically choose my S/MIME private key and by default sign and send?

    I can't seem to find anything in the policy set up that would allow this, so thought I'd take the liberty of asking here. Any suggestions would be most appreciated.



  • 2.  RE: Using multiple keys for same e-mail address?

    Broadcom Employee
    Posted Mar 25, 2014 04:46 AM

    Hi slartibartfast098,

    You should be able to create new policies (place the most restrictive at the top) to do this.
    I believe you could have this handled with one policy "If recipient is" recipient XYZ > "Encrypt to" (+) Sign encoding "PGP/MIME"; and another rule placed below "If recipient is" * > Sign encoding S/MIME.

    Search the help for "Creating a New Security Policy"; there you have step-by-step instructions.

    See also:
    How to Pass Through Inbound Email with S/MIME Certificates - TECH166867
    Outlook S/MIME Encryption is not working with PGP Messaging Running - TECH168529


    HTH,
    dcats



  • 3.  RE: Using multiple keys for same e-mail address?

    Posted Mar 25, 2014 08:53 AM

    Thanks dcats - most appreciated. Your comment is quite helpful. That being said, I was looking for a solution where the trigger condition would be the existence of a public key on my keyring, rather than a characteristic of the e-mail. There doesn't seem to be a way to set that as the trigger. I checked the help but it also doesn't mention anything of the sort - would you happen to know either way? On your second point, regarding sign encoding, does that actually select a different key, or just change the formatting of the outbound e-mail? As far as I can tell, it only does the latter - i.e. selecting S/MIME will send something signed with my PGP key in S/MIME format rather than PGP/MIME (assuming my PGP key has been selected as the default key). Do let me know if I'm mistaken.


  • 4.  RE: Using multiple keys for same e-mail address?

    Broadcom Employee
    Posted Mar 28, 2014 04:38 AM

    Hi slartibartfast098,

    You can have the policies configured for opportunistic encryption. This means it will encrypt if the public key is found, otherwise send in clear. Alternatively, you can configure it to encrypt or bounce.
    I think it would be applicable only to PGP keys as far as I remember.

    Good point with that S/MIME signature, I will need to test that. I guess I made an association error.


    HTH,
    dcats
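
The rule ordering from post 2 and the opportunistic behaviour from post 4, modelled as an added example that is not part of this thread and not Symantec Encryption Desktop's own code or configuration format. The rule fields, the key placeholders and the assumption that the signing key stays fixed at the default key whatever sign encoding is chosen are all mine, taken from what the thread reports rather than verified against the product; the `key_follows_keyring` switch models the keyring-triggered selection the asker was looking for.

```python
from dataclasses import dataclass

# Constructed model of an ordered outbound e-mail policy list, evaluated
# first-match the way the thread describes SED's rule list (most restrictive
# rule at the top). Rule fields and semantics are assumptions, not SED's API.

@dataclass(frozen=True)
class Rule:
    recipient: str   # exact address, or "*" to match any recipient
    mode: str        # "encrypt" (encrypt or bounce), "opportunistic" or "sign"
    encoding: str    # "PGP/MIME" or "S/MIME"

@dataclass(frozen=True)
class Outcome:
    encrypt: bool
    encoding: str
    signing_key: str

def evaluate(to, rules, pgp_pubkeys, keys, key_follows_keyring=False):
    """Decide how a message to `to` is handled; the first matching rule wins.

    "opportunistic" encrypts only when a PGP public key for the recipient is on
    the keyring and otherwise sends in clear (post 4). By default the signature
    always uses keys["pgp"], so an S/MIME sign encoding changes the format but
    not the key, the limitation the asker reports (assumed from the thread).
    key_follows_keyring=True instead models the behaviour the asker wanted."""
    addr = to.lower()
    for rule in rules:
        if rule.recipient != "*" and rule.recipient.lower() != addr:
            continue
        has_key = addr in pgp_pubkeys
        if rule.mode == "encrypt" and not has_key:
            raise LookupError(f"bounce: no public key for {to}")  # encrypt-or-bounce
        encrypt = rule.mode == "encrypt" or (rule.mode == "opportunistic" and has_key)
        encoding = "PGP/MIME" if encrypt else rule.encoding  # keyring holds PGP keys only
        signing_key = keys["smime"] if key_follows_keyring and not has_key else keys["pgp"]
        return Outcome(encrypt, encoding, signing_key)
    raise ValueError("policy list needs a catch-all '*' rule")

# Constructed sample data: one PGP-using client on the keyring, two own keys.
KEYRING = {"client@example.com"}
KEYS = {"pgp": "PGP-KEY-PLACEHOLDER", "smime": "SMIME-CERT-PLACEHOLDER"}
RULES = [Rule("client@example.com", "encrypt", "PGP/MIME"),
         Rule("*", "opportunistic", "S/MIME")]

def route(to, key_follows_keyring=False):
    return evaluate(to, RULES, KEYRING, KEYS, key_follows_keyring)
```

With the default switch, a recipient without a key on the keyring gets an S/MIME-formatted message still signed by the PGP key, which is the mismatch discussed in post 3.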



  • 5.  RE: Using multiple keys for same e-mail address?

    Posted Mar 28, 2014 02:45 PM

    Thanks again, very much, dcats. I explored the use of the opportunistic encryption and that part works perfectly. A shame about the use of keys though.


  • 6.  RE: Using multiple keys for same e-mail address?

    Broadcom Employee
    Posted Apr 09, 2014 11:45 AM

    Hi slartibartfast098,

    I would suggest you post an Idea here: https://www-secure.symantec.com/connect/security/ideas
    If you have the possibility to open a Technical Support case, please do it and file a Feature Request, this would bring traction to this request.


    Thank you and regards,
    dcats