OpenPGP support

Your website states that the email encryption gateway supports S/MIME and OpenPGP. It goes on to describe how S/MIME works, but could you give similar details about how OpenPGP works with the gateway?

Thanks in advance.

PGP support works in a similar way to S/MIME. The major difference is
that S/MIME works with X.509 certificates and PGP works with PGP keys.
Trust with S/MIME is hierarchical, whereas with PGP keys are
individually trusted.

See admin guide for more info:

https://www.ciphermail.com/documents/html/administration-guide/

Kind regards,

Martijn Brinkers

On 08/28/2015 03:28 PM, Ted Andrews wrote:

--
CipherMail email encryption

Open source email encryption gateway with support for S/MIME, OpenPGP
and PDF messaging.

Twitter: http://twitter.com/CipherMail

Thanks for the quick response, Martijn. I'm still unclear.

The docs state that if PGP is checked, "outgoing email is encrypted". Does that mean that if a message is received encrypted with a PGP key, the message is not automatically decrypted?

Also, where are the PGP keys maintained? On the individual recipient's machine or on the server running CipherMail? If the latter, how are keys managed? Does each user need to add their key and the associated keys manually?

Thanks for the quick response, Martijn. I'm still unclear.

The docs state that if PGP is checked, "outgoing email is encrypted".
Does that mean that if a message is received encrypted with a PGP
key, the message is not automatically decrypted?

If an email comes in, it's decided whether the email is for an internal
recipient or an external recipient. Email for internal recipients is
handled by the internal pipeline and decrypted if encrypted and if a
private key for decryption is available. Email for external recipients
is handled by the external pipeline and is encrypted if some sort of
rule says that the email must be encrypted and if encryption is
possible. Whether or not a recipient is internal or external is defined
by the "Locality" property (by default, a recipient is considered
external). Typically you would add a domain object for every domain you
receive email for and set the Locality of the domain to "Internal".

To come back to your question, email encrypted with PGP for internal
recipients is decrypted. Email for external recipients is encrypted
(either with S/MIME, PGP, PDF etc.).

Also, where are the PGP keys maintained? On the individual
recipient's machine or on the server running CipherMail? If the
latter, how are keys managed? Does each user need to add their key and
the associated keys manually?

Because it's a gateway product, all keys are maintained on the gateway.
With a gateway solution the administrator maintains the keys and sets
the policies. For example, a policy can be defined to always encrypt
email sent to a particular domain. Hardcore PGP users might consider
storing keys on a gateway a no-go. Whether or not this is acceptable
depends on your requirements. The best way to look at it is to consider
the keys to be corporate keys (more or less similar to DKIM). For
additional security, you might consider storing and generating the keys
inside an HSM which is a hardware device that securely stores keys.

Kind regards,

Martijn Brinkers

On 08/31/2015 02:13 PM, Ted Andrews wrote:

--
CipherMail email encryption

Open source email encryption gateway with support for S/MIME, OpenPGP
and PDF messaging.

Twitter: http://twitter.com/CipherMail

Are keys associated with domains or individuals? In other words, if I want to send an encrypted message to joe@abc.com and to mark@abc.com, do I have to import 2 keys or 1? If I need separate keys and require that all messages going to abc.com must be encrypted, what happens if I only have 1 key?

It looks like HSM support is only available for the Enterprise version -- is that correct?

I'm more interested in the answers being related to PGP, not S/MIME or PDF.

And, last question, how much is the Enterprise version and how is it licensed (per user, per domain, other)?

Thanks again for your fast response.

Are keys associated with domains or individuals? In other words, if I
want to send an encrypted message to joe@abc.com and to mark@abc.com,
do I have to import 2 keys or 1? If I need separate keys and require
that all messages going to abc.com must be encrypted, what happens if
I only have 1 key?

That depends on how you set it up. If a PGP key is trusted, it's
associated with the email addresses embedded in the PGP key (to be
precise, in the UID). You can however associate a domain with a PGP key.
Once a domain is associated with a key, all email sent to that domain
will be encrypted with that key. This way you can set up domain-to-domain
encryption with PGP keys.

Now suppose you did not set up domain-to-domain encryption and you send a
message to joe@abc.com and to mark@abc.com and you only have a valid key
for joe@abc.com; then an encrypted email will be sent to joe@abc.com.
What happens with the email to mark@abc.com depends on the settings. If
email encryption is mandatory or some trigger forced encryption (for
example a subject rule or DLP rule), then the email will not be PGP
encrypted and other encryption forms are tried (for example PDF
encryption or webmail). If all other forms of encryption are not
available (or not enabled), then the sender will receive a bounce
message that the message to mark@abc.com cannot be sent.

It looks like HSM support is only available for the Enterprise
version -- is that correct?

Yes that is correct. An HSM is a specialized (and expensive) device
which requires additional configuration and libraries.

Kind regards,

Martijn Brinkers

On 08/31/2015 03:14 PM, Ted Andrews wrote:

--
CipherMail email encryption

Open source email encryption gateway with support for S/MIME, OpenPGP
and PDF messaging.

Twitter: http://twitter.com/CipherMail
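The two answers above describe how the gateway decides per recipient: the Locality of the recipient's domain selects the internal (decrypt if a private key exists) or external pipeline, and the external pipeline uses a domain-associated key, then a key whose UID carries the address, then other enabled forms (PDF, webmail), and otherwise bounces. This Python model of that decision is an added example, not CipherMail's code; `Gateway`, its attribute names and the constructed addresses are assumptions, and delivering an encrypted message unchanged when no private key exists is assumed rather than stated in the thread.

```python
from dataclasses import dataclass, field


@dataclass
class Gateway:
    """Routing rules as described in the thread; names are my own."""
    internal_domains: set                       # domains whose Locality is "Internal"
    private_keys: set                           # internal addresses with a decryption key
    address_keys: set                           # addresses present in trusted PGP key UIDs
    domain_keys: set = field(default_factory=set)        # domains associated with a key
    mandatory_domains: set = field(default_factory=set)  # "always encrypt" policy
    fallbacks: tuple = ()                       # other enabled forms, e.g. ("pdf", "webmail")

    @staticmethod
    def domain(addr: str) -> str:
        return addr.rsplit("@", 1)[1].lower()

    def inbound(self, rcpt: str, encrypted: bool) -> str:
        """Internal pipeline: decrypt only if a matching private key exists."""
        if encrypted and rcpt.lower() in self.private_keys:
            return "decrypt"
        return "deliver"  # plaintext, or encrypted without a key (assumed: passed on as-is)

    def outbound(self, rcpt: str, triggered: bool) -> str:
        """External pipeline: PGP by domain or UID, else other forms, else bounce."""
        dom = self.domain(rcpt)
        if dom in self.domain_keys or rcpt.lower() in self.address_keys:
            return "encrypt:pgp"
        if not (triggered or dom in self.mandatory_domains):
            return "send-plain"           # no rule requires encryption
        if self.fallbacks:
            return "encrypt:" + self.fallbacks[0]
        return "bounce"                   # encryption required but impossible

    def route(self, rcpt: str, encrypted: bool = False, triggered: bool = False) -> str:
        if self.domain(rcpt) in self.internal_domains:
            return self.inbound(rcpt, encrypted)
        return self.outbound(rcpt, triggered)


def demo() -> dict:
    """Constructed scenario from the thread: a trusted key for joe@abc.com only."""
    gw = Gateway({"example.org"}, {"alice@example.org"}, {"joe@abc.com"},
                 mandatory_domains={"abc.com"}, fallbacks=("pdf",))
    no_fallback = Gateway({"example.org"}, set(), {"joe@abc.com"}, mandatory_domains={"abc.com"})
    d2d = Gateway({"example.org"}, set(), set(), domain_keys={"abc.com"})
    return {"joe": gw.route("joe@abc.com"),                          # encrypt:pgp
            "mark_pdf": gw.route("mark@abc.com"),                    # encrypt:pdf
            "mark_bounce": no_fallback.route("mark@abc.com"),        # bounce
            "mark_d2d": d2d.route("mark@abc.com"),                   # encrypt:pgp
            "alice": gw.route("alice@example.org", encrypted=True),  # decrypt
            "other": gw.route("bob@other.net")}                      # send-plain
```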