Set up email encryption and digital signing
1. Request DigiCert KU digital credentials through myKU portal (requires log in with a KU Online ID)
You will receive two separate emails from DigiCert. Read the instructions for this step BEFORE opening the emails
. Use Internet Explorer (on Windows) or Safari (on Macintosh) to process the links in the emails you receive in this step. If you use Firefox, you will need to manually
export the certificates it generates, and then import them for use with Outlook.
2. Process email from DigiCert to create certificates
After requesting KU digital credentials you will receive two email notices from DigiCert: one for creating a digital ID for escrowed encryption, and one for creating a digital ID for email authentication. You need both of these. The emails will come from DigiCert Support (email@example.com) and the links will be to https://www.digicert.com/ and will not request any personal information other than a certificate password. Be sure to process both
of the emails. Select a system below for specific instructions:
Please read the instructions for the system you are using before you open the email from DigiCert and generate your certificates.
After installing the two certificates, configure your email program to use them as shown in step 3, below. If you have questions, please contact your departmental technical support staff or the Information Technology Customer Service Center (785-864-8080 or firstname.lastname@example.org
3. Configure your email program to use the certificates.
Why should I use digital signatures and/or encryption?
Digital signatures and encryption are complementary methods for making email more secure. A digital signature ensures the recipient that the email is really from the stated sender and that it has not been modified. Encryption protects the contents of the email so that only the recipient(s) to whom it is addressed can read it. This permits the use of email for sending confidential or sensitive information that must be kept secure. KU has Data Classification Policies and Standards that require encryption when sending any sensitive information. These policies are online at:
Data Classification and Handling Policy
Data Classification and Handling Procedures Guide
When should I use a digital signature?
A digital signature should be used whenever you want to prove to the recipient that you are the true sender of the email and that the email contents have not been modified. In an ideal world, all email would be digitally signed; however, not all email clients can validate digital signatures. You might want to sign email only if you know that the recipient uses Outlook, OWA with the S/MIME extension, or another email client that can verify the signature.
When should I encrypt email?
Encryption is appropriate for transmitting Personally Identifiable Information and/or confidential information, such as information covered by FERPA, HIPAA, GLB, PCI, etc. Anytime there is a name along with an identifying number (e.g., employee number, student ID number, grades or rosters information, etc.), encryption is appropriate. Encryption is not recommended for non-identifiable information or for general communication regarding meeting times, non-confidential info, etc. Overuse of encryption for normal business matters is not recommended.
Will having encryption on my Outlook change or mess-up my email?
No, everything will work exactly the same except that you will be able to send and receive encrypted messages when communicating with others who have encryption capabilities.
What if I try to send encrypted email to someone who does not have encryption capabilities?
When you click send, you will receive a pop up on your screen indicating that the intended recipient does not have encryption. You will also see buttons that allow you to cancel or send the message unencrypted. Choosing to send the email without encryption removes encryption for all recipients. If you are sending to a list of multiple users or to a distribution list and one or more of the users does not have encryption, you will see an additional option to 'Continue.' Choosing this option encrypts the message to all recipients but only those with encryption capabilities will be able to view it.
What happens if someone receives an encrypted message, but does not have email encryption installed?
They will receive the message, but they will not be able to open or read the contents of the message; they will only be able to see the header and the sender of the message. If the user installs encryption at a later date, they still will not be able to read encrypted messages sent before they set up encryption.
What is the best way to maintain access to old encrypted email?
Do not delete or overwrite the certificates when you get new certificates. Do not remove your old certificates or keys from the Windows keystore or Macintosh keychain. For archival and recovery purposes always retain all your certificates and keys in a specially marked folder.
Why can't I see the Encryption\Digital signature buttons on my toolbar?
(This is dependent on which version of Outlook you are running)
Encryption icons are not available on the Toolbar. In order use the encryption, once you are in a message view, you must go to Options and select the box(es) to digitally sign and/or encrypt a message.
Outlook 2003 or later:
- Make sure you are looking in a message view. The Encryption/Digital Signing buttons do not appear on the toolbars of the main Outlook page. You must be on a screen where a message can be sent in order for the buttons to be visible. By clicking New, Reply or Forward, you will be able to see the digital signing and encryption buttons on your toolbar.
- If the buttons still are not showing, make sure that the Formatting toolbar is visible. (Go to View->Toolbars-> Formatting) Once the Formatting toolbar is visible, use the drop down arrow to add the Encryption/Digital signature buttons. (When adding these buttons, they actually appear on the Standard toolbar).
- If the buttons were showing but are no longer visible, click the drop down arrow on the Standard tool bar and re-add them.
Can I send a digitally signed and/or encrypted message to a distribution list?
- KU Group Lists will allow you to send encrypted emails, but only those recipients who have encryption certificates installed will be able to read the message.
- Mailman mailing lists will not allow you to send an encrypted email.
(Learn more about differences between KU Groups Lists and Mailman mailing lists)
Are departmental email accounts eligible for this service?
Yes, it is possible. Please contact the KU IT Customer Service Center with your request at 785-864-8080 or email@example.com
If I forward an encrypted message to someone else will they be able to read it?
Yes, if they have encryption certificates installed. The forwarded email will be sent using the public key in the new recipient's certificate.
What happens if I attach an encrypted message that I received to an outgoing email?
The user will be unable to open the attached email because the encryption was directed to you, the person who originally received it.
Why did a screen pop up that says a specific user does not have encryption capabilities when I know that they have set up encryption?
The user's certificate may not have been published to the Global Address List (GAL), or may have been published too recently. Outlook on Windows uses an "offline address book." Each night Exchange generates a new address book for Outlook to download. If the user you are sending to published their certificate recently, just wait a day for the update to take effect. Alternatively, you can add a contact record for the person. This will pull a copy of their certificate directly from Active Directory.
You can use the Certificate Directory link on the KU Email Certificates page in the myKU Portal to make sure that someone has published their encryption certificate. If they have not, contact them and ask them to publish their certificate if it does not appear in the certificate directory.
Another alternative is to have the person send you digitally signed email. When you receive this, it will provide you with their certificate, which you can then use to send them encrypted email. A final option is to manually retrieve the person's certificate from the Certificate Directory link on the KU Email Certificates page in the myKU Portal. Whichever option you choose, you only need to use it once for any given recipient. You will then be able to send them encrypted email without any special setup in the future.
How do I publish to the Global Address List?
In Outlook, click on the Tools menu->go to the bottom of the list and click on Options-> Choose the security tab-> Click the bottom left hand button that says Publish to GAL->Enter your encryption password. If you do not use Outlook, send email signed using your certificate to firstname.lastname@example.org with the subject line: Publish my certificate.
How do I change my encryption password?
You will need to export the encryption certificate from the certificate store with the private key and enter another password. After it has been exported as a PFX, the certificate can be deleted out of the store and the exported one can be installed with the new password. (Be sure that the private key is exportable. The option will be grayed out if it is not possible. Do not remove the private key from the certificate store if the private key was not exported.)
Why can I no longer open encrypted messages or send digitally signed messages?
The most common reason for this problem is losing access to keys in your Windows keystore. This will result in the following message: "Your Digital ID cannot be found by the underlying security system
Re-installing credentials from the file in which you originally received your encryption certificate may fix the problem. If the problem is with your signing certificate contact the IT CSC to have a link sent from DigiCert to generate a new signing certificate.
Do I need to save the emails I got after requesting my certificates?
No, it is not necessary to save the emails but it is STRONGLY RECOMMENDED that you save a copy of the downloaded credentials file to a secure location. This may be your U: drive, other network drive, or an encrypted USB device. Contact your IT Support Staff
for advice or assistance.
Can I set my email client options to automatically digitally sign, or to automatically encrypt all email?
Yes, either or both can be set as defaults; however, automatically encrypting all email is rarely a good idea. You must have access to a recipient's certificate in order to send them encrypted email. The Exchange Global Address List (GAL) automatically provides certificate access for all KU users configured to use encrypted email. You can store certificates for others in your Contacts or Macintosh Keychain. If you attempt to send email to an address for which a certificate cannot be found, you will receive a warning and can cancel sending the email.
If a professor wanted to email a student and include private information, such as the student's KU Online ID or grades, would the student also need encryption?
Yes. However, KU does not provide encryption services to students at this time (except for student employees). Without the option to encrypt, it is inappropriate to include confidential or sensitive information in an email.
I got a new computer and now my encryption doesn't work. Why?
The encryption set up has to be done on each computer you use to process email.
I use more than one computer, how does that affect my ability to send or read encrypted messages?
Encryption capabilities will only be available if it is set up on each computer.
I use my home computer to do campus work and read or respond to email. Can I have encryption set up on it?
The handling of University Information must comply with University policy and procedures. The certificates will need to be installed on the machine and should be set to use “strong private key protection” which will require you to type in the password for the certificate every time you wish to open an encrypted email.
Can I use encryption on my mobile device?
At this time, KU's encryption service does not support the use of encryption on mobile devices.
Can I use a different KU-issued email address (alias) rather than my default KU email address to send/receive encrypted email?
Certificates are generated using your registered KU address, which can
be a KU alias address. If you have not already requested certificates, you can use the Manage Email Aliases and Forwarding
link in MyIdentity to set your registered address to the one you want to use. If you already have a certificate and want to change to a different email address, you will need to change your registered address and get a certificate for the new address. You may request this by contacting the KU IT Security Office at email@example.com
I read my KU email through the Email link on the main KU Web Page. Can I use encryption?
Yes, encryption can be used with the Outlook Web App (OWA), but only with Windows Internet Explorer. As with any other use of encryption, you must have downloaded and installed DigiCert certificates, and configured your computer to use them.
When traveling I use my phone, tablet or OWA access on other computers (e.g., motel computers), will I still be able to use my email?
Yes, but you will be limited to opening un-encrypted email only. All emails you receive will be listed in your inbox as usual. You will be able to see that you have received an encrypted message and who it is from, but will not be able to open it because you will not have encryption capabilities on the machine you are using. If you must use encryption, plan to carry a University laptop that has the encryption software installed and configured.
Can I exchange encrypted email with someone outside of KU?
You must both set your email client programs (e.g. Outlook) to use digital certificates for S/MIME security. If you are currently using KU email encryption, you have already set up your computer. The non-KU person should follow instructions provided by the source of their certificate. If the non-KU person is using a certificate issued by their own university or company, you may need to set your computer to accept their certificate. This will not be necessary if their certificate is issued through a commercial certificate authority such as DigiCert, Thawte, VeriSign, or Comodo, which has a root certificate already on your system. If you are asked to install a root certificate from another school or company, please contact the KU IT Security Office at firstname.lastname@example.org
. To send encrypted mail, you must each have a digital certificate for the other person. The easiest way to arrange this with someone outside KU is to send them a digitally signed email and have them send you a digitally signed reply. Once you have each other's certificates, you can exchange encrypted email exactly as you would with someone at KU.
How can a non-KU person get a certificate for email encryption?
Options for non-KU people include getting a certificate from a commercial certificate authority or getting a certificate from their company or university if it operates a certificate authority. (A certificate authority is a trusted central administrative entity that can issue digital certificate to users.) Have the non-KU person with whom you want to exchange encrypted email go to Instant SSL by Comodo »
and follow the instructions to set up a certificate and configure their email client.
What are some risks of using non-KU email encryption?
The level of assurance that a certificate provides depends on the processes used by the certificate authority issuing it. There is a risk in accepting a certificate from an unknown source. You are trusting the certificate as evidence that the person you are communicating with is who they claim to be. This assurance can come from trust in how the certificate authority that issued the certificate verified the person's identity, or you can confirm their identity in some other way, such as a non-email communication. When you receive encrypted email, remember that KU mail services have not been able to check it for viruses or other malware. Be especially careful that the antivirus and anti-malware software on your computer and/or device is up to date. If you receive encrypted email from a non-trusted source it is safest to discard it without opening. Always consider the risks in sending information in any form, whether encrypted or not. Never distribute proprietary or confidential information to someone who does not have a legitimate need for the information, or to anyone who cannot keep the information secure.