Set up email encryption and digital signing
1. Request DigiCert KU digital credentials through the myKU portal (requires logging in with a KU Online ID).
You will receive two separate emails from DigiCert. Read the instructions for this step BEFORE opening the emails. Use Internet Explorer (on Windows) or Safari (on Macintosh) to process the links in the emails you receive in this step. If you use Firefox, you will need to manually export the certificates it generates, and then import them for use with Outlook.
2. Process email from DigiCert to create certificates
After requesting KU digital credentials you will receive two email notices from DigiCert: one for creating a digital ID for escrowed encryption, and one for creating a digital ID for email authentication. You need both of these. The emails will come from DigiCert Support (email@example.com) and the links will be to https://www.digicert.com/ and will not request any personal information other than a certificate password. Be sure to process both of the emails. Select a system below for specific instructions:
Please read the instructions for the system you are using before you open the email from DigiCert and generate your certificates.
After installing the two certificates, configure your email program to use them as shown in step 3, below. If you have questions, please contact your departmental technical support staff or the Information Technology Customer Service Center (785-864-8080 or firstname.lastname@example.org).
3. Configure your email program to use the certificates.
Why should I use digital signatures and/or encryption?
Digital signatures and encryption are complementary methods for making email more secure. A digital signature assures the recipient that the email is really from the apparent sender and that it has not been modified. Encryption protects the contents of the email so that only the recipient(s) to whom it is addressed can read it. This permits the use of email for sending confidential or sensitive information that must be kept secure. KU has Data Classification Policies and Standards that require encryption when sending any sensitive information. These are online at:
Data Classification and Handling Policy
Data Classification and Handling Procedures Guide
When should I use a digital signature?
A digital signature should be used whenever you want to prove to the recipient that you are the true sender of the email and that the email contents have not been modified. In an ideal world all email would be digitally signed; however, not all email clients can validate digital signatures. You may want to sign email only if you know that the recipient uses Outlook, OWA with the S/MIME extension, or another client that can verify the signature.
When should I encrypt email?
Encryption is appropriate for transmitting Personally Identifiable Information or confidential information such as information covered by FERPA, HIPAA, GLB, PCI, etc. Anytime there is a name along with an identifying number (such as employee number, student ID number, grades or rosters information, etc.), encryption is appropriate. Encryption is not recommended for non-identifiable information or for general communication regarding meeting times, non-confidential info, etc. Overuse of encryption for normal business matters is not recommended.
Will having encryption on my Outlook change or mess up my email?
No, everything will work exactly the same except that you will be able to send and receive encrypted messages when communicating with others who have encryption capabilities.
What if I try to send encrypted email to someone who does not have encryption capabilities?
When you click send, you will receive a pop up on your screen indicating that the intended recipient(s) do(es) not have encryption. You will also see buttons that allow you to cancel or send the message unencrypted. Choosing to send unencrypted removes encryption for all recipients. If you are sending to a list of multiple users or to a distribution list and one or more of the users does not have encryption, you will see an additional option to 'Continue'. Choosing this option encrypts the message to all recipients but only those with encryption capabilities will be able to view it.
What happens if someone receives an encrypted message, but does not have email encryption installed?
They will receive the message, but they will not be able to open or read the contents of the message; they will only be able to see the header and the sender of the message. If the user installs encryption at a later date, they still will not be able to read encrypted messages sent before they set up encryption.
What is the best way to maintain access to old encrypted email?
Do not delete or overwrite the certificates when you get new certificates. Do not remove your old certificates or keys from the Windows keystore or Macintosh keychain. For archival and recovery purposes, always retain all your certificates and keys in a specially marked folder.
Why can't I see the Encryption/Digital signature buttons on my toolbar?
(This is dependent on which version of Outlook you are running.)
Encryption icons are not available on the Toolbar. In order to use encryption, once you are in a message view, you must go to Options and select the box(es) to digitally sign and/or encrypt a message.
Outlook 2003 or later:
- Make sure that you are looking in a message view. The Encryption/Digital Signing buttons do not appear on the toolbars of the main Outlook page. You must be on a screen where a message can be sent in order for the buttons to be visible. By clicking New, Reply or Forward you will be able to see the digital signing and encryption buttons on your toolbar.
- If the buttons still are not showing, make sure that the Formatting toolbar is visible. (Go to View->Toolbars-> Formatting) Once the Formatting toolbar is visible, use the drop down arrow to add the Encryption/Digital signature buttons. (When adding these buttons, they actually appear on the Standard toolbar).
- If the buttons were showing but are no longer visible, click the drop down arrow on the Standard toolbar and re-add them.
Can I send a digitally signed and/or encrypted message to a distribution list?
- KU Group Lists will allow you to send encrypted emails, but only those recipients who have encryption capabilities will be able to read the message.
- Mailman mailing lists will not allow you to send an encrypted email.
(Learn more about differences between KU Groups Lists and Mailman mailing lists)
Are departmental email accounts eligible for this service?
Yes, it is possible. Please contact the KU IT Customer Service Center with your request at 785-864-8080 or email@example.com
If I forward an encrypted message to someone else will they be able to read it?
Yes, as long as they have encryption capabilities. The forwarded email will be sent using the public key in the new recipient's certificate.
What happens if I attach an encrypted message that I received to an outgoing email?
The new recipient will be unable to open the attached email because it was encrypted to you, the person who received it originally.
Why did a screen pop up that says a specific user does not have encryption capabilities when I know that they have set up encryption?
The user's certificate may not have been published to the Global Address List (GAL), or may have been published too recently. Outlook on Windows uses an "offline address book." Each night Exchange generates a new address book for Outlook to download. If the user you are sending to published their certificate recently, just wait a day for the update. Alternatively, you can add a contact record for the person. This will pull a copy of their certificate directly from Active Directory.
You can use the Certificate Directory link on the KU Digital Email Certificates web page in the myKU Portal to make sure that someone has published their encryption certificate. If they have not, contact them and ask them to publish their certificate if it does not appear in the certificate directory.
Another alternative is to have the person to whom you want to send encrypted mail send you digitally signed email. When you receive this it will provide you with their certificate, which you can then use for encryption. A final option is to manually retrieve the person's certificate from the Certificate Directory link on the KU Digital Email Certificates web page in the myKU Portal. Whichever option you choose, you only need to use it once for any given recipient. You will then be able to send them encrypted email without any special setup in the future.
How do I publish to the Global Address List?
In Outlook, click on the Tools menu -> go to the bottom of the list and click on Options -> choose the Security tab -> click the bottom left hand button that says Publish to GAL -> enter your encryption password. If you do not use Outlook, send email signed using your certificate to firstname.lastname@example.org with the subject line: Publish my certificate.
How do I change my encryption password?
You will need to export the encryption certificate from the certificate store with the private key and enter another password. After it has been exported as a PFX, the certificate can be deleted out of the store and the exported one can be installed with the new password. (Be sure that the private key is exportable. The option will be grayed out if it is not possible. Do not remove the private key from the certificate store if the private key was not exported.)
Why can I no longer open encrypted messages or send digitally signed messages?
The most common reason for this problem is losing access to keys in your Windows keystore. This will result in the following message: "Your Digital ID cannot be found by the underlying security system."
Re-installing credentials from the file in which you originally received your encryption certificate may fix the problem. If the problem is with your signing certificate contact the IT CSC to have a link sent from DigiCert to generate a new signing certificate.
Do I need to save the emails I got after requesting my certificates?
No, it is not necessary to save the emails but it is STRONGLY RECOMMENDED that you save a copy of the downloaded credentials file to a secure location. This may be your U: drive, other network drive, or an encrypted USB device. Contact your technical support person for advice or assistance.
Can I set my email client options to automatically digitally sign, or to automatically encrypt all email?
Yes, either or both can be set as defaults; however, automatically encrypting all email is rarely a good idea. You must have access to a recipient's certificate in order to send them encrypted email. The Exchange Global Address List (GAL) automatically provides certificate access for all KU users configured to use encrypted email. You can store certificates for others in your Contacts or Macintosh Keychain. If you attempt to send email to an address for which a certificate cannot be found you will receive a warning and can cancel sending the email.
If a professor wanted to communicate with student(s) private information like Student ID, would the student(s) also need encryption?
Yes and no. Students are the keepers of the information, and can choose to divulge or share that information with the professor. At some point, encryption may be made available to students, but currently email encryption is supported only for faculty and staff.
I got a new computer and now my encryption doesn't work. Why?
The encryption setup has to be done on each computer you use to process email.
I use more than one computer, how does that affect my ability to send or read encrypted messages?
Encryption capabilities will only be available on a computer where encryption has been set up; it must be set up on each computer you use.
I use my home computer to do campus work and read or respond to email. Can I have encryption set up on it?
The handling of University Information must comply with University policy and procedures. The certificates will need to be installed on the machine and should be set to use “strong private key protection” which will require you to type in the password for the certificate every time you wish to open an encrypted email.
Can I use encryption on my mobile device?
At this point KU IT does not support the use of encryption on mobile devices. Theoretically, any smartphone or tablet that supports S/MIME email could process encrypted email, but because such devices are generally less secure it is not recommended.
Can I use encryption through KUAnywhere?
Yes, encryption can be used through any ISP (Internet Service Provider) as long as the computer you are using contains your digital IDs (keys and certificates) (or is configured to access them from an Aladdin eToken) and Outlook is configured to use them.
Can I use a different KU-issued email address (alias) than my registered (official) KU email address to send/receive encrypted email?
Certificates are generated using registered KU addresses. This doesn't have to be the same as the Exchange username. If you have not already requested certificates you can use the Manage Email Aliases and Forwarding MyIdentity link to set your address to the one you want to use. If you already have a certificate and want to change to a different address you will need to change your registered address and get a certificate for the new address. You may request this by contacting IT Security, email@example.com
I read my KU email through the Email link on the main KU Web Page. Can I use encryption?
Yes, encryption can be used with the Outlook Web App (OWA), but only with Windows Internet Explorer. As with any other use of encryption, the user must have downloaded and installed DigiCert certificates, and configured their system to use them.
When traveling I use my phone/PDA or OWA access on other people's computers (e.g., motel computers). Will I still be able to use my email?
Yes, but you will be limited to opening unencrypted email only. All emails you receive will be listed as usual. You will be able to see that you have received an encrypted message and who it is from, but you will be unsuccessful in trying to open it because you will not have encryption capabilities on the machine you are using. If you must use encryption, plan to carry a University laptop that has the encryption software installed and configured.
Can I exchange encrypted email with someone outside of KU?
You must both set your email client programs (e.g. Outlook) to use digital certificates for S/MIME security. If you are currently using KU email encryption you have already set up your end. The non-KU person should follow instructions provided by the source of their certificate. If the non-KU person is using a certificate issued by their own university or company you may need to set your computer to accept their certificate. This will not be necessary if their certificate is issued through a commercial certification authority (CA) such as Thawte, VeriSign, or Comodo whose root certificate is already on your system. If you are asked to install a root certificate from another school or company please contact the KU IT Security Office, firstname.lastname@example.org. To send encrypted mail you must each have a digital certificate for the other person. The easiest way to arrange this with someone outside KU is to send them digitally signed email and have them send you a digitally signed reply. Once you have each other's certificates you can exchange encrypted email exactly as you would with someone at KU.
How can a non-KU person get a certificate for email encryption?
Options for non-KU people include getting a certificate from a commercial CA or getting a certificate from their company or university if it operates a CA. (A Certificate Authority (CA) is a trusted central administrative entity that can issue digital certificates to users.) Have the non-KU person with whom you want to exchange encrypted email go to: http://www.instantssl.com/ssl-certificate-products/free-email-certificat... and follow the instructions at that link to set up a certificate and configure their email client.
What are some risks of using non-KU email encryption?
The level of assurance that a certificate provides depends on the processes used by the CA (Certificate Authority) issuing it. There is a risk in accepting a certificate from an unknown source. You are trusting the certificate as evidence that the person you are communicating with is who they claim to be. This assurance can come from trust in how the CA that issued the certificate verified the person's identity, or you can confirm their identity in some other way, such as a non-email communication. When you receive encrypted email, remember that KU mail services have not been able to check it for viruses or other malware. Be especially sure that the anti-malware software on your device is up to date. If you receive encrypted email from a non-trusted source it is safest to discard it without opening it. Always consider the risks in sending information in any form, whether encrypted or not. Never distribute proprietary or confidential information to someone who does not have a legitimate need for the information or to anyone who cannot keep the information secure.
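Several answers above (why signing and encryption are different things, why an attached encrypted message cannot be opened by the new recipient, and why the mail service cannot scan encrypted mail for malware) come down to the MIME structure S/MIME gives a message. The following script is an added example, not code from the KU FAQ or from KU IT: it classifies an inbound message as signed, encrypted or plain from its Content-Type headers alone, the way a gateway or help-desk triage script could without holding any private key, flags attached (not forwarded) encrypted messages, and holds encrypted mail from outside the organisation for review. The internal domain example.edu, the three sample messages, and the base64 bodies (which are placeholders, not real CMS data) are all constructed for the example.

```python
# Added example (not from the KU FAQ): classify S/MIME protection on inbound
# mail from MIME structure alone, with no private key.
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Media types used by S/MIME (RFC 8551); the "x-" spellings are legacy forms
# that some older clients still emit, so both are accepted.
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIGNATURE = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


def smime_kind(part: Message) -> str:
    """Classify one MIME entity as 'encrypted', 'signed', 'opaque' or 'plain'.

    Enveloped (encrypted) and opaque-signed mail both arrive as one
    application/pkcs7-mime body; the smime-type parameter tells them apart.
    Clear-signed mail is multipart/signed with a detached pkcs7-signature part.
    """
    ctype = part.get_content_type()  # lower-cased by email.message
    if ctype in PKCS7_MIME:
        smime_type = str(part.get_param("smime-type", "")).lower()
        if smime_type == "enveloped-data":
            return "encrypted"
        if smime_type in ("signed-data", "certs-only"):
            return "signed"
        # No smime-type: the CMS blob itself would have to be parsed, so a
        # gateway must treat the content as uninspectable.
        return "opaque"
    if ctype == "multipart/signed":
        if str(part.get_param("protocol", "")).lower() in PKCS7_SIGNATURE:
            return "signed"
    return "plain"


def triage(raw: str, internal_domains: set) -> dict:
    """Build a triage record for one inbound message.

    Encrypted content cannot be malware-scanned at the gateway, so encrypted
    mail from outside the organisation is held for a human decision. Attached
    message/rfc822 parts that are themselves encrypted are listed separately:
    they were encrypted to the original recipient's certificate, so whoever
    receives the attachment cannot open it.
    """
    msg = message_from_string(raw)
    outer = smime_kind(msg)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    attached_encrypted = []
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload()[0]  # the embedded message object
            if smime_kind(inner) == "encrypted":
                attached_encrypted.append(part.get_filename() or "(unnamed)")

    scannable = outer not in ("encrypted", "opaque")
    if not scannable and sender_domain not in internal_domains:
        action = "hold-for-review"
    elif not scannable:
        action = "deliver-unscanned"
    else:
        action = "scan-and-deliver"

    return {"outer": outer, "sender_domain": sender_domain, "scannable": scannable,
            "attached_encrypted": attached_encrypted, "action": action}


# Constructed samples. "MIIBAAAAAAAA" is a placeholder, not a real CMS blob.
SAMPLES = {
    "encrypted_from_outside": """From: Pat Partner <pat@partner.example>
To: staff@example.edu
Subject: Contract
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIIBAAAAAAAA
""",
    "clear_signed": """From: Chris Colleague <chris@example.edu>
To: staff@example.edu
Subject: Roster
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig"

--sig
Content-Type: text/plain

Roster follows next week.
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIIBAAAAAAAA
--sig--
""",
    "attached_encrypted": """From: Chris Colleague <chris@example.edu>
To: staff@example.edu
Subject: Fwd: see attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="mix"

--mix
Content-Type: text/plain

Attaching the message I received.
--mix
Content-Type: message/rfc822
Content-Disposition: attachment; filename="original.eml"

From: Pat Partner <pat@partner.example>
To: chris@example.edu
Subject: Contract
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIIBAAAAAAAA
--mix--
""",
}

INTERNAL = {"example.edu"}  # constructed placeholder for the organisation's own domain


def demo() -> dict:
    """Triage the three constructed samples and return the records by name."""
    return {name: triage(raw, INTERNAL) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, record in demo().items():
        print(name, record)
```

The third sample is the "attach" case from the FAQ: the outer message is plain and scannable, but the attached original.eml is still enveloped-data addressed to the first recipient, which is exactly why the person receiving it cannot open it, whereas a forward would have been decrypted and re-encrypted to the new recipient's certificate.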