Email Encryption & Digital Signatures
Email encryption is a way to send an encoded message that can only be decoded by someone with the proper key. A digital signature is a mathematical algorithm that helps validate that a message is from the stated sender, and that the content of the message has not changed since it was sent.
KU uses InCommon certificates for email signing and encryption, and digital certificates are available to all current KU faculty, staff, and student staff. You can digitally sign email to anyone — on or off campus — with no special setup required by the recipient.
More information, including the difference between digital signatures and email encryption:
Request Security Certificates
Information on how to request and install digital certificates for email encryption is available in our Knowledge Base.
Digital Certificate FAQs
Digital signatures and encryption are complementary methods for making email more secure protecting your privacy.
A digital signature ensures the recipient that the email is really from the stated sender and that it has not been modified. Encryption protects the contents of the email so that only the recipient(s) to whom it is addressed can read it. This permits the use of email for sending confidential or sensitive information that must be kept secure. KU's data classification policies and standards require encryption when sending any sensitive information. These policies are online at:
A digital signature should be used whenever you want to prove to the recipient that you are the true sender of the email and that the email contents have not been modified. In an ideal world, all email would be digitally signed; however, not all email clients can validate digital signatures. You might want to sign email only if you know that the recipient uses Outlook, OWA with the S/MIME extension, or another email client that can verify the signature.
Encryption is appropriate for transmitting Personally Identifiable Information and/or confidential information, such as information covered by FERPA, HIPAA, GLB, PCI, etc. Anytime there is a name along with an identifying number (e.g., employee number, student ID number, grades or rosters information, etc.), encryption is appropriate.
Encryption is not recommended for non-identifiable information or for general communication regarding meeting times, non-confidential info, etc.
Overuse of encryption for normal business matters is not recommended.
When you click send, you will receive a pop up on your screen indicating that the intended recipient does not have encryption. You will also see buttons that allow you to cancel or send the message unencrypted. Choosing to send the email without encryption removes encryption for all recipients. If you are sending to a list of multiple users or to a distribution list and one or more of the users does not have encryption, you will see an additional option to 'Continue.' Choosing this option encrypts the message to all recipients but only those with encryption capabilities will be able to view it.
They will receive the message, but they will not be able to open or read the contents of the message; they will only be able to see the header and the sender of the message. If the user installs encryption at a later date, they still will not be able to read encrypted messages sent before they set up encryption.
Yes, either or both can be set as defaults; however, automatically encrypting all email is rarely a good idea. You must have access to a recipient's certificate in order to send them encrypted email. If you attempt to send email to an address for which a certificate cannot be found, you will receive a warning and can cancel sending the email.
You must both set your email client programs (e.g. Outlook) to use digital certificates for S/MIME security. If you are currently using KU email encryption, you have already set up your computer. The non-KU person should follow instructions provided by the source of their certificate. If the non-KU person is using a certificate issued by their own university or company, you may need to set your computer to accept their certificate. This will not be necessary if their certificate is issued through a commercial certificate authority such as DigiCert, Thawte, VeriSign, or Comodo, which has a root certificate already on your system. If you are asked to install a root certificate from another school or company, please contact the KU IT Security Office at firstname.lastname@example.org. To send encrypted mail, you must each have a digital certificate for the other person. The easiest way to arrange this with someone outside KU is to send them a digitally signed email and have them send you a digitally signed reply. Once you have each other's certificates, you can exchange encrypted email exactly as you would with someone at KU.