More and more organizations have a need for a smooth solution to secure emails. Managing the full lifecycle and securing the distribution of certificates for email encryption and signatures is critical for most businesses.
Emails have long been exploited as a gateway into an organization. With phishing, email spoofing and other email-based attacks on the rise, the need to secure email communication and channels has become urgent. Especially when sensitive information is being communicated, such as personal data, financial information and customer contracts, emails must be protected to avoid harming the company’s reputation.
S/MIME (Secure/Multipurpose Internet Mail Extensions) protects your emails from unwanted access, by using asymmetric cryptography. The standard provides message integrity and privacy via data encryption, as well as proving the origin of the message and ensuring non-repudiation via digital signatures.
The S/MIME protocol is the industry standard for public-key encryption for MIME-based data, and is based on X.509 digital certificates.
Secure email applications with S/MIME
S/MIME certificates enable the following applications for protecting your email communication:
- Digital signatures
The content is digitally signed with an individual’s private key and is verified by the individual’s public key.
The content is encrypted using an individual’s public key and can only be decrypted with the individual’s private key.
Key benefits of S/MIME
- Proof of origin
The sender's identity can be validated by using digital signatures.
- Message integrity
The email content can be validated to ensure that it has not been altered.
Only the intended recipient of emails can actually read them, since only the recipient's private key can decrypt them.
The sender cannot claim to NOT have applied the digital signature, since it includes the sender's private key.
With the Digital ID management solution, you can issue and manage the lifecycle of certificates and distribute them to multiple devices, using the Smart ID Identity Manager. Some tasks are available via self-service, for example to request S/MIME certificates. For more information on the available use cases, self-service tasks, approval steps, and so on, see Digital ID.
Certificates can be issued from a trusted root, for example D-Trust or QuoVadis, or from Nexus' Corporate PKI solution. See also Integrate Identity Manager with certificate authority (CA).
With Nexus' Corporate PKI, key archiving and recovery is provided. If the encryption key for S/MIME is lost, it can be recovered and any loss of encrypted data can be avoided.
Use S/MIME certificates on desktop
When a smart card or virtual smart card is provisioned, the S/MIME certificates are ready to use in Outlook on your desktop. Your IT department need to configure the options to encrypt or digitally sign email messages in Outlook.
- Smart cards
S/MIME certificates can be issued on smart cards for signing and encrypting emails on your desktop. For more information on lifecycle management, available use cases and workflows in Smart ID, see Smart card management.
Most common card types are supported, see also Personal Desktop Client requirements and interoperability.
- Virtual smart cards
S/MIME certificates can be issued on virtual smart cards for signing and encrypting emails on your desktop. For more information on lifecycle management, available use cases and workflows in Smart ID, see Virtual smart card management.
Use S/MIME certificates on mobile device
Virtual smart cards can also be used for signing and encrypting emails on Android and iOS mobile devices. This works with all email apps with S/MIME functionality and access to a corresponding key chain, for example Apple mail.
- Single user
For a single user to sign or encrypt with S/MIME certificates, they must first be installed in the system keychain. See Install digital certificates using Smart ID Mobile App.
- Mobile device management
If a mobile device management (MDM) system is used within an organization, the IT department can set up email encryption for all users. This can be integrated with for example the MobileIron email client.
For more information on lifecycle management, available use cases and workflows in Smart ID, see Mobile virtual smart card management.