Encrypting Sent Email — An Often Overlooked Part of End-to-End Encryption

September 26th, 2012

You are proactive and security conscious.  You use end-to-end encryption software, like PGP or S/MIME or LuxSci SecureLine, to send your sensitive messages to their destinations, ensuring that the message content is encrypted the entire way … because otherwise, email is just plain insecure.

Oh – but what about the copies of these messages saved to your “Sent Email” folders?  Are they encrypted or secure?  Should they be?

Just Checking … Are they encrypted?

This depends a whole lot on both your provider and your software settings.  This discussion will be in the context of LuxSci.  Some of the concepts will be generalizable.  If you have a different provider and are unsure how these apply, ask them!

There are two ways for sent messages to be encrypted:

  1. Each message is individually encrypted
  2. The hard disk(s) on the server may be encrypted

People often ask if the hard disks are encrypted.  The general answer is “no” (though we offer this option at a premium price in certain dedicated scenarios).  Why?

  • Encrypted hard drives are slower and do not work well with non-specialized RAID for redundancy, size, and speed.  You can get around this by using specialized and more expensive hardware or encrypting the file system instead of the drive … but that is also slower.
  • They require pre-boot authentication … which often makes rebooting slower than it would otherwise be (read: manual intervention).
  • They protect you against the theft of the drives, but not against a hacker breaking into the system when it is running.  In modern premium data centers, the chance of a drive being stolen or misplaced is very, very small… vastly dwarfed by the chance of data being exposed to someone accessing the server remotely while it is running (legitimately or not).

As such, we generally do not use encrypted hard drives except for special orders. Of course, if it is worth the premium to you, hard drive encryption is always a good way to go.

What about individual message encryption?  The individual messages in your sent email folder(s) are encrypted on LuxSci only if you need a password to open them.  E.g. these could be encrypted with PGP, S/MIME, or saved in our Escrow system.

In general, sent email will not be encrypted unless you take steps to make it so.  There are many ways to do this.  One good method is covered below.

Why would sent email not be encrypted?

Sent email is generally not encrypted on a per-message basis because the vast majority of users are interested in the added usability of this scenario vs. that where everything is encrypted.  Why?  If every sent email message were individually encrypted:

  • You could not open individual messages without a password
  • You could not open individual messages in your regular email program (e.g. Outlook) without a special plugin or configuration (e.g. for PGP or S/MIME)
  • You could not search your sent email folder

Generally, most users prefer to do away with annoyance.  Also, these messages are stored on LuxSci’s servers and they already trust LuxSci as their business partner and enjoy its strict privacy policies.

However, some folks prefer that their email be encrypted all of the time — in sent email, in email archives, when sent to the recipient, etc.  Trusting anyone is out of the question and usability is an OK sacrifice for security.  Encrypting sent email and archives makes this possible.  It just takes a little bit of setup.  And, for this situation, an encrypted hard drive would not be enough — every message needs to be encrypted so that no one with access to the server or the backups could access the actual message content.

Ways to encrypt your sent email

The simplest and best way to accomplish end-to-end encryption including sent email encryption and protection against anyone else accessing your message content is to use PGP or S/MIME in your email program (e.g. Thunderbird or Outlook) and to send secure messages only to others similarly configured (see How to Install S/MIME and PGP Encryption Certificates into Major Email Clients).  Why?

  1. Your messages are encrypted in your email program and decrypted in that of your recipient.  Your sent messages can be suppressed or, if your program supports it, may be saved encrypted for you.
  2. You do not have to trust any service provider or server in between you and your recipients.

So, while this is ideal, it doesn’t work if:

  • Your recipients can’t all be configured to use PGP or S/MIME (it takes some work to set up properly).
  • You need to use a web-based email interface for sending and/or reading email.
  • Your email program doesn’t support saving sent email in an encrypted manner.
  • You do not want to be bothered by the amount of work involved in using PGP and/or S/MIME (e.g. program setup, key exchanges, explanations to recipients, etc.)

Encrypted Sent Email Recipe

The following recipe works with LuxSci SecureLine to encrypt all of your sent messages that are encrypted to the recipients (some folks send selected messages encrypted, some folks send all encrypted … this works for both).

  1. Add an S/MIME (or PGP if you like PGP) certificate to your user under your “Account > My Profile > Security Certificates” area.  We can generate one for you if you don’t already have one.
  2. Under “Email > My Email Tools > Outbound Email > Copies of Messages”, enable the “Forward a copy of all messages sent via SMTP or WebMail to a specific email address.” feature and enter your own email address as the destination.  Note: do not enable the “Send a copy of all messages sent via SMTP to your sent email folder” option on the same list, as that will not auto-encrypt the message on the way to your sent email folder.
  3. Under “Account > My Preferences > Email Composition > Behavior”, uncheck the option “Save a copy of sent messages…” under “Email Sent from WebMail”.  This prevents WebMail from saving an additional [insecure] copy of your sent messages.
  4. In your email program, if you are using one, turn off saving copies of sent email messages.
  5. In your LuxSci account, be sure that you do not have “Auto-decrypt inbound email” enabled.  It is disabled by default, but if you enabled it, then your secure email messages could be turned insecure on arrival if you have your PGP or S/MIME password saved with us (escrowed) for ease of recovery.
  6. Finally, in your “Email > My Email Tools > Inbound Email > Custom Email Filters” area, create a new custom email filter that matches all messages sent from you (the email address that you use as your From address in WebMail or your Email Program) to you (the email address entered in #2 above) and save them in your chosen sent email folder.
  7. In your “SecureLine TLS” areas (global and domain-wide), be sure that you do not have “use TLS whenever possible” enabled, or if you do, be sure to exclude your email address (from #2, above) from TLS. This will ensure that your certificate is used for encryption instead of TLS (which would leave the copies of your messages unencrypted when they arrive in your sent email folder).

How does this work?

  1. WebMail and your email program will no longer save copies of your sent email.
  2. Instead, copies of all sent email are emailed to you automatically after you send them from our servers.  If you used SecureLine to send the message securely, then this copy will also be sent securely.
  3. The secure copies of the messages will be encrypted via S/MIME or PGP for you.
  4. The copies will be emailed to you, match your custom email filter, and be saved in your chosen sent email folder.
  5. Insecure copies of your insecure messages will be easily opened and searched.  Secure copies of your secure messages will require a password to open (to decrypt using your S/MIME or PGP certificate).
  6. No insecure copies of secure messages will be saved in your sent email.

What about Email Archival?

In general, email archival systems may use encrypted disks, but they do not encrypt messages on a per-message basis.  And, even when they do, they keep enough of the message content in plain text in search indices that there can be information leakage there.  If you would like all secure messages in Premium Email Archival to be encrypted so that no one can access their content except for you (and so the content is out of the archival search engine), then you need to:

  1. Generate a PGP or S/MIME certificate for your email archival user just like you did for yourself.
  2. Be sure that “Use TLS Whenever Possible” in your SecureLine settings is off, or that the archival user is excluded from TLS use.  This ensures that this certificate is used instead of TLS for messages going to your archives.
  3. In the archival user’s LuxSci account, be sure that it does not have “Auto-decrypt inbound email” enabled.  It is disabled by default, but if you enabled it, then your secure email messages could be turned insecure on arrival.

With these settings in place, copies of outbound secure messages will be encrypted using the archival user’s certificate and end up in the archives in an encrypted form. In order to read the messages, you would need to download them from the archives and load them into an email program that can decrypt the PGP or S/MIME encryption.
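One way to check the outcome of the sent-email recipe and of the archival setup above, once the folder has been downloaded, is to classify every stored message by its MIME structure. This is an added example, not LuxSci code; it assumes the folder was exported as an mbox file, and the sample messages are constructed.

```python
import email
import mailbox
import sys

ARMOR = b"-----BEGIN PGP MESSAGE-----"

def classify(raw):
    """Classify one raw RFC 822 message: smime, pgp-mime, pgp-inline or unencrypted."""
    msg = email.message_from_bytes(raw)
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # Only enveloped-data is encrypted; signed-data is readable by anyone.
        # A missing smime-type is reported as unencrypted so it gets a manual look.
        kind = str(msg.get_param("smime-type", "")).lower()
        return "smime" if kind == "enveloped-data" else "unencrypted"
    if ctype == "multipart/encrypted":
        protocol = str(msg.get_param("protocol", "")).lower()
        if protocol == "application/pgp-encrypted":
            return "pgp-mime"
    for part in msg.walk():  # inline PGP: a text part that starts with an armored block
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            if body.lstrip().startswith(ARMOR):
                return "pgp-inline"
    return "unencrypted"

def audit(messages):
    """Map Message-ID -> classification for an iterable of raw messages."""
    report = {}
    for raw in messages:
        msg_id = email.message_from_bytes(raw).get("Message-ID", "<no-id>")
        report[msg_id] = classify(raw)
    return report

# Constructed sample messages; headers and bodies are made up for this example.
SAMPLES = [
    b"Message-ID: <1@example.test>\nContent-Type: application/pkcs7-mime;"
    b" smime-type=enveloped-data\nContent-Transfer-Encoding: base64\n\nAAAA\n",
    b"Message-ID: <2@example.test>\nContent-Type: multipart/encrypted;"
    b' protocol="application/pgp-encrypted"; boundary="b"\n\n'
    b"--b\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n--b--\n",
    b"Message-ID: <3@example.test>\nContent-Type: text/plain\n\n" + ARMOR + b"\n\nAAAA\n",
    b"Message-ID: <4@example.test>\nContent-Type: text/plain\n\nQuarterly numbers.\n",
    b"Message-ID: <5@example.test>\nContent-Type: application/pkcs7-mime;"
    b" smime-type=signed-data\nContent-Transfer-Encoding: base64\n\nAAAA\n",
]

if __name__ == "__main__":
    # Assumption: the optional argument is the path to an mbox export of the folder.
    src = (m.as_bytes() for m in mailbox.mbox(sys.argv[1], create=False)) if len(sys.argv) > 1 else SAMPLES
    for msg_id, kind in audit(src).items():
        print(kind, msg_id)
```

Messages reported as `unencrypted` are expected for mail that was sent insecurely; a copy of a message you sent securely showing up as `unencrypted` means one of the settings above is not in effect.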

Other Considerations

Can I use SecureLine Escrow instead of PGP or S/MIME for my sent email?

Yes, you can do this by following the same steps as above with the exception that you should not use a PGP or S/MIME certificate.  This will send the messages via Escrow (where all messages are individually PGP-encrypted and saved in a secured database).  If you choose to do this, we recommend:

  1. Update your preferences so that messages saved in escrow do not expire for a long time, e.g. 1 year or 10 years.  The default is 30 days, after which the messages are deleted.
  2. Configure SecureLine to use “SecureLine SecureSend Login” for message authentication instead of “Question and Answer” as it will give you a more consistent and more easily managed login for accessing these messages (this is the default setting for accounts).
  3. Use Premium Private Labeling with Message Center so that you can view and access any or all of the messages saved for you in Escrow from the SecureSend web portal.  Without this, you cannot actually open any Escrow message without the corresponding “notification” email (as that contains the passphrase to decrypt that single message).  This is slightly less secure but vastly more usable.

Are there any other cases where messages might be saved insecurely?

  • If you save a message as a “Draft” (or have auto-save Drafts enabled), then these “Draft” copies will be saved insecurely to your online “Drafts” folder.  We recommend disabling auto-saving of drafts if you are concerned about that.
  • Your email program may also auto-save drafts; check its particular settings in that regard.
  • When messages are received by LuxSci’s servers and processed for encryption, it is possible that very short lived unencrypted temporary files may be created (in a space that is never backed up for good reason).  The only way to avoid this is to have the messages pre-encrypted in your email program, as discussed above.
  • When you open an encrypted message in LuxSci WebMail the decrypted version of that message will be temporarily cached in a secured database so that WebMail can efficiently allow you to view it.  The only way to avoid this is to only use an email program to download and decrypt your messages on your own computer.

What about your backups?

LuxSci’s backups are snapshots of your email folder contents.  If a message is encrypted in your folder, then it is encrypted in all of our backups.

Can LuxSci operations staff access these encrypted messages?

LuxSci operations staff do have access to the raw contents of your email folders and even to your PGP and S/MIME keys if you have them uploaded in your LuxSci profile for use in WebMail.  However:

  • It is not possible for them to decrypt your PGP or S/MIME encrypted messages unless you give them the password to your certificate or unless you have that escrowed with us for safe keeping (e.g. in case you forget it).
  • It is not possible for them to decrypt SecureLine Escrow messages unless either (a) you provide them with the emailed notice that there is a message waiting in Escrow, or (b) the “Message Center” of Premium Private Labeling is enabled, which makes it easier for the end users to access their Escrow messages (notifications not needed).

So if you are concerned about any kind of access, even that of LuxSci staff, you should:

  • Use PGP or S/MIME in your email program and not through LuxSci SecureLine, or
  • Use SecureLine with PGP or S/MIME but do not “Escrow” your certificate passwords with us so we can’t access any encrypted messages, or
  • Use Escrow without the Premium Private Labeling “Message Center” feature.