SecureLineTM: Email Encryption
Encrypted, Secure Email: To Anyone, From Anyone
Home > Secure Email > HIPAA-compliant Email Hosting > SecureLine Email Encryption > How it Works
OVERVIEW
- Send Secure Email to Anyone.
- SecureLineTM seamlessly integrates three distinct modes of secure email communications: SMTP TLS, SecureLineTM Escrow, and SecureLineTM PKI, to ensure that you can securely communicate with anyone.
- Receive Secure Emails from Anyone.
- SecureLine's SecureSend Portal enables anyone to freely send secure emails to you.
Three Methods of Secure Email
- TLS
- Simple, Seamless, Transport Encryption. TLS ensures that
each message is transmitted from you all the way to your recipient's email
server over an "enforced secured channel", even though the message itself
is not encrypted within the channel. The message emerges from the
TLS-secured channel onto the recipient's email server and is delivered to the
recipient's INBOX like any regular email message. SMTP TLS prevents
eavesdropping, ensures transport encryption of messages, and is a
sufficient level of encryption for HIPAA.
Your recipients' email servers must support TLS for this mode of easy encryption to work (most do) — LuxSci determines this automatically for you and falls back to other mechanisms as needed. See also: SMTP TLS: All About Secure Email Delivery over TLS.
SecureLineTM users can disable TLS-Only sending on a per-message basis (e.g., if you prefer TLS in general, but would like to use Opportunistic TLS + something more secure (Escrow, PGP, or S/MIME) for particular messages).
More Details — SecureLineTM TLS
- Escrow
- Retrieve Secure Messages from a Web Portal. With SecureLineTM
Escrow, each recipient receives a simple email notice of a waiting message
in his/her INBOX. The recipient clicks on a link in that notice, answers a
security question or provides a password to verify his/her identity, and
then accesses the message over a secured connection.
Escrow enables sending secure messages to anyone, no matter what mail service they have.
More Details — SecureLineTM Escrow
- PKI
- PGP and S/MIME Certificates. SecureLineTM supports use of
S/MIME and PGP for message encryption and decryption. If you require
message content to be always encrypted and to be sent in full to the recipient,
then this is for you. It does require that your recipient be "set up" to
use S/MIME or PGP.
More Details — SecureLineTM PKI
SecureLineTM integrates all of these methods, using the best choice for each recipient based on your sending preferences. In general:
- TLS is easiest to use, though least secure. It is compatible with most recipients
- Escrow is very secure and compatible with any recipient; however, recipients have to go to our Web Portal to pick up messages.
- PKI is the most secure, but hardest to use as it requires communication of certificates and setup of email software for all recipients using it. Most people do not use PKI unless they have a specific need for it.
Three Methods Compared
| Security | TLS | Escrow | PKI |
|---|---|---|---|
Meets HIPAA Requirements |  |
|
|
Message encrypted during tranmission | |
|
|
Message encrypted at rest |  |
|
|
If the recipent's email account is compromised, messages can still be safe | |
 * |
|
Message content at rest protected from any LuxSci staff access? | |
** |
*** |
* Use of Escrow with "Question and Answer" recipient verification protects the messages if you use well chosen questions and answers. Use of "SecureSend Login" recipient verification allows the recipient's password to be easily reset by anyone with access to the user's email account. This is why "Question and Answer" authentication can be more secure.
** Escrow with "Message Center" enabled technically allows LuxSci operations staff to unlock saved messages, as the system needs to be able to open any saved messages for the user. Escrow with Message Center off (the default) eliminates the possibility of anyone for except the individual recipients themselves to unlock their messages.
*** PKI-encrypted messages can never be opened by LuxSci operations staff unless you have "Escrowed" the password to your private key with LuxSci for auto-decryption or password-recovery purposes.
| Feature | TLS | Escrow | PKI |
|---|---|---|---|
Recipient can reply securely to sender | |
|
|
Message content delivered to recipient INBOX | |
|
|
Secure messages appear just like regular messages to recipient | |
|
|
Recipient must retrieve message from a secure web site | |
|
|
Recipient must set up security software ahead of time | |
|
|
Sender can retract a message after sending | |
|
|
Sender can tell if recipient has read a message | |
|
|
Open tracking must be enabled in your LuxSci account to track if recipients have read messages sent over
TLS or PKI. Escrow has its own read tracking system included. | |||
Sender can get read receipts that always work | |
|
|
How Messages Are Encrypted
SecureLineTM selects the encryption method to use separately for each recipient of each message. As a result, a single message to multiple people can employ many different encryption methods. SecureLineTM takes care of this all behind the scenes — in general, little or no sender interaction is needed.
For every recipient, SecureLineTM goes through the following list of possible encryption options, in order, and uses the first one available for that recipient.
| Encryption Option | Discussion | |
|---|---|---|
1. | SMTP TLS Only | TLS Only for delivery is used if:
a. TLS Only delivery is enabled account-wide or domain-wide
b. The recipient's email servers support TLS
c. The recipient is not excluded from TLS delivery by your administrator
d. The sender has not opted this message out of TLS Only use |
TM and
the recipient's personal LuxSci preferences."> | ||
3. | PKI or Escrow Question and Answer from Address Book data | SecureLine will look in the sender's address
books for pre-configured encryption information for the recipient. This could be a PGP or S/MIME
public key or an Escrow Question and Answer. The first entry with encryption information found is used. User Address Books are searched in the following order: a. Preferred address book for SecureLine data, if specified
b. All subscribed address books, if there are any
b. Default address book, if none are subscribed
|
4. | Escrow with SecureSend Login | If the 'SecureSend Login' mode of Escrow recipient verification is enabled for your account, this will be used. |
5. | Escrow with SecureSend Login | If the recipient already has a SecureSend account, then the 'SecureSend Login' mode of Escrow recipient verification will be used. |
6. | Escrow with Default Question and Answer | If there is a default Escrow Question and Answer configured on the per-account, per-domain, or per-user level for this recipient, then that will be used. |
7. | Escrow prompts sender for a Question and Answer | When using LuxSci WebMail or Windows Outlook with the SecureLine Plugin, SecureLine can ask the sender to provide Questions and Answers as needed for new recipients. These can be auto-saved to the sender's address books for easy re-use. |
In cases where none of the first 6 options work and SecureLineTM cannot interact with the sender, SecureLineTM cannot send the message securely. The message will fail to send to this recipient and the preferred action to take in this case is followed (e.g. Send insecurely or send a bounce notice to the sender indicating the failure).
As long as "Escrow with SecureSend Login verification" or a default Question and Answer are provided, messages will always be able to be sent securely to anyone without sender input.
eBook: HIPAA-compliant Email Basics
Safeguarding your healthcare practice and protecting patient privacy
Book 1 in the LuxSci Internet Security Series.
Created by Erik Kangas, PhD
Get the HIPAA eBook
