Internal Recipients Encryption

If Internal Recipients have not been added in your system under Gateway --> Internal Recipients, this page will not show a recipient listing.

By default, when Internal Recipients are added to Hermes SEG, they are NOT configured with the ability to send encrypted email. Each Internal Recipient must be individually configured for the type of encryption you wish them to use.

On this page, only previously added Internal Recipients are listed. Note that under the Encryption Status section the PDF, S/MIME and PGP columns are set to No. Additionally, under the S/MIME Cert(s) section, the certificate icons are disabled, indicating that no S/MIME Certificates are present, and under the PGP Keyring(s) section the keyring icons are disabled, indicating that no PGP Keyrings are present (Figure 1).

Figure 1


Filter Internal Recipients Encryption

Setting a filter helps you narrow the listing down to specific recipients by email address or domain, so that encryption settings are easier to manage.

  1. In the Filter By field, enter a complete or partial email address or domain and click the Set Filter button. If any matches are found, the Internal Recipients Encryption listing will be populated with only the entries matching the filter you set (Figure 2).

Figure 2


  2. You can clear a filter you set by clicking the Clear Filter button at any time.

 

Configure Internal Recipients Encryption

  1. Under the Configure Encryption column of the Internal Recipient you wish to configure, click on the icon.
  2. In the Edit Internal Recipient Encryption page, under the PDF Encryption field, select Enabled if you wish to enable PDF Encryption for this recipient.
  3. Under the S/MIME Encryption field, select Enabled if you wish to enable S/MIME Encryption for this recipient. Please note that if you enable S/MIME Encryption, you must also create or import an S/MIME Certificate for this recipient.
  4. Under the Digital Signature field, select Digitally Sign ALL Outgoing Messages if you wish all outgoing messages from this recipient to be digitally signed with the S/MIME Certificate regardless of whether the message is encrypted. Otherwise, leave the default setting of Digitally Sign ONLY Encrypted Outgoing Messages selected, which will digitally sign ONLY outgoing messages that have been encrypted. Please note that Digital Signature requires an S/MIME certificate to be created or imported before any messages can be digitally signed.
  5. Under the PGP Encryption field, select Enabled if you wish to enable PGP Encryption for this recipient. Please note that if you enable PGP Encryption, you must also create or import a PGP Keyring for this recipient.
  6. Click on the Save and Apply Changes button (Figure 3).

Figure 3


  7. The button will display a status of Saving and Apply Changes, please wait... (Figure 4).

Figure 4


  8. Configuring encryption can be a time-consuming process. Please wait for a Success message from the system before clicking the Back to Internal Recipients Encryption button at the bottom of the page (Figure 5).

Figure 5


 

Generate Internal Recipient S/MIME Certificate

Do not attempt to generate an S/MIME Certificate for an Internal Recipient unless you have already enabled S/MIME encryption on that recipient.

  1. Under the S/MIME Certificate(s) section of the Internal Recipient you wish to generate a certificate for, click on the icon.
  2. You will be re-directed to the Add Recipient S/MIME Certificate page.
  3. Assuming you have previously created an Internal Certificate Authority, under the Certificate Authority field, select the Internal Certificate Authority you wish to use to generate the S/MIME certificate.
  4. Under the S/MIME Certificate Validity Period, select the number of years you wish this S/MIME Certificate to be valid. The default setting of 5 Years is recommended.
  5. Under the S/MIME Certificate Encryption Length, select the length of the certificate. The default setting of 4096-bits is recommended.
  6. Under the S/MIME Certificate Algorithm, select the algorithm you wish to use to generate the certificate. The default setting of RSA-SHA-512 is recommended.
  7. Under the Auto-Generate S/MIME Certificate and Private Key PFX password field, select Yes to have the system automatically generate a password for the PFX file, or select No if you wish to specify your own password. When generating a certificate, the system will also create a PFX (Personal Information Exchange) file and assign a password to it for security. A PFX file will contain both the public AND the private key of the generated certificate. The system uses the PFX file to send both the private and public key to the recipient that the certificate is being generated for, for backup purposes or for configuring an email client. It's recommended that you allow the system to generate a PFX file password.
  8. If you selected No in the Auto-Generate S/MIME Certificate and Private Key PFX password, enter the password you wish to use under the S/MIME Certificate and Private Key PFX password and enter the same password under the Verify S/MIME Certificate and Private Key PFX password field.
  9. Click on the Create Certificate button (Figure 6). Please note that clicking the Create Certificate button will not change the button status and the system may appear unresponsive. Please wait until the certificate is created and the system re-directs you back to the Internal Recipients Encryption page.

Figure 6


  10. The system will generate the certificate and automatically redirect you back to the Internal Recipients Encryption page.
  11. In the Internal Recipients listing, under the S/MIME Cert(s) section of the recipient you just generated a certificate for, you will note that the icon is now enabled and clickable, indicating that there are certificates present (Figure 7).

Figure 7


Import Internal Recipient S/MIME Certificate

Do not attempt to import an S/MIME Certificate for an Internal Recipient unless you have already enabled S/MIME encryption on that recipient.

Hermes SEG ONLY supports importing S/MIME certificates from PFX (Personal Information Exchange) files. Ensure that you have a PFX file which contains both the certificate and the private key, along with the password of the PFX file, before proceeding.
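
A pre-import check for the PFX requirement above, as an added example that is not part of the original page or of Hermes SEG. It assumes the OpenSSL command line tool (1.1.1 or later) is installed; the function names, the address alice@example.test and the password sample-pass are constructed for illustration.

```shell
# Added example (not Hermes SEG code): pre-import checks for a PFX file.
# make_sample_pfx DIR: constructed test data. Writes DIR/sample.pfx, a throwaway
# self-signed certificate for alice@example.test, password "sample-pass".
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -sha512 -nodes -days 30 \
        -subj "/CN=Alice Example" -addext "subjectAltName=email:alice@example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout pass:sample-pass -out "$1/sample.pfx"
}

# check_pfx FILE PASSWORD EMAIL: prints one finding per line; returns non-zero
# if the PFX should not be imported for EMAIL.
check_pfx() {
    work=$(mktemp -d) || return 2      # private (0700) scratch directory
    rc=0
    export PFX_PASS="$2"               # keep the password off the argument list
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes \
        -out "$work/key.pem" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys \
        -out "$work/cert.pem" 2>/dev/null ||
        { echo "FAIL: cannot open PFX (wrong password or not PKCS#12)"
          unset PFX_PASS; rm -rf "$work"; return 1; }
    unset PFX_PASS
    # The public key derived from the private key must equal the certificate's.
    key_pub=$(openssl pkey -in "$work/key.pem" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$work/cert.pem" -noout -pubkey 2>/dev/null)
    if [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]; then
        echo "OK: private key matches certificate"
    else
        echo "FAIL: no private key, or it does not match the certificate"; rc=1
    fi
    # -email lists addresses from the subject and subjectAltName.
    if openssl x509 -in "$work/cert.pem" -noout -email 2>/dev/null | grep -qixF "$3"; then
        echo "OK: certificate names $3"
    else
        echo "FAIL: certificate does not name $3"; rc=1
    fi
    if openssl x509 -in "$work/cert.pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "OK: certificate has not expired"
    else
        echo "FAIL: certificate has expired or is unreadable"; rc=1
    fi
    # Informational: key length and signature algorithm, to compare with policy.
    openssl x509 -in "$work/cert.pem" -noout -text 2>/dev/null |
        grep -E 'Public-Key:|Signature Algorithm:' | sed 's/^ *//' | sort -u
    rm -rf "$work"
    return $rc
}
```

The unencrypted private key exists only inside the temporary directory, which is deleted before the function returns.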

  1. Under the S/MIME Cert(s) section of the Internal Recipient you wish to import a certificate for, click on the icon.
  2. You will be re-directed to the Import Recipient S/MIME Certificate page.
  3. Under the Select PFX File section, click on the Choose File button.
  4. Browse to the location of the PFX file, select the file and click the Open button (Figure 8).

Figure 8


  5. The name of the PFX file you chose will appear next to the Choose File button (Figure 9).

Figure 9


  6. Under the PFX file password field, enter the password to the PFX file (Figure 10).

Figure 10


  7. Under the Add to Certificate Trust List field, select Yes to add the certificate to the system Certificate Trust List. Selecting Yes is always recommended unless you have a specific reason not to trust the certificate you are importing. In that case, select No (Figure 10).

Figure 10


  8. Click the Import Certificate button (Figure 11).

Figure 11


  9. After a successful import, click on the Back to Internal Recipients Encryption button on the bottom of the page (Figure 12).

Figure 12


  10. Back at the Internal Recipients Encryption page, in the Internal Recipients listing, under the S/MIME Cert(s) section of the recipient you just imported a certificate for, you will note that the icon is now enabled and clickable, indicating that there are certificates present (Figure 13).

Figure 13


Download or Send PFX File

Hermes SEG allows you to download the password-protected PFX file containing the certificate and private key, or to send it to the Internal Recipient.

  1. At the Internal Recipients Encryption page, under the S/MIME Cert(s) section, click on the icon of the recipient whose PFX file you want to download or send. You will be re-directed to the View Recipient S/MIME Certificates page (Figure 14).

Figure 14


Download PFX File

NEVER share PFX File passwords via unsecured means such as unencrypted email, SMS text, etc.

  1. Click on the icon of the certificate you wish to download. Your browser will immediately start downloading the PFX file.
  2. If you wish to view the PFX password, click on the icon. You will be re-directed to the Send Recipient PFX Certificate File & Password page, where you will be able to view the PFX file password under the PFX Certificate File Password field (Figure 15).

Figure 15


Send PFX File

NEVER share PFX File passwords via unsecured means such as unencrypted email, SMS text, etc.

Hermes SEG will send the PFX file ONLY to the recipient email address that the certificate was generated/imported for.

  1. Click on the icon of the certificate you wish to send.
  2. You will be re-directed to the Send Recipient PFX Certificate File & Password page.
  3. Click on the Send Certificate button (Figure 16).

Figure 16


  4. If necessary, provide the password to the PFX file to the recipient via secured means.

 

Generate Internal Recipient PGP Keyring

Do not attempt to generate a PGP Keyring for an Internal Recipient unless you have already enabled PGP encryption on that recipient.

  1. Under the PGP Keyring(s) section of the Internal Recipient you wish to generate a PGP Keyring for, click on the icon.
  2. You will be re-directed to the Add Recipient PGP Keyring page.
  3. Under the Recipient Real Name section, enter the recipient's First and Last Name.
  4. Under the PGP Keyring Size, select the size of the keyring. The default setting of 4096-bits is recommended.
  5. Under the Auto-Generate PGP Secret Key Password field, select Yes to have the system automatically generate a password for the Secret Key, or select No if you wish to specify your own password. It's recommended that you allow the system to generate a Secret Key password.
  6. If you selected No in the Auto-Generate PGP Secret Key password, enter the password you wish to use under the PGP Secret Key Password and enter the same password under the Verify PGP Secret Key Password field below the first one.
  7. Click on the Create Keyring button (Figure 17). Please note that clicking the Create Keyring button will not change the button status and the system may appear unresponsive. Please wait until the keyring is created and the system re-directs you back to the Internal Recipients Encryption page.

Figure 17


  8. The system will generate the keyring and automatically redirect you back to the Internal Recipients Encryption page.
  9. In the Internal Recipients listing, under the PGP Keyring(s) section of the recipient you just generated a keystore for, you will note that the icon is now enabled and clickable, indicating that there are keyrings present (Figure 18).

Figure 18


Import Internal Recipient PGP Keyring

Do not attempt to import a PGP Keyring for an Internal Recipient unless you have already enabled PGP encryption on that recipient.

  1. Under the PGP Keystore(s) section of the Internal Recipient you wish to import a keystore for, click on the icon.
  2. You will be re-directed to the Import Recipient PGP Key page.
  3. Under the PGP Key Type field, select whether you will be importing a Public or a Private Key type. If you select a Private PGP Key Type, the Private PGP Key Password field below will become enabled.
  4. If you selected a Private PGP Key Type above, enter the private key password in the Private PGP Key Password field.
  5. Under the Select PGP Key File section, click on the Choose File button.
  6. Browse to the location of the PGP key file, select the file and click the Open button (Figure 19).

Figure 19


  7. The name of the PGP Key file you chose will appear next to the Choose File button (Figure 20).

Figure 20


  8. Click the Import Key button (Figure 21).

Figure 21


  9. After a successful import, click on the Back to Internal Recipients Encryption button on the bottom of the page (Figure 22).

Figure 22


  10. Back at the Internal Recipients Encryption page, in the Internal Recipients listing, under the PGP Keyring(s) section of the recipient you just imported a certificate for, you will note that the icon is now enabled and clickable, indicating that there are keystores present (Figure 23).

Figure 23


Delete Key, Download Public Key, Download Private Key, View Private Key Password and Publish Public Key

  1. At the Internal Recipients Encryption page, under the PGP Keystore(s) section, click on the icon of the recipient. You will be re-directed to the View Recipient PGP Keyrings page (Figure 24).

Figure 24


Delete Key

  1. Click on the icon of the key you wish to delete. You will be re-directed to the Delete Recipient PGP Key page (Figure 25).

Figure 25


  2. Click the Delete Key button. Please note that if you are deleting the Master Key, the system will automatically delete both the Master and any associated Sub Keys. If you are deleting a Sub Key, the system will only delete the Sub Key you selected to delete. If you wish to cancel, click on the Back to Recipient PGP Keyrings button.
  3. Clicking the Delete button will delete the key and re-direct you back to the Internal Recipients Encryption page (Figure 26).

Figure 26


Download Public Key or Private Key

Downloading the Public and Private Keys is useful for importing those keys into 3rd party PGP applications such as Enigma, Kleopatra, etc.

  1. Click on the icon under the Download Public or the Download Private column of the key you wish to download. Your browser will automatically begin downloading the key you clicked in ASCII armor format.

View Private Key Password

This feature is useful for finding out the Private Key password that the system automatically generates when generating a PGP Keyring. NEVER share Private Key passwords via unsecured means such as unencrypted email, SMS text, etc.

  1. Click on the icon under the View Password column of the key whose private key password you wish to view.
  2. You will be re-directed to the View Recipient PGP Private Key Password page (Figure 27).

Figure 27


Publish Public PGP Key

This feature is helpful with publishing recipient Public PGP Keys to Public PGP Key Servers. Public PGP Key Servers act as central repositories for public keys in order to assist in PGP cryptography.

Please note that if no PGP Key Servers are defined under Encryption --> PGP Key Servers, the icons under the Publish Key column of every key will be disabled.

  1. Click on the icon under the Publish Key column of the key you wish to publish.
  2. You will be re-directed to the Publish Recipient PGP Public Key page (Figure 28).

Figure 28


  3. By default all the configured Public PGP Key Servers are selected. If desired, uncheck any key servers in the list to which you do not wish to publish the public key, then click the Publish Key button.
  4. When finished, click on the Back to Recipient PGP Keyrings button on the bottom of the page.