Configuring Stormshield Data Mail

Stormshield Data Mail makes it possible to encrypt and sign e-mails to guarantee their confidentiality and integrity, and confirm the identity of the sender. Stormshield Data Mail runs with the help of an extension built into users' Outlook mail client.

For more information, refer to Securing e-mails in the SDS Enterprise Advanced user guide.

Securing e-mails: a few concepts

Stormshield Data Mail uses public key cryptography technology.

Each peer has one or several pairs of keys: a private key and a public key. The private key is carefully kept by its owner. The public key (certificate), by contrast, is freely distributed.

Stormshield Data Mail can use one of the following:

  • A single key pair for encryption and signing,
  • Two different key pairs, one for encryption, the other for signing.

For more information on key pairs, refer to Setting account creation parameters.
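The two-key-pair model above, as an added example that is not Stormshield's code and does not reproduce the S/MIME or PGP formats the agent actually uses: each user holds a signing pair and a separate encryption pair, the sender signs with its own signing private key, and the message is encrypted to the recipient's encryption public key. The algorithm choices (Ed25519 for signing, RSA-OAEP wrapping an AES-256-GCM content key for encryption), the envelope layout and the `Identity`/`SecuredMail` names are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity holds two distinct key pairs, as the guide allows: a signing pair
// (Ed25519) and an encryption pair (RSA-2048 with OAEP). Both algorithms are
// assumptions for this example; only the public halves are ever shared.
type Identity struct {
	SignPub  ed25519.PublicKey
	EncPub   *rsa.PublicKey
	signPriv ed25519.PrivateKey
	encPriv  *rsa.PrivateKey
}

func NewIdentity() (*Identity, error) {
	signPub, signPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	encPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Identity{SignPub: signPub, EncPub: &encPriv.PublicKey, signPriv: signPriv, encPriv: encPriv}, nil
}

// SecuredMail is a constructed envelope (not an S/MIME or PGP structure): the
// content key wrapped to the recipient's encryption public key, and signature
// plus body sealed under AES-256-GCM with that key.
type SecuredMail struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SignAndEncrypt signs with the sender's signing private key, then encrypts
// signature and body so that only the recipient's encryption private key opens them.
func SignAndEncrypt(sender *Identity, recipientEncPub *rsa.PublicKey, body []byte) (*SecuredMail, error) {
	sig := ed25519.Sign(sender.signPriv, body)
	rnd := make([]byte, 32+12) // AES-256 content key followed by a 12-byte GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	cek, nonce := rnd[:32], rnd[32:]
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientEncPub, cek, nil)
	if err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, append(sig, body...), nil)
	return &SecuredMail{WrappedKey: wrapped, Nonce: nonce, Ciphertext: sealed}, nil
}

// DecryptAndVerify unwraps the content key with the recipient's encryption
// private key, then checks the signature with the sender's signing public key.
func DecryptAndVerify(recipient *Identity, senderSignPub ed25519.PublicKey, m *SecuredMail) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.encPriv, m.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap content key: not the intended recipient")
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
	if err != nil || len(plain) < ed25519.SignatureSize {
		return nil, errors.New("ciphertext tampered with, wrong key or malformed payload")
	}
	sig, body := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	if !ed25519.Verify(senderSignPub, body, sig) {
		return nil, errors.New("signature does not match the claimed sender")
	}
	return body, nil
}

func main() {
	alice, _ := NewIdentity()
	bob, _ := NewIdentity()
	mail, _ := SignAndEncrypt(alice, bob.EncPub, []byte("Quarterly figures attached."))
	body, err := DecryptAndVerify(bob, alice.SignPub, mail)
	fmt.Printf("%s %v\n", body, err)
}
```

Why keeping the two pairs apart matters: the encryption private key is what allows mail sent to a user to be read, so it is the key an organisation may legitimately need to back up or recover (see Setting account creation parameters); the signing private key should only ever exist with its owner, because whoever holds it can impersonate them. Separate pairs let those two lifecycles differ.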

Encrypting and signing e-mails

To configure how e-mails are encrypted and signed:

  • Go to Policies > Features > Mail, and enable the settings of your choice.

Properties

Select the type of opaque or detached signature to use when sending and receiving e-mails. Refer to the section Digital signatures for further information.

If you choose to enable signature and encryption by default on all messages, the user will still be able to disable them on individual messages.

PGP encryption

If you choose to allow message encryption and decryption in PGP format, you must specify one or several WKDs (Web Key Directories) to query. Refer to the WKD server setting below.

WKD server

In the Directories menu of the policy, you can indicate the WKD servers to query for PGP encryption. These public key directories allow Stormshield Data Mail to retrieve the public PGP keys belonging to the recipients of encrypted e-mails. For more information, see the section Configuring corporate directories.
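How a Web Key Directory lookup is derived from an address, as an added example that is not part of the guide or the product: a client turns an e-mail address into the two well-known URLs it queries on a WKD, following the WKD specification (draft-koch-openpgp-webkey-service). The URL shapes, the SHA-1 plus z-base-32 hashing of the local part and the `?l=` parameter come from that draft; how the SDS agent itself queries the servers declared in the policy is not described on this page, and the `WKDLookup` type and function names are assumptions made here.

```go
package main

import (
	"crypto/sha1"
	"fmt"
	"net/url"
	"strings"
)

// z-base-32 alphabet used by the Web Key Directory specification
// (draft-koch-openpgp-webkey-service) to encode the hashed local part.
const zbase32Alphabet = "ybndrfg8ejkmcpqxot1uwisza345h769"

// zbase32 encodes data as z-base-32: 5 bits per character, no padding characters.
func zbase32(data []byte) string {
	var sb strings.Builder
	var buf uint32
	var nbits uint
	for _, b := range data {
		buf = buf<<8 | uint32(b)
		nbits += 8
		for nbits >= 5 {
			nbits -= 5
			sb.WriteByte(zbase32Alphabet[(buf>>nbits)&31])
		}
	}
	if nbits > 0 { // left-over bits are zero-padded on the right
		sb.WriteByte(zbase32Alphabet[(buf<<(5-nbits))&31])
	}
	return sb.String()
}

// asciiLower maps only ASCII uppercase letters, as the WKD hashing rule requires.
func asciiLower(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= 'A' && r <= 'Z' {
			return r + ('a' - 'A')
		}
		return r
	}, s)
}

// WKDLookup holds the two well-known URLs a client tries for one address.
type WKDLookup struct {
	LocalPart   string
	Domain      string
	Hash        string
	AdvancedURL string // tried first: openpgpkey.<domain>/.well-known/openpgpkey/<domain>/hu/<hash>
	DirectURL   string // fallback: <domain>/.well-known/openpgpkey/hu/<hash>
}

// WKDURLs derives the lookup URLs for an e-mail address: SHA-1 of the
// ASCII-lower-cased local part, z-base-32 encoded, with the local part as
// written passed back in the "l" query parameter.
func WKDURLs(email string) (WKDLookup, error) {
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 {
		return WKDLookup{}, fmt.Errorf("not a mailbox address: %q", email)
	}
	local, domain := email[:at], asciiLower(email[at+1:])
	sum := sha1.Sum([]byte(asciiLower(local)))
	hash := zbase32(sum[:])
	q := "?l=" + url.QueryEscape(local)
	return WKDLookup{
		LocalPart:   local,
		Domain:      domain,
		Hash:        hash,
		AdvancedURL: fmt.Sprintf("https://openpgpkey.%s/.well-known/openpgpkey/%s/hu/%s%s", domain, domain, hash, q),
		DirectURL:   fmt.Sprintf("https://%s/.well-known/openpgpkey/hu/%s%s", domain, hash, q),
	}, nil
}

func main() {
	l, err := WKDURLs("Joe.Doe@Example.ORG") // constructed address, the draft's own example
	if err != nil {
		panic(err)
	}
	fmt.Println(l.AdvancedURL)
	fmt.Println(l.DirectURL)
}
```

A WKD answer is only as trustworthy as the HTTPS endpoint of the domain that serves it, which is why restricting the agent to the WKD servers declared in the Directories menu of the policy matters: key retrieval then stays within directories you operate or have vetted rather than whatever a recipient's domain happens to publish.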

Directory update

When sending encrypted messages:

To update the trusted address book when sending encrypted messages, you must have declared an LDAP directory beforehand. For more information, see the section Configuring corporate directories.

When receiving a signed message:

Users can send their encryption certificates (their public keys) to co-workers by sending them a signed e-mail. You can choose whether recipients are allowed to manually import the certificate into their trusted address book, and whether the address book may be updated automatically. If you allow these operations only for known authorities, the sender's encryption certificate is imported only if it was issued by an authority whose certificate is already in the recipient's trusted address book.
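The known-authorities rule above, as an added example that is not Stormshield's code: a toy trusted address book that accepts the sender's certificate carried by a signed message only if it chains to an authority certificate already in the book, using Go's standard X.509 chain verification. The `TrustedAddressBook` type, the certificates generated at run time and the addresses used are all constructed for the example; nothing here reflects the agent's actual store format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TrustedAddressBook is a toy model (an assumption for this example) of a recipient's
// trusted address book: trusted authority certificates plus imported peer certificates.
type TrustedAddressBook struct {
	authorities *x509.CertPool
	contacts    map[string]*x509.Certificate // keyed by e-mail address
}

func NewTrustedAddressBook() *TrustedAddressBook {
	return &TrustedAddressBook{authorities: x509.NewCertPool(), contacts: map[string]*x509.Certificate{}}
}

// ImportFromSignedMail records the certificate that arrived with a signed message.
// With knownAuthoritiesOnly set, it is accepted only if it chains to an authority
// already in the book and is marked for e-mail protection.
func (b *TrustedAddressBook) ImportFromSignedMail(email string, cert *x509.Certificate, knownAuthoritiesOnly bool) error {
	if knownAuthoritiesOnly {
		opts := x509.VerifyOptions{
			Roots:     b.authorities,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		}
		if _, err := cert.Verify(opts); err != nil {
			return fmt.Errorf("certificate for %s not imported: %w", email, err)
		}
	}
	b.contacts[email] = cert
	return nil
}

// template builds a CA or end-user certificate template for the constructed test PKI.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.EmailAddresses = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	}
	return t
}

// issue creates a certificate from template with a fresh P-256 key; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// RunScenario trusts only the corporate CA, then tries to import one user
// certificate issued by it and one issued by an unrelated CA (constructed names).
func RunScenario() (aliceImported, malloryImported bool, err error) {
	corpCA, corpKey, err := issue(template("Corp Issuing CA", true), nil, nil)
	if err != nil {
		return
	}
	otherCA, otherKey, err := issue(template("Unrelated CA", true), nil, nil)
	if err != nil {
		return
	}
	alice, _, err := issue(template("alice@example.com", false), corpCA, corpKey)
	if err != nil {
		return
	}
	mallory, _, err := issue(template("mallory@example.net", false), otherCA, otherKey)
	if err != nil {
		return
	}
	book := NewTrustedAddressBook()
	book.authorities.AddCert(corpCA)
	aliceImported = book.ImportFromSignedMail("alice@example.com", alice, true) == nil
	malloryImported = book.ImportFromSignedMail("mallory@example.net", mallory, true) == nil
	return
}

func main() { fmt.Println(RunScenario()) }
```

The check is what separates "this certificate came in a signed mail" from "this certificate belongs to that person": without the issuer requirement, any party able to send a signed message could seed a recipient's trusted address book with a certificate of their choosing, so the automatic-update option is safest when combined with the known-authorities restriction.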

Automatic encryption and signature with Microsoft Purview

If your company uses the sensitivity label system offered by Microsoft Purview Information Protection, you can declare these labels in your SDS Enterprise policy and associate an automatic agent action. When the user applies a label to a message, the Agent checks its presence in the policy and triggers the corresponding security action: message encryption only, message signature only, or a combination of both.

To use sensitivity labels in the policy, you must know their names as defined by your company in the Microsoft Purview Information Protection configuration.

For each label:

  1. Enter the name (corresponding to the “Name” field and not “Display name” of the label configuration in the Microsoft Purview Information Protection product).

  2. Select the action(s) that the agent should automatically trigger when the label is used on a message.

The PGP encryption format is not supported by this feature.

NOTE
The sensitivity label feature only works with Office 365. For more information, see the Microsoft documentation.


For more information on the advanced use of the Mail feature on the SDS Enterprise agent, refer to the section Stormshield Data Mail.