Configuring Stormshield Data Mail

Stormshield Data Mail makes it possible to encrypt and sign e-mails to guarantee their confidentiality and integrity, and confirm the identity of the sender. Stormshield Data Mail runs with the help of an extension built into users' Outlook mail client.

For more information, refer to Securing e-mails in the SDS Enterprise Advanced user guide.

Securing e-mails: a few concepts

Stormshield Data Mail uses public key cryptography technology.

Each peer has one or several pairs of keys: a private key and a public key. The public key is closely guarded by its owner. The public key (certificate), by contrast, is freely distributed.

Stormshield Data Mail can use one of the following:

  • A single key pair for encryption and signing,
  • Two different key pairs, one for encryption, the other for signing.

For more information on key pairs, refer to Setting account creation parameters.

Encrypting and signing e-mails

To configure how e-mails are encrypted and signed:

  • Go to Policies > Features > Mail, and enable the settings of your choice.


Select the type of opaque or detached signature to use when sending and receiving e-mails. Refer to the section Digital signatures for further information.

If you choose to enable signature and encryption by default on all messages, the user will still be able to disable them on individual messages.

PGP encryption If you choose to allow message encryption and decryption in PGP format, you must specify one or several WKDs (Web Key Directories) to query. Refer to the following line in this table.
WKD server

In the Directories menu of the policy, you can indicate the WKD servers to query for PGP encryption. These public key directories allow Stormshield Data Mail to retrieve the public PGP keys belonging to the recipients of encrypted e-mails. For more information, see the section Configuring corporate directories.

Directory update

When sending encrypted messages:

To update the trusted address book when sending encrypted messages, you must have declared an LDAP directory beforehand. For more information, see the section Configuring corporate directories.

When receiving a signed message:

Users can send their encryption certificates (their public keys) to their co-workers by sending them a signed e-mail. You can choose whether to allow recipients to manually import the certificate into their trusted address books to update them, and whether to allow the address book to be automatically updated. If you allow these operations only for known authorities, this means that the user's encryption certificate will be imported only if it was issued by an authority with a certificate already in the recipient's trusted address book.

For more information on the advanced use of the Mail feature on the SDS Enterprise agent, refer to the section Stormshield Data Mail.