Email Encryption

The UM email encryption service is a selective message-based encryption solution that is available to all users with an @olemiss.edu email address. It encrypts the entire message and all attachments and then sends them securely to another email account.

Instructions

To encrypt an email, simply include the phrase *encrypt* anywhere in the subject line and send the message as normal. Note: This trigger phrase is not case-sensitive; otherwise, it must be entered exactly as shown, with both asterisks and no spaces between.

When to Use, and When not to Use, Email Encryption

Email, even when encrypted, is not an appropriate medium for transmitting many types of data. Any data protected by FERPA (student identification, grades, etc.), HIPAA (protected health information), GLBA (credit and banking information), or US government classification (confidential, secret, etc.) should NEVER be emailed to or by anyone regardless of encryption. This kind of information is very valuable, and should be treated as though very smart and sophisticated attackers are attempting to steal it from our organization at all times. If you have any doubts as to whether a particular type of information falls under one of these regulatory regimes, contact us for clarification.

That said, there are other kinds of information that University faculty and staff members may wish to transmit with a little extra protection. Email encryption in Office 365 adds a layer of protection for this kind of information while also preserving most of the convenience of email communication. Examples may include: sharing research ideas or results with collaborators; submitting reviews for a professional journal; transmitting one's own protected IP to an authorized party; and more. These data types fall outside of regulatory frameworks, and the balance between security and convenience in handling them is left to the individual user. Encrypted email is one tool available to University employees as they attempt to find the security/convenience balance that works for their specific purposes.

Encryption Process

The following steps are provided to illustrate the entire encryption process. They demonstrate how an email is created and decrypted by the recipient. In this example a UM user is sending email to an external address, but it is possible to send encrypted email to internal addresses as well. Select the steps and example images below to reveal more information.

1. The UM user sends an email with encrypt in the subject.

The UM user creates a new email and places the *encrypt* trigger phrase in the subject. Any type of file can be attached and it will be encrypted along with the message when it is sent.

2. The recipient receives an email with an encrypted HTML attachment.

The recipient receives an email notification about the encrypted message that includes a special HTML attachment. The attachment contains the entire encrypted contents of the original message.

3. The recipient opens the attachment and chooses a verification method.

The recipient opens the HTML attachment. This loads a portal and provides two methods of identity verification. UM recipients can "sign in" using a WebID; external recipients "use a one-time passcode".

4. Recipients who select "one-time passcode" receive another email.

Recipients who select "use a one-time passcode" will receive another message to the same address as before that contains the passcode. Note: Users who select "sign in" do not receive this email.

5. The recipient enters the passcode into the attachment’s portal.

The recipient returns to the browser where they opened the HTML attachment and enters the provided one-time passcode in the portal. This will verify their identity and decrypt the message for viewing.

6. The original message is decrypted and shown to the recipient.

The decrypted contents of the message are shown to the recipient. The original email can be read and the attachment can be accessed at this point. Note: The decrypted attachment can be saved elsewhere.

7. Optionally, the recipient can send an encrypted reply.

The recipient has the option to send an encrypted reply via the portal. Any documents attached will also be encrypted. Note: The sender will automatically receive a copy of their encrypted reply.

Additional Information

The encryption service is based on Office 365 Message Encryption (OME) technology. OME provides flexibility and it can be applied as-needed to any email that is sent from an @olemiss.edu account. It encrypts the email body, all attachments, and gives recipients the ability to easily send encrypted replies through a built-in portal.

External email (olemiss.edu to non-olemiss.edu) is the most common use case for email encryption. This layer of protection is particularly useful when confidential information needs to be sent to an outside email account, whereby the security of the receiving system is unknown. For example, it can be useful for sending messages to external email services such as Gmail and to other universities or government agencies. The email encryption service may also be appropriate if there is a need to send confidential information to UM students who use external accounts (including @go.olemiss.edu).

Internal email (olemiss.edu to olemiss.edu) is automatically encrypted in-transit between users and at-rest on the Office 365 servers. This assurance of security is upheld as long as the data remains on the Office 365 infrastructure. However, we must consider our email can be forwarded to an external account without our knowledge and/or accessed on improperly secured devices. The encryption service is available to provide an extra layer of protection for highly confidential internal messages.

Select the questions below for additional details about our Office 365 Message Encryption (OME) services:

Q. How does OME secure the contents of a message?

Office 365 Message Encryption (OME) packages the original message into a single encrypted attachment (an HTML file) and sends it to the recipients. The email recipient opens this HTML attachment using their browser (or the optional OME Viewer mobile app) to launch the OME portal. This portal provides an interface to verify their identity, and ultimately, to display the decrypted message. The recipient must verify their identity by proving that they have access to their email account (which was originally specified by the sender). If verification is successful, the original message/attachments are decrypted and shown to the recipient via the portal. The confidentiality and integrity of the original data should be upheld through this OME process.

It should be noted that the email Subject is Not Encrypted, and the original unencrypted message is usually saved in the sender's Sent Items Folder (they may want to manually delete this message). Additionally, it is always important understand the potential ramifications that can occur if decrypted contents are saved elsewhere, particularly on an insecure/shared system, or by way of compromised accounts.

Q. How do OME recipients verify their identity?

There are two methods to verify an identity in OME:

1. It can be verified through the use of a one-time passcode. This passcode is generated on the fly and sent to the recipient’s email account. The passcode verification method is an option for all users (internal and external), and we suggest using it in most cases if there is any confusion.

2. It can be verified by signing in with a Microsoft account. All @olemiss.edu email accounts (excluding aliases and some special accounts) are valid Microsoft Office 365 accounts and they can be used to sign in. A Microsoft account can also be an email address from another organization that use Office 365 services (including other participating universities), an account from an exclusive Microsoft email service (such as @outlook.com or @hotmail.com), or any other email address that has been previously registered with Microsoft (any personal email account can be registered).

Q. Do mobile devices work with OME and are there any other requirements?

With OME there is no dependency on device type, email client, operating system, or need to install software. Recipients use their regular email account and do not need to setup anything beforehand to open the encrypted messages. The only requirement is an internet browser and access to their email account.

There is an optional free OME Viewer application that can be used with mobile devices (instead of using the mobile browser). To view the message on an iPhone or iPad with the app: Open the message again, tap and hold the attachment, and select Open in OME Viewer. Use this link to download the iOS OME app. To view the message on an Android device with the app: Open the message again, tap the attachment, and select OME Viewer. Use this link to download the Android OME app.

Recipients receive basic instructions on how to open the encrypted message. In certain situations, it may also be helpful to let them know to be expecting an encrypted email ahead of time and/or to send them a link to this page, especially if they are unfamiliar with the overall OME process.

Q. Why do some messages come from Office365@messaging.microsoft.com?

When an encrypted reply is sent from the OME portal or the OME Viewer app, the sending email address is set to Office365@messaging.microsoft.com. This is because the encrypted message is sent through a Microsoft server. It helps to prevent encrypted messages from being marked as spam. The displayed name on the email and the address within the encryption portal are not changed because of this labeling. Also, this labeling only applies to messages sent through the portal, not through any other email client.

Q. How is OME different from S/MIME email encryption?

OME is a server-based encryption technology; it has minimal technical requirements and allows messages to be easily opened on most devices. S/MIME is a client-based encryption technology; it requires certificate management and it must be setup by all email recipients ahead of time. S/MIME does offer several unique and compelling benefits, and it can be used with UM Email / Office 365. However, S/MIME it is not an ideal solution for the majority of our users, mainly due to the additional technical requirements.

The IT helpdesk is NOT able to assist with S/MIME certificates, email client setup, data recovery, or provide any other S/MIME support. IT recommends using the supported encryption solution, OME, instead.

Q. How is OME different from RMS, IRM, and file-level encryption technologies?

The primary difference is OME encrypts the entire email message. Other information is provided below.

Rights Management Services (RMS) is the Microsoft technology that allows Office 365 accounts to be used for OME verification. RMS can also be applied directly to files (instead of email). This protection is persistent and independent of where the file is stored or how it is shared. Advanced features such as file expiration are also possible. An RMS aware application is required to manage the permissions. All Office 2013 and later programs are compatible and free standalone Windows and Mac RMS applications are available.

Information Rights Management (IRM) is another related Microsoft technology. It provides granular online/offline access controls, and can be applied directly to an Office document (e.g. to restrict printing/copying in Excel) or within Outlook/365 to internal emails via predefined templates (e.g. "Do Not Forward").

The benefits of other file-level encryption technologies such as password-protected 7zip files and Adobe Acrobat documents are important as well. All of these technologies can be used in conjunction with one another. For example, it is possible to apply file-level encryption to a PDF document (via Adobe Acrobat or Microsoft RMS), attach the PDF to an email, and encrypt it again at the message-level using OME. This would encrypt the message and keep file-level protection intact even if the PDF is saved elsewhere.

Q. What encryption method is used for OME?

The Microsoft Azure Rights Management Services (RMS) infrastructure is used to manage encryption keys for Office 365 Message Encryption (OME) and Information Rights Management (IRM). The specific encryption algorithms used are kept in line with the latest Federal Information Processing Standards (FIPS). See the provided documentation on RMS Cryptographic Modes for more information.

Q. Does OME provide content/language localization?

Incoming email and HTML content is localized based on sender email settings. The viewing portal is localized based on recipient's browser settings. However, the actual content of encrypted message is not localized.

Q. Is it possible to revoke an OME message from a recipient?

No. You cannot revoke a message after it has been sent.

Q. What is the maximum size and number of recipients for OME email?

There is a 25 mb size limit for email; this includes email body and attachments. A single OME encrypted message may be sent to multiple recipients. The recipient limit is based on the number of characters in the To field of the email. When combined (after distribution list expansion), recipient addresses in the To field should not exceed 11,980 characters. Since email addresses can vary in character length, there is not a standard recipient limit for a single encrypted message.

Q. What type of messages or data needs to be encrypted?

Additional restrictions and types of encryption may be required for particularly sensitive data. Please review the policies section of the IT Security website for details. We also recommend asking your supervisor for assistance if there are questions about the types of data that should be encrypted.

IT Security

Contact Information

Request Assistance