Email Encryption

You can encrypt emails and control the way users access their encrypted emails.

Restriction This option is only available with an Email Advanced license.

You can choose from the following email encryption methods.

  • Send via TLS. The message is protected only on the wire: the connection between mail servers is encrypted with TLS during transport, and no per-message encryption is applied. Recipients read and manage these emails in their usual email client. If the receiving server doesn't offer TLS, the message falls back to PDF encryption (see Setting up your email encryption method).
  • Push Encryption. The message body is converted to an encrypted PDF file and supported attachments are encrypted natively (other attachment types are wrapped as encrypted PDF files). The encrypted files are delivered to the recipient's usual email client.
  • Portal Encryption. This delivers encrypted emails to Sophos Secure Message. Recipients manage their encrypted emails in Sophos Secure Message.

You can turn on and manage email encryption using Data Loss Prevention policies.

Warning If you turn encryption off in Encryption settings, Data Loss Prevention can't apply rules that require encryption of outbound messages.

TLS authentication

TLS prevents eavesdropping on, and tampering with, the message while it is in transit between mail servers. It protects the connection, not the message itself: once delivered, the message sits unencrypted in the recipient's mailbox. Use Push or Portal Encryption if the content must stay encrypted after delivery.

Note Make sure your email gateway has TLS (Transport Layer Security) v1.2 turned on before enabling encryption here. If you don't, the connection with Sophos breaks and you won't be able to send or receive emails. The ciphers required are 'TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL'. In OpenSSL cipher-list syntax this selects the FIPS-approved TLS 1.2 suites plus the FIPS-approved suites that use RSA key exchange (kRSA), and excludes null-encryption (eNULL) and anonymous (aNULL) suites. Check that your gateway's TLS configuration overlaps with that list before turning encryption on. For more information, see FIPS mode and TLS.

Push Encryption

Push Encryption converts emails to PDF files. Users must be able to read PDF files.

  • Microsoft Office documents, ZIP files and PDF files are encrypted natively.
  • Multiple attachments may be generated from files that have been encrypted natively.
  • All other files, for example plain text and HTML, are encrypted as PDF files. Email content is encrypted as a PDF file.
  • You need to install Adobe Reader to view encrypted emails and attachments that are encrypted as PDF files.
  • You can view and reply to messages on mobile devices.
The first time a user is sent an encrypted email, Sophos Secure Message sends them a notification email. The notification email contains a link to Sophos Secure Message and asks them to set up a Sophos Secure Message password. The link in the notification email expires after 30 days.
Note The password can only be used for emails within the region that the original encrypted email came from. If users receive an encrypted email from another region, they need to set another password.

After setting their password, the user receives their encrypted email from Sophos, including any encrypted attachments. The user opens the encrypted email and enters the password they created.

Users reply to encrypted emails from their email client. They click Reply in the encrypted PDF file.

Users follow the same process whether you select Encrypt entire message or Encrypt attachments only.

Portal Encryption

Restriction Portal Encryption is only available with a Central Portal Encryption Add-on for Email Advanced license.

If you turn on Portal Encryption, users manage their encrypted emails from Sophos Secure Message.

The first time a user is sent an encrypted email, Sophos Secure Message sends them a notification email. The notification email contains a link to Sophos Secure Message and asks them to set up a Sophos Secure Message account. The link in the notification email expires after 30 days.
Note The account can only be used for emails within the region that the original encrypted email came from. If users receive an encrypted email from another region, they must set up another account.

After setting up their account, the user goes to Sophos Secure Message to read and reply to their encrypted emails.

Setting up your email encryption method

To turn encryption on or off, go to Global Settings > Encryption settings.

You can choose how to send secure messages.

  • Send via TLS. If TLS isn't available, the entire message is encrypted as a PDF file.
  • Push Encryption. Choose whether the whole email, including attachments, is encrypted, or just the attachments.
  • Portal Encryption. If Portal Encryption isn't available, the entire message is encrypted as a PDF file.
    Restriction Portal Encryption may not be available for all customers yet.

You can choose the language used for notification and registration emails. The default is English.

You can create a subject line tag for your users' encrypted messages. The tag isn't case sensitive.

Outlook Add-in (for Office 365 users only)

You can allow users to encrypt emails using the Outlook Add-in by downloading and installing the Outlook Add-in for the user's Outlook client. An Outlook Add-in is available for the Windows client, and another for both the macOS client and Outlook on the web (OWA).

Note The Outlook Add-in used for Mac clients only works if you have set up a subject line tag for your users' encrypted messages. If you change the subject line tag, you must download and re-install the Outlook Add-in on Mac clients.

To download an Outlook Add-in, click Download Windows Outlook Add-in or Download Web/Mac Outlook Add-in.

For installation instructions, see Installing the Sophos Outlook Add-in for Encryption.

To compose an encrypted email in their Outlook client, users click Encrypt. They can deselect Encrypt if they change their minds.

In web clients and Windows clients, clicking Encrypt flags the email for encryption and adds a header to the email.

In the Mac client, clicking Encrypt tags the message subject for encryption.

Addresses and domains

Add recipient addresses and domains for which you want to encrypt messages. Text isn't case sensitive and wildcards aren't supported.
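The sections above describe three things that mark an outbound message for encryption: the header added by the Windows and web Outlook Add-in, the subject-line tag used by the Mac Add-in (not case sensitive), and the recipient addresses and domains list (not case sensitive, no wildcards). The following is an added example, not Sophos's own code, showing how those three conditions combine when evaluated against raw RFC 822 messages. The header name X-Example-Encrypt, the tag [Secure], the recipient list and the sample messages are all constructed for illustration; the page does not give the real header name or value.

```python
"""Evaluate the encryption triggers described on this page against outbound
messages. Example code, not Sophos's logic; names below are assumptions."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

ENCRYPT_HEADER = "X-Example-Encrypt"   # assumed name; the page only says "adds a header"
SUBJECT_TAG = "[Secure]"               # assumed tag; set per tenant in Encryption settings


def normalise_entries(entries):
    """Lower-case the configured addresses/domains and reject wildcards,
    which the page says are not supported (an entry like '*.example.net'
    would otherwise silently never match)."""
    cleaned = set()
    for entry in entries:
        entry = entry.strip().lower()
        if "*" in entry:
            raise ValueError(f"wildcards are not supported: {entry!r}")
        if entry:
            cleaned.add(entry)
    return cleaned


# Constructed recipient list: one bare domain and one full address.
ENCRYPT_RECIPIENTS = normalise_entries(["Partner.Example.NET", "legal@example.org"])


def recipient_matches(addr: str, entries) -> bool:
    """True if addr equals a listed address, or its domain equals a listed
    domain. Matching is exact: 'partner.example.net' does not cover
    'mail.partner.example.net' because there is no suffix/wildcard matching."""
    addr = addr.strip().lower()
    if addr in entries:
        return True
    if "@" in addr:
        return addr.rsplit("@", 1)[1] in entries
    return False


def encryption_reasons(msg: Message, entries=ENCRYPT_RECIPIENTS, tag=SUBJECT_TAG):
    """Return the list of triggers that apply to a parsed message."""
    reasons = []
    # 1. Header set by the Windows / web Outlook Add-in (presence is the flag here)
    if msg.get(ENCRYPT_HEADER) is not None:
        reasons.append("header")
    # 2. Subject-line tag set by the Mac Add-in; the tag is not case sensitive
    if tag.lower() in msg.get("Subject", "").lower():
        reasons.append("subject-tag")
    # 3. Any recipient (To/Cc/Bcc) in the configured addresses-and-domains list
    raw_recipients = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    addresses = [addr for _, addr in getaddresses(raw_recipients)]
    if any(recipient_matches(a, entries) for a in addresses):
        reasons.append("recipient")
    return reasons


def should_encrypt(raw_message: str) -> bool:
    return bool(encryption_reasons(message_from_string(raw_message)))


# Constructed sample messages (minimal RFC 822 text).
SAMPLE_HEADER = """From: alice@example.com
To: bob@somewhere.example
Subject: Q3 figures
X-Example-Encrypt: true

See attached.
"""
SAMPLE_TAG = """From: alice@example.com
To: bob@somewhere.example
Subject: Re: [secure] contract draft

Draft attached.
"""
SAMPLE_DOMAIN = """From: alice@example.com
To: Carol <carol@Partner.Example.NET>
Subject: Invoice

Invoice attached.
"""
SAMPLE_SUBDOMAIN = """From: alice@example.com
To: dave@mail.partner.example.net
Subject: Hello

Plain message.
"""
SAMPLE_NONE = """From: alice@example.com
To: bob@somewhere.example
Subject: Lunch?

Plain message.
"""

if __name__ == "__main__":
    for name, raw in [("header", SAMPLE_HEADER), ("tag", SAMPLE_TAG),
                      ("domain", SAMPLE_DOMAIN), ("subdomain", SAMPLE_SUBDOMAIN),
                      ("none", SAMPLE_NONE)]:
        print(name, encryption_reasons(message_from_string(raw)))
```

This only models the conditions that mark a message for encryption; on the Sophos side the encryption itself is applied through the Data Loss Prevention policies described earlier, and those rules can't run if encryption is turned off in Encryption settings.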