You can encrypt emails and control the way users access their encrypted emails.
This option is only available with an Email Advanced license.
Go to Overview > Global Settings > Email Encryption.
You can choose from the following email encryption methods.
- Send via TLS. This uses push based email encryption using AES 256 during email transport. Users manage their encrypted emails with their usual email client.
- Push Encryption. Encrypted emails are converted to PDF files and attachments are natively encrypted. These are delivered to the users' email client.
- Portal Encryption. This delivers encrypted emails to Sophos Secure Message. Recipients manage their encrypted emails in Sophos Secure Message.
You can turn on and manage email encryption using Data Loss Prevention policies.
If you turn encryption off in Encryption settings, Data Loss Prevention can't apply rules that require encryption of outbound messages.
TLS prevents eavesdropping and tampering with the message in transit.
Make sure your email gateway has TLS (Transport Layer Security) v1.2 turned on before enabling encryption here. If you don't the connection with Sophos breaks, and you won't be able to send or receive emails. The ciphers required are 'TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL'. For more information, see FIPS mode and TLS.
Push Encryption converts emails to PDF files. Users must be able to read PDF files.
- Microsoft Office documents, ZIP files and PDF files are encrypted natively.
- Multiple attachments may be generated from files that have been encrypted natively.
- All other files, for example plain text and HTML, are encrypted as PDF files. Email content is encrypted as a PDF file.
- You need to install Adobe Reader to view encrypted emails and attachments that are encrypted as PDF files.
- You can view and reply to messages on mobile devices.
The first time a user is sent an encrypted email, Sophos Secure Message sends them a notification email. The notification email contains a link to Sophos Secure Message and asks them to set up a Sophos Secure Message password. The link in the notification email expires after 30 days.
The password can only be used for emails within the region that the original encrypted email came from. If users receive an encrypted email from another region, they need to set another password.
After setting their password, the user receives their encrypted email from Sophos, including any encrypted attachments. The user opens the encrypted email and enters the password they created.
Users reply to encrypted emails from their email client. They click Reply in the encrypted PDF file.
Users follow the same process whether you select Encrypt entire message or Encrypt attachments only.
Portal Encryption is only available with a Central Portal Encryption Add-on for Email Advanced license.
If you turn on Portal Encryption, users manage their encrypted emails from Sophos Secure Message.
The first time a user is sent an encrypted email, Sophos Secure Message sends them a notification email. The notification email contains a link to Sophos Secure Message and asks them to set up a Sophos Secure Message account. The link in the notification email expires after 30 days.
The account can only be used for emails within the region that the original encrypted email came from. If users receive an encrypted email from another region, they must set up another account.
After setting up their account, the user goes to Sophos Secure Message to read and reply to their encrypted emails.
Setting up your email encryption method
To turn encryption on or off, go to Overview > Settings > Encryption settings.
You can choose how to send secure messages.
- Send via TLS. If TLS isn't available, the entire message is encrypted as a PDF file.
- Push Encryption. Choose whether the whole email, including attachments, is encrypted, or just the attachments.
- Portal Encryption. If Portal Encryption isn't available, the entire message is encrypted as a PDF file.
You can choose the language used for notification and registration emails. The default is English.
You can create a subject line tag for your users' encrypted messages. The tag isn't case sensitive.
You can override the default encryption method for individual outbound email data loss prevention (DLP) rules. See Create an email data loss prevention rule.
Outlook Add-in (for Office 365 users only)
You can allow users to encrypt emails using the add-in by downloading and installing the add-in for the user's Outlook client. An add-in is available for the Windows client, and another for both the macOS client and Outlook on the web (OWA).
The add-in for Mac clients only works if you have set up a subject line tag for your users' encrypted messages. If you change the subject line tag, you must download and re-install the add-in on Mac clients.
To get the Windows add-in, click Download Windows Outlook Add-in.
To get the Mac/Web add-in, click Download Web/Mac Outlook Add-in.
For installation instructions, see Installing the Sophos Outlook add-in for Encryption.
To compose an encrypted email in their Outlook client, users click Encrypt. They can deselect Encrypt if they change their minds.
In web clients and Windows clients, clicking Encrypt flags the email for encryption and adds a header to the email.
In the Mac client, clicking Encrypt tags the message subject for encryption.
Addresses and domains
Add recipient addresses and domains for which you want to encrypt messages. Text isn't case sensitive and wildcards aren't supported.