Internal Users

To sign and decrypt messages, either the S/MIME key or the OpenPGP private key must exist on Sophos UTM on AWS. On the Encryption > Internal Users tab you can create an individual S/MIME key/certificate, an OpenPGP key pair, or both for each user for whom email encryption should be enabled.

Important – Starting with version 9.508, the UTM uses new algorithms and engines for S/MIME. Find detailed information on the changes in the Sophos Knowledge Base.

To create an internal email user, proceed as follows:

  1. On the Internal Users tab, click New Email Encryption User.

    The Add User dialog box opens.

  2. Make the following settings:

    Email address: Enter the email address of the user.

    Full name: Enter the name of the user.

    Signing: The following signing options are available:

    • Use default policy: The policy from the Options tab will be used.
    • On: Emails will be signed using the certificate of the user.
    • Off: Emails will not be signed.

    Encryption: The following encryption options are available:

    • Use default policy: The policy from the Options tab will be used.
    • On: Emails will be encrypted using the public key of the recipient.
    • Off: Emails will not be encrypted.

    Verifying: The following verification options are available:

    • Use default policy: The policy from the Options tab will be used.
    • On: Emails will be verified using the public key of the sender.
    • Off: Emails will not be verified.

    Decryption: The following decryption options are available:

    • Use default policy: The policy from the Options tab will be used.
    • On: Emails will be decrypted using the certificate of the user.
    • Off: Emails will not be decrypted.

    S/MIME: Select whether the system should generate the S/MIME certificate and key automatically or whether you want to upload a certificate in PKCS#12 format. To upload the certificate, you must know the passphrase that protects the PKCS#12 file. Note that the PKCS#12 file must contain both the S/MIME key and the certificate. Any CA certificate that may be included in this PKCS#12 file will be ignored.

    OpenPGP: Select whether the system should generate the OpenPGP key pair (a private key and the public key) automatically or whether you want to upload the key pair in ASCII format. Note that both the private and the public key must be included in a single file and that the file must not be passphrase-protected.

    Note – If you configure both S/MIME and OpenPGP for an individual user, emails sent by this user will be signed using S/MIME.

    Comment (optional): Add a description or other information.

  3. Click Save.

    The new user appears on the Internal Users list.

Use the toggle switch to turn off the use of one or both keys without having to delete the key(s).

Note – The files offered for download contain the S/MIME certificate. The OpenPGP certificate offers the public key. For security reasons it is not possible to download the OpenPGP private key or the S/MIME key.
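
The OpenPGP upload requirements in step 2 (public and private key in one ASCII file, no passphrase) can be checked before the file is uploaded. The following Python check is an added example, not Sophos code; its function names are assumptions, and it inspects only version 4 RSA, Elgamal and DSA keys, reporting anything else as not inspectable.

```python
import base64, re

ARMOR = re.compile(r"-----BEGIN PGP (PUBLIC|PRIVATE) KEY BLOCK-----\r?\n(.*?)"
                   r"-----END PGP \1 KEY BLOCK-----", re.S)
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}   # RSA, Elgamal, DSA (RFC 4880 5.5.2)

def packets(data):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                               # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                        # old-format header
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if size == 8:
                raise ValueError("indeterminate length is not handled")
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]
        i += n

def s2k_usage(body):
    """S2K usage octet of a v4 secret-key packet; 0 means the key is stored unprotected."""
    if body[0] != 4 or body[5] not in PUBLIC_MPIS:
        return None                                  # version/algorithm not covered here
    i = 6
    for _ in range(PUBLIC_MPIS[body[5]]):            # skip the public-key MPIs
        i += 2 + (int.from_bytes(body[i:i + 2], "big") + 7) // 8
    return body[i]

def check_openpgp_upload(text):
    """Return a list of problems; empty means both blocks are present and no passphrase is set."""
    kinds, problems = set(), []
    for kind, armored in ARMOR.findall(text):
        kinds.add(kind)
        lines = (s.strip() for s in armored.splitlines())
        b64 = "".join(s for s in lines if ":" not in s and not s.startswith("="))
        for tag, body in packets(base64.b64decode(b64)) if kind == "PRIVATE" else ():
            if tag in (5, 7) and s2k_usage(body) != 0:   # secret key / secret subkey
                problems.append("private key is passphrase-protected or not inspectable")
    return problems + [f"missing {k.lower()} key block" for k in ("PUBLIC", "PRIVATE") if k not in kinds]
```

Call check_openpgp_upload() with the text of the ASCII file; an empty list means the file meets both requirements stated above.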