Easiest way to send encrypted email?

To comply with Massachusetts's new personal information protection law, my company needs to (among other things) ensure that anytime personal information is sent via email, it's encrypted. What is the easiest way to do this? Basically, I'm looking for something that will require the least amount of effort on the part of the recipient. If at all possible, I really want to avoid them having to download a program or go through any steps to generate a key pair, etc. So command-line GPG-type stuff is not an option. We use Exchange Server and Outlook 2007 as our email system.

Is there a program that we can use to easily encrypt an email and then fax or call the recipient with a key? (Or maybe our email can include a link to our website containing our public key, that the recipient can download to decrypt the mail?) We won't have to send many of these encrypted emails, but the people who will be sending them will not be particularly technical, so I want it to be as easy as possible. Any recs for good programs would be great. Thanks.


Solution 1:

We've had to go through something similar with our clients for PCI. The best way would be to use some version of PGP/GPG.

Now that being said, it really isn't as painful as you think. We have done this with hundreds of non-technical users. What we did was choose two products: the free GPG (which Kronick states has GUI front-ends) as well as the pay-for PGP software. We wrote up some really good documentation that could be sent to our clients instructing them how to use the software that they chose, as well as trained our Account Managers on basic troubleshooting and how to use the software.

That has kept 95% of the issues that clients run into out of the IT queue. For the other 5% we made IT resources available to answer questions, as well as in the worst case get on a call to help the client out.


As an alternative, we also bought some licenses of WinZip so that we could use the built-in AES encryption with a passphrase. The commercial PGP software has the ability to create an encrypted file that is opened by passphrase only as well. Although honestly, using PGP has worked out so well I think I only create these types of files 2 or 3 times a year.

Solution 2:

Wouldn't it be easier to have them check a website with the data encrypted via SSL, with a button to print the data on their end? That way you're not transmitting anything and you're in control of the dissemination of the data.

Anything with email will likely be too difficult for your users; they'll involve key generation or downloading a keyring or other things users will find to be a hassle or confusing. Your support costs will rocket up, unless the users just give up in frustration.
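One way to implement the pickup-site approach this answer describes, as an added example that is not part of the answer: the sender stores the record behind a random single-use token that goes into the emailed HTTPS link, and a separate passcode that is phoned or faxed to the recipient unlocks it, so a forwarded or intercepted email alone does not expose the data. Links expire, a handful of wrong passcodes destroys the record, and the record is deleted the moment it is served. The host secure.example.com, the one-week lifetime, the five-attempt limit and the "J. Doe" record are assumptions and constructed sample data; the web layer that terminates TLS and calls retrieve() is outside the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

# Hypothetical policy settings for the pickup site; all three are assumptions.
LINK_TTL_SECONDS = 7 * 24 * 3600   # links expire after a week
MAX_PASSCODE_ATTEMPTS = 5          # after that the record is destroyed
PBKDF2_ITERATIONS = 100_000


def _hash_passcode(passcode: str, salt: bytes) -> bytes:
    # Passcodes are short and phoned to the recipient, so never store them
    # in clear; a salted PBKDF2 hash is compared in constant time below.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class PickupStore:
    """In-memory store of one-time pickup records.

    A record is addressed by the random token embedded in the HTTPS link and
    unlocked by a passcode delivered out of band (phone or fax).
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._items: Dict[str, dict] = {}
        self._now = now   # injectable clock so expiry can be exercised offline

    def create(self, payload: bytes, passcode: str,
               ttl: int = LINK_TTL_SECONDS) -> str:
        token = secrets.token_urlsafe(32)          # 256 random bits, unguessable
        salt = secrets.token_bytes(16)
        self._items[token] = {
            "payload": payload,
            "salt": salt,
            "passcode_hash": _hash_passcode(passcode, salt),
            "expires_at": self._now() + ttl,
            "attempts": 0,
        }
        return token

    def retrieve(self, token: str, passcode: str) -> Optional[bytes]:
        """Return the payload exactly once; None on any failure."""
        item = self._items.get(token)
        if item is None:
            return None
        if self._now() > item["expires_at"]:
            del self._items[token]               # expired: destroy, never serve
            return None
        item["attempts"] += 1
        if item["attempts"] > MAX_PASSCODE_ATTEMPTS:
            del self._items[token]               # brute-force guard on the passcode
            return None
        candidate = _hash_passcode(passcode, item["salt"])
        if not hmac.compare_digest(candidate, item["passcode_hash"]):
            return None                          # wrong passcode; record kept for now
        del self._items[token]                   # single use: the link is now dead
        return item["payload"]

    def pending(self) -> int:
        return len(self._items)


def pickup_link(base_url: str, token: str) -> str:
    # base_url is an assumed placeholder and must be an https:// address
    return f"{base_url.rstrip('/')}/pickup/{token}"


def demo() -> Optional[bytes]:
    store = PickupStore()
    data = b"Constructed sample: account statement for J. Doe"
    token = store.create(data, passcode="4821-7730")
    print("email the link:", pickup_link("https://secure.example.com", token))
    print("phone the passcode: 4821-7730")
    return store.retrieve(token, "4821-7730")   # served once, then gone
```

The non-technical sender only has to paste the link into the email and read the passcode over the phone; the recipient needs nothing but a browser. Because the record is deleted on first successful pickup, the sender can also tell from pending() whether the recipient has actually collected it.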

Solution 3:

Does it just need to be encrypted in transit (SMTP/TLS), or in storage/at the endpoints too (PGP, etc.)?

Working with similar legislation, I've generally set up PKI/SMTP/TLS between two or more organizations that frequently send/receive private/protected information; I just set up a smarthost at each organization matching the domains in question to route mail through either a site-to-site VPN tunnel when applicable or SMTP/TLS to encrypt the mail in transit with Exchange.
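The in-transit half of this answer, shown from the sending side as an added example (not the answer's own Exchange configuration; it uses Python's smtplib so the policy is visible in code): the sender refuses to deliver unless the partner's smarthost advertises STARTTLS and presents a certificate that verifies for its hostname, which is the difference between "required" TLS and the opportunistic STARTTLS most mail servers do by default, where a stripped extension silently falls back to cleartext. The host mail.partner.example and the addresses are assumed placeholders; the actual send needs a reachable smarthost, while the EHLO parsing and context construction run offline.

```python
import smtplib
import ssl
from email.message import EmailMessage
from typing import Optional


def build_tls_context() -> ssl.SSLContext:
    """Context that verifies the smarthost's certificate chain and name."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def ehlo_offers_starttls(ehlo_response: bytes) -> bool:
    """Parse an EHLO reply (bytes, as smtplib returns it) for STARTTLS."""
    lines = ehlo_response.decode("ascii", "replace").splitlines()
    # the first line is the server's greeting name; extensions follow it
    return any(line.split()[0].upper() == "STARTTLS"
               for line in lines[1:] if line.strip())


def send_with_required_tls(msg: EmailMessage, smarthost: str, port: int = 25,
                           context: Optional[ssl.SSLContext] = None) -> None:
    """Deliver msg to the partner smarthost only over verified TLS.

    Raises instead of sending in clear when STARTTLS is absent (for example
    because an on-path attacker stripped it) or the certificate fails to verify.
    """
    context = context or build_tls_context()
    with smtplib.SMTP(smarthost, port, timeout=30) as smtp:
        code, reply = smtp.ehlo()
        if code != 250 or not ehlo_offers_starttls(reply):
            raise RuntimeError(
                f"{smarthost} does not offer STARTTLS; refusing to send in clear")
        # with a verifying context, starttls() checks the chain and that the
        # certificate matches `smarthost`; failure raises ssl.SSLError
        smtp.starttls(context=context)
        smtp.ehlo()                          # re-EHLO after the TLS upgrade
        smtp.send_message(msg)


def build_message(sender: str, recipient: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Protected information"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # hypothetical addresses and smarthost; this is a real network send
    m = build_message("hr@example.com", "benefits@partner.example",
                      "constructed sample body")
    send_with_required_tls(m, "mail.partner.example")
```

This only protects the hop between the two organizations' smarthosts, which is the distinction the answer opens with: once delivered, the message sits in cleartext in the partner's mailbox store and in any backups unless it was also encrypted end to end with PGP or S/MIME.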