Secure email - Digitally sign and encrypt emails

On this page you will find information on how you as an employee at NTNU can sign and encrypt your e-mail.


Microsoft Information Protection for Windows users

A simpler solution has now been introduced for Microsoft Office users (on Windows).

See this tutorial to get started


Email is a communication channel where it's easy to pretend to be someone else. One way to make this more secure is to use digital signing. A certificate can be linked to an email address and a key, so that when a person has signed an email with their key, your email client can verify the signature and make sure that the sender is who they claim to be.

This guide assumes that you are using Windows; some of the steps may be a bit more complicated on other platforms.

Backup

Before you start to use certificates and send encrypted e-mail, make sure you have a backup of the certificate with its private key. See how to create a backup in this guide: How to backup your digital certificate. Make sure you store it in a safe location. If this key is lost, you will not be able to read encrypted emails.

Create and download your digital ID to send digitally signed email

  1. Open your browser and go to: https://cert-manager.com/customer/uninett/idp/clientgeant
  2. Type «Feide» in the field for "Find your institution" and make sure to choose the "Feide" choice that is NOT written in all caps.
  3. Choose NTNU as your affiliation, if you are prompted for this.
  4. Type your username and password and log in.
  5. Keep the default options:
    • Certificate Profile: GÉANT Personal Certificate
    • Private Key: Generate RSA
  6. Enter a secure and unique password in the field for P12 Password. This password is required when you are importing this certificate later.
  7. Click Submit. You will be prompted to download a file (certs.p12). Save this file to a secure location, and keep it for later.

Import to Windows

  1. Open your new certs.p12 file. It should open in "Certificate Import Wizard".
  2. Choose "Current User" for "Store Location", click Next.
  3. Click Next at the "File Name" prompt; this should already be filled out.
  4. Enter the same password you created when you ordered the certificate.
  5. Check the option for "Mark this key as exportable". The option for "Include all extended properties" should also stay checked. You don't need to check "Strong private key protection".
  6. Choose "Automatically select the certificate store based on the type of certificate".
  7. Finish.
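
A quick way to confirm the import before enabling the certificate in Outlook, as an added example that is not part of the original NTNU guide. It assumes the certificate carries the standard "Secure Email" enhanced key usage (OID 1.3.6.1.5.5.7.3.4) and is run in PowerShell as the same Windows user who did the import.

```powershell
# Added example (not from the NTNU guide): confirm that the imported digital ID
# is usable for S/MIME from the Current User > Personal certificate store.
$secureEmailOid = '1.3.6.1.5.5.7.3.4'   # EKU "Secure Email" (id-kp-emailProtection)

$candidates = Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    # Collect the Enhanced Key Usage OIDs, if the certificate carries that extension.
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Assumption: only certificates that explicitly list Secure Email are reported.
    if ($ekuOids -contains $secureEmailOid) {
        [pscustomobject]@{
            Email         = $cert.GetNameInfo('EmailName', $false)
            Issuer        = $cert.GetNameInfo('SimpleName', $true)
            HasPrivateKey = $cert.HasPrivateKey   # must be True to sign and decrypt
            NotAfter      = $cert.NotAfter
            DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Thumbprint    = $cert.Thumbprint
        }
    }
}

if (-not $candidates) {
    Write-Warning 'No certificate with the Secure Email usage found; repeat the import.'
} else {
    $candidates | Sort-Object NotAfter -Descending | Format-List
    # A certificate without its private key can verify and encrypt to you,
    # but cannot sign outgoing mail or decrypt incoming mail on this PC.
    $candidates | Where-Object { -not $_.HasPrivateKey } | ForEach-Object {
        Write-Warning "Certificate $($_.Thumbprint) has no private key on this PC."
    }
}
```

The Email value should match the address of the mailbox you will sign from, and HasPrivateKey should be True. The same check applies after importing the certificate on an additional PC.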

Enable digital signature in Outlook

  1. Open Outlook
  2. Click File > Options > Trust Center
  3. Click Trust Center Settings…
  4. Choose Email Security on the left side.
  5. Choose Settings under Encrypted e-mail
  6. Choose My S/MIME Settings (email address)...
    1. Click OK if your email address is shown under Security Settings Name
  7. Mark Add digital signature to outgoing messages under Encrypted email
  8. Click OK, followed by another OK

Verify digital email signature

  1. Open Outlook
  2. Click New Email
  3. Click the Options pane and check that Sign is checked under Permission
  4. Send a test email to someone who can verify that your digital signature is working.

If a red ribbon appears on your email to the recipient, you've done everything right.

Publish your digital ID to the Global Address List (GAL)

  1. Click File > Options > Trust Center
  2. Click Trust Center Settings
  3. Choose Email Security on the left side
  4. Click Publish to GAL...
  5. A dialogue window will appear with something like "Your certificate...success"; click OK
  6. Close all windows. You’re done!

Encrypt e-mail

Encrypting your e-mail adds a layer of security effective against surveillance and unauthorized access.

This procedure will only work if both you and your recipient have acquired and published your digital ID to the global address list (GAL).

  1. Create an e-mail as you normally would
  2. Select the tab Options and choose Encrypt
  3. Write your e-mail as you normally would and send it. If you get an error message, there might be a problem with your or your recipient's digital ID.

Use the same certificate on multiple PCs

In order to send signed e-mail from multiple PCs, only one certificate per user is needed. Once a certificate is installed, you can export this from Outlook, then import it to other PCs (you can move the certificate, for example, using a pen drive). To export and import a certificate, follow these steps:

Export a certificate in Outlook

  1. Open Outlook
  2. Click File > Alternatives > Trust Center
  3. Click the button marked Settings...
  4. Choose Email Security
  5. Click Import/Export
  6. Select Export your Digital ID to a file
  7. Click Select and you will see a dialog window pop up with your certificate > Click OK
  8. Click Browse to choose where you want to save your certificate
  9. Choose a password, enter it twice > Click OK

You have now saved your certificate with password protection. You should save the certificate in a safe location. If you want to use it on another device, you can, for example, copy it to a pen drive.

Import a certificate in Outlook

  1. Locate your certificate that you have exported
  2. Right-click on it and choose Install PFX and an install wizard will start
  3. Choose Current User under Store Location
  4. Press Next until you are asked to enter a password
  5. Enter the password used when you exported your certificate
    - If you want to be notified whenever the certificate is to be used, choose Enable strong private key protection (not recommended)
    - If you want to be able to export the certificate for reuse, choose Mark this key as exportable (recommended)
  6. Press Next, followed by another Next and then press Finish to end this install wizard

You now need to enable the certificate in Outlook. Follow these steps:

  1. Open Outlook
  2. Click File > Options > Trust Center
  3. Click Trust Center Settings…
  4. Choose Email Security on the left side.
  5. Choose Settings under Encrypted e-mail
  6. Choose My S/MIME Settings (email address)...
    1. Click OK if your email address is shown under Security Settings Name
  7. Mark Add digital signature to outgoing messages under Encrypted email
  8. Click OK, followed by another OK

Your certificate should now be installed on your device.

Contact

Orakel Support Services can help if you have questions or if you encounter difficulties.

IT info: digital security Target group: Employees