
Sophos Central Email Encryption – field report
To keep you up to date on Sophos Central, I recently signed up for the EAP (Early Access Program) for Email Encryption and took a closer look at the new features and of course tested them.
In this article, I share my experiences so far and want to show you what you can expect from this new feature.
Requirements
To participate in the EAP for Email Encryption and to continue using this feature after this trial period, a Sophos Central Email Gateway Advanced license is required.
Set up Email Encryption
Anyone who has registered for Email Encryption in the EAP will now find an encryption settings item in the Central Email Gateway settings. Once this feature is enabled, you can set a few rules for message encryption.

- Entire message or attachments only: By default, the entire message is encrypted as a PDF. However, it is also possible to encrypt attachments only and continue sending the message as plain text.
- Send messages with a subject tag: With this option, you can specify any string that must appear at the beginning of a subject line in order for a message to be automatically encrypted. For example, if your subject line tag is “Secure:”, any email that starts with that tag in the subject will be encrypted. The match is not case-sensitive.
- Addresses and domains: So that you do not have to use the subject tag every time you want to encrypt an e-mail, there is a more convenient option. You can create a list of addresses and domains to which only encrypted messages are sent out.
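The sketch below is an added example, not Sophos code: it models the subject-tag and address/domain rules as described in the list above, so a mail administrator can check which outbound messages would trigger encryption and which only look as if they would. The function name, the sample policy values, the sample messages and the exact-match domain comparison are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed policy values mirroring the settings described above.
SUBJECT_TAG = "Secure:"                      # tag from the article's example
ENCRYPT_ADDRESSES = {"ceo@partner.example"}  # constructed sample address
ENCRYPT_DOMAINS = {"bank.example"}           # constructed sample domain


def encryption_decision(raw_message: str) -> str:
    """Return 'tag', 'recipient', 'near-miss' or 'none' for one message.

    'near-miss' means the tag occurs in the subject but not at its start,
    so the tag rule as the article describes it would not fire.
    """
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "").casefold()
    tag = SUBJECT_TAG.casefold()

    # Rule 1: tag at the beginning of the subject, case ignored.
    if subject.startswith(tag):
        return "tag"

    # Rule 2: a recipient is on the address list or in a listed domain.
    # Exact domain comparison is an assumption; the article does not say
    # whether subdomains are covered.
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    for _name, addr in getaddresses(headers):
        addr = addr.casefold()
        domain = addr.rpartition("@")[2] if "@" in addr else ""
        if addr in ENCRYPT_ADDRESSES or domain in ENCRYPT_DOMAINS:
            return "recipient"

    # No rule fired: flag subjects where the tag is present but misplaced.
    return "near-miss" if tag in subject else "none"


# Constructed sample messages (headers only matter here).
SAMPLES = {
    "tagged": "To: a@other.example\nSubject: secure: Q3 figures\n\nbody",
    "listed": "To: Bob <bob@bank.example>\nSubject: Invoice\n\nbody",
    "reply": "To: a@other.example\nSubject: Re: Secure: Q3 figures\n\nbody",
    "plain": "To: a@other.example\nSubject: Lunch\n\nbody",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:7} -> {encryption_decision(raw)}")
```

The "near-miss" result is the case worth reviewing: a reply prefix in front of the tag means the subject no longer starts with it.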
Email Encryption in Practice
For encryption to work at all, you must not forget to have Sophos Email scan incoming and outgoing traffic during domain configuration. Of course, if outgoing email is not routed through Sophos Email, encryption cannot take place.
I used Microsoft Office 365 as the outbound gateway in my tests.

Send e-mails
If everything has been configured correctly, sending encrypted emails is really a breeze! This solution from Sophos does not require a special email client or software to be installed first. Nothing really changes in the way you have been sending emails until now. Only when you rely on the subject tag do you have to remember to put the tag at the start of the subject, so that the message is not accidentally sent out unencrypted. Even on mobile operating systems, such as iOS or Android, this worked wonderfully in my tests.
For all Office 365 users among you, Sophos also offers an Outlook plugin. This will give you a button in the menu bar to encrypt the message with one click before sending it. By the way, in my tests it worked in the latest Outlook on Windows and Mac, as well as in the browser version.

To avoid relying on the subject line and to make things even more convenient, you should simply create a list of domains and addresses in the Email Encryption settings right at the beginning; messages to those recipients are always sent encrypted.
As you may have already read in the settings options described above, Sophos Email wraps your message in a PDF container encrypted with AES-256. You can also send attachments such as PDFs, images, Word and Excel documents, etc. with your message.
Receive emails
The recipient first receives an email from Sophos informing them that an encrypted message is waiting for them. The recipient must then first define a password via a link, with which he can decrypt all messages from Sophos Email Encryption in the future. Subsequently, the message is delivered to him, which looks like this at the current time:

Since I have defined in the settings that both my email message and all attachments should be encrypted, my text is now hiding in the attached message.pdf, which can only be opened with the appropriate password.
Even though Sophos recommends using Adobe Acrobat, I was able to open the message.pdf even in the web version of Outlook.
In my tests, images, text files and Open Office documents were packed into a separate PDF called attachments.pdf. I was then able to view and export these with Acrobat. This should theoretically work in any PDF viewer that supports viewing attachments in PDF documents.

With PDFs, Word or Excel documents (.docx, .xlsx) I could see that they are only encrypted and still kept individually in the attachment. Only the older Microsoft formats, such as .doc or .xls were placed in the separate attachments.pdf with the images and text files.
Reply to emails
To reply to an encrypted message, the recipient simply clicks on a link in the message.pdf.

An input mask then opens in the browser, which offers enough functions to compose a decent e-mail. Attachments can also be uploaded.

Password forgotten?
Should the password for decrypting a message ever be forgotten, which even happened to me during my tests 😅, Sophos sends along a link in every message to reset the password.
What surprised me positively about this process is the fact that it is not mandatory to assign a new password right away. The password recovery page is also used to view the previous password and reuse it. A list shows which password has been used in which time period so far. This is very helpful when you want to look at a previous message again, but it was encrypted with a previous password.

Conclusion
The topic of email encryption has been a recurring one for many years. Although everyone would like to use a secure email solution, ultimately it always fails to penetrate the comfort zone. Sending emails needs to be simple and because most people have been doing this for many years, it definitely cannot get more complicated.
With Sophos Central Email Encryption, I think Sophos has found a very good solution for sending encrypted emails super easily, without changing anything in the usual process. This process works with any email client and on any operating system without having to install anything first. The configuration is done completely independently via Sophos Central.
Where I’m not bursting into raptures just yet, however, is in the way the recipient gets this encrypted message. Apart from the very aggressive Sophos branding at the moment, I wonder if in the future we can get used to opening an encrypted PDF every time we want to read an email? Will this be a solution that proves suitable for the masses in terms of comfort? On this point, I’m really not so sure yet.
But what I really like about Sophos Central Email Encryption is the attachment processing. For those who frequently send around Word documents or PDFs with sensitive content, Email Encryption provides an automated solution that takes care of encrypting such attachments. I don’t see any major infringement of the recipient’s comfort zone, since the decryption of such documents can be done with simple on-board tools. As written in my test report, I was even able to decrypt and open an encrypted PDF in Outlook Webmail.
Even though we are still in the EAP here, Central Email Encryption already leaves a very complete impression on me. In my tests, everything worked flawlessly, at least from a technical point of view. The only thing I hope is that Sophos will give us a bit more leeway in the future with regard to branding. For example, so far I haven’t found a way to use my own company logo in the emails. Let’s be surprised what else is planned here for the future.