How to use Email Encryption with PGP Desktop and Outlook

Article ID: 155681


Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Symantec Encryption Desktop (PGP Desktop) can automatically encrypt and decrypt emails using the PGP Messaging service.

This messaging service will process mail in one of two ways:

Method 1: Proxy of POP/IMAP/SMTP (PGPlsp.dll)
When using Method 1, the proxy should automatically detect the email account configured in the mail client, such as Outlook or Thunderbird. Because the PGP Messaging service acts as a proxy, it detects encrypted content as mail is downloaded to the mail client and decrypts it on the fly. The result is a decrypted email that remains decrypted in the mail client. IMAP is typically recommended when using the proxy.

 

Method 2: MAPI Hook (PGPMapih.dll)
When using Method 2, a DLL handles encryption and decryption operations automatically. This method supports only Exchange with Outlook, because the driver is hard-coded to "hook" into Outlook operations and "render" emails decrypted. If PGP Desktop is not available, the emails remain encrypted; once PGP Desktop decrypts a message, it is "rendered" decrypted so you can see the message automatically. For encryption, the message is encrypted before it is sent.

 

 

Resolution

When you first install PGP Desktop (Symantec Encryption Desktop) and launch the email client after the reboot, one of two things can happen, depending on which of the methods described in the Introduction of this article is being used.

 

If you are using Method 1 (POP/IMAP/SMTP), the Proxy service will automatically detect your email account. For this to work, SSL/TLS must be disabled in the email client. Before doing anything, confirm that emails send correctly without PGP Desktop installed. Once this is confirmed, install PGP Desktop, and then disable SSL/TLS for the accounts in Outlook. PGP Desktop will "proxy" TLS for the emails automatically.

Use the following steps to troubleshoot PGP Messaging:

  1. Check the existing policies for conflicts. To back up existing policies, take screenshots so that you can restore the policies later.
  2. Delete the existing policies.
  3. Close Outlook. 
  4. Stop PGP services by right-clicking the PGP Tray icon in the Windows System Tray and then clicking Exit PGP Services.
  5. Restart PGP Services by clicking Start > Programs > Startup > PGPtray.exe.
  6. Restart Outlook.
  7. Send a test email message to yourself.
  8. The PGP Desktop Assistant should automatically detect the email account(s) in Outlook. Account settings are configured automatically, as in the following message:



    Select "Next" and follow the prompts.  


  9. The next screen will show you the PGP Keys associated with the email address. Click the key that matches and click Next.
  10. On the last screen, choose Finish:



    Important Tip: If you are prompted to allow PGP Desktop to protect the account, confirm this selection and then select the PGP key for the account. You may see this prompt numerous times depending on how many mail servers there are. Best practice is to allow each one to be proxied.

  11. Verify the settings from Outlook in PGP Desktop > PGP Messaging
  12. Check for a verification email from the PGP keyserver, click the link to verify the key, and then download the verification key.
  13. Try sending an email message according to the policy set.
 

 

If you are using Method 2 (MAPI), you are using Outlook with Microsoft Exchange. In this method, the DLL should be invoked automatically, so that when you send a new email, the driver encrypts the message automatically.

 

Troubleshooting

 

Troubleshooting Scenario 1: Proxy Services, or Encryption/Decryption does not appear to show up at all

 

If you have any security software that could block either of the two messaging DLLs above, allow them so that automatic email encryption and decryption can work properly.

For both of these files, add the following exclusions:

C:\Windows\System32\PGPlsp.dll

C:\Windows\System32\PGPmapih.dll

In addition to the above DLLs that are used specifically for messaging, see the following article for other exclusions you may need to add to ensure security software does not block the encryption services:

200696 - Symantec Encryption Services - Add Symantec Encryption programs to safe list or exclusions in security software

 

 

Troubleshooting Scenario 2: Messaging Service shows up over and over again

For this scenario, we typically recommend approving each pop-up and eventually these will stop.  This pop-up happens for POP/IMAP configurations and will happen for each mailserver the PGP proxy service detects.  For example, the mailserver FQDN may be "mail.example.com", but the DNS records may point to three different mailservers.  You may get three different popups for this.  

For Gmail, there are infinite mailservers, so you may just need to keep approving.  Check the Additional Information section of this article for information on how to configure Gmail with PGP.

For more information on how to configure Gmail with the PGP messaging service, see the following article:
191087 - How to configure Symantec Encryption Desktop to automatically encrypt Gmail in Outlook

 

 

Troubleshooting Scenario 3: I Got a popup, but I didn't know what to do so I closed it, and now I don't see the popups and now email encryption is not working

 


For this scenario, quit the PGP services, and then delete the "PGPprefs.xml" and "PGPpolicy.xml" files in %appdata%\PGP Corporation\PGP  

Relaunch the software and go through the setup again.  For further assistance on this, contact Symantec Encryption Support.

 

Troubleshooting Scenario 4: Message Appears: Unable to Secure Messages

A pop-up appears stating "Encryption Desktop is unable to secure your messages because PGP Services are not running.":

It is best to choose "Secure Messages" to be able to send encrypted email. Choose "Allow Unsecured messages" if you don't want to encrypt any emails.

If you want to block emails, you can choose the "Prohibit" option.

 

 

Disabling the PGP Plug-ins for Outlook

If you would like to disable the PGP Plug-ins in Outlook, click the padlock icon in the system tray (next to the clock), then go to Options:

Once you're in Options, click Messaging, and then uncheck the box "Enable PGP encrypt and sign buttons in Outlook".

Sometimes disabling the plug-ins is a good troubleshooting step to see whether there are any conflicts.

If you have a PGP Server, you can go into the Consumer Policy, and uncheck the option for plug-ins:

In addition, if you open Outlook and click Add-ins, you can see which plug-ins are loaded. Once you uncheck them, ensure they are no longer loaded:

 

 

 

 

Troubleshooting Scenario 5: Using GPG Email Encryption and PGP Desktop is not decrypting

If you have a sender using GPG and PGP Desktop Email Encryption is not decrypting these messages, check Outlook to see which file types are received.

You may receive .txt attachments that are not being recognized by the PGP Desktop software:

Item 1: Exit the PGP Services, close Outlook and re-open Outlook (don't re-open PGP Desktop) and click on the encrypted message to see which file attachments you are seeing:

If you see a .dat file, make note of it; this may mean the encoding is using TNEF, which may be part of this issue.

 

If you are seeing the above attachment, it is likely that PGP Desktop is not recognizing the encrypted content.

Check with the Sender and see if it is possible to switch the "Rich Text" format to "Convert to HTML format":

(Open Outlook, go to Options, and click on the Mail category)

 

Once the setting to "Convert to HTML format" is selected, and Outlook is re-launched, then re-launch PGP Desktop and re-test.

 

Item 2: If that is still not working and you have an Exchange Server, check on the mail server whether "TNEFEnabled" is enabled.

If it is, see whether it can be disabled, and have the sender resend the encrypted message:

 


Ensure "TNEFEnabled" is set to blank or false:

This will allow for better compatibility between the two applications. If this is enabled, you may end up with a "winmail.dat" file or "Untitled attachment 00001.dat" or similar and this may be causing some decryption issues. 

Disabling TNEF may reduce some Exchange functionality, such as "Voting" buttons, so discuss this setting with the mail team. The above setting applies only to email within the same domain.
TNEFEnabled should not be used when sending outside of the domain. This can cause other interoperability issues, not just with PGP.
Evidence of this is the winmail.dat file, which contains information that only Outlook understands. Not all outside entities use Outlook, so disabling it will prevent these types of issues.

At a very minimum, test disabling this to ensure the recipient does not end up with a .dat file, which appears to cause these issues. 

The following knowledge base article from Microsoft details how to verify your Outlook and Exchange configuration to prevent this from happening:

 

How to Prevent the Winmail.dat File from Being Sent to Internet Users

How to Configure Message Format Settings for a Remote Domain​
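To confirm what a received or resent test message actually contains, the raw message can be saved and inspected outside Outlook. The following is an added example, not Symantec code: the function name `classify_pgp_message`, the verdict strings and the sample messages are constructed for illustration, and it reports whether a message is PGP/MIME, carries inline armored PGP (for example in a .txt attachment), or has been wrapped in a TNEF winmail.dat.

```python
# Added example (not vendor code): classify how a saved raw message carries
# PGP content. Function name and sample messages are constructed for illustration.
from email import message_from_string, policy

ARMOR = b"-----BEGIN PGP MESSAGE-----"
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}

def classify_pgp_message(raw):
    """Return (verdict, attachment_names) for a raw RFC 5322 message string."""
    msg = message_from_string(raw, policy=policy.default)
    pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                and msg.get_param("protocol") == "application/pgp-encrypted")
    tnef = armored = False
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if name:
            names.append(name)
        if part.get_content_type() in TNEF_TYPES or name.lower() == "winmail.dat":
            tnef = True      # Outlook rich-text (TNEF) wrapper
        elif ARMOR in (part.get_payload(decode=True) or b""):
            armored = True   # ASCII-armored OpenPGP data in this part
    if tnef:
        return "tnef-wrapped", names   # any PGP content is hidden inside the .dat
    if pgp_mime:
        return "pgp-mime", names       # RFC 3156 multipart/encrypted layout
    return ("inline-pgp" if armored else "no-pgp-found"), names

# Constructed sample messages (placeholder bodies, not real ciphertext).
PGP_MIME = (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"\n\n'
    "--b\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    '--b\nContent-Type: application/octet-stream; name="encrypted.asc"\n\n'
    "-----BEGIN PGP MESSAGE-----\n\nplaceholder\n-----END PGP MESSAGE-----\n--b--\n")
TNEF = (
    'Content-Type: multipart/mixed; boundary="b"\n\n--b\nContent-Type: text/plain\n\nSee attachment.\n'
    '--b\nContent-Type: application/ms-tnef; name="winmail.dat"\n'
    "Content-Transfer-Encoding: base64\n\nAAAA\n--b--\n")
INLINE = (
    'Content-Type: multipart/mixed; boundary="b"\n\n--b\nContent-Type: text/plain\n\nhi\n'
    '--b\nContent-Type: text/plain; name="msg.txt"\n'
    'Content-Disposition: attachment; filename="msg.txt"\n\n'
    "-----BEGIN PGP MESSAGE-----\n\nplaceholder\n-----END PGP MESSAGE-----\n--b--\n")

if __name__ == "__main__":
    for label, raw in (("PGP/MIME", PGP_MIME), ("TNEF", TNEF), ("inline", INLINE)):
        print(label, classify_pgp_message(raw))
```

A "tnef-wrapped" verdict on a message resent after the format change means the sender's Outlook or Exchange settings are still producing a winmail.dat.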

 

If you are still having issues after adjusting the settings when sending from GPG to PGP, check the settings within GPG for the following option:

Make sure to not attach any files to the email, and send only text within the email to confirm decryption is working.

Then reach out to Symantec Encryption Support with the results of the above tests to help improve interoperability between the two products. 

Additional Information

180267 - HOW TO: Encrypt/Decrypt Text Using the Current Window feature with Symantec Encryption Desktop (PGP Desktop) for Windows

153463 - Using PGP Viewer to decrypt email messages encrypted with PGP content

191087 - How to configure Symantec Encryption Desktop to automatically encrypt Gmail in Outlook

153934 - Encryption Desktop does not automatically decrypt messages in Outlook

156303 - Symantec Encryption Products Current Version Available

155681 - How to use Email Encryption with PGP Desktop and Outlook (Symantec Encryption Desktop)

163281 - PGP Server cannot decrypt an attachment attached to a Rich Text Format message (Symantec Encryption Management Server)

155940 - Unable to Decrypt with PGP Desktop - Email messages and attachments are converted to winmail.dat files