If you have been running a dedicated Pretty Good Privacy (PGP) server to decrypt emails from business partners but would like that decryption to be done in the cloud, you can achieve this with the Advanced Policy Based Encryption (PBE Advanced) service.
The PBE Advanced service is primarily documented as providing the ability to encrypt outbound emails from your organization to third parties, based on a policy that matches certain keywords or an entry in the email header (added using an Outlook plugin).
The PBE Advanced service can also be used to decrypt inbound emails to your organization that are either S/MIME encoded or contain PGP-encrypted attachments.
In order to configure the PBE Advanced service for inbound decryption you will need to perform the following tasks:
Upload your private key to the online 'Credentials Management' site (this may already have been done if you use the PBE Advanced outbound functionality).
Create a number of inbound Data Protection Policies within the Symantec.cloud customer portal to detect and redirect encrypted inbound email for decryption.
These steps are described in detail below.
Step 1 - Uploading certificates to the Credential Management site.
To achieve this, contact Symantec.cloud Support, who will put you in contact with the third-party provider of the PBE Advanced product. They will help you gain access to the 'Credential Manager' site and guide you through all the steps you need to follow to complete the uploads. Here is a link outlining the steps needed once you gain access to this site.
Step 2 - Creating inbound Policies within the Data Protection.cloud service.
You will need to create three Data Protection Policies to achieve inbound decryption. These policies must be placed in the following order, from top to bottom:
PBE – Unable to decrypt inbound policy
PBE – S/MIME decryption inbound policy
PBE – PGP attachment decryption policy
Create the first policy
Data Protection location: in the Clientnet portal, go to Services > Data Protection
Start a new Data Protection policy
Name the policy 'PBE - Unable to decrypt inbound policy'
Apply to: Set to “Inbound mail only”
Execute if: pick “All rules are met”
Action: set it to “Log Only”
Check the ‘Stop evaluation of lower priority policies’ box
Set Notifications to ‘None’
Add a rule to this policy.
Name the rule 'Header Check'
Set it to ‘All Conditions are Met’
Add a condition and select 'Content Keyword List' from the drop-down.
Select the 'Create new content keyword list' link
Give this list a name of ‘Headers Inbound - Fail to Decrypt’
You can add a description if you wish.
Set the category to 'Encryption'
Add the following to the list: x-echoworx-action: failed-to-decrypt
Click Save. If you now go back into this list, it should look like this:
You will then need to configure the attributes for the keyword list; please see the screen below:
Once this is done, click 'Save' at the bottom right of the policy edit screen. This saves the policy, but it will not be active until you activate it. Wait until all policies are created before activating them.
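As an added illustration (not part of this article or of the Symantec.cloud product), the following Python models how the three policies are evaluated top to bottom with 'Stop evaluation of lower priority policies' set, using the x-echoworx-action header keyword from the first policy. The S/MIME and PGP detection rules and the actions of the second and third policies are assumptions, since the article has not yet described them.

```python
import email
from email import policy as email_policy

# Header the decryption service adds when it could not decrypt a message; it is
# the keyword the first policy ("Unable to decrypt") matches on.
FAIL_HEADER, FAIL_VALUE = "x-echoworx-action", "failed-to-decrypt"

def is_failed_to_decrypt(msg):
    return any(v.strip().lower() == FAIL_VALUE for v in msg.get_all(FAIL_HEADER, []))

def is_smime(msg):
    # Assumption: S/MIME enveloped mail carries the RFC 8551 content type.
    return msg.get_content_type() in ("application/pkcs7-mime", "application/x-pkcs7-mime")

def has_pgp_attachment(msg):
    # Assumption: PGP/MIME (RFC 3156) body part or an attached .pgp/.gpg/.asc file.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pgp-encrypted" or name.endswith((".pgp", ".gpg", ".asc")):
            return True
    return False

# The three policies in the required order; the two decryption actions are assumed.
POLICIES = [
    ("PBE - Unable to decrypt inbound policy", is_failed_to_decrypt, "Log Only"),
    ("PBE - S/MIME decryption inbound policy", is_smime, "Redirect for decryption"),
    ("PBE - PGP attachment decryption policy", has_pgp_attachment, "Redirect for decryption"),
]

def evaluate(raw_message):
    """First matching policy wins ('Stop evaluation of lower priority policies')."""
    msg = email.message_from_string(raw_message, policy=email_policy.default)
    for name, matches, action in POLICIES:
        if matches(msg):
            return name, action
    return None, "deliver"

# Constructed samples: the first is S/MIME *and* carries the failure header, so only policy 1 fires.
RETURNED_SMIME = ("From: partner@example.com\nTo: user@example.net\n"
                  "x-echoworx-action: failed-to-decrypt\n"
                  "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n\n"
                  "MIIB...\n")
PGP_ATTACHMENT = ("From: partner@example.com\nTo: user@example.net\n"
                  "Content-Type: multipart/mixed; boundary=\"b1\"\n\n--b1\n"
                  "Content-Type: text/plain\n\nSee attached.\n--b1\n"
                  "Content-Type: application/octet-stream; name=\"report.pdf.pgp\"\n"
                  "Content-Disposition: attachment; filename=\"report.pdf.pgp\"\n\n"
                  "wcBMA...\n--b1--\n")

print(evaluate(RETURNED_SMIME), evaluate(PGP_ATTACHMENT))
```

Placing the 'Unable to decrypt' policy first is what keeps a message the service has already given up on from being redirected for decryption a second time.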
Creating the Second Policy
You will need to create a new 'user group' before setting up the next policy. If you already have a user group for outbound PBE, you can skip this section.