How to setup the decryption of PGP and S/MIME encoded attachments within emails using the Advanced Policy Based Encryption Service.cloud
Article ID: 163855

Products

Email Security.cloud

Issue/Introduction

If you have been running a dedicated Pretty Good Privacy (PGP) type server to decrypt emails from business partners, but would like the decryption to be done in the cloud instead, you can achieve this using the Advanced Policy Based Encryption (PBE Advanced) service.

The PBE Advanced service is primarily documented as providing the ability to encrypt emails outbound from your organization to third parties, based on a policy that matches certain keywords or an entry in the email header (added using an Outlook plugin).

The PBE Advanced service can be used to decrypt emails inbound to your organization that are either S/MIME encoded or contain PGP encrypted attachments.

In order to configure the PBE Advanced service for inbound decryption you will need to perform the following tasks:

  1. Upload your private key to the online 'Credentials Management' site (this may already have been done if you use the PBE Advanced outbound functionality).
  2. Create a number of inbound Data Protection Policies within the Symantec.cloud customer portal to detect and redirect encrypted inbound email for decryption.

Please see below for these steps in detail.

Resolution

Step 1 - Uploading certificates to the Credential Management site.

To achieve this, please contact Symantec.cloud Support (Here), who will put you in contact with the third-party provider of the PBE Advanced product. Once in contact, they will help you gain access to the 'Credential Manager' site and guide you through all the steps you need to follow to complete the uploads. Here is a link outlining the steps needed once you gain access to this site.

Step 2 - Creating inbound Policies within the Data Protection.cloud service.

You will need to create three Data Protection Policies in order to achieve inbound decryption. These policies must be placed in order from top to bottom:

  1. PBE – Unable to decrypt inbound policy
  2. PBE – S/MIME decryption inbound policy
  3. PBE – PGP attachment decryption policy

Create the first policy

Data Protection Location: Access the Clientnet portal > Services > Data Protection

Start a new Data Protection policy

  • Name the policy, PBE - Unable to decrypt inbound policy
  • Apply to: Set to “Inbound mail only”
  • Execute if: pick “All rules are met”
  • Action: set it to “Log Only”
  • Check the ‘Stop evaluation of lower priority policies’ box
  • Set Notifications to ‘None’

Add a rule into this Policy.

  • Name the rule, Header Check
  • Set it to ‘All Conditions are Met’
  • Add Condition and select ‘Content Keyword List’ from the drop down.
  • Select the ‘Create new content keyword list’ link
  • Give this list a name of ‘Headers Inbound - Fail to Decrypt’
  • You can add a description if you wish.
  • Set the category to ‘Encryption’
  • Add the following to the list: x-echoworx-action: failed-to-decrypt

Click Save. If you now go back into this list, it should look like this:

You will then need to configure the attributes for the keyword list; please see the screen below:

Once this is done, click ‘Save’ at the bottom right of the policy edit screen. This saves the policy, but it will not be active until you make it so. Wait until all policies are created before you activate them.

Creating the Second Policy

You will need to create a new ‘user group’ before setting up the next policy. If you already have a user group for outbound PBE, you can skip this section.

  • Go to the Users and Groups tab
  • Select User Groups
  • Select Create New Group
  • Add a title of PBE Dummy group
  • Add a dummy email address into the New Users box at the bottom right, e.g. [email protected]
  • Click the Add>> button
  • Click Save & Exit

Start a new Data Protection policy

  • Name the policy, PBE – S/MIME decryption inbound policy
  • Apply to: Set to “Inbound mail only”
  • Execute if: pick “All rules are met”
  • Action: set it to “Redirect to Administrator”
  • Check the ‘Stop evaluation of lower priority policies’ box
  • Administrator email: Your PBE admin email address used in the outbound PBE rules
  • Set Notifications to ‘None’

Add a rule into this Policy.

  • Name the rule, Decrypt S/MIME
  • Set it to ‘All Conditions are Met’
  • Add Condition and select ‘Email is Encrypted’ from the drop down.
  • Add another new rule using the button at the bottom; call this one Recipient Exclusion
  • Set it to ‘All Conditions are Met’
  • Add the condition ‘Recipient Groups’
  • Browse to the user group you created earlier and select it, or use the current PBE user group you have configured for the outbound policies.
  • Set the logic to ‘is in none of the selected groups’ (see screenshot below)
  • Save the Policy using the bottom button

Creating the Third Policy

Start a new Data Protection policy

  • Name the policy, PBE – PGP attachment decryption policy
  • Apply to: Set to “Inbound mail only”
  • Execute if: pick “All rules are met”
  • Action: set it to “Redirect to Administrator”
  • Check the ‘Stop evaluation of lower priority policies’ box
  • Administrator email: Your PBE admin email address used in the outbound PBE rules
  • Set Notifications to ‘None’

Add a rule into this Policy.

  • Name the rule, Decrypt S/MIME
  • Set it to ‘All Conditions are Met’
  • Add Condition and select ‘Email is Encrypted’ from the drop down.
  • Add another new rule using the button at the bottom; call this one Recipient Exclusion
  • Set it to ‘All Conditions are Met’
  • Add the condition ‘Recipient Groups’
  • Browse to the user group you created earlier and select it, or use the current default PBE user group you have configured for the outbound policies.
  • Set the logic to ‘is in none of the selected groups’.
  • Add another condition, selecting Attachment file name list
  • Click Create a new filename list
  • Name the list PGP Encrypted
  • Add the category of Encrypted from the dropdown
  • You will then need to add the following two filename entries:
  • *.pgp
  • PGPexch.htm.pgp
  • Once added, Save this new list.
  • Set the logic to ‘matches any of the filenames in the selected lists’.
  • Save the Policy using the bottom button

Now that you have created all three policies, make them active by clicking the Activate button to the right of each one in your policy list.

Once all three are showing green they will be fully live within an hour.
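To sanity-check how the three policies interact, the following is an added simulation (not part of this article or the Symantec.cloud product) that evaluates them first-match-wins over constructed sample messages. The administrator address, the dummy-group member and the stand-in for the portal's ‘Email is Encrypted’ condition (S/MIME enveloped data, PGP/MIME, or an attachment named in the PGP list) are assumptions, since the page does not define how the portal detects encryption.

```python
import fnmatch
from email import message_from_string
from email.utils import getaddresses

PBE_ADMIN = "pbe-admin@example.com"            # placeholder for your PBE admin address
PBE_DUMMY_GROUP = {"pbe-dummy@example.com"}    # placeholder member of the 'PBE Dummy group'
PGP_ENCRYPTED_LIST = ["*.pgp", "PGPexch.htm.pgp"]  # the 'PGP Encrypted' filename list

def failed_to_decrypt(msg):
    """'Headers Inbound - Fail to Decrypt' keyword list: the x-echoworx-action header."""
    return msg.get("x-echoworx-action", "").strip().lower() == "failed-to-decrypt"

def pgp_attachment(msg):
    """'Attachment file name list' condition: any part name matches an entry in the list."""
    return any(fnmatch.fnmatch(p.get_filename() or "", pat) for p in msg.walk() for pat in PGP_ENCRYPTED_LIST)

def email_is_encrypted(msg):
    """Assumed stand-in for 'Email is Encrypted': S/MIME enveloped data, PGP/MIME or a PGP-named part."""
    return (msg.get_content_type() in ("application/pkcs7-mime", "application/x-pkcs7-mime", "multipart/encrypted")
            or pgp_attachment(msg))

def recipient_not_in_pbe_group(msg):
    """'Recipient Groups' condition with the logic 'is in none of the selected groups'."""
    rcpts = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    return rcpts.isdisjoint(PBE_DUMMY_GROUP)

# Same order as the article; every policy has 'Stop evaluation of lower priority policies' set.
POLICIES = [
    ("PBE - Unable to decrypt inbound policy", "Log Only", [failed_to_decrypt]),
    ("PBE - S/MIME decryption inbound policy", "Redirect to Administrator " + PBE_ADMIN,
     [email_is_encrypted, recipient_not_in_pbe_group]),
    ("PBE - PGP attachment decryption policy", "Redirect to Administrator " + PBE_ADMIN,
     [email_is_encrypted, recipient_not_in_pbe_group, pgp_attachment]),
]

def evaluate(raw):
    """Return (policy name, action) of the first policy whose conditions all hold, else (None, 'Deliver')."""
    msg = message_from_string(raw)
    for name, action, conditions in POLICIES:
        if all(cond(msg) for cond in conditions):
            return name, action
    return None, "Deliver"

# Constructed sample messages (bodies are dummies, not real ciphertext).
SMIME = ("From: partner@example.net\nTo: alice@example.com\n"
         "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n\nMIAGCSqG\n")
FAILED = SMIME.replace("From:", "x-echoworx-action: failed-to-decrypt\nFrom:", 1)
TO_DUMMY = SMIME.replace("alice@example.com", "pbe-dummy@example.com")
PGP_ATTACH = ("From: partner@example.net\nTo: alice@example.com\n"
              "Content-Type: multipart/mixed; boundary=\"b1\"\n\n--b1\nContent-Type: text/plain\n\nSee attached.\n"
              "--b1\nContent-Disposition: attachment; filename=\"invoice.pgp\"\n\n-----BEGIN PGP MESSAGE-----\n--b1--\n")
```

With the detector assumed here, a .pgp attachment already satisfies the second policy, so the third is only reached if the portal's ‘Email is Encrypted’ condition does not fire for such a message; check that in your own policy logs after activation.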