Exchanging S/MIME encrypted email with users managed by Encryption Management Server using CipherMail for Android

Article ID: 171286

Products

  • Encryption Management Server
  • Gateway Email Encryption

Issue/Introduction

The Mail app on Apple iOS devices has built-in S/MIME capabilities and can therefore be used to exchange S/MIME encrypted mail with users managed by Encryption Management Server.

However, email apps with S/MIME support on Android are far rarer. This makes it difficult for Android users to exchange S/MIME encrypted messages with users managed by Encryption Management Server.

Environment

  • Encryption Management Server 3.3 and above with an Organization Certificate installed.
  • The Keyserver service enabled and accessible by remote hosts over the Internet using the LDAP protocol.

Resolution

The CipherMail Email Encryption app for Android works in conjunction with Android email apps such as the Gmail app and allows users to send S/MIME encrypted messages and decrypt S/MIME encrypted attachments. It cannot be used to receive email and it does not replace or modify the email app with which you are familiar.

Before you can use CipherMail you will need to have already done the following:

  1. Imported all the certificates in the certificate chain of your S/MIME certificate into CipherMail.
  2. Imported your private S/MIME certificate into CipherMail.
  3. Configured SMTP settings for sending mail using CipherMail.
  4. Configured a password for the CipherMail Key store.

Downloading the Encryption Management Server Organization Certificate

CipherMail will need to trust the Organization Certificate from the Encryption Management Server. First, the Organization Certificate needs to be downloaded to the Android device. There are several ways to do this:

  1. Request that the organization with which you are exchanging encrypted email publishes their Organization Certificate on a web site so that you can download it using a web browser.
  2. Log in to the Encryption Management Server Web Email Protection portal and upload your public certificate. After uploading your public certificate, Encryption Management Server will prompt you to download the Organization Certificate. If you log in to the Web Email Protection portal from your Android device, you can download the Organization Certificate to the device.
  3. Ask for the Organization Certificate to be attached to an unencrypted email message and sent to you. Ensure that the sender saves the Organization Certificate with a *.pem file extension, because *.pem files are less likely to be blocked as potentially dangerous attachments. Save the attachment to the Android device.

Importing the Organization Certificate as a Root Certificate

Whichever method you use to obtain the Organization Certificate, it will be stored in the Downloads folder on the Android device. To import it into CipherMail:

  1. Open CipherMail.
  2. Tap on Root certificates.
  3. Tap on the menu.
  4. Tap on Import certificates.
  5. Tap on the Browse button to browse for a certificate. The Download folder should be shown by default.
  6. Tap on the Organization Certificate to select it.
  7. Tap on the Import Certificates button.
  8. Tap on the back button and you will see the Organization Certificate is one of the CipherMail Root certificates.

Adding Encryption Management Server as an LDAP Keyserver

CipherMail can be configured to retrieve the S/MIME certificates of internal users over LDAP from a remote Encryption Management Server running the Keyserver service. To configure the LDAP connection in CipherMail, do the following:

  1. Open CipherMail.
  2. Tap on Settings.
  3. Tap on LDAP servers.
  4. Tap on the menu and choose Add LDAP server.
  5. In the Name field, enter a suitable name of your choice.
  6. Ensure the Enabled option is active.
  7. In the Host field, enter the FQDN of the Encryption Management Server Keyserver service. For example, keys.example.com.
  8. Leave the Port at its default setting of 389.
  9. In the Base DN field, enter: o=users
  10. Use the default settings for all other fields.
  11. Tap on the Add button.

Finding and Importing User Certificates from the Encryption Management Server Keyserver

To find and import the S/MIME certificate of a user managed by Encryption Management Server, do the following:

  1. Open CipherMail.
  2. Tap on Search certificates.
  3. For the most accurate results, tap on the Email field and enter the user's full email address. For example, user@example.com.
  4. Tap on the Search button.
  5. CipherMail will search all active LDAP servers.
  6. If a match is found, S/MIME certificates will be downloaded from the LDAP Server(s) and the number of matches will appear to the right of each LDAP Server name.
  7. Tap on the LDAP Server name to open the Certificates downloaded screen and view the names of the certificates.
  8. For SKM (Server Key Mode) users in Encryption Management Server there will be two certificates for each user. One is the signing certificate; it cannot be used to send encrypted mail to the user. The other is the encryption certificate. Tap on each certificate name to view the Certificate details: the encryption certificate will have a Key usage attribute that includes dataEncipherment. Tap on the back button to return to the Certificate details page.
  9. Press and hold on the certificate name to reveal a menu with the option Add to certificate store. Tap on this option to add the certificate.
  10. You can view all certificates stored by CipherMail by tapping on Certificates & Keys.
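The two procedures above (the LDAP keyserver settings, and telling the SKM signing certificate apart from the encryption certificate by its Key usage) can be checked outside the app when you want to verify what the Keyserver is actually publishing. The following stdlib-only Python is an added example, not CipherMail's or Encryption Management Server's code. It builds the LDAP search filter for a user's address with the escaping LDAP requires, and it decodes the X.509 KeyUsage extension from DER to select the certificate that carries dataEncipherment, which is the rule the article gives in step 8. The DER extension values and certificate names in SAMPLE_CERTS are constructed for the example; the LDAP retrieval itself (host keys.example.com, port 389, base DN o=users, as configured above) is described in a comment rather than performed, so the block runs offline.

```python
"""Helpers for verifying Encryption Management Server Keyserver results (added example)."""
from typing import Dict, List, Optional, Tuple

# Keyserver parameters from the article: LDAP on port 389, base DN o=users.
# A tool such as ldapsearch would be run as:
#   ldapsearch -x -H ldap://keys.example.com:389 -b o=users "<filter>" userCertificate
# where <filter> comes from ldap_filter_for_email() below (hostname is the article's example).

# RFC 5280 KeyUsage bit positions; bit 0 is the most significant bit of the first byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
KEY_USAGE_OID = "2.5.29.15"


def ldap_filter_for_email(email: str) -> str:
    """Build an RFC 4515 filter on the mail attribute, escaping filter metacharacters."""
    escaped = (email.replace("\\", "\\5c").replace("*", "\\2a")
               .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))
    return f"(mail={escaped})"


def _read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value triple; return (tag, value, offset after it)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def _decode_oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER payload into dotted notation."""
    arcs = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def key_usage_from_bitstring(bitstring: bytes) -> List[str]:
    """Decode a BIT STRING payload (first byte = count of unused trailing bits)."""
    unused, bits = bitstring[0], bitstring[1:]
    total_bits = len(bits) * 8 - unused
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < total_bits and bits[i // 8] & (0x80 >> (i % 8))]


def key_usage_from_extension(ext_der: bytes) -> Optional[List[str]]:
    """Parse one DER Extension SEQUENCE; return usage names if it is KeyUsage, else None."""
    tag, body, _ = _read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("extension is not a SEQUENCE")
    tag, oid, off = _read_tlv(body, 0)
    if tag != 0x06 or _decode_oid(oid) != KEY_USAGE_OID:
        return None
    tag, val, off = _read_tlv(body, off)
    if tag == 0x01:                        # optional BOOLEAN 'critical' precedes extnValue
        tag, val, off = _read_tlv(body, off)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING extnValue")
    tag, bitstring, _ = _read_tlv(val, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage is not a BIT STRING")
    return key_usage_from_bitstring(bitstring)


def pick_encryption_certificate(certs: Dict[str, bytes]) -> Optional[str]:
    """Return the name of the certificate whose KeyUsage includes dataEncipherment."""
    for name, ext in certs.items():
        if "dataEncipherment" in (key_usage_from_extension(ext) or []):
            return name
    return None


# Constructed KeyUsage extensions (hypothetical SKM user "alice"):
# signing cert: critical, digitalSignature + nonRepudiation (bits 0,1 -> 0xC0, 6 unused bits)
SIGNING_KEY_USAGE_EXT = bytes.fromhex("300e0603551d0f0101ff040403020 6c0".replace(" ", ""))
# encryption cert: keyEncipherment + dataEncipherment (bits 2,3 -> 0x30, 4 unused bits)
ENCRYPTION_KEY_USAGE_EXT = bytes.fromhex("300b0603551d0f0404030204 30".replace(" ", ""))
SAMPLE_CERTS = {"alice-signing": SIGNING_KEY_USAGE_EXT,
                "alice-encryption": ENCRYPTION_KEY_USAGE_EXT}

if __name__ == "__main__":
    print(ldap_filter_for_email("user@example.com"))
    for name, ext in SAMPLE_CERTS.items():
        print(name, key_usage_from_extension(ext))
    print("use for encryption:", pick_encryption_certificate(SAMPLE_CERTS))
```

The selection rule mirrors the article: only the certificate marked dataEncipherment is added to the certificate store. If a keyserver you check marks its encryption certificates with keyEncipherment only (the usual bit for RSA key transport in S/MIME), extend the test in pick_encryption_certificate accordingly rather than importing the signing certificate.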

Sending an Encrypted Message

To send an encrypted message do the following:

  1. Open CipherMail.
  2. Tap on Compose message.
  3. Ensure the Encrypt option is enabled and, optionally, the Sign option.
  4. Enter the recipient's email address in full.
  5. When you have composed your message, tap on the send icon. You will be prompted for the password for the key store.
  6. The message will be encrypted and sent.

Decrypting an Encrypted Message

To decrypt a message do the following:

  1. Open the message in your email app. There will be an attachment called Message.p7m. This is the encrypted message body including any attachments.
  2. Double tap on the attachment.
  3. CipherMail will decrypt the attachment after you have entered the key store password and you can then view it. Note that any HTML formatting is lost; only plain text is displayed.