
Enable Encryption and Decryption

Exchange 2013
 

Applies to: Exchange Online Protection, Exchange Online

Topic Last Modified: 2013-06-05

You can configure your Microsoft Office 365 or Exchange Online Protection service to have outgoing email encrypted and to decrypt incoming encrypted mail. In order to do this, you have to be an existing subscriber for Exchange Hosted Encryption (EHE) and then set up a transport rule in the Exchange Administration Center that will engage your encryption service.

Caution:
If you add the transport rule described here without an EHE subscription, your messages can be delivered, but they will not be encrypted or decrypted.

For additional management tasks related to Transport Rules, see Transport Rules.

  • Estimated time to complete: 15 minutes
  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Transport Rules" entry in the Messaging Policy and Compliance Permissions topic.
  • You must establish an Office 365 or Exchange Online Protection tenant with a custom domain.
    • If you send an encrypted message using a name@contoso.onmicrosoft.com address, you will not be able to receive an encrypted reply. In order to receive encrypted replies, you must send your message using your custom domain, such as user@contoso.com. For more information about managing your custom domains in Office 365, go to your Office 365 Admin center at Admin > Office 365 > Setup for step-by-step instructions.
  • You must already have an existing, active EHE subscription and connect it with your Office 365 or Exchange Online Protection tenant.
    • EHE can only be purchased through a volume licensing agreement.
    • EHE must be activated and connected to your account by following the instructions of your volume licensing program. During activation, be sure to review and respond to the email messages you receive about the service. For more information about volume licensing, contact your Microsoft account manager or preferred reseller.
  • The shell cmdlets described here are only available for user subscription mailboxes that are part of an Exchange Online service subscription plan and not Exchange Online Protection subscribers in a standalone scenario.
  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard Shortcuts in the Exchange Admin Center.
Tip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

As an example for the procedure here, only the message being sent to one person (trish@fabrikam.com) will be encrypted. You don’t have to set up your rules this way. You can use any conditions available in the rules and not just one person.

To allow users to encrypt outgoing messages:

  1. In the EAC, navigate to Mail flow > Rules, and click New to create a new rule.
  2. In New rule, give a name to the rule. For example, Encrypt mail for trish@fabrikam.com.
  3. Select the condition you want from the *Apply this rule if… dropdown. Some of the conditions will require you to specify values. For example, if you want to encrypt messages going to trish@fabrikam.com, do the following:
    1. In the *Apply this rule if… dropdown select The recipient is…
    2. In the check names box, type trish@fabrikam.com and then click check names and click ok.
  4. In New rule click More options.
  5. For the second condition, you want to apply encryption only if trish@fabrikam.com is outside the organization. To add it, do the following:
    1. Click add condition.
    2. In the drop-down select The recipient is… and then select is external/internal.
    3. Select Outside the organization and click ok.
  6. Under Do the following… select Modify the message properties… > set a message header.
  7. For message header, click *Enter text… and type x-voltage-encrypt and click ok.
  8. For header value, click the second *Enter text… and type encrypt and click ok.
  9. Under Except if... select A message header… > includes any of these words…
    1. For header name, click *Enter text… and type X-Voltage-Encrypted and click ok.
    2. For the words the header should include, click the second *Enter text… and type Encrypted in the text box, click Add, and click ok.
  10. Click Save to finish creating the rule.

This example creates a new transport rule that encrypts messages sent only to one person and only if your company subscribes to Exchange Hosted Encryption.

New-TransportRule -Name "Encrypted mail for trish@contoso.com" -SentTo "trish@fabrikam.com" -SentToScope "NotInOrganization" -SetHeaderName "x-voltage-encrypt" -SetHeaderValue "Encrypt" -ExceptIfHeaderContainsMessageHeader "X-Voltage-Encrypted" -ExceptIfHeaderContainsWords "Encrypted"

The rule parameters and action used in the above PowerShell procedure are for illustration only. Review all the available transport rule conditions and actions to determine which ones meet your requirements.

To verify that you have successfully created a rule to encrypt outgoing messages, do the following:

  1. Log in to a mailbox for your organization and send a message to the recipient noted in your encryption transport rule.
  2. Log in to the mailbox of the message recipient and open the message.
  3. The recipient should be required to follow decryption instructions in order to read the message. If the message can be read immediately in the recipient’s inbox, it is not encrypted.

As an example for the procedure here, only the messages received by one person (anatoly@contoso.com) will be decrypted. You don’t have to set up your rules this way. You can use any conditions available in the rules and not just one person.

To allow users to decrypt incoming messages:

  1. In the EAC, navigate to Mail flow > Rules, and click New to create a new rule.
  2. In New rule, give a name to the rule. For example, Decrypted mail for anatoly@contoso.com.
  3. In *Apply this rule if… select the conditions that you want to apply before messages are decrypted.
  4. In New rule click More options.
  5. Add another condition by selecting A message header > includes any of these words.
    1. For header name, click *Enter text… and type X-Voltage-Encrypted and click ok.
    2. For the words the header should include, click the second *Enter text… and type Encrypted in the text box, click Add, and click ok.
  6. Under Do the following… select Modify the message properties… and select set a message header.
    1. For message header, click *Enter text… and type x-voltage-decrypt and click ok.
    2. For value, click the second *Enter text… and type decrypt and click ok.
  7. Under Except if..., click add exception then select A message header > includes any of these words…
  8. For header name, click *Enter text… and type X-Voltage-Decrypted and click ok.
  9. For the words the header should include, click the second *Enter text… and type Decrypted in the text box, click Add, and click ok.
  10. Click Save to finish creating the rule.

This example creates a new transport rule that decrypts messages received by only one person and only if your company subscribes to Exchange Hosted Encryption.

New-TransportRule -Name "Decrypted mail for anatoly@contoso.com" -SentTo "anatoly@contoso.com" -HeaderContainsMessageHeader "X-Voltage-Encrypted" -HeaderContainsWords "Encrypted" -SetHeaderName "x-voltage-decrypt" -SetHeaderValue "decrypt" -ExceptIfHeaderContainsMessageHeader "X-Voltage-Decrypted" -ExceptIfHeaderContainsWords "Decrypted"

The rule parameters and action used in the above PowerShell procedure are for illustration only. Review all the available transport rule conditions and actions to determine which ones meet your requirements.

To verify that you have successfully created a rule to decrypt incoming messages, do the following:

  1. Send an encrypted message to a user in your organization for whom you have configured a decrypt rule.
  2. Log in to the mailbox of the message recipient and open the message.
  3. The recipient should be able to read the message immediately in the inbox. If they cannot, then the message was not decrypted.
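The following script is an added example, not part of this topic or of Microsoft's own tooling. It creates both transport rules described above (the encrypt rule for outgoing mail and the decrypt rule for incoming mail) in one Exchange Online PowerShell session, then reads each rule back to confirm that the action header, the loop-prevention exception and the Enabled state are what the procedures call for, and finally uses a message trace to check that a test message actually matched the rule instead of relying only on opening the recipient's inbox. It assumes an already established remote PowerShell session to Exchange Online, an active EHE subscription, the Get-TransportRule property names matching the New-TransportRule parameter names, and (an assumption) that the Detail text of a message trace event mentions the rule name. The recipient addresses are the constructed values used in this topic.

```powershell
# Added example: create and verify the EHE transport rules from this topic.
# Assumes an existing Exchange Online PowerShell session and an active EHE
# subscription; addresses below are the constructed ones used in the topic.

$encryptRecipient = 'trish@fabrikam.com'   # external recipient (encrypt rule)
$decryptRecipient = 'anatoly@contoso.com'  # internal recipient (decrypt rule)

# Rule 1: tag outbound mail to the external recipient for encryption.
# The ExceptIf clause keeps mail that is already encrypted (marked by the
# X-Voltage-Encrypted header) from being tagged a second time.
New-TransportRule `
    -Name "Encrypt mail for $encryptRecipient" `
    -SentTo $encryptRecipient `
    -SentToScope NotInOrganization `
    -SetHeaderName 'x-voltage-encrypt' `
    -SetHeaderValue 'encrypt' `
    -ExceptIfHeaderContainsMessageHeader 'X-Voltage-Encrypted' `
    -ExceptIfHeaderContainsWords 'Encrypted' | Out-Null

# Rule 2: tag inbound encrypted mail for the internal recipient for
# decryption, skipping anything the service has already decrypted.
New-TransportRule `
    -Name "Decrypt mail for $decryptRecipient" `
    -SentTo $decryptRecipient `
    -HeaderContainsMessageHeader 'X-Voltage-Encrypted' `
    -HeaderContainsWords 'Encrypted' `
    -SetHeaderName 'x-voltage-decrypt' `
    -SetHeaderValue 'decrypt' `
    -ExceptIfHeaderContainsMessageHeader 'X-Voltage-Decrypted' `
    -ExceptIfHeaderContainsWords 'Decrypted' | Out-Null

# Read a rule back and report anything that would make the procedure
# silently do nothing: a disabled rule, the wrong action header, or a
# missing loop-prevention exception.
function Test-EheRule {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ExpectedActionHeader,
        [Parameter(Mandatory)] [string] $ExpectedExceptionHeader
    )
    $rule = Get-TransportRule -Identity $Name
    $problems = @()
    if ($rule.State -ne 'Enabled') {
        $problems += "state is '$($rule.State)', expected 'Enabled'"
    }
    if ($rule.SetHeaderName -ne $ExpectedActionHeader) {
        $problems += "action sets '$($rule.SetHeaderName)', expected '$ExpectedActionHeader'"
    }
    if ($rule.ExceptIfHeaderContainsMessageHeader -ne $ExpectedExceptionHeader) {
        $problems += "no loop-prevention exception on '$ExpectedExceptionHeader'"
    }
    [pscustomobject]@{
        Name     = $Name
        Ok       = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

Test-EheRule -Name "Encrypt mail for $encryptRecipient" `
    -ExpectedActionHeader 'x-voltage-encrypt' `
    -ExpectedExceptionHeader 'X-Voltage-Encrypted'
Test-EheRule -Name "Decrypt mail for $decryptRecipient" `
    -ExpectedActionHeader 'x-voltage-decrypt' `
    -ExpectedExceptionHeader 'X-Voltage-Decrypted'

# After sending the test message from the verification steps, confirm from
# the message trace that the rule fired. Assumption: the Detail text of a
# transport-rule trace event contains the rule name.
function Test-EheRuleFired {
    param(
        [Parameter(Mandatory)] [string] $Sender,
        [Parameter(Mandatory)] [string] $Recipient,
        [Parameter(Mandatory)] [string] $RuleName,
        [int] $LookbackHours = 2
    )
    $start = (Get-Date).AddHours(-$LookbackHours)
    $traces = Get-MessageTrace -SenderAddress $Sender -RecipientAddress $Recipient `
        -StartDate $start -EndDate (Get-Date)
    foreach ($t in $traces) {
        $hit = Get-MessageTraceDetail -MessageTraceId $t.MessageTraceId `
            -RecipientAddress $Recipient |
            Where-Object { $_.Detail -like "*$RuleName*" }
        if ($hit) { return $true }
    }
    return $false
}
```

Run the two Test-EheRule calls immediately after creating the rules; a result with Ok set to $false and a populated Problems column is the configuration-level counterpart of the "message can be read immediately, so it was not encrypted" check in the verification steps. Test-EheRuleFired is for the end-to-end check: call it with the test sender, the rule's recipient and the rule name once the test message has been delivered, and widen the lookback window if the trace has not caught up yet.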
 
© 2014 Microsoft