Exchange Hosted Encryption - Quick Reference for Exchange Administrators

ATTENTION: OBSOLETE CONTENT. (FOR EDUCATION ONLY)

EXCHANGE HOSTED ENCRYPTION HAS BEEN PHASED OUT.

THE NEW SERVICE THAT HAS TAKEN ITS PLACE IS CALLED "OFFICE 365 MESSAGE ENCRYPTION".

PLEASE NOTE THAT BY THE END OF 30 SEPTEMBER 2014, 100% OF OUR EHE CUSTOMERS WILL BE ON THE NEW OFFICE 365 MESSAGE ENCRYPTION.

FOR THE NEW SETUP PROCESS, CLICK HERE.

 

___

During our engagements, we come across questions from our Partners and Clients on Exchange Hosted Encryption. I had compiled a blog detailing the steps to configure this service on Exchange Online, along with screenshots. You can find the same below.

My previous blog - Exchange Hosted Encryption - Steps for Configuration and Use

 

This article is a quick reference for Exchange Administrators.

Exchange Hosted Encryption

What does it do?

Exchange Hosted Encryption helps you to deliver confidential business communications safely, letting users send and receive encrypted email directly from their desktops as easily as regular email. Email can be encrypted without complex hardware and software to purchase, configure, or maintain, which helps to minimize capital investment, free up IT resources, and mitigate messaging risks.

You can configure your Microsoft Office 365 or Exchange Online Protection service to have outgoing email encrypted and to decrypt incoming encrypted mail. In order to do this, you have to be an existing subscriber for Exchange Hosted Encryption (EHE) and then set up a transport rule in the Exchange Administration Center that will engage your encryption service.

 

How to purchase this service?

To acquire this service, please call our licensing team on +1 800 426 9400; if you are a member of the Microsoft Partner Network, call +1 800 676 7658.

You can purchase Exchange Hosted Encryption through Microsoft partners. There are different options for purchasing, with the following licensing programs:

  • Enterprise Agreement
  • Enterprise Agreement Subscription
  • Select
  • Select Academic
  • Select U.S. Government
  • Open Value
  • Open Value Subscription
  • Campus (Higher Education)
  • School (K-12)
  • Service Provider License Agreement (SPLA)

Exchange Hosted Encryption is not available through the Microsoft Open License Program.

 

How to Configure EHE on Exchange Online?

For Reference - To enable encryption and decryption

<Excerpt>

Use the EAC to create a transport rule that uses EHE to encrypt outgoing messages

As an example for the procedure here, only the message being sent to one person (trish@fabrikam.com) will be encrypted. You don’t have to set up your rules this way. You can use any conditions available in the rules and not just one person.

To allow users to encrypt outgoing messages:

  1. In the EAC, navigate to Mail flow > Rules, and click New to create a new rule.
  2. In New rule, give a name to the rule. For example, Encrypt mail for trish@fabrikam.com.
  3. Select the condition you want from the list of available conditions listed in the *Apply this rule if… dropdown. Some of the conditions will require you to specify values. For example, if you want to encrypt messages going to trish@fabrikam.com, do the following: 
    1. In the *Apply this rule if… dropdown select The recipient is…
    2. In the check names box, type trish@fabrikam.com and then click check names and click ok.
  4. In New rule click More options.
  5. For the second condition, to apply encryption only if trish@fabrikam.com is outside the organization, do the following:
    1. Click add condition.
    2. In the drop down select The recipient is… and then select is external/internal.
    3. Select Outside the organization and click ok.
  6. Under Do the following… select Modify the message properties… > set a message header.
  7. For message header, click *Enter text… and type x-voltage-encrypt and click ok.
  8. For header value, click the second *Enter text… and type encrypt and click ok.
  9. Under Except if... select A message header… > includes any of these words…
    1. For header name, click *Enter text… and type X-Voltage-Encrypted and click ok.
    2. For the words the header should include, click the second *Enter text… and type Encrypted in the text box, click Add, and click ok.
  10. Click Save to finish creating the rule.

Use the EAC to create a transport rule that uses EHE to decrypt incoming messages

As an example for the procedure here, only the messages received by one person (anatoly@contoso.com) will be decrypted. You don’t have to set up your rules this way. You can use any conditions available in the rules and not just one person.

To allow users to decrypt incoming messages:

  1. In the EAC, navigate to Mail flow > Rules, and click New to create a new rule.
  2. In New rule, give a name to the rule. For example, Decrypted mail for anatoly@contoso.com.
  3. In *Apply this rule if… select the conditions that you want to apply before messages are decrypted.
  4. In New rule click More options.
  5. Add another condition by selecting A message header > includes any of these words.
    1. For header name, click *Enter text… and type X-Voltage-Encrypted and click ok.
    2. For the words the header should include, click the second *Enter text… and type Encrypted in the text box, click Add, and click ok.
  6. Under Do the following… select Modify the message properties… and select set a message header.
    1. For message header, click *Enter text… and type x-voltage-decrypt and click ok.
    2. For value, click the second *Enter text… and type decrypt and click ok.
  7. Under Except if... , click add exception then select A message header > includes any of these words…
  8. For header name, click *Enter text… and type X-Voltage-Decrypted and click ok.
  9. For the words the header should include, click the second *Enter text… and type Decrypted in the text box, click Add, and click ok.
  10. Click Save to finish creating the rule.

<End of Excerpt>
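
The two rules from the excerpt can also be created from Exchange Online PowerShell. The following is an added example, not part of the original post or of the quoted excerpt; it assumes an already connected Exchange Online PowerShell session, reuses the excerpt's sample addresses and rule names, and assumes that "sent to anatoly@contoso.com" is the condition chosen for the decrypt rule (the excerpt leaves that condition open).

```powershell
# Added example: transport rules equivalent to the two EAC procedures above.
# Assumes a connected Exchange Online PowerShell session.

# Outgoing: ask EHE to encrypt mail to one external recipient, unless the
# message already carries the X-Voltage-Encrypted marker.
$encryptRule = @{
    Name                                = 'Encrypt mail for trish@fabrikam.com'
    SentTo                              = 'trish@fabrikam.com'
    SentToScope                         = 'NotInOrganization'
    SetHeaderName                       = 'x-voltage-encrypt'
    SetHeaderValue                      = 'encrypt'
    ExceptIfHeaderContainsMessageHeader = 'X-Voltage-Encrypted'
    ExceptIfHeaderContainsWords         = 'Encrypted'
}

# Incoming: ask EHE to decrypt mail that is marked as encrypted, unless it
# already carries the X-Voltage-Decrypted marker.
# SentTo is an assumed condition; the excerpt lets you pick any condition.
$decryptRule = @{
    Name                                = 'Decrypted mail for anatoly@contoso.com'
    SentTo                              = 'anatoly@contoso.com'
    HeaderContainsMessageHeader         = 'X-Voltage-Encrypted'
    HeaderContainsWords                 = 'Encrypted'
    SetHeaderName                       = 'x-voltage-decrypt'
    SetHeaderValue                      = 'decrypt'
    ExceptIfHeaderContainsMessageHeader = 'X-Voltage-Decrypted'
    ExceptIfHeaderContainsWords         = 'Decrypted'
}

$existing = Get-TransportRule
foreach ($rule in $encryptRule, $decryptRule) {
    # Skip rules that already exist so the script can be re-run safely.
    if ($existing | Where-Object { $_.Name -eq $rule.Name }) {
        Write-Warning "Rule '$($rule.Name)' already exists; skipping."
        continue
    }
    New-TransportRule @rule
}

# Review what was created: state, priority, and the header logic of each rule.
Get-TransportRule |
    Where-Object { $_.SetHeaderName -like 'x-voltage-*' } |
    Format-List Name, State, Priority, SetHeaderName, SetHeaderValue,
                ExceptIfHeaderContainsMessageHeader, ExceptIfHeaderContainsWords
```

The exception on each rule is what keeps a message from being tagged a second time: a message that already carries the corresponding X-Voltage-Encrypted or X-Voltage-Decrypted marker no longer matches the rule.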

 

A series of easy steps to configure and use EHE. The screenshots are from my lab.

1. Go to the Exchange Admin Center.

2. Go to Mail flow > Rules > Create a new rule. In this screenshot, I already have a few rules created.

3. Complete the necessary configuration as mentioned earlier in this article. Note that the settings in this screenshot will trigger encryption when a message is going out of the organization.

4. Save and close.

5. Now that the rules are ready, let us send a mail. Note that the mail is going to someone (me) who is outside the organization, so it will trigger encryption based on the transport rule that we created.

6. When the recipient receives the email, it looks like this. Note that there is an attachment to the email.

7. Click on the attachment.

8. Double-click on the attachment to open it in the browser.

9. On the first encounter with an encrypted message from EHE, the recipient will be asked to create a credential.

10. A verification email is sent to the recipient's email address.

11. The verification process has to be followed.

12. Go back to the encrypted email and double-click on the attachment, then enter your credentials.

13. View the message. Note that once a secure email is sent, all subsequent emails that are part of the same conversation thread are encrypted, provided that the responses are sent by the recipient from the web-based EHE client. As in the screenshot below, the reply to this encrypted email can be sent from this browser-based application, and the reply is secure.

And for this, the recipient does not require an EHE subscription.

The EHE service also lets the recipient include attachments as part of the encrypted response.

Above is a basic description of the way to configure EHE. For a detailed post, please refer to my blog - Exchange Hosted Encryption - Steps for Configuration and Use

Comments

  • Anonymous
    January 01, 2003
    thanks
  • Anonymous
    July 15, 2014
    Do you have an updated version of this for the new office 365 encryption?