Step 1
| In the Email Encryption Profiles section, click Add Encryption Profile.
|
Step 2
| Enter a name for the Encryption Profile.
|
Step 3
| Click the Used By (Roles) link, select the custom user role you want to have access to the encryption profile, and click OK.
Delegated administrators assigned to this custom role can use the encryption profile for any DLP policies and content filters for which they are responsible.
|
Step 4
| In the Key Server Settings section, select from the following key servers:
|
Step 5
| If you select the Cisco Encryption appliance (local key service), enter the following settings:
- Internal URL. This URL is used by the Cisco Email Security appliance to contact the in-network Cisco Encryption appliance.
- External URL. This URL is used when the recipient’s message accesses keys and other services on the Cisco Encryption appliance. The recipient uses this URL to make inbound HTTP or HTTPS requests.
|
Step 6
| If you select the Cisco Registered Envelope Service, enter the URL for the hosted key service. The key service URL is https://res.cisco.com.
|
Step 7
| Click Advanced under Key Server Settings to specify whether to use HTTP or HTTPS for transferring the envelope’s encrypted payload when the recipient opens the envelope. Choose one of the following:
- Use the Key Service with HTTP. Transfers the encrypted payload from the key service using HTTP when the recipient opens the envelope. If you are using Cisco Registered Envelope Service, this is the URL you specified in Step 6. If you are using the Cisco Encryption appliance, this is the external URL you specified in Step 5.
  Since the payload is already encrypted, transporting it over HTTP is safe and faster than sending over HTTPS. This provides better performance than sending image requests over HTTPS.
- Use the Key Service with HTTPS. Transfers the encrypted payload from the key service using HTTPS when the recipient opens the envelope. If you are using Cisco Registered Envelope Service, this is the URL you specified in Step 6. If you are using the Cisco Encryption appliance, this is the external URL you specified in Step 5.
- Specify a separate URL for payload transport. If you don’t want to use the key server for your encrypted payload, you can use another URL and specify whether to use HTTP or HTTPS for the payload transfer.
|
Step 8
| In the Envelope Settings section, select the level of message security:
- High Security. The recipient must always enter a passphrase to open encrypted messages.
- Medium Security. The recipient does not need to enter credentials to open the encrypted message if the recipient credentials are cached.
- No Passphrase Required. This is the lowest level of encrypted message security. The recipient does not need to enter a passphrase to open the encrypted message. You can still enable the read receipts, Secure Reply All, and Secure Message Forwarding features for envelopes that are not passphrase-protected.
|
Step 9
| To enable users to open your organization’s URL by clicking its logo, you can add a link to the logo. Choose from the following options:
|
Step 10
| (Optional) Enable read receipts. If you enable this option, the sender receives a receipt when recipients open the secure envelope.
|
Step 11
| (Optional) Click Advanced under Envelope Settings to configure the following settings:
- Enter the length of time (in seconds) that a message can be in the encryption queue before timing out. Once a message times out, the appliance bounces the message and sends a notification to the sender.
- Select an encryption algorithm:
  - ARC4. ARC4 is the most common choice, providing strong encryption with minimal decryption delays for message recipients.
  - AES. AES provides stronger encryption but also takes longer to decrypt, introducing delays for recipients. AES is typically used in government and banking applications.
- Enable or disable the decryption applet. Enabling this option causes the message attachment to be opened in the browser environment. Disabling this option causes message attachments to be decrypted at the key server. If you disable this option, messages may take longer to open, but are not dependent on the browser environment.
|
Step 12
| In the Message Settings section, do the following:
- To enable the secure reply all feature, check the Enable Secure Reply All check box.
- To enable the secure message forwarding feature, check the Enable Secure Message Forwarding check box.
|
Step 13
| (Optional) If you have selected Cisco Registered Envelope Service and this service supports localization of envelopes, enable localization of envelopes. In the Notification Settings section, check the Use Localized Envelope check box.
Note: If you enable localization of envelopes, you cannot select encrypted message HTML or text notification.
If you want to set the default locale of the envelope, see Configuring the Default Locale of the Envelope.
|
Step 14
| Select the HTML and text notification templates.
Note: The key server uses an HTML or text notification based on the recipient’s email application. You must configure notifications for both.
Do the following:
- Select an HTML notification template. Choose from HTML notifications you configured in text resources. If you did not configure a template, the system uses the default template.
- Select a text notification template. Choose from text notifications you configured in text resources. If you did not configure a template, the system uses the default template.
Note: These options are unavailable if you use localized envelopes.
|
Step 15
| Enter a subject header for encryption failure notifications. The appliance sends a notification if the encryption process times out.
|
Step 16
| Select an encryption failure notification template for the message body. Choose from an encryption failure notification template you configured in text resources. If you did not configure a template, the system uses the default template.
|
Step 17
| Submit and commit your changes.
|
Step 18
| If you use Cisco Registered Envelope Service, you must take the additional step of provisioning your appliance. Provisioning the appliance registers the encryption profile with the hosted key service. To provision the appliance, click the Provision button for the encryption profile you want to register.
|
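As a review aid for the choices made in Steps 4 through 18, the following added example (not Cisco code and not part of the original procedure) checks a profile, written down as a Python dict, for the lower-assurance options and the conflicts the steps describe. The dict keys, the sample hostnames and the severity labels are hypothetical; the appliance does not export profiles in this form.

```python
from urllib.parse import urlsplit

def scheme(url):
    return urlsplit(url or "").scheme.lower()

def audit_profile(p):
    """Return (step, severity, message) findings for one profile dict.
    The dict keys are hypothetical, not an appliance export format."""
    out = []
    def add(step, sev, msg):
        out.append((step, sev, msg))
    server = p.get("key_server")
    if server == "local":                       # Step 5
        for field in ("internal_url", "external_url"):
            if scheme(p.get(field)) not in ("http", "https"):
                add(5, "error", f"{field} is missing or not an HTTP(S) URL")
        if scheme(p.get("external_url")) == "http":
            add(5, "warn", "recipients reach the key service over HTTP")
    elif server == "cres":                      # Steps 6 and 18
        if not p.get("provisioned"):
            add(18, "error", "profile not provisioned with the hosted key service")
    else:
        add(4, "error", "no key server selected")
    transport = p.get("payload_transport")      # Step 7
    payload_scheme = scheme(p.get("payload_url"))
    if transport == "separate_url" and payload_scheme not in ("http", "https"):
        add(7, "error", "separate payload URL is missing or not HTTP(S)")
    elif transport == "key_service_http" or (
            transport == "separate_url" and payload_scheme == "http"):
        add(7, "warn", "payload sent over HTTP; only envelope encryption protects it")
    level = p.get("security_level")             # Step 8
    if level == "none":
        add(8, "warn", "No Passphrase Required is the lowest security level")
    elif level not in ("high", "medium"):
        add(8, "error", "unknown security level")
    if p.get("algorithm") == "ARC4":            # Step 11
        add(11, "warn", "ARC4 selected; AES is the stronger option offered")
    timeout = p.get("queue_timeout_s")
    if not isinstance(timeout, int) or timeout <= 0:
        add(11, "error", "queue timeout must be a positive number of seconds")
    if p.get("localized_envelope") and (p.get("html_template") or p.get("text_template")):
        add(13, "error", "localized envelopes exclude HTML/text notification templates")
    return out

# Constructed sample profiles (not taken from a real appliance).
WEAK = {"key_server": "local", "internal_url": "https://keys.corp.example",
        "external_url": "http://envelopes.example.com",
        "payload_transport": "key_service_http", "security_level": "none",
        "algorithm": "ARC4", "queue_timeout_s": 14400}
HARDENED = dict(WEAK, external_url="https://envelopes.example.com",
                payload_transport="key_service_https",
                security_level="high", algorithm="AES")
```

Calling `audit_profile(WEAK)` returns one warning each for Steps 5, 7, 8 and 11, while `audit_profile(HARDENED)` returns an empty list.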