Sophos Central Email Encryption - Experience Report

To keep you up to date on Sophos Central, I recently signed up for the EAP (Early Access Program) for Email Encryption and took a closer look at the new functions and, of course, tested them.

In this article, I share my experiences so far and want to show you what you can expect from this new feature.

Prerequisites

To participate in the EAP for Email Encryption and to use this feature even after this test phase, a Sophos Central Email Gateway Advanced license is required.

Setting up Email Encryption

Anyone who has signed up for the EAP for Email Encryption will find the Encryption Settings item in the Central Email Gateway settings. Once this function is activated, you can define a few rules for message encryption.

Email Gateway Encryption Settings
  • Entire message or only attachments: By default, the complete message is encrypted as a PDF. However, it is also possible to only encrypt attachments and send the message as plain text.
  • Send messages with a subject line tag: With this option, you define an arbitrary string that must appear at the beginning of a subject for the message to be encrypted automatically. For example, if your subject line tag is “Secure:”, any email whose subject begins with this tag will be encrypted. Matching is not case-sensitive.
  • Addresses and domains: To avoid working with the subject line tag every time you want to encrypt an email, there is a more convenient option. You can create a list of addresses and domains to which only encrypted messages will be sent.
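To make the three rules above concrete, here is an added model of the decision logic as the settings page describes it (my own illustration, not Sophos code): the tag is matched case-insensitively at the start of the subject, and the address/domain list is checked per recipient. The per-recipient check and the handling of leading whitespace are my assumptions.

```python
"""Model of the Sophos Central Email Encryption rules described above (added illustration,
not Sophos code). Useful for sanity-checking a rule set before sending test mail."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class EncryptionSettings:
    encrypt_whole_message: bool = True          # False -> only attachments are encrypted
    subject_tag: Optional[str] = None           # e.g. "Secure:"
    always_encrypt: Set[str] = field(default_factory=set)  # addresses and domains


def _normalise_recipient(addr: str) -> Tuple[str, str]:
    """Return (full address, domain) in lower case; assumes a plain user@domain form."""
    addr = addr.strip().lower()
    return addr, addr.rsplit("@", 1)[-1]


def subject_has_tag(subject: str, tag: Optional[str]) -> bool:
    """Tag must be at the beginning of the subject, compared case-insensitively.
    Per the stated rule a reply subject such as "Re: Secure: ..." does NOT match,
    which is exactly how a message can accidentally go out unencrypted.
    Ignoring leading whitespace is an assumption."""
    if not tag:
        return False
    return subject.lstrip().lower().startswith(tag.lower())


def recipients_on_list(recipients: Iterable[str], settings: EncryptionSettings) -> List[str]:
    """Recipients whose full address or whose domain is on the always-encrypt list."""
    wanted = {e.strip().lower() for e in settings.always_encrypt}
    hits = []
    for r in recipients:
        full, domain = _normalise_recipient(r)
        if full in wanted or domain in wanted:
            hits.append(full)
    return hits


def encryption_decision(subject: str, recipients: Iterable[str],
                        settings: EncryptionSettings) -> Dict[str, object]:
    """Return whether the message is encrypted, why, and what is encrypted."""
    reasons: List[str] = []
    if subject_has_tag(subject, settings.subject_tag):
        reasons.append("subject tag")
    listed = recipients_on_list(recipients, settings)
    if listed:
        reasons.append("recipient list: " + ", ".join(listed))
    encrypt = bool(reasons)
    scope = None
    if encrypt:
        scope = "whole message" if settings.encrypt_whole_message else "attachments only"
    return {"encrypt": encrypt, "scope": scope, "reasons": reasons}
```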

Email Encryption in Practice

For encryption to work at all, you must not forget to have Sophos Email scan the incoming and outgoing traffic in the domain configuration. If outgoing emails are not routed via Sophos Email, no encryption can take place.

As an outbound gateway, I used Microsoft Office 365 in my tests.

Email Encryption Domain Settings

Sending emails

If everything has been configured correctly, sending encrypted emails is really child’s play! This solution from Sophos does not require a special email client or any additional software that would first have to be installed. Nothing actually changes in the way you have sent emails so far. Only with the subject line tag approach do you have to remember to name the subject accordingly so that the message is not accidentally sent unencrypted. Even on mobile operating systems, such as iOS or Android, this worked wonderfully in my tests.

For all Office 365 users among you, Sophos also offers an Outlook plugin. This gives you a button in the menu bar to encrypt the message with one click before sending. By the way, it worked in my tests both in the latest Outlook on Windows and Mac, as well as in the browser version.

Email Encryption Office 365 Outlook Plugin

To largely avoid relying on the subject line tag and further increase convenience, you should simply create a list of domains and addresses in the Email Encryption settings right from the start, to which messages are always sent encrypted.

As you may have already read in the setting options described above, Sophos Email packages your message in an AES-256 encrypted PDF container. You can also send attachments, such as PDFs, images, Word and Excel documents, etc., with your message.

Receiving emails

The recipient first receives an email from Sophos informing them that an encrypted message is waiting for them. The recipient must then first define a password via a link, with which they can decrypt all future messages from Sophos Email Encryption. The message is then delivered to them, which currently looks like this:

Email Encryption Notification

Since I defined in the settings that both my email message and all attachments should be encrypted, my text is now hidden in the attached message.pdf, which can only be opened with the appropriate password.

Although Sophos recommends using Adobe Acrobat, I was even able to open the message.pdf in the web version of Outlook.

In my tests, images, text files and Open Office documents were packed into a separate PDF with the designation attachments.pdf. I could then view and export these with Acrobat. This should theoretically work in any PDF viewer that supports displaying attachments in PDF documents.

Email Encryption PDF Attachments

For some file types, I found that they were encrypted individually and still listed as separate attachments. Only the older Microsoft formats, such as .doc or .xls, were placed together with the images and text files in the separate attachments.pdf.

Replying to emails

To reply to an encrypted message, the recipient simply clicks on a link in the message.pdf.

Email Encryption - Reply Link in PDF

An input form then opens in the browser, which offers enough functions to compose a decent email. Attachments can also be uploaded.

Email Encryption - Reply Input Form

Forgot password?

If the password for decrypting a message is ever forgotten, which even happened to me during my tests 😅, Sophos sends a link with every message to reset the password.

What positively surprised me about this process is the fact that it is not absolutely necessary to immediately assign a new password. The password recovery page also serves to view the previous password and reuse it. A list shows which password was used in which period. This is very helpful if you want to view an earlier message again that was encrypted with an earlier password.

Email Encryption - PDF Password forgotten

Conclusion

The topic of email encryption has been around for many years. Although everyone would like to use a secure email solution, it ultimately always fails the moment it intrudes on the user’s comfort zone. Sending emails must be easy, and because most people have been doing it for many years, it must not become more complicated.

In my opinion, with Sophos Central Email Encryption, Sophos has found a very good solution for how encrypted emails can be sent super easily without changing the usual process. This process works with any email client and on any operating system, without having to install anything beforehand. The configuration is done completely independently via Sophos Central.

Where I am not yet ecstatic, however, is the way the recipient receives this encrypted message. Apart from the currently very aggressive Sophos branding, I wonder if we will be able to get used to opening an encrypted PDF every time to read an email in the future? Will this be a solution that proves to be mass-marketable in terms of convenience? At this point, I’m really not so sure.

What I find really well done about Sophos Central Email Encryption, however, is the processing of attachments. Anyone who frequently sends Word documents or PDFs with sensitive content receives an automated solution with Email Encryption that takes care of the encryption of such attachments. I also don’t see any major violation of the recipient’s comfort zone here, as the decryption of such documents can be done with simple on-board tools. As written in my test report, I was even able to decrypt and open an encrypted PDF in Outlook Webmail.

Even though we are still in the EAP here, Central Email Encryption already leaves a very complete impression on me. In my tests, at least technically, everything worked perfectly. Only with regard to branding do I hope that Sophos will give us a little more leeway in the future. For example, I have not yet found a way to use my own company logo in the emails. Let’s wait and see what else is planned for the future.

David