Sophos Central Email Encryption: Review
To keep you up to date on Sophos Central, I recently signed up to the EAP (Early Access Program) for Email Encryption and took a closer look at the new features and of course tested them.
In this article I share my experiences so far and would like to show you what you can expect from this new feature.
The EAP for Email Encryption will run until April 15, 2019, when changes may be made that are not mentioned in this report. However, I will keep myself informed about all changes and keep this article as up to date as possible.
To participate in the EAP for Email Encryption and continue to use this feature after this trial period, a Sophos Central Email Gateway Advanced license is required.
Set up Email Encryption
If you have logged in to the EAP for Email Encryption, you will find the new item Encryption settings in the Central Email Gateway settings. As soon as this feature is activated, you can define some rules for message encryption.
- Complete message or just attachments: By default, the entire message is encrypted as a PDF file. However, it is also possible to encrypt only attachments and continue to send the message as plain text.
- Send messages with a subject tag: With this option you can specify any character string that must be at the beginning of a subject to automatically encrypt a message. For example, if your subject tag is “Secure:”, any email that begins with that tag in the subject will be encrypted. However, no distinction is made between upper and lower case.
- Addresses and domains: In order not to work with the subject line tag every time to encrypt an email, there is a more convenient variant. You can create a list of addresses and domains to which only encrypted messages are sent.
Email Encryption in practice
For encryption to work, it is important to remember to scan incoming and outgoing traffic from Sophos email during domain configuration. Of course, if outgoing email is not routed through Sophos Email, encryption will not work.
I used Microsoft Office 365 as the outbound gateway in my tests.
If everything is configured correctly, sending encrypted emails is really a piece of cake! This Sophos solution does not require a special email client or software to be installed first. The way you’ve been sending emails so far hasn’t really changed. Only with the subject tag solution you have to remember to name the subject so that the message does not accidentally go out unencrypted. Even on mobile operating systems like iOS or Android, it worked wonderfully in my tests.
For all Office 365 users among you, Sophos also offers an Outlook plugin. This will give you a button on the menu bar to encrypt the message with a single click before it is sent. By the way, in my tests it worked in the latest Outlook on Windows and Mac as well as in the browser version.
To get around the solution with the subject line as far as possible and to increase the comfort even further, you should simply create a list with domains and addresses in the settings of Email Encryption right at the beginning, to which you always send encrypted.
As you may have read in the settings described above, Sophos Email packs your message in a PDF container encrypted with AES-256. You can also send attachments such as PDFs, images, Word and Excel documents, etc. with your message.
The recipient will first receive an email from Sophos informing them that an encrypted message is waiting for them. The recipient will then need to set a password using a link to decrypt all messages from Sophos Email Encryption in the future. The message will then be delivered to him, which looks like this at the moment:
Since I have defined in the settings that both my email message and all attachments should be encrypted, my text is now hidden in the attached message.pdf, which can only be opened with the appropriate password.
Although Sophos recommends using Adobe Acrobat, I was even able to open message.pdf in the web version of Outlook.
In my tests, images, text files and Open Office documents were packed into a separate PDF called attachments.pdf. I could then view and export them with Acrobat. This should theoretically work in any PDF viewer that supports viewing attachments in PDF documents.
With PDFs, Word or Excel documents (.docx, .xlsx) I noticed that these are only encrypted and are still listed individually in the attachment. Only the older Microsoft formats like .doc or .xls were put into the separate attachments.pdf.
Reply to emails
To reply to an encrypted message, the recipient simply clicks on a link in message.pdf.
The browser then opens an input mask that offers enough functionality to write a decent email. Attachments can also be uploaded.
Forgot your password?
If I forget the password used to decrypt a message, which even happened to me during my tests 😅, Sophos will send a link in each message to reset my password.
What positively surprised me about this process was the fact that it is not absolutely necessary to assign a new password. The password recovery page is also used to view the previous password and reuse it. A list shows which password has been used in which period. This is very helpful if you want to look at an earlier message again, but it was encrypted with an earlier password.
The subject of email encryption has been a recurring topic for many years. Although everyone would like to use a secure email solution, it ultimately always fails when entering the comfort zone. Sending emails must be easy and because most people have been doing this for many years, it must not become more complicated.
With Sophos Central Email Encryption, I think Sophos has found a very good solution for sending encrypted emails in a very easy way, without changing the usual procedure. This process works with any email client and on any operating system, without having to install anything first. Configuration is done completely independently via Sophos Central.
But where I’m not yet breaking into storms of enthusiasm is the way the recipient gets this encrypted message. Apart from the very aggressive Sophos branding at the moment, I wonder if we can get used to opening an encrypted PDF to read an email every time in the future? Will this be a solution that proves to be mass-ready in terms of convenience? I’m really not so sure about that yet.
But what I really like about Sophos Central Email Encryption is the processing of the attachments. If you frequently send Word documents or PDFs with sensitive content around, Email Encryption is an automated solution that takes care of the encryption of such attachments. I don’t see any big violation of the recipient’s comfort zone, since the decryption of such documents can be done with simple on-board tools. As written in my test report, I was even able to decrypt and open an encrypted PDF in Outlook Webmail.
Even though we are still in EAP here, Central Email Encryption already leaves me with a very complete impression. In my tests at least technically everything worked fine. Only as far as branding is concerned, I hope Sophos will give us a little more freedom in the future. So far, for example, I haven’t found a way to use my own company logo in emails. Let’s see what’s still planned for the future.