Encrypting Messages


You can encrypt messages to prevent them from being read by unauthorized persons. It is, of course, true that with significant amounts of computing power and time any encryption scheme can probably be broken. However, the chances of someone investing those resources in your e-mail are pretty remote. So you can be assured that the e-mail encryption Outlook 2007 provides offers a relatively safe means of protecting sensitive messages against interception.

Before you can encrypt messages, you must have a certificate for that purpose installed on your computer. Typically, certificates issued for digital signing can also be used for encrypting e-mail messages.

For detailed information on obtaining a personal certificate from a commercial CA or from an enterprise or stand-alone CA on your network, see “Obtaining a Digital Certificate,” on page 690.

Getting Ready for Encryption

After you’ve obtained a certificate and installed it on your system, encrypting messages is a simple task. Getting to that point, however, depends in part on whether you’re sending messages to an Exchange Server recipient on your network or to an Internet recipient.

Swapping Certificates

Before you can send an encrypted message to an Internet recipient, you must have a copy of the recipient’s public key certificate. To read the message, the recipient must have a copy of your public key certificate, which means you first need to swap public certificates.

Note 

When you are sending encrypted messages to an Exchange Server recipient, you don’t need to swap certificates. Exchange Server takes care of the problem for you.

The easiest way to swap certificates is to send a digitally signed message to the recipient and have the recipient send you a signed message in return, as outlined here:

  1. In Outlook 2007, choose Tools, Trust Center, and then click the E-Mail Security page.

  2. Click Settings to display the Change Security Settings dialog box.

  3. Verify that you’ve selected S/MIME in the Cryptography Format drop-down list.

  4. Select the Send These Certificates With Signed Messages option and click OK.

  5. Click OK to close the Trust Center dialog box.

  6. Compose the message and digitally sign it. Outlook 2007 will include the certificates with the message.

When you receive a signed message from someone with whom you’re exchanging certificates, add the person to your Contacts folder, which also adds the certificate, by following these steps:

  1. Open the message, right-click the sender’s name, and then choose Add To Outlook Contacts. If the Reading Pane is displayed, you can right-click the sender’s name in the pane and choose Add To Outlook Contacts.

  2. Outlook 2007 displays the Contact tab of the contact form (see Figure 24–26). Fill in additional information for the contact as needed.

    Figure 24–26: Use the contact form to add the sender’s certificate to your system.

  3. Click the Certificates button (in the Show group). You should see the sender’s certificate listed (see Figure 24–27), and you can view the certificate’s properties by selecting it and clicking Properties. If no certificate is listed, contact the sender and ask for another digitally signed message.

    Figure 24–27: The Certificates button on the contact form displays the sender’s certificate.

  4. Click Save & Close to save the contact item and the certificate.

Obtaining a Recipient’s Public Key from a Public CA

As an alternative to receiving a signed message with a certificate from another person, you might be able to obtain the person’s certificate from the issuing CA. For example, if you know that the person has a certificate from VeriSign, you can download that individual’s public key from the VeriSign Web site. Other public CAs offer similar services. To search for and download public keys from VeriSign (see Figure 24–28), connect to https://digitalid.verisign.com/services/client/index.html. Check the sites of other public CAs for similar links that enable you to download public keys from their servers.

Figure 24–28: VeriSign, like other public CAs, provides a form you can use to search for and obtain public keys for certificate subscribers.

The process for downloading a public key varies by CA. In general, however, you enter the person’s e-mail address in a form to locate the certificate, and the form provides instructions for downloading the certificate. You should have no trouble obtaining the public key after you locate the certificate on the CA (there is a link to download the public key certificate from the CA to a file on your computer).

Save the public key to disk, and then follow these steps to install the key:

  1. Open the Contacts folder in Outlook 2007.

  2. Locate the contact for whom you downloaded the public key.

  3. Open the contact item, and then click the Certificates button.

  4. Click Import. Browse to and select the certificate file obtained from the CA and click Open.

  5. Click Save & Close to save the contact changes.

Sending Encrypted Messages

When you have everything set up for sending and receiving encrypted messages, it’s a simple matter to send one:

  1. Open Outlook 2007 and compose the message.

  2. In the message form, click the Encrypt icon in the Options group (on the Message tab).

Alternatively, do the following:

  1. On the Message tab, click the Message Options Dialog Box Launcher in the Options group to display the Message Options dialog box, and then click Security Settings.

  2. Select Encrypt Message Contents And Attachments, and then click OK.

  3. Click Close, and then send the message as you normally would.

  4. If the message is protected by Exchange Server security, you can send it in one of three ways, depending on your system’s security level:

    • If the security level is set to Medium (the default), Outlook 2007 displays a message informing you of your security setting. Click OK to send the message.

    • If the security level is set to Low, Outlook 2007 sends the message immediately, without any special action on your part.

    • If the security level is set to High, type your password to send the message.

Note 

To make it easier to encrypt a message, you can add the Encrypt command to the Quick Access Toolbar in the message form. For details about the process involved in doing this, see “You Need a Faster Way to Digitally Sign a Message,” on page 703.

Reading Encrypted Messages

When you receive an encrypted message, you can read it as you would read any other message, assuming that you have the sender’s certificate. Double-click the message to open it. Note that Outlook 2007 uses an icon with a lock instead of the standard envelope icon to identify encrypted messages.

Note 

You can’t preview encrypted messages in the Reading Pane. Also, the ability to read encrypted messages requires an S/MIME-capable mail client. Keep this in mind when sending encrypted messages to other users who might not have Outlook 2007 or another S/MIME-capable client.

You can verify and modify the trust for a certificate when you read a message signed by that certificate. For information on viewing and changing the trust for a certificate, see “Changing Certificate Trust Relationships” on page 706.

Importing Certificates from Outlook Express

If you have used Microsoft Windows Mail or Microsoft Outlook Express to send and receive secure messages, your Windows Mail Contacts (or Outlook Express address book) contains the public keys of the recipients. You can import those certificates to use in Outlook 2007 if they are not already included in the Contacts folder. Unfortunately, Windows Mail/Outlook Express doesn’t export the certificates when you export its address book; instead, you must export the certificates one at a time.

Follow these steps to move certificates from Windows Mail or Outlook Express to Outlook 2007:

  1. Open Windows Mail and select Tools, Windows Contacts (or, if using Outlook Express, choose Tools, Address Book).

  2. In Windows Contacts (for Windows Mail) or the Address book (for Outlook Express), double-click the name of the person whose certificate you want to export.

  3. Click the IDs tab in Windows Mail (or the Digital IDs tab in Outlook Express).

  4. Select the certificate to export and click Export.

  5. Save the certificate to a file. (Windows Mail and Outlook Express use the CER file extension.)

  6. Open Outlook 2007, open the Contacts folder, and open the contact item for the person who owns the certificate you’re importing.

  7. Click the Certificates button, click Import, select the file created in step 5, and click Open.

  8. Save and close the contact form.
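
Before importing a certificate file into a contact, whether it was downloaded from a CA or exported from Windows Mail or Outlook Express as described above, it is worth confirming that the file names the right e-mail address, has not expired, and permits encryption rather than only signing. The following is an added example, not part of the book: it assumes the OpenSSL command-line tool is installed, and the function names check_smime_cert and make_sample are hypothetical.

```shell
#!/bin/sh
# Added example, not from the book. Function names are hypothetical.

# check_smime_cert FILE EMAIL
# Prints the SHA-256 fingerprint; returns 0 if the certificate is usable for
# encrypting mail to EMAIL, 1 if a check fails, 2 if FILE is not a certificate.
check_smime_cert() {
  file=$1; want=$2; rc=0
  pem=$(mktemp) || return 2
  # A .cer file may be binary (DER) or Base64 (PEM); normalise to PEM.
  openssl x509 -in "$file" -inform PEM -out "$pem" 2>/dev/null ||
    openssl x509 -in "$file" -inform DER -out "$pem" 2>/dev/null ||
    { echo "not an X.509 certificate: $file" >&2; rm -f "$pem"; return 2; }
  # 1. The certificate must name the contact's e-mail address.
  openssl x509 -in "$pem" -noout -email | grep -qixF "$want" ||
    { echo "FAIL: not issued to $want" >&2; rc=1; }
  # 2. It must not have expired.
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
    { echo "FAIL: certificate has expired" >&2; rc=1; }
  # 3. Its key usage must permit S/MIME encryption, not only signing.
  openssl x509 -in "$pem" -noout -purpose |
    grep -q '^S/MIME encryption : Yes' ||
    { echo "FAIL: not valid for S/MIME encryption" >&2; rc=1; }
  # Fingerprint to compare with the owner over another channel.
  openssl x509 -in "$pem" -noout -fingerprint -sha256
  rm -f "$pem"
  return $rc
}

# Constructed sample input: a throwaway self-signed certificate in DER form.
# make_sample OUT.cer KEYUSAGE
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$1.key" \
    -subj "/CN=Alice Example/emailAddress=alice@example.test" \
    -addext "keyUsage=critical,$2" -outform DER -out "$1" 2>/dev/null &&
    rm -f "$1.key"
}

tmp=$(mktemp -d)
make_sample "$tmp/both.cer" "digitalSignature,keyEncipherment"
make_sample "$tmp/sign.cer" "digitalSignature"
check_smime_cert "$tmp/both.cer" alice@example.test && echo "both.cer: OK"
check_smime_cert "$tmp/sign.cer" alice@example.test || echo "sign.cer: rejected"
rm -rf "$tmp"
```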




2007 Microsoft Office System Inside Out
ISBN: 0735623244
EAN: 2147483647
Year: 2007
Pages: 299
