Choosing an SPX Password Method

There are three methods of password management that you can use with SPX-encrypted email messages. These are selected on the Password Settings page of the SPX Template wizard.

Two or all three of the password methods can be used at the same time; you create a separate template and policy rule for each method. Once the password has been established, every password method provides a similar experience for senders and recipients.

Note
Password data is not preserved as part of system backups on an Email Appliance. Backing up confidential data of this type would pose a substantial security risk. Running two or more appliances in a clustered deployment creates data redundancy as protection against hardware failure. For more information, contact your Sophos representative.

  • User registration password management

    The first method is user registration. With this option selected, when a message sent to a recipient for the first time triggers a policy rule that requires it to be encrypted, then:

    1. The message will be held by the Email Appliance.
    2. The appliance will send the recipient a registration email containing a link, and a request to set a password.
    3. After the recipient clicks on the link and enters the password, the original email is encrypted using the new password and relayed to the recipient, who can use the password to decrypt and read the email. All subsequent email messages to that recipient will then be encrypted using the password created during registration.
  • Sender-communicated password management

    The second method is sender-communicated passwords. There are two variants of this method: the first uses a password generated by the appliance, the second a password specified by the sender. With the first variant (generated password), when a message sent to a recipient for the first time triggers a policy rule that requires it to be encrypted, then:

    1. The message will be encrypted using a password generated by the Email Appliance and relayed to the recipient.
    2. An email message containing the generated password will be delivered to the sender.
    3. The sender must then communicate the password to the recipient in a secure fashion (for example, by telephone). The recipient uses the password to decrypt and read the email. The generated password is used to encrypt all subsequent email messages to that recipient.

    With the second variant (sender-specified password), when a message is sent to a recipient, the sender first chooses a password and adds it to the subject line, enclosed in brackets and marked with a specified tag. Both the tag and the bracket characters are selected by the admin when configuring this password method. The brackets and tag trigger a policy rule that requires the email to be encrypted, then:

    1. The sender-specified password, the tag, and the brackets are removed from the subject line.
    2. The message will be encrypted using the sender-specified password and relayed to the recipient.
    3. Optionally, a copy of the email message will be delivered to the sender.
    4. The sender must communicate the chosen password to the recipient in a secure fashion (for example, by telephone). The recipient uses the password to decrypt and read the email.
    Note
    If a message is sent to a recipient who is not in a group that triggers the policy for sender-specified passwords, the message will not be encrypted, and the password will not be removed from the subject line before the email is delivered to the recipient.
  • Custom web service password management

    The third method is to use a custom remote authentication service to assign passwords. This enables the appliance to retrieve passwords from your own existing authentication infrastructure. This password is then used to encrypt messages sent to the recipient. To use this method, a web service must have been created within your environment, and it must integrate with your existing authentication infrastructure. Visit the Sophos Support Knowledgebase for an example of how to configure the web service, or contact Sophos Professional Services for assistance.
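The sender-specified password variant above, together with the note that follows it, modelled as an added Python example (not Sophos code): it strips the tag, brackets and password from the subject only when the recipient belongs to the group that triggers the policy rule, and shows the password travelling in the cleartext subject when no rule fires. The tag `spx`, the square brackets, the `tag:password` layout and the recipient group are assumed values standing in for whatever the admin configures in the SPX template.

```python
"""Model of the SPX sender-specified password flow. Added illustration, not
Sophos code; the tag, bracket characters, subject layout and recipient group
are assumptions standing in for the admin's real template settings."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed admin configuration for the sender-specified password template.
TAG = "spx"
OPEN, CLOSE = "[", "]"

# Constructed recipient group whose members trigger the encryption rule.
ENCRYPT_GROUP = {"alice@partner.example"}


@dataclass
class Outcome:
    subject: str                 # subject line as the recipient will see it
    encrypted: bool              # whether SPX encryption was applied
    password: Optional[str]      # password used, None if not encrypted


def extract_password(subject: str) -> Tuple[str, Optional[str]]:
    """Return (cleaned_subject, password) for a subject carrying
    OPEN + TAG + ':' + password + CLOSE; password is None when absent."""
    pattern = (re.escape(OPEN) + re.escape(TAG) + r":([^"
               + re.escape(CLOSE) + r"]+)" + re.escape(CLOSE))
    m = re.search(pattern, subject)
    if not m:
        return subject, None
    cleaned = (subject[:m.start()] + subject[m.end():]).strip()
    return re.sub(r"\s{2,}", " ", cleaned), m.group(1)


def deliver(subject: str, recipient: str) -> Outcome:
    """Apply the policy rule. Recipients in ENCRYPT_GROUP get the password
    removed and the message encrypted; for anyone else the subject is
    delivered unchanged, password included, exactly as the note warns."""
    if recipient not in ENCRYPT_GROUP:
        return Outcome(subject, False, None)
    cleaned, password = extract_password(subject)
    if password is None:          # no tag/brackets, so no rule triggers
        return Outcome(subject, False, None)
    return Outcome(cleaned, True, password)


def leaks_password(outcome: Outcome) -> bool:
    """Outbound check a gateway could run: does the delivered subject still
    carry the tag-and-bracket pattern (password left in cleartext)?"""
    return extract_password(outcome.subject)[1] is not None
```

Running `deliver` for a recipient outside the group reproduces the failure mode in the note, and `leaks_password` is the kind of outbound check that would catch it before the message leaves.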