Vague Exchange 2013 encryption query

Hi,

We've just migrated to Exchange 2013 and I've been asked to investigate "this free end-to-end encryption you can turn on with PowerShell, that doesn't require individual certificates" feature.

Sounds vague? It is! If anyone can help I'd be grateful. Our Exchange is exclusively on-prem. From what I've found online there's something called EHE which may be what this is about, but if that's the case then it's useless because it's part of Office 365 (I think).

Sorry I can't provide any more detail - this request came via the sort of "a friend of a friend" (or a colleague of a colleague) and sounds like magic - a simple bit of PowerShell will enable us to encrypt all our messages end-to-end for ever, without any sort of PKI. Forgive me for sounding sceptical! I don't even have any pointer as to what this PowerShell code might be - it's just PowerShell, that's all I know.

I just can't see how this would work, but I'd be very interested if anyone can decipher what this might be and point me in the right direction.

July 17th, 2015 4:39am

"End-to-end" requires a client component because that's the end. You would have to install client software, and the recipients would have to have the same software as well. As far as I know there is nothing that does what you describe.

July 17th, 2015 7:10pm

Hi,

As far as I know, each offering from Exchange server is accessed through 128-bit Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption. Client connections to Exchange Online use the following encryption methods to enhance security: SSL is used for securing Outlook, Outlook Web App, Exchange ActiveSync, and Exchange Web Services traffic, using TCP port 443. SSL is also used for POP3 and IMAP, using TCP port 995.

Please refer to the link below for more details about how SSL/TLS works: https://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx

For end-to-end encryption, we need to encrypt the message within the client, as Ed mentioned. For your reference:
https://support.office.com/en-in/article/Encrypt-email-messages-373339cb-bf1a-4509-b296-802a39d801dc

Thanks

July 19th, 2015 10:51pm

Hi both, thank you for your comprehensive replies and I've marked both as the answer - I honestly couldn't see how this would work without a PKI but was asked to investigate.

My next step is to get in touch with this person to try and pull out more details! It may be that this message encryption was internal only, relying on the internal certificates or something.

I appreciate the time you've put into this and hopefully I'll find out soon enough what this was all about...

July 20th, 2015 4:39am

Hi both, finally got to the bottom of it. The facility was "Office 365 Message Encryption" - which, from what I can see, is (a) not strictly message encryption in the traditional PKI sense and (b) not relevant anyway because our Exchange is purely on-prem, and we don't have an EOP subscription.

Thanks again for all your help and hope you have a good day.

July 20th, 2015 5:14am

This topic is archived. No further replies will be accepted.
