Configuring IBE Encryption

Configuring IBE encryption

The System > Encryption > IBE Encryption submenu lets you configure the Identity Based Encryption (IBE) service. With IBE, you can send secured email through the FortiMail unit.

This section contains the following topics:

  • About IBE
  • About FortiMail IBE
  • FortiMail IBE configuration workflow
  • Configuring IBE services

About IBE

IBE is a type of public-key encryption. IBE uses identities (such as email addresses) to calculate encryption keys that can be used for encrypting and decrypting electronic messages. Compared with traditional public-key cryptography, IBE greatly simplifies the encryption process for both users and administrators. Another advantage is that a message recipient does not need any certificate or key pre-enrollment or specialized software to access the email.

About FortiMail IBE

The FortiMail unit encrypts an email message using the public key generated with the recipient’s email address. The email recipient does not need to install any software or generate a pair of keys in order to access the email.

What happens is that when an email reaches the FortiMail unit, the FortiMail unit applies its IP-based policies and recipient-based policies containing IBE-related content profiles as well as the message delivery rules to the email. If a policy or rule match is found, the FortiMail unit encrypts the email using the public key before sending a notification to the recipient. Figure 148 shows a sample notification.

The notification email contains an HTML attachment, which contains instructions and links telling the recipient how to access the encrypted email.

If this is the first time the recipient receives such a notification, the recipient must follow the instructions and links to register on the FortiMail unit before reading email.

If this is not the first time the recipient receives such a notification and the recipient has already registered on the FortiMail unit, the recipient only needs to log in to the FortiMail unit to read email.

When the recipient opens the mail on the FortiMail unit, the email is decrypted automatically. Figure  shows how FortiMail IBE works:

Figure 147:How FortiMail works with IBE

  1. The FortiMail unit applies its IBE-related IP-based policies ,

Figure 148:Sample secure message notification

FortiMail IBE configuration workflow

Follow the general steps below to use the FortiMail IBE function:

  • Configure and enable the IBE service. See “Configuring IBE services” on page 359.
  • Manage IBE users. See “Configuring IBE users” on page 447.
  • Configure an IBE encryption profile. See “Configuring encryption profiles” on page 594.

If you want to encrypt email based on the email contents:

  • Add the IBE encryption profile to the content action profile. See “Configuring content action profiles” on page 535.
  • Add the content action profile to the content profile and configure the scan criteria in the content profile, such as attachment filtering, file type filtering, and content monitor and filtering including the dictionary and action profiles. See “Configuring content profiles” on page 526.
  • Add the content profile to the IP-based and recipient-based policies to determine email that needs to be encrypted with IBE. See “Controlling email based on recipient addresses” on page 468, and “Controlling email based on IP addresses” on page 475.

For example, on the FortiMail unit, you have:

  • configured a dictionary profile that contains a pattern called “Confidential”, and enabled Search header (see “Configuring dictionary profiles” on page 586)
  • added the dictionary profile to a content profile which also includes a content action profile that has an encryption profile in it
  • included the content profile to IP and recipient policies

You then notify your email users on how to mark the email subject line and header if they want to send encrypted email.

For example, Alice wants to send an encrypted email to Bob through the FortiMail unit. She can add “Confidential” in the email subject line, or “Confidential” in the header (in MS Outlook, when compiling a new mail, go to Options > Message settings > Sensitivity, and select Confidential in the list). The FortiMail unit will apply the policies you configured to the email by checking the email’s subject line and header. If one of them matches the patterns defined in the dictionary profile, the email will be encrypted.

  • Configure IBE email storage. See “Selecting the mail data storage location” on page 376.
  • Configure log settings for IBE encryption. See “Configuring logging” on page 671.
  • View logs of IBE encryption. See “Viewing log messages” on page 206.

If you want to encrypt email using message delivery rules:

  • Configure message delivery rules using encryption profiles to determine email that need to be encrypted with IBE. See “Configuring delivery rules” on page 464.
  • Configure IBE email storage. See “Selecting the mail data storage location” on page 376.
  • Configure log settings for IBE encryption. See “Configuring logging” on page 671.
  • View logs of IBE encryption. See “Viewing log messages” on page 206.

Configuring IBE services

You can configure, enable, or disable IBE services which control how secured mail recipients use the FortiMail IBE function. For details about how to use IBE service, see “FortiMail IBE configuration workflow” on page 358.

To configure IBE service

  1. Go to System > Encryption > IBE Encryption.

Figure 149:IBE encryption tab

  1. Configure the following:

GUI item                   Description

Enable IBE service Select to enable the IBE service you configured.

IBE service name Enter the name for the IBE service. This is the name the secure mail recipients will see once they access the FortiMail unit to view the mail.
User registration expiry time (days) Enter the number of days that the secure mail recipient has to register on the FortiMail unit to view the mail before the registration expires. The starting date is the date when the FortiMail unit sends out the first notification to a mail recipient.
User inactivity expiry time (days) Enter the number of days the secure mail recipient can access the FortiMail unit without registration.

For example, if you set the value to 30 days and if the mail recipient did not access the FortiMail unit for 30 days after the user registers on the unit, the recipient will need to register again if another secure mail is sent to the user. If the recipient accessed the FortiMail unit on the 15th days, the 30-day limit will be recalculated from the 15th day onwards.

Encrypted email    Enter the number of days that the secured mail will be saved on the storage expiry time FortiMail unit. (days)

Password reset     Enter the password reset expiry time in hours. expiry time (hours)

This is for the recipients who have forgotten their login passwords and request for new ones. The secured mail recipient must reset the password within this time limit to access the FortiMail unit.

 

GUI item Description
Allow secure replying Select to allow the secure mail recipient to reply the email with encryption.
Allow secure forwarding Select to allow the secure mail recipient to forward the email with encryption.
Allow secure composing Select to allow the secure mail recipient to compose an email. The FortiMail unit will use policies and mail delivery rules to determine if this mail needs to be encrypted.

For encrypted email, the domain of the composed mail’s recipient must be a protected one, otherwise an error message will appear and the mail will not be delivered.

IBE base URL Enter the FortiMail unit URL, for example, https://192.168.100.20, on which a mail recipient can register or authenticate to access the secure mail.
“Help” content

URL

You can create a help file on how to access the FortiMail secure email and enter the URL for the file. The mail recipient can click the “Help” link from the secure mail notification to view the file.

If you leave this field empty, a default help file link will be added to the secure mail notification.

“About” content

URL

You can create a file about the FortiMail IBE encryption and enter the URL for the file. The mail recipient can click the “About” link from the secure mail notification to view the file.

If you leave this field empty, a link for a default file about the FortiMail IBE encryption will be added to the secure mail notification.

GUI item                   Description

Allow custom user control If your corporation has its own user authentication tools, enable this option and enter the URL.

“Custom user control” URL: This is the URL where you can check for user existence.

“Custom forgot password” URL: This is the URL where users get authenticated.

Notification Settings You can choose to send notification to the sender or recipient when the secure email is read or remains unread for a specified period of time.

Click the Edit link to modify the email template. For details, see “Customizing email templates” on page 288.

Depending on the IBE email access method (either PUSH or PULL) you defined in “Configuring encryption profiles” on page 594, the notification settings behave differently.

•      If the IBE message is stored on FortiMail PULL access method), the “read” notification will only be sent the first time the message is read.

•      If the IBE message is not stored on FortiMail (PUSH access method), the “read” notification will be sent every time the message is read, that is, after the user pushes the message to FortiMail and FortiMail decrypts the message.

•      There is no “unread” notification for IBE PUSH messages.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

2 thoughts on “Configuring IBE Encryption

  1. Paul van Wijck

    I wonder how IBE behaves in a HA active/active (config only) setup. Can I point the same url with a load balancer to both units? Is the encrypted mail, and user with private key available on both units?

    Reply
    1. Mike Post author

      Great question Paul,

      When FML is deployed in config only HA, the data store information, which include the IBE data, is not shared between the two devices – only the configuration settings are synced.

      There are a couple of ways of dealing with the data store limitation in config-only HA. FML GUI: Mail Settings > Settings > Storage
      1.Add a Central Quarantine device (or two setup in active/passive HA) to store the IBE data separately from the two FML units that are processing the mail. Requirement for Centralized IBE unit: FML 1000D or higher physical appliance | FML VM04 or higher virtual appliance

      2.Set the two FML units to store data to the same remote data store mounted via NAS

      The first option will require an additional FML purchase
      The second option will require you have a common NAS mount point that both FML units can reliably communicate with.

      FML online help on this topic: http://help.fortinet.com/fmail/5-3-4/admin/index.html#page/FortiMail_Online_Help/mail_settings_07_13.html

      Please let me know if you have any additional questions on this topic.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.