NOTE: This article is written to be used independently, and refers to other articles for details.
SSProtect operates with a tiny software component that runs on your host computer, moving sensitive operations to the cloud as you protect and manage content. This isolates operations from host malware, complicating an attacker's task while minimizing impact to you.
SSProtect :Email is an Add-In for Microsoft Outlook that applies protection to email message content. The Add-In does not carry out core security tasks, since Outlook is not well-suited for such operations. Instead, the Add-In uses SSProtect :Expand to securely transfer data to/from the locally installed :Foundation Client, which coordinates operations with KODiAC Cloud Services.
Install the :Foundation Client
The :Foundation Client, often referred to as SSProtect, is the host-based application that runs in the background servicing data protection requests. It manages your Account and subsequent :Email configuration. To Install the :Foundation Client:
- Open a browser and navigate to https://definisec.com/downloads.html
- Download and execute the (Primary*) package (you may be prompted for elevation)
- If you are prompted to reboot, you must do so before using the software
* Of the two available packages, the Primary Package includes a filesystem driver that enables :Shell and In-Place Encryption, required for seamless workflow integration when managing files. The Alternate Package does not include the filesystem driver, and is only suitable for those who intend to manage email message content without access to protected files. This is rare, and not recommended. Refer to related text at the end of this article for more information.
Create an SSProtect Account
SSProtect will automatically install the :Email Outlook Add-In when you log in to a valid Account configured to use it. You can Create an Account with the following procedure:
- Double-click the SSProtect desktop shortcut to display the Login Prompt, -OR-
- From the notification tray, right-click the "D" SSProtect Icon and choose Refresh Login...
- Click the Profile dropdown and select Create New... to open the Create Account dialog:
- Enter the email address you wish to correlate to your new Account
- If you Installed with the Alternate Package, uncheck :Recover
- Check the :Email checkbox
- Choose Create... and wait for your Code to arrive in your Inbox
- Copy and paste the Code into the Code edit field, then choose Verify
- At the password prompt, choose a new password, twice, then Change
At this point, you should have a Login dialog that includes your email address embedded into a Profile alias, most likely in the following form:
Enter the password you created in step 6, above, then choose Login to proceed. This presents the 1st-Time Use (Startup) Wizard that guides you through common startup tasks.
Exporting Your Account Keys
The first prompt you see will ask you to Export your Account Keys. This is required: If you lose your Login Password, this Keyfile is the only way to regain access to your Account:
Choose Yes, Browse to the target location you want to use for the Keyfile, then enter a new password different from the one used to Login to SSProtect.
IMPORTANT: Do not lose this Keyfile or its corresponding password. You should not store this file on your host computer. Instead, consider using a removable thumb drive that you can physically secure. Manage the Keyfile password so you can always get to it; otherwise, if you lose your SSProtect Login password, you will not be able to regain access to your Account.
Installing SSProtect :Email
Dismiss the confirmation prompt and you will then be asked to install :Email:
Choose Yes and the software will automatically download and install the Outlook Add-In. This process is relatively quick. Upon completion, you will be prompted to restart Outlook if it is running.
:Email Ribbon Controls
Once you (re)start Outlook, you will find a new program group with SSProtect :Email controls in the Outlook Explorer view, shown at the right of this cutout:
If you do not see the control group, navigate through File, Options, Add-Ins in Outlook to manually enable the Add-In. Most often, choosing the Go button brings up the list of registered Add-Ins, and you can scroll down to SSProtect :Email and, if the checkbox is blank, check the item and return to the main display. For more information, see Installing :Email.
:Email provides an additional Explorer pane embedded in your Inbox email listing. This small window tells you which SSProtect Account the software is managing/protecting. This is most useful when working with multiple SSProtect Profiles:
In order for SSProtect :Email to apply protections or access protected content, you must be working with the Outlook Email Account that matches your SSProtect Login Account. When this is the state of your system, the Explorer Inbox pane will display Protecting this account.
Sending a Protected Message
To author and send a protected message, use the following procedure:
- Be sure to Login to the SSProtect Profile that matches your Outlook Email Account
- Compose a new Outlook message - you can use any format you like
- Address one or more Authorized Recipients (see below)
- Author the Subject and Body of the message
- Check Protect on Send in the SSProtect :Email ribbon control group
- Send the message
:Email Settings (Options) determine recipient validation logic that executes before sending managed (protected) content. See below for more details.
Protecting an Existing Outlook Message
You can also in-place protect existing messages stored in your Outlook folders:
- Make sure you are using the Outlook Account that matches your SSProtect Login
- Choose an existing message you wish to protect
- Double-click to open the message
- On the Ribbon, in the SSProtect :Email control group, choose Protect Now
Accessing a Protected Message
SSProtect'd email messages include plaintext identifying information before the encoded Ciphertext:
----Secured by SSProtect :Email----
---- https.//www.definisec.com ----
Ref #: C9-4B-D0-09-BE-A0-DD-62-D2-72-FB-28-2B-03-BA-91
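The plaintext header shown above can be recognized mechanically, for example by a mail-triage script that needs to tell protected bodies from unprotected ones. The following is an added example, not DefiniSEC code: the function names are hypothetical, and it assumes the banner line is fixed text and that the reference is always 16 dash-separated hex bytes, as in the one sample above.

```python
import re

# Banner text copied from the sample on this page; treating it as a fixed
# marker is an assumption, not a documented SSProtect format guarantee.
BANNER = "----Secured by SSProtect :Email----"
# Assumed shape of the reference: 16 dash-separated hex byte pairs,
# inferred from the single sample shown above.
REF_RE = re.compile(r"^Ref #:\s*((?:[0-9A-Fa-f]{2}-){15}[0-9A-Fa-f]{2})\s*$")


def _unquote(line):
    """Strip reply-quote prefixes ('> ') and surrounding whitespace."""
    return re.sub(r"^(?:>\s?)+", "", line.strip()).strip()


def inspect_body(body):
    """Classify a plaintext message body.

    Returns (state, ref) where state is 'unprotected', 'protected' or
    'malformed', and ref is the 16-byte reference or None.
    """
    lines = [_unquote(ln) for ln in body.splitlines()]
    try:
        start = lines.index(BANNER)
    except ValueError:
        return ("unprotected", None)
    # Look for the reference within the few lines after the banner.
    for line in lines[start + 1:start + 4]:
        m = REF_RE.match(line)
        if m:
            return ("protected", bytes.fromhex(m.group(1).replace("-", "")))
    # Banner without a well-formed reference: truncated or edited header.
    return ("malformed", None)


# Constructed sample bodies (the ciphertext line is a placeholder).
SAMPLE_OK = (
    "----Secured by SSProtect :Email----\r\n"
    "---- https.//www.definisec.com ----\r\n"
    "Ref #: C9-4B-D0-09-BE-A0-DD-62-D2-72-FB-28-2B-03-BA-91\r\n"
    "<ciphertext placeholder>\r\n"
)
SAMPLE_CUT = "> ----Secured by SSProtect :Email----\n> Ref #: C9-4B-D0\n"

if __name__ == "__main__":
    for name, body in (("ok", SAMPLE_OK), ("cut", SAMPLE_CUT), ("plain", "hi")):
        print(name, inspect_body(body))
```

A 'malformed' result means the banner is present but the reference line is missing or truncated, which is worth flagging because the recipient's client may not be able to resolve the message.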
To access decrypted content, double-click the message to open the "Pop Out" window. This initiates Authentication, Authorization, and Decryption to render natively-formatted Outlook message content. When you close the message, it returns to the prior form.
If you wish to remove managed protections, choose Release Protection while the "Pop Out" window is still open. On success, context-sensitive :Email Ribbon controls will switch state and content will retain its original form when you close the window.
You can send protected content to any Recipient, though Policy Settings determine behavior if/when a recipient isn't recognized as an authorized :Collaborate peer. By default, you will be notified of Recipients that aren't authorized, then given an option to remove or retain them before sending protected content. If, at a later time, Policy is modified to permit access, associated Recipients will at that time be able to access content using the process outlined above.
Authorized Access to Protected Messages
SSProtect is designed to be non-intrusive. Sharing permissions are thus automatically managed for Organization Peers, i.e. the collective set of Accounts associated with a single Organization. For more information, refer to the articles Accounts, Identities, and Roles and Trusts, Profiles, and Server Sets, then refer to the articles in the :Collaborate section of these pages. SSProtect :Email access utilizes these constructs and stipulations.
Emailing Third Party Trusts
Third Party Trusts enable an Organization or Individual Account holder to share data with other Individual Accounts or Organization Users. This is a one-way association that permits recipients to access your protected content. For details, see Managing Third Party Trusts.
If you've followed the steps at the start of this article, you are working as an Individual Account, which allows you to add a Third Party Trust the same way a Privileged Organization User would:
- Click the SSProtect Icon in the notification tray
- Navigate to the Sharing Policy menu item
- Choose the Add Trust submenu
- Enter the email address of an associate using SSProtect
- SSProtect will prompt you with results. Click OK, then the ESCape key to exit
After the Trust has been configured, the intended Recipient will have to Refresh Login... before message content will be accessible.
Automatic Third Party Trust Configuration
In some situations, an attempt to Send protected content to an unauthorized Recipient results in a prompt to create a new Third Party Trust relationship. This is a UI helper that achieves the same result as the manual steps in the previous section.
Do not confuse this with the common need of encryption software to specify individuals to whom encrypted data will be delivered. SSProtect is quite different, instead managing Access and Sharing permissions using Policy set by Policy Makers - in this case Privileged Organization Users and Individual Account holders. Though initially the UI and workflow may appear similar, you will find that subsequent operations quickly exhibit very different - and far less complicated - realities.
Caveat: Account Visibility (with respect to Authorized Recipients)
Your Account will not be "visible" as an Authorized Recipient to other SSProtect Users until after you have been configured as a Third Party Trust and after you have performed a subsequent SSProtect Login operation. You can do this using the Refresh Login... menu option available from the notification tray icon (perhaps in response to the email notification you receive when added as a Third Party Trust to an Organization or Individual Account).
As such, if you configure a Third Party Trust and subsequently author and Send a protected message to that peer, depending on Policy Settings, you may be presented with notification that the associated User is not (yet) Trusted. This changes after they perform their next SSProtect Login.
Limitations when Using the Alternate Package (without the filesystem driver)
:Email is limited when you use SSProtect without the filesystem driver, i.e. when installing the Alternate Package. When this is the case, your Outlook email attachment "cache" will not be protected. Thus, any plaintext attachments you save (from protected and/or unprotected emails) may be left on your mass storage device, and as a result be available to attackers. When using the software with the filesystem driver, this area is locked down.
Otherwise, even without the filesystem driver, you can continue working with protected Attachments "manually", i.e. you can save the protected item, then navigate to it in File Explorer and Release Protections (by holding the Shift key when you right-click the target file, then choosing SSProtect Release) to work with the resulting plaintext file. This process is consistent with traditional encryption software that requires you to first decrypt content, then work with plaintext results, forgoing the extra value of In-Place Encryption offered by the full-featured package.
The :Foundation Client starts when you Login to Windows and also (if not running) when you start Outlook (if you have installed the :Email Add-In). If for some reason the :Foundation Client is terminated while using Outlook, you can click the resulting SSProtect Inactive button in the SSProtect :Email control group to restart it.