NOTE: This article is written to be used independently, and refers to other articles for details.
SSProtect operates with a tiny software component that runs on your host computer, moving sensitive operations to the cloud as you protect and manage content. This isolates operations from host malware, complicating an attacker's task while minimizing impact to you.
SSProtect :Email is an Add-In for Microsoft Outlook that applies protection to email message content. The Add-In does not carry out core security tasks, since Outlook is not well-suited for such operations. Instead, the Add-In uses SSProtect :Expand to securely transfer data to/from the :Foundation Client, which in turn coordinates operations with the cloud, all with very little impact to you (and a lot to an attacker).
Install the :Foundation Client
The :Foundation Client, often referred to as SSProtect, is the host-based application that runs in the background servicing data protection requests. It manages your Account and subsequent :Email configuration. To Install the :Foundation Client:
- Open a browser and navigate to https://definisec.com/downloads.html
- Download and run the (Primary*) setup program (you may be prompted for elevation)
- If you are prompted to reboot, you must do so before using the software
* Of the two available packages, the Primary Package includes a filesystem driver that enables :Shell and In-Place Encryption, required for seamless workflow integration when managing files. The Alternate Package does not include the filesystem driver, and is only suitable for those who intend to manage email message content without access to protected files. This is rare, and not recommended. Refer to related text at the end of this article for more information.
Create an SSProtect Account
SSProtect will automatically install the :Email Outlook Add-In when you log in to a valid Account configured to use it. You can Create an Account with the following procedure:
1. Double-click the SSProtect desktop shortcut to display the Login Prompt, -OR-
2. From the notification tray, right-click the "D" SSProtect Icon and choose Refresh Login...
3. Click the Profile dropdown and select Create New... to display the Create Account dialog
4. Enter the email address you wish to correlate to your new Account
5. If you Installed with the Alternate Package, uncheck :Recover
6. Check the :Email checkbox
7. Choose Create... and wait for your Code to arrive in your Inbox
8. Copy and paste the Code into the Code edit field, then choose Verify
9. At the password prompt, enter a new password twice, then choose Change
At this point, you should have a Login dialog that includes your email address embedded into a Profile alias, most likely in the following form:
Enter the password you created in step 9, above, then choose Login to proceed. This presents the 1st-Time Use (Startup) Wizard that guides you through common startup tasks.
Exporting Your Account Keys
The first prompt you see will ask you to Export your Account Keys. This is required: If you lose your Login Password, this Keyfile is the only way to regain access to your Account:
Choose Yes, Browse to the target location you want to use for the Keyfile, then enter a new password different from the one used to Login to SSProtect.
IMPORTANT: Do not lose this Keyfile and its corresponding password. You should not store this file on your host computer; instead, consider using a removable thumb drive that you can physically secure. Manage the Keyfile password so you can always get to it. Otherwise, if you lose your SSProtect Login password, you will not be able to regain access to your Account.
Installing SSProtect :Email
Dismiss the confirmation prompt and you will then be asked to install :Email:
Choose Yes and the software will automatically download and install the Outlook Add-In. This process is relatively quick. Upon completion, if Outlook is open, you will be prompted to Restart Outlook in order to see the changes.
:Email Ribbon Controls
Once you (re)start Outlook, you will find a new program group with SSProtect :Email controls in the Outlook Explorer view, shown at the right of this cutout:
If you do not see the control group, navigate through File, Options, Add-Ins in Outlook to manually enable the Add-In. Most often, choosing the Go button brings up the list of registered Add-Ins, and you can scroll down to SSProtect :Email and, if the checkbox is blank, check the item and return to the main display. For more information, see Installing :Email.
:Email provides an Explorer pane embedded into your Inbox email listing that indicates which Account the software is managing/protecting. This is useful when you are using multiple SSProtect Profiles and also managing multiple email addresses in Outlook:
In order for SSProtect :Email to apply protections or access protected content, you must be working with the Outlook Email Account that matches your SSProtect Login Account. In that case, the pane will display the message "Protecting this account."
Floating Inbox Protection Indicator
If the Inbox Overlay is "floating" and not docked in Outlook, it is probably due to very recent changes Outlook released for multi-monitor support. This will be fixed in an upcoming release of :Email, though in the meantime it can be addressed by changing Outlook's method of managing the display:
- In Outlook, choose the File menu
- Choose Options on the left side of the display
- In the General pane, at the top, look for User Interface options
- Choose Optimize for Compatibility under When using multiple displays
- Choose OK to accept your changes. You may be prompted to Restart Outlook.
Protect an Existing Outlook Message
You can now proceed to protect an email message as follows:
- Make sure you are using the Outlook Account that matches your SSProtect Account
- Choose an existing email item; double click to open
- On the Ribbon, in the SSProtect :Email control group, choose Protect Now.*
Your message is now protected, as you can tell by the new format that obfuscates the original plaintext. To open your message, double-click it. This will automatically decrypt content (among other things) and present it for you to view. If you close the message, it will return to encrypted (protected) form. Alternatively, you can choose Release Protection, and the message will return to plaintext and remain that way when you close the item.
Preparing to Send Protected Messages
SSProtect is designed to be non-intrusive. Sharing protected content with teammates (Organization peers) is automatic, as noted by the "Zero-Config Sharing" terminology throughout documentation.
However, as an Individual, you are not a member of an Organization - yet. You can transition to an Organization using the information provided in the article, Migrating to an Organization Account. Until that time, all recipients to whom you address messages must be configured as Third Party Trusts.
Emailing Third Party Trusts
Third Party Trusts enable an Organization or Individual Account holder to share data with other Individual Accounts or Organization Users. This is a one-way association that permits recipients to access your protected content. For details, see Managing Third Party Trusts.
If you've followed the steps in this article, you are working as an Individual Account, which allows you to add a Third Party Trust the same way a Privileged Organization User would:
- Click the SSProtect Icon in the notification tray
- Navigate to the Sharing Policy menu item
- Choose the Add Trust submenu
- Enter the email address of an associate using SSProtect
- SSProtect will prompt you with results. Click OK, then the ESCape key to exit
Once the Trust has been added, you can author protected content to the configured address, though the recipient will have to Refresh Login... in order to pick up the change. When you added the Trust, he/she received an email notification to that effect.
You can send protected content to any recipient; Policy settings determine behavior if/when a recipient isn't recognized. In fact, until the Trust you set up above performs a Refresh Login..., the :Email Add-In will likely (depending on Policy settings, which at this point use default values) warn you that the recipient isn't recognized. You can override this warning by choosing the button noted in the dialog text (No). This protects and sends the message; the recipient can open it and access plaintext content at any later time, once authorized via Third Party Trust configuration.
Your Account is not visible to other SSProtect Users until you carry out a simple configuration task that is handled by the Add-In when required. You will see the dialog prompt and, once acknowledged, will then be visible as a viable sharing peer to those that have authorized you as a Third Party Trust.
Sending a Protected Message
To author and send a protected message, use the following procedure:
- Compose a new Outlook message - you can use any format you like
- Address a Third Party Trust (or Organization peer)
- Enter the Subject and Body of the message
- Make sure Protect on Send is checked in the SSProtect :Email ribbon control group
- Send the message
As noted above, if you entered a recipient not (yet) authorized to view your protected content, default policy results in a prompt and a choice whether or not to continue. The software can in some cases remove unauthorized recipients for you before delivering the message. Adjust your Policy with the Settings icon in the Outlook Explorer view.
Limitations when Using the Alternate Package (without the filesystem driver)
:Email is limited when you use SSProtect without the filesystem driver, i.e. when installing the Alternate Package. When this is the case, your Outlook email attachment "cache" will not be protected. Thus, any plaintext attachments you save (from protected and/or unprotected emails) may be left on your mass storage device and, as a result, be available to attackers. When using the software with the filesystem driver, this area is locked down.
Without the filesystem driver, you also will not be able to work with protected Attachments. When you have the filesystem driver, you can open protected attachments from directly within Outlook. If you save the Attachment then try to Release Protections from File Explorer (by holding the Shift key while right-clicking the target file to display the alternate context menu), you will find that, as a Third Party Trust, you do not have permission to carry out this task.
The :Foundation Client starts when you log in to Windows, and if it is not running when you start Outlook, it will be launched. However, if for some reason it has since been Exited, you can click the SSProtect Inactive button in the SSProtect :Email control group from within Outlook to restart it.