Zertificon Whitepaper End To End Email Encryption

End-to-End Email Encryption for Enterprises

How end-to-end encryption for email is defined and easily implemented
in enterprise infrastructures

Zertificon Solutions GmbH

Edward Snowden’s revelations about the NSA brought email encryption to the public’s attention in 2014. Since 2018, the topic has received constant attention due to the EU General Data Protection Regulation (GDPR) and an increasing rate of digitalization. From 2014 until today, countless articles have promoted end-to-end encryption for email exchange as a one-size-fits-all solution for companies and private users – but almost always without considering the security and compliance requirements in the business environment.

Businesses that already use email encryption are aware of the discrepancies between their needs and the existing recommendations for private user solutions. It can be challenging for IT departments without any experience in that area to realize what they actually need. We want to help people in charge of confronting the secure communication challenge get acquainted with the technical standards, implications, and possibilities of end-to-end encryption in a business

Definition: End-to-End Encryption

End-to-end email encryption (E2EE) implies encryption at the sender’s device and decryption at the recipient’s device. The concept is based on the fundamental premise that only the recipient can access the keys necessary to decrypt a message intended for them.

Some vendors who call their encryption solutions end-to-end define the business – rather than the individual employee sending or receiving the email – as one “end” in the communication. From a business point of view, that is easily understandable. We call that “gateway encryption,” which secures emails in transit on routes over the Internet.

Then there are also business use cases where protection against attacks over the Internet is not enough. That is when emails need to be protected on servers and in cloud environments. There are also many use cases in between, depending on email infrastructure, individual business risks, and compliance regulations.

A rule of thumb at the start:

• End-to-end encryption for emails must consider the parties involved and the specific use cases.
• The higher the security level you want, the more skills are required at every user’s end, and the less automation the encryption software can offer.

How private and business needs differ for email security and compliance

Much like in many other areas, a solution that makes sense for individuals may be of only limited use for corporations. This definitely applies to email encryption.

Companies need insight into email traffic for compliance and IT security purposes. The business-critical security and compliance drivers behind documentation and privacy protection do not apply to personal use whatsoever. Data loss prevention and central spam and virus checking are of great importance for corporations. On personal home applications, spam and virus checks are performed locally on the machine, before any encryption and after any decryption takes place.

E2EE needs the sender and recipient to use the same encryption technology

OpenPGP, an open and free version of the Pretty Good Privacy (PGP) standard, is very popular for private email communication. However, in the corporate environment, S/MIME, which uses paid X.509 certificates from certificate authorities to distribute public keys, is the established and preferred standard over OpenPGP in most industries.

[Fig. 1 diagram, labelled “OpenPGP”] Fig. 1: In the private sector, email encryption is always end-to-end.

S/MIME and PGP standards are incompatible. So it seems the private and the business world are also incompatible. Companies need a proxy solution to exchange secure emails on an end2end basis with individuals or other companies who use PGP keys.

Usually, with some effort, private users can manage communication partners’ keys on their devices. In the corporate environment, encryption key management on a larger scale cannot be left to the individual employee. Automation is the only way to scale efficiently and prevent human error in the process, for example when checking the validity of a key. Also, compliance demands auditable solutions. This is hard to establish when the end user is responsible for key management and encryption on their device.

Secure email gateways may represent one end in business communication

Unlike private individuals, companies do not generally use end-to-end encryption from the sender’s device to the recipient’s device. In most cases, companies use secure email gateways as the company’s secure communication “end.”

A secure email gateway acts as a central interface to the Internet. It assumes the responsibility to encrypt and decrypt incoming and outgoing messages for the entire staff and automated company systems.

Secure email gateways are equipped to handle encryption with both X.509 certificates and OpenPGP keys. They may even incorporate encryption technologies that work when the communication partner holds neither X.509 certificates nor OpenPGP keys. Keyless encryption uses passwords and is very convenient for confidential ad hoc communication with private individuals, like whenever GDPR compliance calls for it. Zertificon solutions come with an automated logic that makes this more secure than average password protection.

[Fig. 2 diagram: Content Filter, DLP, Archive; Mail server; Z1 SecureMail; Internal infrastructure | Internet] Fig. 2: Email encryption with Secure Email Gateway. All emails are protected against attacks when sent over the Internet.

However, a standard secure email gateway solution will not encrypt email inside the company’s network. Companies use firewalls to prevent unauthorized access. So if your goal is protection against cyberattacks and economic and industrial espionage over the Internet, consider it achieved. A secure email gateway is a safe and established method. You can stop here and check out our Z1 SecureMail Gateway and even argue that this is indeed end-to-end encryption.

When you choose Zertificon, not only do you get email compliance enforcement through centrally configurable security policies. You also get an unparalleled degree of automation in the very complex, error-prone, and challenging world of enterprise-level certificate management. Your end in communication would be safe!

Read on if you feel the need for end device email encryption for your business.

End-to-End encryption: Motivation and challenges for companies

So we learned that individuals can only use end-to-end encryption from the sender’s device to the recipient’s device. What requirements can possibly determine the need for end-to-end encryption for emails on the device level in the corporate environment? There are a few use cases when businesses require encryption for threat protection over the Internet and inside the company’s network also.

The frequent use of mobile devices such as smartphones and notebooks for business communication without a VPN connection can be a reason for E2EE. Mobile devices send emails over mobile and public WLAN networks in plain text. And as we know, cybercriminals can easily access email content when sent over unprotected networks.

Another security motive behind E2EE is the storage of messages on company email servers. Companies that have their email infrastructures run as a service might especially want to block administrator access to email.

When it comes to end-to-end encryption use in a corporate environment, a solution should address the following challenges:

• Will the solution ask you to enforce one specific encryption standard for all your communication contacts, or will you stay flexible and able to communicate securely with any contact?
• Is E2EE even possible when the recipients do not have a certificate?
• How can you decrypt incoming encrypted emails locally on all the company’s end-user devices?

• How do data loss prevention systems access the messages?
• How can you conduct a virus scan when the message is encrypted?
• How can you implement central key management for the internal keys and those of external communication partners?
• When messages are only accessible by the employee, what happens in case of leave or absence?

At Zertificon, we are familiar with these challenges. And we have overcome them all with a new approach called Organizational End2End encryption.

Organizational end-to-end encryption with a gateway twist

Zertificon solves corporate E2EE encryption obstacles with an extension to the renowned Z1 SecureMail Gateway: Z1 SecureMail End2End. Together, these solutions combine encryption on internal and external routes and even in the cloud to make organizational end-to-end encryption possible.

The Gateway is the proxy between internal and external routes. And while the gateway deals with all possible encryption methods for email exchange over the Internet, the internal route is reserved for S/MIME encryption only. Z1 SecureMail End2End takes charge of the S/MIME certificate management for the internal devices. Internally, relying just on S/MIME keeps things uncluttered and easy since all the mail programs support S/MIME out-of-the-box. For mobile use, apps are provided.

How Organizational E2EE works

Outgoing emails are encrypted on the client with an S/MIME gateway certificate. The secure email gateway can decrypt the outgoing email and search for the actual recipient’s certificate. It can be S/MIME or OpenPGP. If nothing is found, the mail will be encrypted with a password.

The gateway decrypts, re-encrypts, and delivers incoming messages to your staff or automated systems as S/MIME encrypted emails no matter what the original encryption method.

The gateway can allow access to third-party tools such as anti-virus/anti-spam solutions, data loss prevention, or archiving solutions, whether inbound or outbound, between decryption and re-encryption.
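The decision logic of the three paragraphs above, as an added Python model. This is example code written for this page, not Zertificon’s software; the key inventory, addresses, sample messages and filter rules are all constructed, and no real cryptography is performed (the payload stays readable so the order of operations is visible). The model classifies an incoming message’s MIME structure as S/MIME enveloped data, PGP/MIME or unencrypted, applies the gateway’s search order for an external recipient (S/MIME certificate, then OpenPGP key, then password), re-encrypts inbound mail with S/MIME only for the internal route, and lets content filters run solely in the plaintext window between decryption and re-encryption. It also covers the Personal End2End case the paper discusses later: a message encrypted to an end device rather than to the gateway is relayed unchanged, and no filter can inspect it.

```python
from dataclasses import dataclass
from email import message_from_string
from typing import Callable, List, Optional, Tuple

# Hypothetical key inventory, constructed for this example (no real keys or crypto involved).
GATEWAY_PRIVATE_KEYS = {"CERT-GATEWAY", "PGPKEY-GATEWAY"}        # keys the gateway itself can open
INTERNAL_CERTS = {"dave@internal.example": "CERT-DAVE-INTERNAL"}  # company-issued S/MIME certs, internal route
EXTERNAL_KEYS = {                                                 # what the gateway knows about partners
    "alice@partner.example": {"smime_cert": "CERT-ALICE"},
    "bob@home.example": {"pgp_key": "PGPKEY-BOB"},
    "carol@nokeys.example": {},
}

# Constructed sample messages showing the MIME shapes the classifier looks at.
PGP_MIME_MESSAGE = (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n'
    "\n--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--b1\nContent-Type: application/octet-stream\n\n"
    "-----BEGIN PGP MESSAGE-----\n(constructed placeholder)\n-----END PGP MESSAGE-----\n--b1--\n"
)
SMIME_MESSAGE = (
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n\nTUlJQ0NvbnN0cnVjdGVkUGxhY2Vob2xkZXI=\n"  # placeholder body
)
PLAIN_MESSAGE = "Content-Type: text/plain\n\nhello\n"


@dataclass
class Envelope:
    method: str            # "none", "smime", "openpgp" or "password"
    key_id: Optional[str]  # identifier of the key that can open the envelope
    payload: str           # protected content (kept readable; this model performs no real crypto)


def detect_encryption(raw: str) -> str:
    """Classify a message by its MIME structure: "smime", "openpgp" or "none"."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # smime-type=signed-data is a signature only; the content itself is readable.
        smime_type = str(msg.get_param("smime-type", "")).lower()
        return "smime" if smime_type in ("enveloped-data", "authenveloped-data") else "none"
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return "openpgp"
    return "none"


def choose_external_method(recipient: str) -> Tuple[str, Optional[str]]:
    """Search order for an external recipient: S/MIME certificate, then OpenPGP key, else password."""
    keys = EXTERNAL_KEYS.get(recipient, {})
    if "smime_cert" in keys:
        return "smime", keys["smime_cert"]
    if "pgp_key" in keys:
        return "openpgp", keys["pgp_key"]
    return "password", None


def antivirus(text: str) -> str:
    # Constructed marker standing in for a signature match.
    return "block" if "X-CONSTRUCTED-MALWARE-MARKER" in text else "clean"


def dlp(text: str) -> str:
    # Constructed rule: content labelled INTERNAL ONLY is held back.
    return "block" if "INTERNAL ONLY" in text else "clean"


def gateway_process(env: Envelope, direction: str, recipient: str,
                    filters: List[Callable[[str], str]]) -> Tuple[List[str], Optional[Envelope]]:
    """Run one message through the gateway: decrypt, filter, re-encrypt.
    Returns the stages executed and the envelope handed on (None if a filter blocked it)."""
    stages: List[str] = []
    if env.method == "none":
        plaintext = env.payload
    elif env.key_id in GATEWAY_PRIVATE_KEYS:
        stages.append(f"decrypt:{env.method}")
        plaintext = env.payload
    else:
        # Personal E2EE: encrypted to an end device, not to the gateway. The message is
        # relayed unchanged, and no content filter gets to see it.
        stages.append("passthrough:filters-skipped")
        return stages, env
    for check in filters:       # filters only ever see the plaintext window
        verdict = check(plaintext)
        stages.append(f"filter:{check.__name__}:{verdict}")
        if verdict == "block":
            return stages, None
    if direction == "inbound":  # the internal route is S/MIME only
        method, key = "smime", INTERNAL_CERTS[recipient]
    else:
        method, key = choose_external_method(recipient)
    stages.append(f"encrypt:{method}")
    return stages, Envelope(method, key, plaintext)


if __name__ == "__main__":
    inbound = Envelope(detect_encryption(PGP_MIME_MESSAGE), "PGPKEY-GATEWAY", "Quarterly figures attached")
    print(gateway_process(inbound, "inbound", "dave@internal.example", [antivirus, dlp]))
```

The passthrough branch is the trade-off behind Personal End2End: whatever the gateway cannot open, it also cannot scan for malware, check for data loss or archive, so the choice between organizational and personal E2EE is really a choice about where the plaintext window sits.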

[Fig. 3 diagram: Content Filter, DLP, Archive; Mail server; Z1 SecureMail; Internal infrastructure | Internet] Fig. 3: When using mobile devices or when admins must not have access to emails at the server, email encryption should also protect the internal route.

[Fig. 4 diagram: Content Filter, DLP, Archive; Mail server; Z1 SecureMail Gateway + Z1 SecureMail; Internal infrastructure | Internet] Fig. 4: Organizational End2End state-of-the-art email encryption – internal S/MIME, external encryption and decryption depending on communication partner technology.

What remains is the prerequisite to issuing your own internal S/MIME keys and certificates for exclusive use on your internal routes. Z1 SecureMail Solutions then do the translation between internal and external key

Personal End2End Encryption

Z1 SecureMail End2End also supports Personal E2EE encryption. You might not even want the re-encryption on the gateway for some use cases. Hypersensitive communication between board members might be a use case where you wish to encrypt from the sending device to the recipient’s device.

If you want to save the hassle of certificate management and prevent human error, Z1 SecureMail End2End is the appropriate solution. It provides E2EE analogous

How to proceed

Whatever your End2End encryption requirements are, Zertificon can fulfill them. With Z1 Solutions, emails can be encrypted on all routes, mail servers, and end devices, efficiently guaranteeing corporate-wide compliance, data protection, and data sovereignty – no matter whether you have chosen on-premises or cloud deployments. You will make digitalization secure and your workflows compliant.

All possible encryption methods are supported. Now, it is up to you to think about your needs and use cases. Choosing Z1 SecureMail Gateway is always a decision you can’t go wrong with for a start. And you can always take it from there at a later point in your secure email journey.

Learn more:
Z1 SecureMail Gateway
Z1 SecureMail End2End

Or get in touch directly:

Zertificon Solutions GmbH

Zertificon is a leading software manufacturer in the IT security field based in Berlin. The company
is independent and founder-managed with its own in-house development, sales, and support
departments. Zertificon is about 120 employees strong and still growing.

IT Security made in Berlin

The Zertificon team pioneered the server-based email encryption market over 15 years ago with
the award-winning Z1 SecureMail Gateway. Today, the company is one of the driving forces in
IT security and data protection for electronic business communications with innovative, forward-
looking solutions.

Zertificon focuses on developing user-friendly and cost-effective comprehensive security concepts for confidential email and data exchange. In addition to Z1 SecureMail Gateway, the proven solution for email encryption and email signature, and Z1 CertServer for central certificate management and validation, Zertificon’s portfolio includes Z1 SecureHub: a web-based portal solution for secure file transfer of all formats and sizes. With Z1 MyCrypt BigAttach, Z1 SecureHub is operated directly from the mail program.

Last but not least, Zertificon’s latest innovation, Z1 SecureMail End2End, offers enterprise-grade
end-to-end encryption as an extension of the Z1 SecureMail Gateway and defines state-of-
the-art Organizational or Personal End2End. Z1 MyCrypt Mail is available as an add-in for MS
Outlook and Lotus Notes or as iOS and Android apps for use on end devices. Zertificon developed
virtual Z1 Appliances for easy integration and efficient and smooth operation of Z1 solutions. As
an operating system, Zertificon has been deploying Linux based on Debian distribution, which is
highly regarded in the IT security community.

Zertificon’s support services are highly renowned and offer fast and expert help in case of
operational questions. Zertificon also enables your company to easily meet the highest security
and compliance requirements in secure business communications.

Contact us today. We are sure to have the right offer for you.

Zertificon Solutions GmbH
Berlin, Germany
Phone: +49 30 5900300-30
Email:


