S/MIME, or Secure/Multipurpose Internet Mail Extensions, is the industry standard for public key encryption for MIME-based (message-based) data and is becoming an increasingly popular option for organizations interested in encrypting internal communications.
While the ease of use for end users and native compatibility with enterprise email clients hold a lot of appeal, questions often arise around the reliance on private keys, namely - "what happens if I lose my private key?"
The importance of private keys
S/MIME uses public-key cryptography to encrypt and decrypt content. When someone wants to send you an encrypted message, they use your public key to encrypt it. Then you use your private key to decrypt. This means without your private key, you will not be able to read any encrypted emails you have received. It's easy to see why this could lead to trouble.
What is key recovery?
Private keys are generally stored in the software or operating system you use (or on cryptographic hardware, such as USB or HSM), but they can be exported and stored in a safe location as back-up. Using key archival and recovery helps protect encrypted data from permanent loss if, for example, an operating system needs to be reinstalled, the user account to which the encryption key was originally issued is no longer available, or the key is otherwise no longer accessible.
How to archive and recover keys
There is always a balance between security and practicality and key recovery is one example of that. Key archival and recovery are not enabled by default because storing private keys in multiple places can be a security vulnerability. At the same time, you don't want to run the risk of not being able to access your encrypted data should you lose access to the private key. It is important to take a step back and consider which certificates should be covered by key archival and recovery, and also designate who has access to recover the archived keys.
There are two main options for archiving private keys:
- Manual Key Archival
Users export their private keys manually and send them to a designated PKI or CA administrator who imports them into a protected CA database.
- Automatic Key Archival
If you are running a Windows environment with Microsoft CA or an integration to a third party CA, you can enable automatic key archival. By configuring the appropriate certificate template(s), the process is performed during certificate enrollment. For example, using our Active Directory integration, during the certificate enrollment process, the private key is securely sent to the designated server as part of the certificate request and is archived there. The archived keys never leave the organization's system and are protected.
If you're interested in learning more about the key archival process using our Active Directory integration, check out our solution guide Secure Email and Key Recovery Using GlobalSign's Auto Enrollment Gateway (AEG).
S/MIME can be a great option for encrypting emails, but like any security implementation, it's important to take the necessary steps to ensure your security measures aren't overriding practicality and functionality. If you're considering adopting S/MIME, or are already using it, we highly recommend you archive and securely store your private keys, or at least weigh the consequences of losing access to previously received encrypted emails just in case you lose access to the private keys in the future.