Linux – How to encrypt Amazon SES emails

Tags: amazon-ses, amazon-web-services, linux, ssl

From what I can tell, encrypting Amazon SES emails has to be done from code. That's fine, but I'm obviously going to need a certificate of some kind. I know plenty about SSL, but it appears that SES only works with TLS? Can somebody point me in the right direction? Is it possible to use SSL with SES instead of TLS? Do I use a standard SSL certificate with the latest TLS software? How do I go about setting up a TLS certificate? Where do I purchase one? Is it basically the same as setting up an SSL certificate, except it's somehow routed through TLS instead of OpenSSL?
Any guidance in this area would be greatly appreciated.

Best Answer

I think you're confused. Are you wondering about end-to-end encryption of email contents or encrypting the transport of your emails to SES?

If the former, you'll need to look into something like PGP or S/MIME. Either of those require cooperation from both the sender and the recipient to facilitate key exchange and subsequent encryption/decryption of the messages. SES doesn't care about this at all - you can send encrypted payloads through SES or you can choose not to. Your choice.

If the latter, all you need to do is ensure that your SMTP client or library is configured correctly to use STARTTLS. There is no need for you to purchase or otherwise manage certificates in this case, as you are a client of Amazon's service - they manage the certificates. Keep in mind that this option only encrypts a single SMTP hop - Amazon still has access to the cleartext version of the email, as do any other mail servers it may pass through. Additionally, one or more hops along the email's path from source to destination may not support STARTTLS, in which case the email is transiting the public internet unencrypted. If this is of concern to you, you'll need to implement either PGP or S/MIME.
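
As an added example (not code from the original answer or from Amazon), the following shows the STARTTLS client configuration the answer describes, using Python's standard smtplib. The SES endpoint hostname, port, credentials and message content are assumed placeholders, and the FakeSMTP class is a constructed stand-in for smtplib.SMTP so the flow can be run offline. The client loads no certificate of its own; it only verifies the server's certificate, which is the point the answer makes about not needing to buy one.

```python
"""Sending mail through Amazon SES over SMTP with STARTTLS enforced.

Added example, not code from the original post. The endpoint hostname,
credentials and message body are placeholders / constructed sample data.
"""
import smtplib
import ssl
from email.message import EmailMessage

# Assumed SES SMTP endpoint (region-specific); substitute your own.
SES_SMTP_HOST = "email-smtp.us-east-1.amazonaws.com"
SES_SMTP_PORT = 587  # submission port, upgraded to TLS via STARTTLS


class StartTLSUnavailable(RuntimeError):
    """Server did not advertise STARTTLS; refusing to send in cleartext."""


def strict_tls_context() -> ssl.SSLContext:
    """Verify Amazon's certificate against the OS trust store.
    No client certificate is loaded: as an SMTP client you prove identity
    with SMTP credentials, not with a certificate."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_message() -> EmailMessage:
    """Constructed sample message. The body is plaintext: STARTTLS protects
    only the hop to SES, not the contents once SES has them."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "SES STARTTLS test"
    msg.set_content("This body is only protected on the hop to SES.")
    return msg


def send_via_ses(msg, username, password, smtp_class=smtplib.SMTP,
                 host=SES_SMTP_HOST, port=SES_SMTP_PORT):
    """Send msg, aborting before any credential is sent if STARTTLS is missing.
    Returns the ordered list of SMTP steps that actually ran."""
    steps = []
    server = smtp_class(host, port, timeout=30)
    try:
        server.ehlo()
        steps.append("ehlo")
        if not server.has_extn("starttls"):
            # A missing STARTTLS capability is a downgrade; never fall back.
            raise StartTLSUnavailable(f"{host}:{port} did not advertise STARTTLS")
        server.starttls(context=strict_tls_context())
        steps.append("starttls")
        server.ehlo()  # re-read capabilities over the now-encrypted channel
        steps.append("ehlo")
        server.login(username, password)  # credentials travel only inside TLS
        steps.append("login")
        server.send_message(msg)
        steps.append("send")
    finally:
        server.quit()
        steps.append("quit")
    return steps


def fake_smtp_class(advertise_starttls: bool):
    """Constructed stand-in for smtplib.SMTP so the flow runs offline."""

    class FakeSMTP:
        def __init__(self, host, port, timeout=None):
            self.tls = False

        def ehlo(self):
            return 250, b"OK"

        def has_extn(self, name):
            return name == "starttls" and advertise_starttls

        def starttls(self, context=None):
            if context is None or context.verify_mode != ssl.CERT_REQUIRED:
                raise ValueError("certificate verification must be on")
            self.tls = True

        def login(self, user, password):
            if not self.tls:
                raise RuntimeError("credentials would leave in cleartext")

        def send_message(self, msg):
            return {}

        def quit(self):
            return 221, b"Bye"

    return FakeSMTP


def demo():
    """Run the flow against a STARTTLS-capable fake and a downgraded one."""
    creds = ("smtp-username", "smtp-password")  # placeholders
    ok = send_via_ses(build_message(), *creds, smtp_class=fake_smtp_class(True))
    try:
        send_via_ses(build_message(), *creds, smtp_class=fake_smtp_class(False))
        refused = False
    except StartTLSUnavailable:
        refused = True
    return {"steps_with_starttls": ok, "refused_without_starttls": refused}


if __name__ == "__main__":
    print(demo())
```

The two checks worth keeping in any real client are the ones the fake exercises: the EHLO response is inspected and the session is aborted if STARTTLS is not offered (otherwise a downgrading middlebox silently gets your credentials and message in cleartext), and the TLS context keeps hostname checking and certificate verification on, so a connection to an impostor endpoint fails rather than proceeds. None of this protects the message beyond SES; for that, as the answer says, the contents themselves need PGP or S/MIME.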
