Security – Easiest way to send encrypted email

Tags: email, encryption, networking, Security

To comply with Massachusetts's new personal information protection law, my company needs to (among other things) ensure that anytime personal information is sent via email, it's encrypted. What is the easiest way to do this? Basically, I'm looking for something that will require the least amount of effort on the part of the recipient. If at all possible, I really want to avoid them having to download a program or go through any steps to generate a key pair, etc. So command-line GPG-type stuff is not an option. We use Exchange Server and Outlook 2007 as our email system.

Is there a program that we can use to easily encrypt an email and then fax or call the recipient with a key? (Or maybe our email can include a link to our website containing our public key, that the recipient can download to decrypt the mail?) We won't have to send many of these encrypted emails, but the people who will be sending them will not be particularly technical, so I want it to be as easy as possible. Any recs for good programs would be great. Thanks.

Best Answer

We've had to go through something similar with our clients for PCI. The best way would be to use some version of PGP/GPG.

Now that being said, it really isn't as painful as you think. We have done this with hundreds of non-technical users. What we did was choose two products - the free GPG (which Kronick states has GUI front-ends) as well as the pay-for PGP software. We wrote up some really good documentation that could be sent to our clients instructing them how to use the software that they chose, as well as trained our Account Managers on basic troubleshooting and how to use the software.

That has kept 95% of the issues that clients run into out of the IT queue. For the other 5% we made IT resources available to answer questions, as well as in the worst case get on a call to help the client out.


As an alternative we also bought some licenses of winzip so that we could use the built in AES encryption with a pass phrase. The commercial PGP software has the ability to create an encrypted file that is opened by passphrase only as well. Although honestly using PGP has worked out so well i think i only create these types of files 2 or 3 times a year.
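The passphrase-only encrypted file the answer describes, as an added example that is not part of the original post: it uses GnuPG's symmetric mode (assumes gpg 2.1 or later on PATH) and checks both that the file round-trips and that a wrong passphrase is rejected. File names, contents and passphrases are constructed sample values; the real passphrase reaches the recipient by phone or fax, as the question proposes, never in the same email.

```shell
#!/bin/sh
# Added example, not from the original post or any product mentioned there.
# Builds a passphrase-only (symmetric) GnuPG file and verifies it.
# Assumes gpg 2.1+ (needed for --pinentry-mode loopback in batch mode).
set -e

# Encrypt $1 into $2 with AES-256. The passphrase is read from stdin rather
# than passed as a --passphrase argument, so it never shows up in `ps` output
# or shell history on the sender's machine.
encrypt_for_recipient() {
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
      --symmetric --cipher-algo AES256 --output "$2" "$1"
}

# Decrypt $1 into $2 with the passphrase read from stdin (what the
# recipient's GUI front-end does behind its password prompt).
decrypt_with_passphrase() {
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
      --output "$2" --decrypt "$1"
}

# Returns 0 when encrypt then decrypt reproduces the file byte for byte.
roundtrip_check() {
  work=$(mktemp -d)
  # Constructed sample record standing in for the personal information.
  printf 'Constructed sample: client DOB 01/01/1970, account 0000\n' > "$work/pii.txt"
  printf 'correct horse battery staple\n' | encrypt_for_recipient "$work/pii.txt" "$work/pii.txt.gpg"
  printf 'correct horse battery staple\n' | decrypt_with_passphrase "$work/pii.txt.gpg" "$work/out.txt"
  if cmp -s "$work/pii.txt" "$work/out.txt"; then status=0; else status=1; fi
  rm -rf "$work"
  return $status
}

# Returns 0 when a wrong passphrase fails to decrypt (gpg exits non-zero).
wrong_passphrase_rejected() {
  work=$(mktemp -d)
  printf 'constructed sample\n' > "$work/p.txt"
  printf 'right passphrase\n' | encrypt_for_recipient "$work/p.txt" "$work/p.gpg"
  if printf 'wrong passphrase\n' | decrypt_with_passphrase "$work/p.gpg" "$work/o.txt" 2>/dev/null; then
    rm -rf "$work"; return 1
  fi
  rm -rf "$work"
}
```

Run `roundtrip_check && wrong_passphrase_rejected && echo ok` after sourcing the file; the `.gpg` output is the attachment, and the passphrase goes out by a separate channel.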
