Cisco Support Community
New Member

Decryption of Email - Public Records Requests

Here in the State of Florida we have a "Sunshine Law" requirement, and all email is archived for public records requests and for legal proceedings if required. When we receive such a request the email is reviewed by the County Attorney, and PHI and other protected info is redacted.

Now that we have deployed Ironport/Cisco Encryption (managed), outgoing email is still captured in its un-encrypted form, but email received that is encrypted (if the encrypted email originated by us, the recipient hit the embedded "reply" button to keep the entire conversation encrypted) can't be captured in its decrypted form.

Can the received email be decrypted for review by the attorney or for a legal reason?


New Member

Re: Decryption of Email - Public Records Requests

Let me see if I understand the situation correctly. Let me break it into two parts.

Part 1: When your domain/IronPort C-series sends mail out to the Internet and you want to encrypt it, it arrives on the C-series in a non-encrypted format. You archive the message in a non-encrypted format per the "Sunshine Law" requirement of your state. You then call on the encrypt action and leverage the CRES server (Cisco Registered Envelope Service) to encrypt the data and then the encrypted mail is sent out to the Internet.


Part 2: If the recipient on the Internet replies back, it will be encrypted by the CRES server on the Internet and come back to your domain/MX records in an encrypted format. At this point, the message doesn't become decrypted until the user supplies their password and decrypts the message. The C-series only has this message in an encrypted format, thus not abiding by the Sunshine Law if called upon.

Let me know if this is a correct assessment of both parts.

Now here is the solution. Part 1 is fine. Everything is working great. You're able to archive non-encrypted messages per the Sunshine Law.

For Part 2, the solution would be that if the connection between the CRES service and your domain/MX records could be conducted over a TLS secure connection, the CRES server can be adjusted so that it can send to your domain non-encrypted CRES replies. This has been done for numerous C-series owners who use the encrypt function. They don't all have the Sunshine Law. Most do it for ease-of-use for the company end users.

Let me know if the solution for Part 2 would meet your needs. If you think it does, then you can proceed with following this KB below and then move towards establishing a secure connection between CRES and your domain/C-series. Once that is verified, CRES will start to send over non-encrypted replies over TLS. At that point, you can start archiving those replies, to meet the requirements of the Sunshine Law.

How to use TLS to secure unencrypted CRES replies