How do I sign and encrypt emails on an Apple iPhone?
With the release of iOS 5, the iPhone and iPad devices have the ability to use S/MIME to digitally sign and encrypt email. This article will explain the process of setting this up.
Below is a list of the requirements that need to be in place before you can set up S/MIME for your device:
- Your iPhone or iPad must be updated to iOS 5 or above.
- You must have an email account configured and working on your device.
- You must have a certificate installed as a profile on the device where either the DN Email field or the RFC 822 field contains the email address that you want to sign/encrypt with. This email address must match the email account that is configured and working.
If you have not yet installed a certificate as a profile on the device, please refer to the Knowledge Base article found here.
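The prerequisite above is the one most often missed: the certificate must carry the account's address as its DN Email (emailAddress) or RFC 822 (subjectAltName rfc822Name) value, or Mail will not offer it for signing. The following script is an added example, not part of the original article, that checks this on a workstation before the profile is pushed to the device; it assumes the openssl command-line tool is installed and builds a constructed self-signed test certificate so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): confirm that a certificate
# lists the email address that the iOS Mail account is configured with.
# Assumes the openssl CLI is available.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: build a self-signed test certificate whose
# subjectAltName carries an rfc822Name (the "RFC 822 field" in the article).
# $1 = output PEM path, $2 = email address to embed
make_test_cert() {
    cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = S-MIME test
[v3]
subjectAltName = email:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$WORK/san.cnf" \
        -keyout "$WORK/key.pem" -out "$1" >/dev/null 2>&1
}

# Returns 0 when the certificate lists the address, 1 otherwise.
# "openssl x509 -email" prints addresses from both the subject emailAddress
# attribute and the subjectAltName rfc822Name entries; compare case-insensitively.
# $1 = PEM certificate, $2 = email account configured on the device
cert_has_email() {
    wanted=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    openssl x509 -in "$1" -noout -email | tr 'A-Z' 'a-z' | grep -qx "$wanted"
}

# Usage with the constructed certificate and the article's example account.
make_test_cert "$WORK/cert.pem" "firstname.lastname@example.org"
if cert_has_email "$WORK/cert.pem" "firstname.lastname@example.org"; then
    echo "certificate lists the account address: OK to use for S/MIME"
else
    echo "certificate does NOT list the account address: Mail will not offer it"
fi
```

Run the same check against the real certificate in the profile by replacing the constructed PEM path with your own file.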
All screenshots are shown using iOS 7. The steps for previous versions of iOS are generally the same.
Setting up S/MIME
If you have completed all the prerequisites, you are now ready to configure S/MIME.
- First, open up Settings.
- Next, open up Mail, Contacts, Calendars.
- Tap the account type under which your email address is configured. In the example below, we will use the firstname.lastname@example.org account, which is a Microsoft Exchange account.
- On the Exchange Account screen, select the account for which you wish to configure S/MIME.
- When you are at the Account screen, scroll to the bottom and select Advanced Settings.
- In the S/MIME section, use your finger to turn S/MIME from OFF to ON. The Sign and Encrypt options will become available.
- S/MIME is now active. Now you must select whether you want to enable signing and/or encryption for every message.
Note: Currently, there is no way to toggle signing and encryption on a per-message basis. The settings to sign or encrypt are either always enabled or disabled.
Enabling Sign in the S/MIME section will digitally sign every email that you send out on your device.
- In the S/MIME section, you must click on the Sign field to turn on signing. This will take you to the Sign screen.
- On the Sign screen, toggle the switch for Sign from OFF to ON. When signing is active, a check mark appears next to the certificate that will be used to digitally sign your emails.
Enabling Encrypt in the S/MIME section will attempt to encrypt every email that you send out on your device, provided that you have a copy of the recipient's certificate either saved on your device or available from GAL (Global Access List).
- In the S/MIME section, you must click on the Encrypt field to turn on encryption. This will take you to the Encrypt screen.
- On the Encrypt screen, toggle the switch for Encrypt from OFF to ON. When encryption is active, a check mark appears next to the certificate that will be used to encrypt your emails.
Note: If you enable encryption, it is recommended to enable signing as well so that new recipients can easily obtain your public key so that they can encrypt back to you.
Installing a Recipient’s Certificate
iOS 5 does not automatically remember certificates. Simply replying to a signed email when Encrypt is set to Yes will not send the message encrypted. There may be more than one way to install a recipient's certificate; however, the easiest way is to save the recipient's certificate to your device from one of their digitally signed messages (unless the recipient's certificate has been published to GAL, in which case you can ignore this section). These steps will guide you through installing a recipient's certificate on your phone from a digitally signed message.
- Open a digitally signed message from the intended recipient you want to encrypt a message to. Tap the recipient's name in the From: field.
Note: The blue check mark next to this name indicates that this message is digitally signed.
- You will be shown a screen named Sender that summarizes the intended recipient's details. On this screen, press the View Certificate button.
You will now see the digital certificate that the intended recipient signed the message with. On this screen, you can also tell whether the digital certificate is trusted by your iPhone or iPad. This trust is based on the root certificates approved by Apple.
- Press the Install button on this Certificate screen to install the certificate.
The certificate will install and the Install button will turn into a Remove button. If you need to remove this certificate at a later date, pressing this button will remove the certificate.
Once this certificate has been successfully installed, email communications between you and this intended recipient will be encrypted as long as Encrypt in the S/MIME section is enabled.
Important Things to Consider
- If the iPhone or iPad is connected to an Exchange environment where digital certificates have been pushed to GAL (Global Access List), then the device does not require a copy of the recipient’s certificate to send an encrypted message as long as that recipient is part of the same Exchange environment and their certificate is published to GAL.
- The iPhone/iPad device will attempt to send all messages digitally signed and encrypted when Sign and Encrypt are both set to Yes in the S/MIME section of the account. If you do not possess a copy of the recipient's certificate, or if their certificate is not pushed to GAL in your Exchange environment, then the message will only be signed and will not be encrypted, even if Encrypt is set to Yes.