Securing your email
You can digitally sign or encrypt messages if you use a work email account that supports S/MIME or
PGP protected messages or IBM Notes email encryption on your BlackBerry device. Digitally signing or
encrypting messages adds another level of security to email messages that you send from your device.
Digital signatures are designed to help recipients verify the authenticity and integrity of messages that
you send. With S/MIME-protected messages, when you digitally sign a message using your private key,
recipients use your public key to verify that the message is from you and that the message hasn't been
changed.
Encryption is designed to keep messages confidential. With S/MIME-protected messages, when you
encrypt a message, your device uses the recipient’s public key to encrypt the message. Recipients use
their private key to decrypt the message.
Even if your email account isn't supported by an EMM solution from BlackBerry, if it's supported by
Microsoft Exchange ActiveSync and your organization uses an LDAP directory, you can encrypt your
messages using S/MIME.
If you use a work account that supports PGP protected messages, you can digitally sign, encrypt, or
sign and encrypt messages using PGP protection. You need to store the recipient's public key on your
BlackBerry device to send encrypted email messages. You need to store your private key on your device
to send digitally signed email messages.
If your device is associated with a CRL or an OCSP server, when you add recipients to an encrypted
message, your device tries to retrieve a certificate status for each recipient. You are unable to send the
message until certificate statuses are received for all recipients. If certificates can't be found or are
invalid, the recipients' names appear in red.
BlackBerry Hub and email
User Guide
Set up S/MIME-protected messaging
You need to store a private key and certificate on your BlackBerry device to send digitally signed or
encrypted email messages using S/MIME-protected messaging. You can store a key and certificate by
importing the files from a work email message or a media card.
If you have a work email account that is supported by an EMM solution from BlackBerry and a personal
Microsoft Exchange ActiveSync account, when you import a certificate from the personal space on your
device, you can store it in the keystore in your work or personal space.
Your BlackBerry device supports keys and certificates in the following file formats and file name
extensions:
• PEM (.pem, .cer)
• DER (.der, .cer)
• PFX (.pfx, .p12)
1. Open a work email message with a certificate attachment.
2. Tap .
3. If necessary, enter the password.
4. Tap Import or Import All.
5. Tap .
6. In the BlackBerry Hub, tap > > Email Accounts.
7. Tap an account.
8. Tap Secure Email Settings.
9. If necessary, tap the S/MIME tab.
10. Turn on the S/MIME switch.
11. Under Signing Certificate, in the drop-down list, tap the certificate that you imported.
12. Under Encryption Certificate, in the drop-down list, tap the certificate that you imported.
Set up PGP protected messaging
If you use a work account that supports PGP protected messages, you can digitally sign, encrypt, or
sign and encrypt messages using PGP protection. You need to store the recipient's public key on your
BlackBerry device to send encrypted email messages. You need to store your private key on your device
to send digitally signed email messages.
Your device supports keys in the following formats and file name extensions:
• PEM (.pem, .cer)
• ASC (.asc)
1. Open a work email message with a PGP key attachment.
2. Tap .
3. Tap Import or Import All.
4. If necessary, enter the password.
5. Tap .
6. In the BlackBerry Hub, tap > > Email Accounts.
7. Tap an account.
8. Tap Secure Email Settings.
9. If necessary, tap the PGP tab.
10. Turn on the PGP switch.
11. Under PGP Signing Key, in the drop-down list, tap the key that you imported.
12. Under PGP Encryption Key, in the drop-down list, tap the key that you imported.
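The format lists in the S/MIME and PGP setup sections map .cer to both PEM and DER, and .pem to both certificates and PGP keys, so the file name alone does not say what an attachment contains. The following Python sketch is an added example, not BlackBerry code: it classifies a file by its content before import and flags files that carry private key material. The labels, function names and sample bytes are constructed for illustration.

```python
import base64
import re

# PEM and PGP ASCII armor share the "-----BEGIN <label>-----" framing.
ARMOR = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
PGP_KINDS = {b"PGP PUBLIC KEY BLOCK": "pgp-public", b"PGP PRIVATE KEY BLOCK": "pgp-private"}

def _body(data: bytes, pos: int) -> int:
    """Offset of the content that follows the tag and length bytes at pos."""
    n = data[pos + 1]
    return pos + 2 + (n & 0x7F if n >= 0x80 else 0)

def der_kind(data: bytes) -> str:
    """Structural guess for a DER/BER blob; a hint, not validation."""
    try:
        pos = _body(data, 0)
        if data[0] != 0x30:                        # not an ASN.1 SEQUENCE
            return "unknown"
        if data[pos:pos + 3] == b"\x02\x01\x03":   # PFX: version INTEGER 3
            return "pkcs12"
        if data[pos:pos + 3] == b"\x02\x01\x00":   # PKCS#1/PKCS#8: INTEGER 0
            return "private-key-der"
        if data[pos] == 0x30 and data[_body(data, pos)] in (0xA0, 0x02):
            return "x509-der"        # tbsCertificate: [0] version or serial
    except IndexError:               # truncated input
        pass
    return "unknown"

def classify(data: bytes) -> list:
    """One label per object found, judged by content, not by file name."""
    labels = []
    for label, body in ARMOR.findall(data):
        if label == b"CERTIFICATE":
            der = base64.b64decode(b"".join(body.split()))
            labels.append("x509-pem" if der_kind(der) == "x509-der" else "unknown")
        elif label.endswith(b"PRIVATE KEY"):
            labels.append("private-key-pem")
        else:
            labels.append(PGP_KINDS.get(label, "unknown"))
    return labels or [der_kind(data)]

def holds_private_key(data: bytes) -> bool:
    return any("private" in k or k == "pkcs12" for k in classify(data))

# Constructed samples: header bytes only, not real keys or certificates.
DER_CERT = bytes.fromhex("3082010a308200f2a003020102")
PFX = bytes.fromhex("30820a0002010330820a00")
PEM_CERT = b"-----BEGIN CERTIFICATE-----\nMIIBCjCCAPKgAwIBAg==\n-----END CERTIFICATE-----\n"
PGP_PUB = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQENBF...\n-----END PGP PUBLIC KEY BLOCK-----\n"
```

A file that reports `pkcs12` or a private-key label is one you expect only for your own signing identity; a recipient's key or certificate sent to you for encryption should classify as public material only.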
Turn on IBM Notes email encryption
A work account that supports IBM Notes email encryption must be added to your device.
1. In the BlackBerry Hub, tap > > Email Accounts.
2. Tap an account.
3. Tap Secure Email Settings.
4. If necessary, tap the NNE tab.
5. Turn on the NNE switch.
Sign or encrypt a message
You must use a work email account that supports IBM Notes mail encryption to send an encrypted email
message, or an email account that supports S/MIME or PGP protected messages to send a signed or
encrypted email message.
1. When you compose a message, slide your finger down on the screen.
2. In the drop-down list, tap a signing or an encryption option.
Note: If your BlackBerry device is associated with a CRL or an OCSP server, when you add recipients to
an encrypted message, your device tries to retrieve a certificate status for each recipient. You are unable
to send the message until certificate statuses are received for all recipients. If certificates can't be found
or are invalid, the recipients' names appear in red.