From what I can tell, encrypting Amazon SES emails has to be done from code. That's fine, but I'm obviously going to need a certificate of some kind. I know plenty about SSL, but it appears that SES only works with TLS? Can somebody point me in the right direction? Is it possible to use SSL with SES instead of TLS? Do I use a standard SSL certificate with the latest TLS software? How do I go about setting up a TLS certificate? Where do i purchase one? Is it basically the same as setting up an SSL certificate, except it's somehow routed through TLS instead of openSSL? Any guidance in this area would be greatly appreciated.
Asked
Active
Viewed 2,876 times
1 Answers
4
I think you're confused. Are you wondering about end-to-end encryption of email contents or encrypting the transport of your emails to SES?
If the former, you'll need to look into something like PGP or S/MIME. Either of those require cooperation from both the sender and the recipient to facilitate key exchange and subsequent encryption/decryption of the messages. SES doesn't care about this at all - you can send encrypted payloads through SES or you can choose not to. Your choice.
If the latter, all you need to do is ensure that your SMTP client or library is configured correctly to use STARTTLS. There is no need for you to purchase or otherwise manage certificates in this case, as you are a client of Amazon's service - they manage the certificates. Keep in mind that this option only encrypts a single SMTP hop - Amazon still has access to the cleartext version of the email, as to any other mail servers it may pass through. Additionally, one or more hops along the email's path from source to destination may not support STARTTLS, in which case the email is transiting the public internet unencrypted. If this is of concern to you, you'll need to implement either PGP or S/MIME.
EEAA
- 108,414
- 18
- 172
- 242
-
there has been question as to whether or not the emails need to be encrypted because the emails are receipts that might contain private health information. think hospitals. so the emails are ultimately going to an end user that made a payment. probably cant guarantee it arrives there encrypted. so ill at least want to encrypt it to SES. its just a legal protection more than anything. – Katushai Dec 01 '16 at 02:40
-
thank you for the information, i appreciate it greatly. hopefully my last comment can provide more information that might give you a better idea of what i'm looking for – Katushai Dec 01 '16 at 02:42
-
4Well, I'm not sure what regulatory jurisdiction you're under but speaking of US HIPAA regulations (which I'm quite familiar with), emailing any kind of PHI is strictly forbidden. If you want to get PHI-laden data into a patient's hands, you need to email them a notification email with a link that they can click, and then sign in with username/password to retrieve the data. – EEAA Dec 01 '16 at 02:46
-
1To put a sharper point on it - if you email PHI to a patient, regardless of whether or not it's encrypted in transit, you are blatantly violating HIPAA privacy and security rules. – EEAA Dec 01 '16 at 03:15
-
i'm in the US, so yes, HIPAA is what i'm dealing with. very good. thank you so much for the information. it's been very useful – Katushai Dec 01 '16 at 03:34
-
2You're welcome. With all due respect, you really ought to hire someone who is well-versed in the nuances of HIPAA regs. You *really* don't want to get hit with a HIPAA breach fine, nor do you want to be responsible for your customer getting one either. – EEAA Dec 01 '16 at 03:36
-
well I'm just the tech guy for a bigger company. they have a lawyer that works out all the details and he asked if i could find a way around it. since you've made it pretty clear that there really isnt a way around it, i've already told my boss he's going to have to set up a link to a password and everything – Katushai Dec 01 '16 at 07:17
-
@EEAA haha totally saved their butt :) – Wills Manley Mar 26 '20 at 01:10