The core reason why MeSign APP can automate the email encryption is that MeSign completely solve the certificate application and key management issues, so that users do not need to spend time and effort on certificate management and they can send encrypted emails automatically as easy as sending cleartext emails. In a word, MeSign provides free key management service for the public by adopting the cloud key management model.
If your organization want to manage encryption keys locally and independently, you can purchase the MeSign Enterprise Key Management System (EKMS) and deploy it in the organization's Intranet on premises (not connect to the Internet), all employees will retrieve the key from EKMS, to realize the localization and self-control on employees’ key management.
According to NIST SP 800-177 “Trustworthy Email” Security Consideration 7-2: Enterprises should establish a cryptographic key management system (CKMS) for keys associated with protecting email sessions with end users. For federal agencies, this means compliance with all relevant policy and best practice for the protection of key material [SP800-57pt1]. MeSign recommend all government agencies, middle and large enterprise purchase MeSign EKMS to establish key management system for compliant with SP 800-177, the keys can be used for email encryption and PDF document encryption for email and document security.
Users only need to deploy the MeSign Enterprise Key Management System (EKMS) in the organization’s Intranet, and log into the organization’s MeSign account to set the Intranet IP address of the EKMS. When employees setup their enterprise email account in MeSign APP, MeSign APP will search the access address of the EKMS according to the domain name of the employee’s email address, and then it can be connected to the EKMS to retrieve the encryption key, instead of connecting to the MeSign Cloud KMS to retrieve the encryption key. Once the private key of the encrypting certificate is successfully retrieved, employees can get the encrypting certificate and the signing certificate issued by MeSign default CA system automatically, and then employees can use the email encryption and signature function normally. The employees who works remotely must be able to connect to the EKMS via VpN. Please note: The EKMS cannot connect the Internet, it is only limited to be accessed in Intranet by employees’ computers and mobile devices, to ensure the security of the EKMS system and the Keys.
The MeSign EKMS is a plug-and-play hardware product. If it is not regulated to deploy external hardware in the user's Internal network, the user can use their own server and purchase the MeSign EMKS software and purchase HSM to securely generate keys. In order to assure the high reliable requirements of key management, we strongly recommend users to purchase at least two EKMS hardware or configure two highly reliable servers to deploy the EKMS software to realize hot backup operation, to ensure that the EKMS can provide key management services for their employees reliably.
The MeSign Enterprise Key Management System is charged per hardware appliance or per set of software. In addition to hardware appliance or software system fees, users also need to purchase customized service fees that are charged based on the number of email account of employees in the organization. At the same time, user can purchase the Pro Edition service, and automatically configure the Organization Email Certificate for all employees for free, including organization name information, and the number of employees is not limited. There are also 10 employee emails that automatically configure an Organization Employee Certificate (including employee name and organization name) and automatically configure a publicly trusted Vp Email Certificate. MeSign App automatically sets the Vp Email Certificate as the default signing certificate, so that other email clients can trust the MeSign App signed email.
Yes, users can purchase key management systems produced by other manufacturers. However, other manufacturers' products need to be modified to support the MeSign APP to automatically retrieve the encryption keys. We will provide MeSign Certification services and will list the manufacturers’ product models that have passed MeSign Certification on MeSign website.
If you cannot find the answer to your questions, welcome to submit your questions online, we will reply to you as soon as possible.