This article presents three ways to encrypt email in Office 365. If you want to learn more about all security features in Office 365, visit the Office 365 Trust Center.
Microsoft 365 delivers multiple encryption options to help you meet your business needs for email security.
- Office Message Encryption (OME)
  Central encryption with internal and/or external recipients. The recipient needs a Microsoft account or a one-time password.
- Secure/Multipurpose Internet Mail Extensions (S/MIME)
  Local encryption with internal and/or external recipients. The recipient needs an S/MIME certificate.
- Information Rights Management (IRM)
  Central encryption within the organisation.
What is it about?
Encryption is the process by which information is encoded so that only an authorized recipient can decode and consume the information. Microsoft 365 uses encryption in two ways: in the service, and as a customer control. In the service, encryption is used in Microsoft 365 by default; you don't have to configure anything. For example, Microsoft 365 uses Transport Layer Security (TLS) to encrypt the connection, or session, between two servers.
Here's how email encryption typically works:
- A message is encrypted, or transformed from plain text into unreadable ciphertext, either on the sender's machine, or by a central server while the message is in transit.
- The message remains in ciphertext while it's in transit in order to protect it from being read in case the message is intercepted.
- Once the message is received by the recipient, the message is transformed back into readable plain text in one of two ways:
  - The recipient's machine uses a key to decrypt the message, or
  - A central server decrypts the message on behalf of the recipient, after validating the recipient's identity.
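The difference between TLS on each server-to-server connection and encryption of the message itself can be checked on a received message. The following Python is an added example, not part of the original article: the sample message, host names and addresses are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample message (not real traffic): two relay hops, S/MIME body.
SAMPLE = """\
Received: from mail.contoso.example (192.0.2.10) by
 mx.fabrikam.example (192.0.2.20) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.0.1;
 Mon, 1 Jan 2024 10:00:02 +0000
Received: from client.contoso.example (192.0.2.5) by
 mail.contoso.example (192.0.2.10) with SMTP id abc123;
 Mon, 1 Jan 2024 10:00:00 +0000
From: alice@contoso.example
To: bob@fabrikam.example
Subject: Q4 figures
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

(constructed placeholder, not real ciphertext)
"""

# TLS markers relays commonly write into Received: Exchange style, Postfix style, RFC 3848.
TLS_HINT = re.compile(r"version=(TLS\w+)|using (TLSv[\d.]+)|with (ESMTPSA?)\b")

def hop_tls(msg):
    """One entry per Received header, newest first: TLS label, or None if none recorded."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = TLS_HINT.search(" ".join(raw.split()))  # unfold the header before matching
        hops.append(next(g for g in m.groups() if g) if m else None)
    return hops

def message_level(msg):
    """Detect sender-side S/MIME encryption; central-server schemes (OME, IRM) are not covered."""
    if msg.get_content_type() in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        kind = msg.get_param("smime-type")
        return "smime-encrypted" if kind == "enveloped-data" else "smime-other"
    return "none"

def assess(raw):
    msg = message_from_string(raw)
    hops = hop_tls(msg)
    # Received headers are written by each relay, so treat them as claims, not proof.
    return {"message_level": message_level(msg), "hops": hops,
            "all_hops_tls": bool(hops) and all(hops)}
```

On the sample, the body stays S/MIME-encrypted even though the first hop records no TLS, which is the case message-level encryption is meant to cover.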
Watch this video for an introduction to Encryption in Office 365.
What about encryption for local data?
"Data at rest" refers to data that isn't actively in transit. In Microsoft 365, email data at rest is encrypted using BitLocker Drive Encryption. BitLocker encrypts the hard drives in Microsoft datacenters to provide enhanced protection against unauthorized access.
To learn more, see BitLocker Overview.