Please note that we've decided to move our support portal to help.savignano.net to to further improve the services for our customers.

The updated version of this page can be found at https://help.savignano.net/snotify-email-encryption/common-user-scenarios

Abstract

This document describes a few common user scenarios and how to configure S/Notify for them.

Installation Test Setup

Scenario

After the installation, you want your users to test S/Notify, but you do not want to break notifications for those users who do not participate in the test or who do not have certificates or keys for encryption available.

Setup

S/Notify Configuration

On the administrative configuration pages of S/Notify

Leave the Key store file (for S/MIME) or HKP key server (for PGP) location empty
Leave the Encryption Fallback set to Allow unencrypted notifications

In Jira

Select Manage apps from the Jira Administration menu
From the S/Notify section on the left, select User Key Management for the Key store file and HKP key server settings
From the S/Notify section on the left, select Encryption Settings for the Encryption Fallback settings

In Confluence

Select Manage apps from the Administrator menu
Scroll down to the S/Notify section on the left, then select User Key Management for the Key store file and HKP key server settings
Scroll down to the S/Notify section on the left, select Encryption Settings for the Encryption Fallback settings

In Bitbucket

Go to the administration page by clicking on the cog wheel in the right upper area
Scroll down to the S/Notify section, from there select User Key Management for the Key store file and HKP key server settings
Scroll down to the S/Notify section, from there select Encryption Settings for the Encryption Fallback settings

User Profile

Users who want to participate in the test can upload their public certificate

In Jira

Select Profile from the user menu on the top right
Scroll down to section Email Security
Hit the edit symbol
Select which type to upload (S/MIME or PGP), the select the file and upload it

In Confluence

Select Settings from the user menu on the top right
From the S/Notify section on the left, select Email Security
Select which type to upload (S/MIME or PGP), the select the file and upload it

In Bitbucket

Select Manage Account from the user menu on the top right
On the left, select Email Security
Select which type to upload (S/MIME or PGP), the select the file and upload it

Results

S/Notify will immediately start encrypting the notification emails of each user who has provided a valid S/MIME certificate or PGP key. However, users who have not provided a valid S/MIME certificate or PGP key will still receive their notification emails unencrypted due to the Encryption Fallback setting.

Central Key Management Setup

Scenario

You want to enforce encryption of all notification emails, and the S/MIME certificates or PGP keys for all users are centrally available.

Settings

S/Notify Configuration

S/Notify supports several options for centrally managed S/MIME certificates and PGP keys. Choose whichever fits best in your environment.

S/MIME

User S/MIME certificates can be centrally provided

from a Key store file
from an LDAP that is configured as the User directory in Jira, Confluence, or Bitbucket
from any other External LDAP server (not currently available in Bitbucket)

PGP

User PGP keys can be centrally provided

from a Key store file
from a Key server – both HKP and LDAP based servers are supported

Both

Only if you do not want users to be able to provide their own S/MIME certificates or PGP keys, uncheck Allow user certificates and Allow user keys, respectively.
Set the Encryption Fallback to Do not allow unencrypted notifications - send problem report instead

In Jira

Select Manage apps from the Jira Administration menu
From the S/Notify section on the left, select User Key Management to set up the central S/MIME certificate or PGP key management
From the S/Notify section on the left, select Encryption Settings for the Encryption Fallback settings

In Confluence

Select Manage apps from the Administrator menu
Scroll down to the S/Notify section on the left, then select User Key Management to set up the central S/MIME certificate or PGP key management
Scroll down to the S/Notify section on the left, select Encryption Settings for the Encryption Fallback settings

In Bitbucket

Go to the administration page by clicking on the cog wheel in the right upper area
Scroll down to the S/Notify section, then select User Key Management to set up the central S/MIME certificate or PGP key management
Scroll down to the S/Notify section on the left, select Encryption Settings for the Encryption Fallback settings

User Profile

Users need not configure anything

Results

S/Notify will immediately start encrypting the notification emails of each user for whom a valid certificate is present in the global keystore. If, for some users, a valid certificate cannot be found, these users will receive an unencrypted email instead, telling them that their original notification message has been discarded for security reasons, because the email could not be encrypted, and asking them to get in contact with their Jira or Confluence administrator.

User Responsibility Setup

Scenario

You want to enforce encryption of all notification emails, but the users should manage their certificates on their own, and/or not all certificates are available in central keystore. You want the users to provide their certificates, but you do not want to allow unencrypted emails for users who have not provided their certificate.

Settings

S/Notify Configuration

On the administrative configuration pages of S/Notify

Leave the Global Keystore and Global Keyserver locations empty
Check Allow user uploads
Set the Encryption Fallback to Do not allow unencrypted notifications - send problem report instead

In Jira

Select Manage apps from the Jira Administration menu
From the S/Notify section on the left, select User Key Management for the Global Keystore and Global Keyserver settings, as well as User override
From the S/Notify section on the left, select Encryption Settings for the Encryption Fallback settings

In Confluence

Select Manage apps from the Administrator menu
Scroll down to the S/Notify section on the left, then select User Key Management for the Global Keystore and Global Keyserver settings, as well as User override
Scroll down to the S/Notify section on the left, select Encryption Settings for the Encryption Fallback settings

In Bibucket

Go to the administration page by clicking on the cog wheel in the right upper area
Scroll down to the S/Notify section, then from there select User Key Management for the Global Keystore and Global Keyserver settings, as well as User override
Scroll down to the S/Notify section, then from select Encryption Settings for the Encryption Fallback settings

User Profile

Users can now upload their public certificate

In Jira

Select Profile from the user menu on the top right
Scroll down to section Email Security
Hit the edit symbol
Select which type to upload (S/MIME or PGP), the select the file and upload it

In Confluence

Select Settings from the user menu on the top right
From the S/Notify section on the left, select Email Security
Select which type to upload (S/MIME or PGP), the select the file and upload it

In Bitbucket

Select Manage Account from the user menu on the top right
On the left, select Email Security
Select which type to upload (S/MIME or PGP), the select the file and upload it

Results

S/Notify will immediately start encrypting the notification emails of each user who has provided a valid certificate. Users who have not provided a valid certificate will receive an unencrypted email instead, telling them that their original notification message has been discarded for security reasons, because the email could not be encrypted, and asking them to get in contact with their Jira, Confluence or Bitbucket administrator.

Per Project or Per Space Encryption Setup

Scenario

You want encryption only for specific Jira projects or Confluence spaces, or you want to exclude specific Jira projects or Confluence spaces from encryption.

This feature is not yet available in Bitbucket. Please let us know if you are interested in seeing support for per-project encryption in Bitbucket.

Settings

S/Notify Configuration

On the administrative configuration pages of S/Notify

switch on Allow project / space configuration
if you want encryption for all but some projects / spaces, switch on Encrypt by default
if you encryption for only some projects / spaces and not for all, switch off Encrypt by default
select if ambiguous emails should be encrypted
select if other emails should be encrypted

In Jira

Select Manage apps from the Jira Administration menu
From the S/Notify section on the left, select Encryption Settings
Scroll down to Per Project Encryption
Select Allow project configuration
Select Encrypt by default if you want encryption for all but some projects, or deselect if you want encryption for only some projects
Select Encrypt ambiguous, if you want emails that refer to more than one project to be encrypted, or deselect if you want such emails to be left unencrypted
Select Encrypt other, if you want emails that do not refer to any project to be encrypted, or deselect if you want such emails to be left unencrypted

In Confluence

Select Manage apps (or Add-ons in earlier versions of Confluence) from the Administrator menu
From the S/Notify section on the left, select Encryption Settings
Scroll down to Per Space Encryption
Select Allow space configuration
Select Encrypt by default if you want encryption for all but some spaces, or deselect if you want encryption for only some spaces
Select Encrypt ambiguous, if you want emails that refer to more than one space to be encrypted, or deselect if you want such emails to be left unencrypted
Select Encrypt other, if you want emails that do not refer to any space to be encrypted, or deselect if you want such emails to be left unencrypted

Project or Space Configuration

On the project or space configuration pages

Switch encryption on or off as desired

In Jira

Select Projects from the Jira Administration menu
Select the project you want to configure by clicking on its name
From the Project Settings menu on the left, select Email Security
Depending on the required setup, select or deselect Encrypt emails for this projects
Repeat for additional projects that need to be set up different from your default setting

In Confluence

Select Space directory from the Spaces menu at the top
Select the space you want to configure by clicking on the info symbol on the right of the space name
From Space Tools tabs, select Apps
Depending on the required setup, under Email Security, select or deselect Encrypt emails for this space
Repeat for additional spaces that need to be set up different from your default setting

Results

S/Notify will check all outgoing emails for references to Jira projects or Confluence spaces. According to the settings for project or space identified, S/Notify encrypts the email or leaves it unencrypted.

When an email does not refer to a Jira project or a Confluence space, or refers to multiple Jira projects or Confluence spaces with different encryption settings, the email in handled according to the setting for ambiguous emails.

Installation Test Setup

Scenario

Setup

S/Notify Configuration

User Profile

Results

Central Key Management Setup

Scenario

Settings

S/Notify Configuration

S/MIME

PGP

Both

User Profile

Results

User Responsibility Setup

Scenario

Settings

S/Notify Configuration

User Profile

Results

Per Project or Per Space Encryption Setup

Scenario

Settings

S/Notify Configuration

Project or Space Configuration

Results

Related articles