Upcoming Changes to Entrust Encryption
Attention Entrust users,
Recently, it was announced that DOE would no longer support the use of Entrust for the encryption of CUI and business sensitive emails, effective Dec. 31, 2023. Instead, we will use the certificates found on HSPD-12 badges. Existing email must be converted to use the new certificates prior to your Entrust certificate’s expiration. Temporary PIV badges will not work; they must be HSPD-12s. After Dec. 31, Entrust passwords cannot be changed or recovered, so the goal is to address the required changes prior to leaving for winter break.
What you need to do:
- If you do not have an HSPD-12 badge, you may have received or will soon receive an email from the Cyber office to begin the process of receiving one. We will follow up with you individually. Please don’t hesitate to respond to the request.
- If you are currently in the clearance process, you may be able to receive a temporary HSPD-12. We will be reaching out to you individually to confirm the state.
- Starting next week, a member of the AET/NTNS IT staff will reach out to you to begin the process of decrypting and re-encrypting email with the HSPD-12 certs. These new certs will also be added to the address book, such that new signed and encrypted email will be sent and received using the HSPD-12 certificates.
- Please start giving thought to how far back you want to go with respect to decryption. Outlook caches 1 year by default. If you want to modify older email, we will either need to update the caching timeframe (which will take up hard drive space) or temporarily turn off caching to capture all encrypted email.
- Turning off caching will affect performance, especially if you are offsite with a slower network connection. It may be beneficial to come onsite during your encryption day, if possible.
- If you are using local archives (PSTs), we will need to search those separately from your primary mailbox.
- If you are using online archiving, this email will be searched as part of the standard process.
- We are unable to tell you how long this process will take, but in an ideal world it takes 30-60 minutes, depending on how much email you have. In training, the Entrust server required to update certificates was extremely sluggish. We have reported this and are hoping DOE updates this server so it’s usable. We will be doing more testing this week before starting the migrations.
- Processes are in place for Mac and Windows systems, and we are exploring options for Linux. We can also work with you on updating digital signatures in Acrobat.
- Please visit https://anl.box.com/v/AET-NTNS-Entrustfaqs for documentation and FAQs. This will soon be updated to include processes for encryption on phones and tablets, as well as sending email to non-DOE organizations.
For questions, please reach out to aethelp@anl.gov.
Thanks for your cooperation and patience in this matter,
AET/NTNS IT