Tags: exchangewebservices, microsoft-information-protection

Decrypting an encrypted office 365 email using MIP SDK


I am following the forum thread: Azure Information Protection | How to decrypt .EMLs coming from EWS API?

I am interested in knowing the steps to decrypt an encrypted office 365 email. Can you please comment on the following:

  1. As you mentioned that one has to convert the email to a .msg file, my question is: after writing the email (I think the MIME stream) to a .msg file, would the file persist the encryption?

  2. What is the role of .rpmsg file in decryption, which is the attachment inside the encrypted emails, when we read the email using EWS api?

  3. I have explored the MIP Protection and File APIs. To encrypt a file using SetLabel, we need a Sensitivity Label (from Office 365 Compliance), so I think we would have to use the same label to decrypt an email that was encrypted with it. Again, would it be possible to get the label from the converted .msg file?

  4. I could not find the Inspect method/function on the FileHandler object, which you mentioned in the above forum link. Can you please suggest how to find it?

So in summary, just wanted to know the steps to decrypt an encrypted email, using FileHandler.RemoveProtection() followed by FileHandler.CommitAsync().

Thanks


Solution

  • There's an example of this in the sample application that ships with the SDK bins (https://aka.ms/mipsdkbins). We have a draft about ready to publish in docs, but I don't expect that to be available for a week or two.

    If you're using C#, you can use this to enable the feature flag.

    using System.Collections.Generic;
    using Microsoft.InformationProtection;
    using Microsoft.InformationProtection.File;

    // Custom settings are passed to the engine as key/value pairs;
    // "enable_msg_file_type" turns on .msg support in the file engine.
    var customSettings = new List<KeyValuePair<string, string>>();
    customSettings.Add(new KeyValuePair<string, string>("enable_msg_file_type", "true"));

    // Create a FileEngineSettings object, then use that to add an engine to the profile.
    var engineSettings = new FileEngineSettings("[email protected]", "", "en-US");
    engineSettings.Identity = new Identity("[email protected]");

    // Set the custom settings for the engine
    engineSettings.CustomSettings = customSettings;
    

    That will enable your application to decrypt MSG files and to use the Inspect functionality to decrypt message.rpmsg files to byte streams.

    It's important to note that we don't directly support decryption of EML (MIME compliant) messages. You'd need to convert to MSG or decrypt the message.rpmsg file extracted from the MIME message.

    To answer your questions:

    1. Yes. Convert EML to MSG and the encryption remains. You should be able to decrypt.
    2. Message.rpmsg is an encryption envelope that contains the plaintext mail body and all attachments. You can use the Inspect function to get the decrypted bytes and attachments. Keep in mind that attachments might also be encrypted and that you'll need to recursively decrypt on your own.
    3. You don't need the label information to decrypt the message. If you're referring to MSG files, you can use the FileHandler.RemoveProtection() function or GetDecryptedTemporaryFileAsync() (or the stream option).
    4. If you're using .NET, we didn't expose it in 1.5 (C++ only). We plan to release MIP SDK 1.6 in the next week and it will be available there.
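
The procedure the answer describes (enable the feature flag on the engine, open the .msg with a FileHandler, call RemoveProtection() and CommitAsync()) carried through end to end, as an added example that is not part of the answer or of the SDK samples. It assumes the .NET signatures of the MIP SDK 1.5/1.6 era that the answer's snippet uses (later releases construct the profile through a MipContext and take an auth delegate on the engine settings), an Azure AD app registration whose client id and redirect URI are the placeholder values below, ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory) for token acquisition, and that the signed-in user holds a right that permits removing protection:

```csharp
// Added example (not from the original answer or the SDK samples).
// Assumes MIP SDK .NET 1.5/1.6-era signatures, ADAL for tokens, and
// placeholder app registration values that must be replaced.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.InformationProtection;
using Microsoft.InformationProtection.File;

// The SDK calls back into this delegate for every authority/resource pair it needs a token for.
class AuthDelegate : IAuthDelegate
{
    private const string ClientId = "00000000-0000-0000-0000-000000000000"; // placeholder: Azure AD app (client) id
    private const string RedirectUri = "http://localhost";                   // placeholder: app redirect URI

    public string AcquireToken(Identity identity, string authority, string resource, string claims)
    {
        var context = new AuthenticationContext(authority);
        var result = context.AcquireTokenAsync(resource, ClientId, new Uri(RedirectUri),
                                               new PlatformParameters(PromptBehavior.Auto)).Result;
        return result.AccessToken;
    }
}

// The SDK asks for consent before contacting a protection service endpoint; accept for this sample.
class ConsentDelegate : IConsentDelegate
{
    public Consent GetUserConsent(string url) => Consent.Accept;
}

static class MsgDecryptor
{
    // Returns true when a decrypted copy was written to outputMsg, false when the
    // input was not protected or the user lacks the right to strip protection.
    public static async Task<bool> DecryptMsgAsync(string user, string inputMsg, string outputMsg)
    {
        MIP.Initialize(MipComponent.File);

        var appInfo = new ApplicationInfo
        {
            ApplicationId = "00000000-0000-0000-0000-000000000000", // placeholder: Azure AD app id
            ApplicationName = "MsgDecryptSample",
            ApplicationVersion = "1.0.0"
        };

        // On-disk state (caches, logs) goes under "mip_data" next to the executable.
        var profileSettings = new FileProfileSettings("mip_data", false,
            new AuthDelegate(), new ConsentDelegate(), appInfo, LogLevel.Error);
        var profile = await MIP.LoadFileProfileAsync(profileSettings);

        // Feature flag from the answer: without it the engine does not treat .msg as a supported type.
        var engineSettings = new FileEngineSettings(user, "", "en-US")
        {
            Identity = new Identity(user),
            CustomSettings = new List<KeyValuePair<string, string>>
            {
                new KeyValuePair<string, string>("enable_msg_file_type", "true")
            }
        };
        var engine = await profile.AddEngineAsync(engineSettings);

        // inputFilePath and actualFilePath are the same here; audit discovery enabled.
        var handler = await engine.CreateFileHandlerAsync(inputMsg, inputMsg, true);

        // Protection is null when the message carries no protection: nothing to remove.
        if (handler.Protection == null)
        {
            Console.WriteLine("Not protected: " + inputMsg);
            return false;
        }

        // Removing protection needs a right that allows it (EXTRACT or ownership);
        // check first so a rights failure is reported rather than thrown.
        if (!handler.Protection.AccessCheck("EXTRACT"))
        {
            Console.WriteLine("User may not remove protection from: " + inputMsg);
            return false;
        }

        handler.RemoveProtection();
        return await handler.CommitAsync(outputMsg);
    }

    static async Task Main(string[] args)
    {
        // Usage: MsgDecryptSample <user@tenant> <protected.msg> <decrypted.msg>
        bool ok = await DecryptMsgAsync(args[0], args[1], args[2]);
        Console.WriteLine(ok ? "Decrypted copy written." : "No decrypted copy written.");
    }
}
```

This covers the MSG path only; for a message.rpmsg pulled out of an EML, the answer points at the Inspect functionality, which in .NET became available in 1.6 as stated above, so its calls are not shown here.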