p≡p for Outlook¶
This section explains several concepts that are important to understanding the general functionality of p≡p for Outlook. Subsequent sections will assume the reader is familiar with this information.
There are three major components of p≡p for Outlook.
- p≡p Engine
- COM Server Adapter
- p≡p for Outlook
The p≡p Engine is the main component that implements all the cryptographic and messaging functions that are used by all implementations of p≡p. It’s here that functions such as decrypt and encrypt exist. The COM Server Adapter connects p≡p for Outlook with p≡p Engine. p≡p for Outlook is the implementation of p≡p that integrates with Microsoft Outlook as an add-on. p≡p for Outlook currently uses the standard Outlook API for add-ins.
p≡p for Outlook supports the following configurations:
- Windows: Windows 7 through Windows 10, all service packs; both 32-bit and 64-bit versions
- Outlook: Outlook 2010 through Outlook 2016, both 32-bit and 64-bit versions (the latest service pack is recommended, as it fixes some known issues)
- Mail protocols: ActiveSync (EAS), Exchange, IMAP, SMTP
- .NET Framework 4.0: required for the add-in to work
The POP protocol is not supported.
A user can configure any number of accounts, each representing a single email address. These accounts may be on any combination of one or more servers.
Outlook downloads the messages from the server (for Exchange, only if the account is configured to keep a local copy) and saves them locally in a message data store (.pst or .ost file).
Importantly, Outlook automatically synchronizes the contents of the mail server with the local data store the account is linked to.
Because of this synchronization, care is needed whenever a message is decrypted or sensitive data about it is saved: unless the account is set to store messages securely, Outlook will synchronize the decrypted content back to the mail server. This is the point at which server trust becomes important.
In Outlook, and other email clients, there is no real ability to specify trust on a per-server basis. Therefore, the user must specify ‘server trust’ on a per-account basis. For this reason, even though it’s a property of the server itself, trust should generally be referred to as ‘account trust’.
- Trusted server
If a user trusts a server, data may be saved unencrypted on it. By default, servers whose IP address lies in an RFC 1918 range or in the IPv6 Unique Local Address range are configured as "Trusted". A server configured by DNS name (A, AAAA and CNAME records) is Trusted only if that name resolves exclusively to RFC 1918 and/or Unique Local Addresses; if any resolved address is public, the server is Untrusted. All other servers are Untrusted by default. On a trusted server, drafts are saved unencrypted in the Drafts folder of the mailbox; "Store Protected" messages are saved encrypted in the Drafts folder.
Note that this default is only a heuristic: a private address tells p≡p that the server is probably on premise, not that it is trustworthy, and the decision depends on what the name resolves to on the client at that moment. Review the resulting setting for each account (p≡p Options -> Accounts) rather than relying on the default.
Unique Local Addresses (RFC 4193) are IPv6 addresses within the fc00::/7 prefix. This block is divided into fc00::/8 and fd00::/8 (in practice only fd00::/8, with a locally generated random global ID, is used).
Private IPv4 addresses are those reserved by the Internet Assigned Numbers Authority (IANA) in RFC 1918 for private internets:
- 10.0.0.0 to 10.255.255.255 (10/8 prefix)
- 172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 to 192.168.255.255 (192.168/16 prefix)
Servers with addresses in the RFC 1918 ranges (IPv4) or the RFC 4193 range (IPv6) are therefore trusted by default.
Trusted server is supported for mailboxes connected through Exchange and IMAP. It is not supported for EAS (ActiveSync).
- Untrusted server
If a user does not trust a server, messages that arrive encrypted are never stored unencrypted on it. By default, servers whose IP address is not in one of the ranges listed above are "Untrusted". Drafts are saved encrypted in the Drafts folder of the mailbox and are synchronized between devices in that form.
Account trust is set in p≡p Options -> Accounts.
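The default trust classification described above, as an added example that is not part of the original page and not p≡p's own code: a small Python script that applies the same rule (Trusted only if a literal IP, or every address a DNS name resolves to after following CNAMEs, lies in RFC 1918 or RFC 4193 space, everything else Untrusted). It goes slightly beyond the page by following CNAME chains, judging IPv4-mapped IPv6 addresses by their IPv4 form and failing closed on a name that resolves to nothing. The DNS table it resolves against is constructed for the example so that it runs offline; for real use, substitute a lookup built on socket.getaddrinfo. Loopback and link-local addresses are deliberately not in the trusted set, because the page does not list them.

```python
"""Classify a mail server as Trusted/Untrusted by the RFC 1918 / RFC 4193 rule."""
import ipaddress
from typing import Callable, Dict, List

# Exactly the ranges the page names. Deliberately not ipaddress's is_private,
# which also covers loopback, link-local and other ranges the page does not list.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),        # RFC 4193 Unique Local Addresses
]

# Constructed stand-in for DNS (this example never touches the network).
# Entries that are not IP addresses are treated as CNAME targets.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "mail.corp.example": ["10.1.2.3", "fd12:3456::25"],   # A + AAAA, both private
    "alias.corp.example": ["mail.corp.example"],          # CNAME to the above
    "split.example": ["192.168.5.5", "198.51.100.7"],     # one public address
    "imap.cloud.example": ["203.0.113.10"],               # public only
    "loop.example": ["loop.example"],                     # pathological CNAME loop
}


def in_trusted_range(addr: str) -> bool:
    """True if addr (an IPv4 or IPv6 literal) lies in an RFC 1918 or ULA range."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:10.0.0.1 is an IPv4 address in disguise; judge it by its IPv4 form.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in TRUSTED_NETWORKS)


def lookup_constructed(name: str, table: Dict[str, List[str]] = CONSTRUCTED_DNS,
                       hops: int = 0) -> List[str]:
    """Resolve name against the constructed table, following CNAME chains."""
    if hops > 8:
        raise RuntimeError(f"CNAME chain too long while resolving {name}")
    addrs: List[str] = []
    for rr in table.get(name, []):
        try:
            ipaddress.ip_address(rr)
            addrs.append(rr)
        except ValueError:                    # not an address: follow it as a CNAME
            addrs.extend(lookup_constructed(rr, table, hops + 1))
    return addrs


def classify_server(server: str,
                    lookup: Callable[[str], List[str]] = lookup_constructed) -> str:
    """Return "Trusted" or "Untrusted" for an IP literal or a DNS name."""
    try:
        ipaddress.ip_address(server)
        addrs = [server]
    except ValueError:                        # not a literal: resolve the name
        addrs = lookup(server)
    # A name that resolves to nothing cannot be shown to be private: fail closed.
    if not addrs:
        return "Untrusted"
    return "Trusted" if all(in_trusted_range(a) for a in addrs) else "Untrusted"


if __name__ == "__main__":
    for s in ["mail.corp.example", "alias.corp.example", "split.example",
              "imap.cloud.example", "172.31.255.255", "172.32.0.1", "fe80::1"]:
        print(f"{s:22} -> {classify_server(s)}")
```

The split.example entry is the case worth remembering: a name with one private and one public record is Untrusted, because the rule requires that the name resolve ONLY to private space.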
p≡p for Outlook has three main locations where files are stored after installation. These locations are:
C:\ProgramData\pEp : Currently, this location only stores the ‘system.db’ file. The system.db file is used by the engine and contains databases for localized phrases, trustword database, etc. This database does not change during program execution and is intended to be shared by all instances of the p≡p engine.
C:\Users\<user>\AppData\Local\pEp : This contains files that change during execution of the program. Files located here include:
log.txt : The log text generated during the current or last run of p≡p for Outlook. The file is archived to "log_yyyyMMddHHmmss.txt" in one of two circumstances: a) Outlook is shut down, or b) the log file reaches 20000 lines. At most 10 archived "log_yyyyMMddHHmmss.txt" files are kept; whenever an eleventh is created, the oldest is deleted.
management.db : This file contains the database of all identities known by the p≡p engine, their corresponding keys, and user trust. It is unique for each instance/user of p≡p for Outlook.
pEp.db : SQLite database containing information about forcefully protected messages and the p≡p ratings already calculated by p≡p for Outlook. The cached ratings are shown provisionally in the UI until the engine has recalculated the actual rating.
pEp.pst : This file is a personal Outlook storage file created by p≡p for Outlook and used to store unencrypted mail items. This is necessary for untrusted servers where the encrypted mail item is never decrypted to the default Outlook store.
C:\Program Files (x86)\pEp for Outlook This is the main installation directory for p≡p for Outlook and contains the executables and dependencies.
C:\Users\<user>\AppData\Roaming\gnupg : This directory is used by GnuPG to store all public and private keys.
p≡p installs Gpg4win or updates it as required. The installation directory is C:\Program Files (x86)\GNU\GnuPG. If an older version of Gpg4win is found, p≡p replaces it and stores a backup of the old configuration files in C:\Users\<user_name>\AppData\Local\GNU\GnuPG\share. For more information, see Advanced Installation.
p≡p for Outlook provides the following features:
- Encrypt/decrypt emails and their subjects
- Untrusted server (save emails encrypted on the server)
- Trusted server (save decrypted emails on the server)
- Encrypted BCC support
- Compatibility with OpenPGP (key server lookup, blacklist and other), S/MIME
- Passive Mode (public key only attached if key received from partner)
- Automated decentral key management
- Automated public key import
Before you install p≡p for Outlook, we strongly recommend encrypting your hard disk, for example with BitLocker Device Encryption or VeraCrypt on Windows. If you do not want to encrypt the whole disk, at least encrypt C:\Users\<user_name>\AppData\Roaming\gnupg (note that AppData is a hidden folder), for instance with EFS. This directory contains the private keys needed to decrypt messages. Keep in mind that C:\Users\<user_name>\AppData\Local\pEp also holds sensitive data (the key and trust database management.db and, for untrusted servers, decrypted mail in pEp.pst; see the storage locations above), so it deserves the same protection.
The installation is straightforward and asks no questions. Everything is installed with five clicks, and within about 10 seconds p≡p for Outlook is active. After installation, Outlook must be restarted.
Step 1: Run the installation file by double clicking or pressing Enter after the file is selected.
Step 2: The first p≡p for Outlook installation screen will appear as shown below. During this time, the installer checks system compatibility and verifies that you have a supported version of Outlook installed.
Step 3: The p≡p for Outlook license agreement is shown. Please read the agreement in its entirety. Once you have read and agree to it, tick the "I accept the terms in the License Agreement" checkbox and click Install.
Step 3.5 (optional): You can choose the installation scope by clicking the "Advanced" button. In the advanced installation you can choose between installing for the current user only and installing for all users. By default, p≡p for Outlook is installed for all users; this requires local administrator privileges.
Step 4: The installer now needs your permission to continue (a Windows User Account Control prompt). When the dialog appears, enter the administrator password if required and click Yes.
Step 5: p≡p for Outlook will now be installed. During installation the progress bar may pause momentarily before it finishes.
Step 6: Installation is now complete! Please click Finish as shown below to close the installer. Now you can start Outlook and begin using p≡p!
p≡p for Outlook is currently packaged in an .msi (Microsoft/Windows Installer) using the WIX Toolset. In general, the installer will complete the following actions automatically:
- Extract all files to their folders (see Storage Locations)
- Register COM components
- Add registry entries for Outlook integration
- Register the program in Microsoft Add/Remove Program entries
In order to do this successfully, the installer needs local administrator privileges on the machine. This should be automatically requested during the installation process.
During setup, the .msi takes some additional steps that may require user interaction. This mainly concerns the question whether to overwrite an existing Gpg4win installation.
p≡p for Outlook depends on Gpg4win. An existing Gpg4win installation is detected and used as long as it is not out of date. If an older Gpg4win version is detected, p≡p for Outlook asks whether to overwrite the current installation. If the user agrees, a backup of the current Gpg4win configuration is stored in C:\Users\<user_name>\AppData\Local\GNU\GnuPG\share. If the user declines, p≡p for Outlook tries to use the existing Gpg4win installation; this is not recommended and may result in incompatibilities.
If Gpg4win is not installed, p≡p for Outlook installs it to C:\Program Files (x86)\GNU\GnuPG.
p≡p for Outlook can also be installed silently. Run the following command from a console with administrator rights:
msiexec /qn /i C:\pEp_for_Outlook.msi /l C:\pEp_install.log
For unattended deployments, check the msiexec exit code afterwards: 0 means success and 3010 means success with a reboot required (standard Windows Installer codes). Using /l*v instead of /l writes a verbose log, which is what you want when an installation fails.
Once Outlook restarts after the p≡p plug-in is installed, it is fully operational right away without any additional user input. The users do not need to change any Outlook settings for p≡p to function.
p≡p for Outlook users will now see ‘Privacy Status’ bar displayed within each selected/opened message. To manage the privacy status for a message simply click on the rating button in the privacy status form. At the top of the form, the message rating is visible along with both an explanation of the rating and a suggestion, if available, for how to increase the rating.
p≡p uses a trafﬁc light metaphor, extended by the fallback to gray, to indicate the Privacy Status, along with statements which are directly linked to how secure the available communication channel is or how it used to be. The full set of Privacy Status:
- Gray/Unknown/Unsecure/Unreliable Security:
Unknown is typically shown for outgoing messages where no contact or address has yet been added to the To, Cc or Bcc fields. Unsecure means that p≡p cannot find a way of sending or receiving the communication with any form of encryption; Unsecure for Some means that this is the case for some, but not all, recipients. This is the default situation today which, in the case of email, must be considered about as "secure" as sending a physical postcard. Unreliable means that p≡p cannot find a way of sending or receiving the communication reliably. For example, the communication could have been sent using S/MIME. With S/MIME, if one public Certificate Authority (CA) is subverted, every entity that trusts the compromised CA can be impersonated, so the security of the whole system is lost.
- Yellow/Secure:
The communication is encrypted using state-of-the-art technology. However, your communication partner still needs to be trusted by completing a handshake.
- Green/Secure & Trusted:
The communication is encrypted using state-of-the-art technology and your communication partner is trusted. Trust is confirmed with a handshake in which, over a separate, out-of-band channel (e.g. a phone call or in person), the communication partners verify that they are each who they say they are. After that, the communication can be fully trusted by all reasonable means expected from a regular user.
- Red/Mistrusted, Under Attack:
Mistrusted means that you have previously failed a handshake. You cannot trust that your communication partner is who they say they are. Under Attack means that either a man-in-the-middle (MITM) attack has to be assumed or another (serious) cryptographic error occurred. The communication channel must be considered unsecure and any exchanged information not private.
Sending Secure Emails
p≡p analyzes incoming and outgoing emails locally on your device (no data is sent anywhere). Once p≡p recognizes that it can secure communication with a partner, it does so automatically. The workflow below shows how p≡p works conceptually: its fully automatic design between p≡p users as well as between p≡p and PGP users. Users never have to handle keys themselves.
After a message from another p≡p user is received, the Privacy Status at the bottom of the incoming message is automatically upgraded from Gray/Unknown/Unsecure/Unreliable to Yellow/Secure without any user interaction. The same applies if a user enters an email address for which p≡p automatically finds a public key on a public PGP key server (optional setting; see "Look up keys on key server"). This runs in the background and is invisible to the user.
Now the user has the option to send the message with Privacy Status Yellow/Secure: technically sound encryption with one remaining risk, a man-in-the-middle attack. This is already a big improvement over Gray, and all the user needs to do to send the message with this level of protection is to press Send. Eliminating this final risk requires a manual step, either in person or by phone. The user initiates the Handshake by clicking on the Yellow/Secure Privacy Status, which opens the following pop-up window:
The user will see the Trustwords on the screen as shown above. The next step is to contact the communication partner (in person or by phone) and ask them to read out their Trustwords. The Trustwords should be displayed in the same order for both communication partners, in their native languages. The PGP fingerprint is also listed for those who prefer to compare the fingerprint itself.
Then the user clicks on one of the three buttons displayed:
- ‘Confirm Trustwords’ button: If the communication partner has the same Trustwords, then the user presses the ‘Confirm Trustwords’ button to confirm them and from then on all the email exchanges with this communication partner will be Green/Secure & Trusted and there will be no known attack on that communication anymore. This step is done once with each communication partner and any future communication remains Green/Secure & Trusted.
- ‘Wrong Trustwords’ button: The user would press this option, if the Trustwords given by the communication partner do not match those shown on the screen. As a result, the rating for the communication partner is downgraded from reliable (secure) to mistrusted.
- ‘Cancel Handshake’ button: This option is selected if the user cannot reach the communication partner to compare the Trustwords and thus has to retry at a later time. The Privacy Status remains Yellow/Secure.
You can always verify the Trustwords again later by clicking on the Privacy Status. When your communication partner uses a p≡p client, you will see the following:
Sending a message to multiple people with different Privacy Statuses
When sending a message to more than one person, the user simply adds the recipients to the message and clicks on the Privacy Status revealing the following pop-up window:
This dialog shows that one Handshake is pending. The user can click on the email address to perform the Handshake with the communication partner as explained above. After all the Trustwords are confirmed by the users, the communication will be upgraded to Secure & Trusted/Green.
Disabling Protection when the communication partner’s Privacy Status is Yellow/Secure or Green/Secure & Trusted
When the communication partner’s Privacy Status is Yellow/Secure or Green/Secure & Trusted, the e-mail will then automatically be sent encrypted when the user clicks ‘Send’. If the user would like to disable protection on a case by case basis, then he/she can do so by selecting the ‘Disable Protection’ button in the ribbon of the message.
The Privacy Status and the rating for the communication partner change from Yellow/Secure (or Green/Secure & Trusted) to Gray/Unknown/Unsecure/Unreliable, and the message is sent unencrypted when the user presses Send. In this case the sender's public key is not attached to the message either.
Receiving encrypted messages
When encrypted messages arrive on the mail server while Outlook is not running, they remain encrypted in the Inbox until the user opens them.
Outlook specific options¶
When the user clicks on the File menu, a p≡p entry is shown.
The first option is Accounts.
When you enable Advanced at the bottom of the pop-up window, the following options appear:
- Account Security
If the user does not trust the mail server (e.g. with a cloud mail provider), p≡p can be told to store messages securely (encrypted) on that server. If the user trusts the server (e.g. a mail server hosted on premise), they may opt to store messages unprotected on it; in that case p≡p decrypts all encrypted messages and saves them unencrypted on the server. Individual accounts can be selected, or "Select all" applies secure storage to all accounts.
- Show ‘p≡p’ data store in navigation panel
p≡p saves some messages in a local pEp.pst file in Outlook. The user can choose, if he/she wants to see this file in the navigation pane of Outlook.
- Show a warning when a message loses security through reply or forward
This option is enabled by default.
- Show store protected option
Controls whether the Store Protected button is shown in the user interface; unchecking it hides the button.
- Pick language for trustwords
This option will allow you to select different language for trustwords.
The second option is Compatibility, which covers compatibility with OpenPGP:
- Enable unprotected message subjects
The user can choose whether the subject of a message is protected (encrypted). With subject encryption enabled, users of other OpenPGP clients see only the subject "pEp" instead of the original one; the actual subject is placed in the first line of the body for plain-text messages and is not visible at all for HTML messages. Subject encryption is enabled by default. Disabling it exposes the subject of every message in clear text to the mail servers on the path, so only do so if compatibility with such clients matters more than that.
- Look up keys on key server
If checked, p≡p looks up the keys of communication partners on a public PGP key server. This gives full compatibility with existing PGP workflows, but has a privacy downside: the key server learns whom the user corresponds with. It is therefore switched off by default. If unchecked, p≡p does not query key servers at all; it does not rely on them, because it attaches the public key to each message.
- Key Blacklist
If the user does not wish to use a key of a communication partner anymore, then he/she can enter the fingerprint of the key and add it to the blacklist.
- Open Key Manager
Leads to the GNU Privacy Assistant. Please refer to the GnuPG documentation for details (https://www.gnupg.org/related_software/gpa/).
About shows extra information about the p≡p version.
The last screen provides information about Credits.
Advanced User Options¶
Disclaimers are often appended by the mail server to the bottom of a message (e.g. via transport rules in Office 365, see https://technet.microsoft.com/en-us/library/dn600323(v=exchg.150).aspx). For encrypted emails this causes problems, because the mail server cannot insert the disclaimer into the encrypted part of the message.
As a workaround, p≡p can add the disclaimer itself, on the client, before the message is encrypted.
There are 3 options:
- feature switched off - no disclaimers are added to the end of emails.
- feature switched on for encrypted emails - add disclaimer only to the end of encrypted emails (unencrypted emails won’t contain disclaimer)
- feature switched on for all emails - disclaimer will be added to all emails (encrypted and also unencrypted)
These options are accessible only through registry and are fully optional.
The following registry values have to be set manually for each account whose outgoing mail should carry a disclaimer. They live under the key HKCU\Software\pEp\Outlook\AccountSettingsList\<smtp_address>, where <smtp_address> is the account's email address:
- AddDisclaimer: whether to add a disclaimer to outgoing mail for this account. A string value of "0" (no disclaimer, the default), "1" (add only to encrypted messages) or "2" (add to all messages).
- DisclaimerText: the text of the disclaimer to add to outgoing mail for this account. Only applied if AddDisclaimer is "1" or "2".
Search on untrusted server¶
Generally it is not technically feasible to search emails on an untrusted server, because all emails are stored there encrypted. As a workaround, p≡p can save decrypted copies locally in a separate Outlook message data store that is never synchronized back to the server.
This way you can search your emails in clear text. Note that this local store holds plaintext, which is one more reason for the disk encryption recommended before installation. The option to allow search on untrusted servers is set through registry values and is not enabled by default.
The registry value DefaultSearchScope=1 is set during installation and at startup of the add-in if no previous value exists. If a value is found, it is left alone (it is probably a user setting).
- The registry value that defines the scope in which Outlook performs searches is named DefaultSearchScope and can have the values:
- 0 => default behavior
- 1 => search in all mailboxes
- 2 => search in current folder
- 3 => search in current mailbox
This value is stored in HKCU\SOFTWARE\Microsoft\Office\<version_no>\Outlook\Search (e.g. 16.0 for Outlook 2016).
There is a small caveat that right after installation and during the first startup, the selection “Search in all mailboxes” isn’t reflected in the quick search field until the users switches to another folder (or restarts the app). From this point on, the selection is persistent.
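Both the per-account disclaimer values and the DefaultSearchScope value above are plain registry settings, so the practical way to roll them out to many users is a .reg file rather than hand editing. The following Python script is an added example, not part of the original page and not p≡p's own tooling; it renders such a file. It assumes that the per-account subkey is literally the account's SMTP address, as the smtp_address placeholder on this page indicates, that DefaultSearchScope is a DWORD, that the Office version segment is e.g. 16.0 for Outlook 2016, and that the disclaimer text is a single line (a quoted REG_SZ in .reg syntax cannot carry a line break without switching to hex encoding, so the script refuses multi-line text instead of silently producing a broken file).

```python
"""Render a .reg file with p≡p per-account disclaimer values and Outlook's
DefaultSearchScope, for import with regedit or central deployment.
Added example; key paths follow the documentation, the rest are assumptions."""
from typing import Dict, Optional, Tuple

PEP_ACCOUNTS_KEY = r"HKEY_CURRENT_USER\Software\pEp\Outlook\AccountSettingsList"
# Outlook's per-version search key; 16.0 = Outlook 2016, 15.0 = 2013, 14.0 = 2010.
OUTLOOK_SEARCH_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\{version}\Outlook\Search"
REG_HEADER = "Windows Registry Editor Version 5.00"


def reg_escape(value: str) -> str:
    """Escape a string for a quoted REG_SZ literal in .reg syntax (backslash, quote)."""
    if "\n" in value or "\r" in value:
        # A quoted REG_SZ cannot carry line breaks; that would need hex(1): encoding,
        # which this example deliberately does not attempt.
        raise ValueError("disclaimer text must be a single line")
    return value.replace("\\", "\\\\").replace('"', '\\"')


def disclaimer_section(smtp_address: str, mode: int, text: str = "") -> str:
    """[key] section for one account. mode: 0 = off, 1 = encrypted mail only, 2 = all."""
    if mode not in (0, 1, 2):
        raise ValueError(f"AddDisclaimer must be 0, 1 or 2, got {mode!r}")
    # Assumption: the subkey name is the account's SMTP address.
    lines = [f"[{PEP_ACCOUNTS_KEY}\\{smtp_address}]",
             f'"AddDisclaimer"="{mode}"']        # a *string* value, as documented
    if mode:
        lines.append(f'"DisclaimerText"="{reg_escape(text)}"')
    return "\n".join(lines)


def search_scope_section(office_version: str, scope: int) -> str:
    """[key] section for DefaultSearchScope: 0 default, 1 all mailboxes,
    2 current folder, 3 current mailbox."""
    if scope not in (0, 1, 2, 3):
        raise ValueError(f"DefaultSearchScope must be 0..3, got {scope!r}")
    key = OUTLOOK_SEARCH_KEY.format(version=office_version)
    # Assumption: REG_DWORD, written in .reg syntax as eight hex digits.
    return f'[{key}]\n"DefaultSearchScope"=dword:{scope:08x}'


def render_reg(accounts: Dict[str, Tuple[int, str]],
               search_scope: Optional[Tuple[str, int]] = None) -> str:
    """accounts maps smtp_address -> (mode, text); search_scope is (office_version, scope)."""
    sections = [disclaimer_section(addr, mode, text)
                for addr, (mode, text) in accounts.items()]
    if search_scope is not None:
        sections.append(search_scope_section(*search_scope))
    return REG_HEADER + "\n\n" + "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    # Constructed sample: one account, disclaimer on encrypted mail only, Outlook 2016.
    content = render_reg(
        {"alice@corp.example": (1, 'Confidential: for "internal" use only')},
        search_scope=("16.0", 1),
    )
    # regedit expects a UTF-16 file with CRLF line endings for version 5.00 files.
    with open("pep-settings.reg", "w", encoding="utf-16", newline="\r\n") as fh:
        fh.write(content)
    print(content)
```

Import the resulting file with regedit (or reg.exe import) as the user whose HKCU it targets; because the p≡p key and the Outlook search key are both under HKEY_CURRENT_USER, a per-machine deployment has to apply it in each user's context.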
In p≡p for Outlook it is possible to blacklist PGP keys. This is useful, if you have a key in your key ring, that you don’t want to use anymore (e.g. because your communication partner lost the private key).
This is how you black list a key:
- Go to File -> p≡p -> Compatibility and click advanced
- Click “Open Key Manager” and click the key you want to block
- Copy the fingerprint of the key (it looks something like this: 33B1 25E9 CAA9 23F1 14BA 6F42 2787 B7C0 C3CA 9534) and close GNU Privacy Assistant
- Back in the p≡p Compatibility options, paste the fingerprint in the field on the very bottom and click the “+” to add key
- Click OK to close options.
After a key has been added to the blacklist, p≡p no longer uses it to encrypt messages. To remove a key from the blacklist, select it and click the "-" button. Note that this affects only PGP contacts; p≡p users are not affected by the blacklist.
Passive mode changes the behavior of p≡p for Outlook. By default, p≡p for Outlook attaches your public key to every outgoing email. With passive mode activated, p≡p attaches your public key to a message only after it has received a public key from a communication partner who uses p≡p. If you already have a public key from your communication partner, p≡p still encrypts your emails by default.
This option is only available through the Windows registry. You can download the following script to enable it: https://pep.security/docs/scripts/IsPassiveModeEnabled.reg. Download the file and double-click it; after confirmation it activates the feature in the registry. As with any .reg file, open it in a text editor first and check which value it sets before importing it.
How to Upgrade p≡p for Outlook¶
By default, p≡p for Outlook checks for updates automatically, at a random interval between 10 minutes and 4 hours. When a new update is available, it is downloaded and the installer pops up on screen for the user to install it.
Disable automatic upgrades for p≡p for Outlook¶
It is possible to disable the auto-update function in p≡p for Outlook. Follow the guide below to disable it.
We recommend keeping auto-update enabled because of the security risks that come with outdated software.
First open File menu in Outlook:
Then select p≡p menu, select Compatibility or Accounts:
In new screen of p≡p Options select p≡p About and on the bottom of the screen uncheck the field Automatically download and install updates. You will be asked to confirm the action:
After confirming you will see red warning message that Auto-updates were disabled:
This function will be available in pEp for Outlook 1.2 or newer.
To have your private key synchronized between several devices, each device needs a p≡p client: p≡p for Outlook or p≡p for Android.
p≡p sync between Outlook/Outlook¶
Once you add your account to another Microsoft Outlook with the p≡p client installed, the following screen is shown on all your devices within a few minutes:
Check that the Trustwords are the same on both screens and confirm on both devices. Once done, the private keys of both devices are shared between them and you will be able to read all encrypted messages on both devices.
If you did not add your account on another device and yet a device group dialog appears, OR the Trustwords differ between the devices, select Wrong Trustwords. Either someone is trying to obtain your private key or impersonate you, or there is a technical problem. Investigate immediately and secure your email account.
If the Device Group dialog does not appear after several minutes, you can force it by sending any email to yourself from one of the p≡p clients.
Using Distribution lists¶
At the moment p≡p does not support distribution lists without manual intervention. You can, however, create one private key for the email address of the distribution list with the GnuPG tools installed together with p≡p for Outlook, and manually distribute it to all p≡p clients whose accounts are allowed to send to and receive from the list.
Once all participants have the private key for the list's address, each of them can send and read encrypted messages to the distribution list. Be aware that a key shared this way is only as secret as its least careful holder: every member can decrypt and sign as the list, and when a member leaves, a new key has to be generated and redistributed.
How to Uninstall p≡p for Outlook¶
Depending on your Windows version, open the Control Panel in one of the following ways and uninstall from there.
Via the Start menu:
1. Open the Control Panel from the Start menu. The Start menu opens by clicking the Windows logo in the bottom-left corner of the display or by pressing the Windows key on your keyboard.
2. Open Programs and Features. The Control Panel is displayed either in Category view (8 or 9 icons with a few options under each) or in Icon view (a long list of icons). In Category view, click the "Uninstall a program" link under the "Programs" category; in Icon view, click the "Programs and Features" icon.
3. Select p≡p for Outlook in the list and click the Uninstall button, which appears in the top toolbar when a program is selected. You can also right-click the program and choose Uninstall from the context menu. You will be asked whether you want to continue.
4. Follow the prompts and p≡p for Outlook will be removed.
Via the bottom-left corner menu:
1. Right-click in the screen's bottom-left corner and choose Control Panel from the pop-up menu.
2. When the Control Panel appears, choose Uninstall a Program from the Programs category.
3. Click on p≡p for Outlook and then click the Uninstall, Change, or Repair button.
4. When Windows asks whether you are sure, click Yes.
On Windows 10:
1. Click the search field (or the Cortana icon) on the taskbar, type Control Panel and choose Control Panel from the results.
2. In the Control Panel, click Programs and Features to open it in a new window.
3. In the list of installed programs, click p≡p for Outlook and then click the Uninstall/Change button.
4. Follow the prompts and p≡p for Outlook will be removed.
In all cases, if you plan to re-install p≡p for Outlook, restart Windows first: GnuPG is still running after removal, and you will not be able to re-install p≡p for Outlook until it has been restarted.
How to backup p≡p for Outlook¶
Simply back up the two per-user directories described under the storage locations above that hold the state of the installation: C:\Users\<user_name>\AppData\Roaming\gnupg (the GnuPG keyrings, including private keys) and C:\Users\<user_name>\AppData\Local\pEp (the p≡p databases and the local pEp.pst store).
These two directories contain everything needed to recover the installation. Because they hold private keys and, for untrusted servers, decrypted mail, store the backup encrypted.