Email encryption with the Bundesagentur für Arbeit
With email encryption, you can protect your company’s communications and prevent sensitive data from being intercepted illegally. The General Data Protection Regulation (GDPR) requires companies to encrypt emails containing personal data. Encryption ensures the confidentiality of the data sent: only the intended recipient can read the contents. Of course, this also applies to emails containing personal data that are exchanged with the Bundesagentur für Arbeit (BA, German Federal Employment Agency) or job centers (gE). In particular, public institutions such as municipalities and cities, as well as private-sector human resources departments, communicate regularly with the Bundesagentur für Arbeit. In this blog article, we describe how to automatically encrypt emails to the Bundesagentur.
What do I need for email encryption?
In addition to a certificate and the corresponding private key for your own mail address, you need the public key of your communication partner for encrypted sending to the BA. You can get your own certificate from a trust center such as D-Trust, DigiCert, GlobalSign or SwissSign. But how do you get the public key of the employee or the group mailbox of the Bundesagentur für Arbeit?
How do I get the S/MIME certificate of a recipient at the Bundesagentur für Arbeit?
There are two manual ways to obtain the certificate of your contact person or group mailbox. Each of these requires several steps to obtain the required certificate.
1. Use the certificate search of the Bundesagentur für Arbeit
The Bundesagentur für Arbeit offers a certificate search on its website at https://cert-download.arbeitsagentur.de. There you can manually enter the email address of the recipient and search for the certificate. You can then download and install the certificate and the corresponding issuer certificates in various formats. You must then ask the contact person at the BA to send you an invitation for email encryption so that the BA employee can send you encrypted mails. You will then receive a link and the option to enter your contact details as well as upload your own certificate.
2. Set up access to the LDAP directory service
Another way to access the BA’s certificates is to set up access to the LDAP directory service. You have to request access; the LDAP access data is then transmitted via encrypted mail. Before that, however, you must again request an invitation for email encryption. Detailed information on this can be found in the corresponding documentation on E-Mail-Verschlüsselung für externe Kommunikationspartner der BA (email encryption for external communication partners of the BA) under Automatisierter Abruf der Verschlüsselungszertifikate der Bundesagentur für Arbeit per LDAP.
Encrypting emails to the Bundesagentur, with automated certificate management
With Open Keys you can use the LDAP server of the Bundesagentur für Arbeit without additional steps. Open Keys is the central source for obtaining public certificates. Open Keys follows the open source approach and is directly integrated into NoSpamProxy Server and NoSpamProxy Cloud, if you have licensed NoSpamProxy Encryption. Open Keys establishes a connection to BA’s LDAP directory service and automatically retrieves the certificates for email encryption. You can communicate with your communication partner immediately in encrypted form without having to exchange signed emails beforehand.
How to enable Open Keys in NoSpamProxy Server
In the NoSpamProxy Command Center, under Identities > Public Key Servers, select the Use Open Keys (recommended) checkbox.
Non-NoSpamProxy customers can also use the free service and search for public keys automatically at www.openkeys.de via LDAP or Web API.
In NoSpamProxy Cloud, the Open Keys service is also available and automatically enabled.
Automatically encrypt emails to the Bundesagentur für Arbeit
In the NoSpamProxy Server rule set, you can also configure a central security setting so that all emails sent to domains such as “arbeitsagentur.de” or the domains of the regional job centers are automatically encrypted. This covers every email address in the defined domain and ensures that no email to this domain is sent unencrypted.
Similar to NoSpamProxy Server, in NoSpamProxy Cloud you can also specify domains or recipient addresses in the rules to which emails are to be sent encrypted by default.
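The following sketch illustrates the decision such a domain-wide rule has to make; it is an added example, not NoSpamProxy code or configuration. The job-center domain, the function names, and the choice to reject a message when no certificate is found for an enforced domain are assumptions made for illustration.

```python
from email.utils import getaddresses

# "arbeitsagentur.de" comes from the article; the second entry is a
# constructed placeholder for a regional job-center domain.
ENFORCED_DOMAINS = {"arbeitsagentur.de", "jobcenter.example"}


def domain_of(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or not domain:
        return None
    return domain


def is_enforced(domain):
    """True for an enforced domain or a real subdomain of one.

    A plain suffix test would also match look-alikes such as
    "evil-arbeitsagentur.de", so the match must start at a label boundary.
    """
    return any(domain == d or domain.endswith("." + d) for d in ENFORCED_DOMAINS)


def decide(recipient_headers, has_certificate):
    """Map every recipient to 'encrypt', 'reject' or 'plain'.

    recipient_headers: list of To/Cc header values.
    has_certificate:   callable(address) -> bool; stands in for the key
                       lookup (for example against a public key server).
    """
    decisions = {}
    for _name, addr in getaddresses(recipient_headers):
        addr = addr.strip().lower()
        domain = domain_of(addr)
        if domain is None:
            decisions[addr] = "reject"      # unparsable recipient: do not send
        elif has_certificate(addr):
            decisions[addr] = "encrypt"
        elif is_enforced(domain):
            decisions[addr] = "reject"      # fail closed, never fall back to plain text
        else:
            decisions[addr] = "plain"       # no rule for this domain
    return decisions
```

Rejecting instead of silently downgrading is what makes the statement "no email to this domain is sent unencrypted" hold when a certificate lookup fails.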
Advantages of the automated encryption of mails to the employment office
With the Open Keys feature enabled, your employees do not need to worry about email encryption or certificate management. They can concentrate fully on their core tasks. The automated encryption and signature of emails ensures data protection in email communication – and you meet the requirements of the General Data Protection Regulation (GDPR) in email communication.
Receiving encrypted emails from the Bundesagentur für Arbeit
Of course, you can also receive encrypted emails from the Bundesagentur with NoSpamProxy. NoSpamProxy checks the signatures and decrypts the emails.
For this, you only need to add the intermediate and root certificates of the employment agency to your NoSpamProxy Server installation once, so that the certificate chain can be checked for validity. These certificates are also offered in the results of the certificate search described above at https://cert-download.arbeitsagentur.de.
In addition, you must provide the BA with your own certificates in advance. On request, NoSpamProxy will automatically publish your certificates in Open Keys, from which the BA can retrieve the current status by using freely available interfaces. If a certificate is updated, it is immediately published in Open Keys in real time.
To enable the BA to set up the query to Open Keys for your email domain, please send an email to IT-Systemhaus.Vertrauensdienste@arbeitsagentur.de requesting the connection to Open Keys for
- your domain(s) and
- your technical contacts.
Detailed information on this can be found in the corresponding documentation on E-Mail-Verschlüsselung für externe Kommunikationspartner der BA (email encryption for external communication partners of the BA) under LDAP-Verzeichnis.
If you want to use a domain certificate, please send the details to IT-Systemhaus.Vertrauensdienste@arbeitsagentur.de. Detailed information on this can be found in the corresponding documentation on E-Mail-Verschlüsselung für externe Kommunikationspartner der BA (email encryption for external communication partners of the BA) under Domänenzertifikat (Verschlüsselungsgateway).
In NoSpamProxy Cloud, you do not need to manually add the Bundesagentur’s intermediate and root certificates. They are automatically included and immediately used for receiving emails.
NoSpamProxy Encryption & Open Keys: The perfect combination
With the encryption solution NoSpamProxy Encryption and Open Keys, the free service for obtaining certificates, you rely on a strong duo for secure email communication. Activate the Open Keys function in NoSpamProxy Server now or use the directly integrated service in NoSpamProxy Cloud to automatically receive public keys – for example from the Bundesagentur für Arbeit – and communicate in encrypted form. Not using NoSpamProxy yet? Request your free trial version now!