Posted: Jun 19, 2015

On Monday, July 6th, The IronPort Encryption Appliance (IEA), which is used by agencies to send encrypted email to external recipients, will be replaced with Cisco Registered Envelope Service (CRES).

Migrating existing accounts

As part of the migration, we will be transferring all of the existing user accounts and encryption keys from IEA to CRES. This will allow recipients to open emails encrypted by the IEA in addition to new emails encrypted via CRES. For users that have IEA accounts but not a CRES account, the passwords and security questions will be preserved from IEA when the CRES accounts are created. If an IEA account already exists in CRES, the passwords and security questions defined in CRES will be used and the IEA password and security questions will not be used. In both cases, the recipients will need to use their CRES credentials to open both new and old encrypted emails.

Managing accounts and forgotten passwords

ITD will no longer be able to manage recipient accounts. Recipients will be able to manage their account by logging in to the CRES website. The URL is  Once logged in, recipients can manage their account profile (password, security questions, etc.), manage an address book and compose email.

If a recipient has an account issue (locked account, forgotten password/security questions, etc.) they will need to contact CRES Customer Support for assistance. This can be done via email at or via Instant Messenger Chat Support.

Sending messages

The process of sending encrypted messages will not change with this transition. Users will still simply include one of the three following phrases in an outbound email to engage CRES encryption: securemail (case insensitive); secure mail (case insensitive); (case sensitive).

Receiving and opening messages

Currently, to open an encrypted email, the recipient must create and login to an account that resides on the IEA. When an encrypted email is sent, the recipient receives an email with an attachment named ndsecuredoc.html. This attachment is called the “secure envelope” and contains the encrypted message. When the “secure envelope” is opened, the user is prompted to register for an account on the IEA if they don’t currently have one, or they are prompted to enter the password for their existing account. Once they are authenticated, the decryption key is retrieved from the IEA and the message is opened. The process will be the same with CRES, except Cisco will be hosting the user accounts rather than the State. Additionally, the “secure envelope” will look a little different than what they currently receive.  Below are examples of the old and new envelopes for comparison.

IronPort Secure Envelope

IronPort Secure Envelope        

CRES Secure Envelope

  CRES Secure Envelope

Notifying recipients of the change from IEA to CRES

ITD is personally notifying agencies of this change; however, notifying recipients is being accomplished by editing the standard message recipients see when they receive an encrypted message. This message can be seen below.

CRES notification message


Additional Questions

If you have any questions that are not addressed in this guide, please contact the ITD Service Desk.