Decryption
To decrypt an email via S/MIME with your YubiKey and Yubico Authenticator for iOS/iPadOS, ensure that you have fulfilled the listed prerequisites and then complete the following steps.
Prerequisites
You have:
- acquired a valid S/MIME certificate and private key associated with your email address
- imported your certificate and key pair onto your YubiKey
- provisioned the public certificate to your iOS Keychain
- installed a compatible mail client
- enabled encryption/decryption in your mail client and configured the app to decrypt messages using your S/MIME certificate and private key
- received an email that was encrypted using your certificate’s public key
Note
In order for a contact to send you an encrypted message, they need to retrieve a copy of your certificate and its public key. See Enable a sender to encrypt messages using your S/MIME certificate for more information.
Decrypt a message
1. In your mail client’s inbox, select an encrypted email you would like to decrypt and view.
   - In ISEC7 Mail, encrypted messages in your inbox show a lock icon underneath the message timestamp.
   - In Outlook, encrypted messages in your inbox show the phrase “This message is encrypted” underneath the subject line.
2. A pop-up from Yubico Authenticator will appear at the top of the screen. Click on the pop-up to open the Yubico Authenticator app to begin the decryption process with your YubiKey.
3. Insert your YubiKey into your iOS/iPadOS device or scan your NFC-enabled YubiKey when prompted.
   Note
   NFC wireless connections are natively supported on iOS but not on iPadOS (current iPads do not have built-in NFC readers). For a complete breakdown of Yubico Authenticator functionality by platform and connection type for each YubiKey model, see the Yubico Authenticator Functionality table.
4. Enter your PIV application PIN. For NFC connections, scan your key again when prompted.
   The default PIV application PIN is 123456. If you do not know your PIN and your YubiKey is managed by your organization, reach out to your IT admin for assistance.
   Caution
   You only have three attempts to enter the correct PIN before your PIN becomes blocked. Once blocked, your PIN must be unblocked with the PUK before you can perform any PIV operations that require PIN authentication. PIN unblocking can be done via the desktop version of Yubico Authenticator or the ykman CLI tool.
   Note
   If connected over USB-C on iOS or iPadOS, you must disable Yubico OTP generation in order to access your on-screen keyboard. For instructions and additional information, see Disable Yubico OTPs.
5. If you entered the correct PIN and the PIN authentication operation was successful, you will see a green check mark.
6. Click on the name of your mail client in the upper left corner to return to your mail app and view your decrypted message.
Note
If you selected the wrong certificate during mail client configuration, decryption operations will fail.