Encryption FAQs
What is Nightfall Data Encryption?
Nightfall Data Encryption offers a groundbreaking, Artifical Intelligence (AI) -powered approach to email encryption. Unlike legacy gateway-based encryption or tools that rely on cumbersome third-party portals, Nightfall’s innovative platform provides seamless, client-side protection that integrates directly into your existing email workflows. Nightfall’s Data Encryption solution leverages AI to automatically detect and secure sensitive information within your emails and attachments. This context-aware intelligence allows Nightfall to apply robust, military-grade encryption tailored to the specific data being shared - no manual intervention is required.
How does Nightfall Data Encryption work?
Nightfall provides best-in-class AI-driven data loss prevention (DLP) and automatic, context-aware email encryption, keeping Gmail messages and attachments private and compliant throughout collaboration workflows. Embedded directly within the native Gmail interface via a Chrome extension, Nightfall enables client-side encryption before emails reach Google's servers, preventing unauthorized access by Google or other parties.
With a simple toggle, senders can encrypt message bodies and attachments, set expiration dates, disable forwarding, and revoke access at any time. Persistent file protection ensures attachments remain secure even when shared beyond email, allowing recipients to download and collaborate on files across desktops, network drives, Google Drive, and other cloud platforms, while the sender maintains control.
Nightfall's seamless integration into Gmail reduces support costs for IT and security teams. Automated, context-aware encryption based on detection of sensitive data empowers security teams and eliminate reliance on end-users to do the right thing. IT and security teams can also provide end-users the control by allowing flexible, end-user self-management of outgoing emails via protection options in the Chrome plugin. External recipients can access secure emails without creating new accounts or managing additional passwords, simply authenticating with their existing accounts using a one-time login code. Admins and senders retain persistent visibility and control over protected messages and attachments, with encryption and sharing activity available natively in Gmail and within the Nightfall console. The sharing activity is available in logs which can be ingested in SIEM tools for enhanced threat response.
How are emails encrypted and protected at rest?
Nightfall uses AES with Galois/Counter Mode (AES-GCM) 256-bit encryption to encrypt data - email body and attachments. Data is encrypted using a dynamic, randomly generated cipher key. The encrypted content is then stored in a cloud object storage protected with IAM policies ensuring the principle of least privileges with AES 256 bit encryption enabled at rest. This ensures all customer emails are double encrypted by Nightfall.
Nightfall maintains a reference to the encrypted content, the tenant UUID, the S3 bucket and the randomly generated cipher key which is encrypted using AWS Key Management Service (KMS).
This ensures no one at Nightfall has access to the encrypted data and only the authorized recipients can decrypt and access data. Additionally, Nightfall supports bring your own key (BYOK) workflow with AWS KMS and customers can provide their own KMS key to encrypt this data.
How does Nightfall verify the intended recipients of the encrypted email and prevent unauthorized access?
Nightfall secure reader is a feature that ensures only the intended recipients who can authorize successfully can decrypt and view secure emails.
Secure reader verifies the identity of the intended recipients of a secure email by validating the recipients copied on the email. Nightfall prompts the recipient to verify their identity by authenticating into their Gmail account via OAuth or sending a login code to their email. The recipient can then enter the login code to access the encrypted email. Any user who was not copied on the original email cannot access the encrypted email. Recipients do not have the option to forward, copy, print, or download the secure email.
What protective mechanisms does Nightfall have in place to receive or send emails securely?
Nightfall sends emails to recipients in two instances - authenticate the intended recipients by sending a login code to the specified email address and allowing recipients to respond to encrypted emails from the secure reader. In both these instances, emails are sent from a no-response Nightfall AI email address to the respective users.
Nightfall utilizes a secure email service to send emails in these instances and has setup the below policies to protect against phishing or getting marked as spam.
Sender Policy Framework (SPF) authenticates the sender IP’s and verifies whether it is authorized to send emails on behalf of the identified domain.
DomainKeys Identified Mail (DKIM) protocol is used by Nightfall’s inline DLP solution to verify email content is unchanged with a signature and helps identify and thwart any spoofing attacks. With Nightfall’s Data Encryption solution, Nightfall signs the email content with dedicated domain keys for email service provider to verify the email’s authenticity.
A Domain-based Message Authentication, Reporting and Conformance (DMARC) record is a DNS TXT record published in a domain’s DNS database that tells receiving mail servers what to do with messages that don’t align or authenticate with SPF and DKIM. The DMARC record enables reports to be sent back to the domain owner about which messages are authenticating and why. Nightfall sets up a DMARC record on its email service to determine the steps to take in case of failures in DKIM or SPF.
How long is the login code sent to recipient mailboxes valid for?
By default, the temporary login code sent to recipient mailboxes is valid for a maximum of 15 minutes.
What happens if both Nightfall sensitive data protection for email and Data encryption is enabled. I have configured an automated block or quarantine action and the end-user chooses to encrypt the outgoing email. What will be the behaviour
In such cases, if sensitive data is found in the email and if you have enabled the Block automated action and the end-user chooses to encrypt the email, the email is blocked. The error message is displayed as shown in the following image.
My Nightfall DLP Chrome plugin is not working. What should I check?
Account Verification
Ensure that you are logged into the Chrome plugin using the same email account you use to send emails.
Confirm this email is associated with the Chrome profile you're currently using.
OAuth Permissions
Verify that you have granted the necessary OAuth permissions to your mailbox to use email encryption with Gmail.
Chrome Plugin Permissions
Check if sufficient permissions are granted to Nightfall's Chrome plugin: a. Navigate to the Google Admin Console. b. Go to: Security -> Access and data control -> API controls -> MANAGE THIRD-PARTY APP ACCESS. c. Click "Change Access" for Nightfall DLP. d. Under "Access to Google Data", select "Limited" or "Specific Google data". e. Save your changes. f. Please follow the above steps if there are two Nightfall DLP apps listed there. One app is used to login and authorize access to Gmail and the other app is authorized to send emails on your behalf.
Domain Configuration
If you are blocked on the compose window without any ability to send emails, it means encryption is likely not enabled in your account. Reach out to Nightfall Support or CS team to verify that your domain has been enabled for the encryption capabilities from Nightfall.
What if I'm still experiencing issues after checking these items? If you have verified all the above and are still encountering problems, please contact the Nightfall support team for further assistance.
Last updated