File encryption

aspdaddy

10:31 am on Jun 23, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm after some cheap or free software that I can recommend to businesses to use when emailing data to me.

I'd need a new key generated for each file sent, i.e. they send the data then phone me with the key for that file.

Anyone know of anything? It needs to be idiot proof and really easy to install and use.

Thanks

txbakers

1:16 am on Jun 25, 2006 (gmt 0)




How about something in the order of a file upload script, rather than sending it through the email?

That's more secure in the long run.

aspdaddy

6:23 am on Jun 25, 2006 (gmt 0)




I would normally, but the data needs to go back the other way after being marked. Also sometimes it happens the other way round: I send, they mark and return.

bill

8:23 am on Jun 25, 2006 (gmt 0)




I use PGP for encrypted communication. Recent commercial packages are a bit pricey, but there are still some older free versions around that work just as well.

aspdaddy

11:19 am on Jun 25, 2006 (gmt 0)




Thanks Bill. How does it work, do you encrypt and then send the receiver a key/password - are the keys user friendly enough to speak down a phone?

Would both parties need the exact same product or would any software do that uses the PGP standard?

jtara

8:08 pm on Jun 25, 2006 (gmt 0)




PGP uses a technology called PKI - or Public Key Infrastructure. PKI doesn't require that you send a key through a separate secure channel to communicate. It's an important innovation in secure communication that was invented in the 1970's. Secure communication today would be an incredible hassle without this technology.

PKI is widely-deployed, and you probably already use it without realizing it. In addition to protecting email, with products such as PGP, it is employed for secure web browsing (SSL), secure system administration (SSH), and secure remote connectivity (VPNs). All of these implement PKI at their core.

Each user has two keys, called the private key and the public key. The private key is just that, and not distributed to anyone. The public key is (in theory, at least) made available to the public. While the keys are mathematically-related, it is extremely difficult or impossible to derive the private key given the public key, and/or public key and cipher text.

To send you a message, I encrypt it using your public key. The message can only be decrypted, though, by using your private key. So, only you can decode it, since only you possess the private key. (Even the sender cannot decrypt it!) A message can be "signed" by encrypting it with my private key. It can then be decoded only by using my public key. This proves that only I could have sent it, since only I possess my private key. Finally, a message can be both signed and made private, by encrypting using both my public key (signing) and your private key (encrypting/making private).

PGP might be a solution for you, but, frankly, I don't think it's the best solution for you. It sounds like you have a process of passing documents back and forth for editing or approvals. Why not implement a simple CMS on your web server? Have users access the CMS via SSL (e.g. secure pages). Why complicate things by using email? When a user downloads a document, the system notes that, when they upload it notes that again, and when you log in you can get a list of documents waiting for you.

BTW, PKI public keys are too complicated to be spoken over the phone. But there is no need to do so. Since there is no concern over disclosure of a public key, it can just be sent over an insecure channel, such as regular email. When you connect to an SSL web server, the public key is sent to your browser at the start of the session. Same thing happens with SSH and VPNs.

aspdaddy

9:24 pm on Jun 25, 2006 (gmt 0)




Thanks for the info on PGP, I think you are right, it's not what I want.

Why not implement a simple CMS on your web server?

Long term I probably will, I just needed something quick and deployable in an afternoon.

I do client list matching with solution providers to determine where we have existing common ground for market development. I just need some controls to ensure it's secure in transit just for peace of mind and to be seen to have followed due diligence and professional practice when sharing business data. A decision can be made on the phone with a new company and then data needs to follow asap. Email allows that.

SSL certs provide origin company authentication, guarantee that what is received is the same as what was sent, and provide secrecy while it's in transit. I also need user authentication, two way facility and fast deployment to new users. Client certs are not fast to deploy to new users.

VPN provides similar to SSL, but deployment is even slower and has way too many dependencies.

Really I just want to be able to use email with a medium strength key that I provide via phone, and no deployment hassle.

The obvious solution is of course to use Word/Excel password features, the only problem with that is the various commercial software available for cracking them :)
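An added example, not part of the original thread: one way to make a per-file key that survives being read out over the phone, as asked for above. It encodes random bits in an alphabet without look-alike symbols, appends a check symbol so a misheard code is rejected instead of silently producing the wrong key, and stretches the result into a 256-bit key for whatever authenticated cipher does the actual encryption (the block itself does not encrypt). The function names, the 15-symbol length and the PBKDF2 round count are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Crockford base32: no I, L, O or U, so letters are not mistaken for digits.
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
PBKDF2_ROUNDS = 600_000  # assumed work factor; tune to the slowest machine in use

def _check_symbol(body: str) -> str:
    """Check symbol from the top 5 bits of SHA-256(body); catches about 31 of 32 random slips."""
    return ALPHABET[hashlib.sha256(body.encode()).digest()[0] >> 3]

def new_file_code(symbols: int = 15) -> str:
    """Fresh random code for one file: 5 bits per symbol, grouped in fours for reading aloud."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(symbols))
    body += _check_symbol(body)
    return "-".join(body[i:i + 4] for i in range(0, len(body), 4))

def normalise(spoken: str) -> str:
    """Undo transcription noise (case, spaces, dashes, O/0 and I/L/1), then verify the check symbol."""
    text = spoken.upper().replace("-", "").replace(" ", "")
    text = text.translate(str.maketrans("OIL", "011"))
    if len(text) < 2 or any(c not in ALPHABET for c in text):
        raise ValueError("code contains symbols that are never issued")
    if _check_symbol(text[:-1]) != text[-1]:
        raise ValueError("check symbol mismatch: code was misheard or mistyped")
    return text[:-1]

def derive_key(spoken: str, salt: bytes) -> bytes:
    """Stretch the code into a 256-bit key. The random salt is not secret and travels with the file."""
    return hashlib.pbkdf2_hmac("sha256", normalise(spoken).encode(), salt, PBKDF2_ROUNDS, dklen=32)

if __name__ == "__main__":
    code = new_file_code()
    salt = secrets.token_bytes(16)
    typed_by_receiver = code.lower().replace("-", " ")  # constructed sample of sloppy typing
    print("read over the phone:", code)
    print("both sides agree:", derive_key(code, salt) == derive_key(typed_by_receiver, salt))
```

A 15-symbol code carries 75 random bits; raising `symbols` lengthens the call but not the procedure.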

jtara

5:22 am on Jun 26, 2006 (gmt 0)




There's no need for client certificates. There is an alternative to client certificates - passwords. In most cases, in fact, this is how people do user authentication. As you correctly state, client certificates are a hassle, and as a result they have not been popular. Fortunately, a user ID/password system operating behind an encrypted channel (e.g. SSL) is just as secure and accomplishes the same thing.