Breaking New Ground in S/MIME Decryption at Scale

How one organisation turned a compliance nightmare into a cloud transformation catalyst.

Executive Summary

When a global cybersecurity and technology enterprise approached the end-of-life of its Exchange 2019 email platform, the IT leadership confronted a critical question, how to decrypt hundreds of millions of S/MIME–encrypted emails and move them to the cloud without breaking compliance or disrupting the business. 

No marketplace solution could meet the challenge. Our team engineered a custom S/MIME decryption and migration approach, a first-of-its-kind project that preserved compliance, guaranteed Microsoft Purview eDiscovery readiness and delivered a seamless move to Exchange Online Archives (EXO OA). 

This case study details the business drivers, the technical hurdles and the engineering innovations that made it possible.

The Business Imperative

Retiring Exchange 2019 was non-negotiable. But simply moving mailboxes to the cloud was not enough, hundreds of millions of emails were encrypted using S/MIME, and regulatory obligations required that every message remain readable, discoverable and defensible in the event of audits or legal discovery. 

IT leadership defined four non-negotiable outcomes: 

• Reliably decrypt S/MIME content at scale – millions of messages, many years old, needed to be processed without loss or corruption
• Ingest decrypted messages into Exchange Online Archives with full chain of custody – every message had to be traceable from source to destination
• Validate discoverability in Microsoft Purview eDiscovery – decrypted messages must be immediately searchable and usable in regulatory or legal scenarios
• Ensure zero disruption for end users – employees should notice no change in their daily email experience 

The future retirement of on-premises infrastructure and the company’s broader cloud strategy depended on achieving these objectives without compromise.

Obstacles on the Path 

This was not a typical migration. Multiple challenges had to be solved before the first mailbox could be moved. 

1. S/MIME Key Acquisition and Custody 

The greatest technical hurdle lay in the S/MIME private keys, which were scattered across thousands of user devices and stored in personal certificate stores. Without these keys, decryption was impossible. 
The IT team designed a secure, centralised process to collect these keys, safeguard them in a controlled environment and ensure that once the migration finished, all keys were securely removed. This careful key management became the foundation of trust for the entire program. 

2. High-Volume Throughput 

Tens of terabytes of encrypted data had to be processed quickly enough to meet business deadlines. Yet Exchange Online enforces throttling and service protections, making brute-force approaches unworkable. The team needed a way to parallelise the migration, scaling throughput while staying within Microsoft’s service limits and maintaining data integrity. 

3. End-to-End Auditability 

Regulators and internal governance teams required a complete chain of evidence. Every single message needed a verifiable trail from the on-premises source mailbox to the cloud archive. This demanded item-level logging and reconciliation far beyond what standard migration tools provide.

Engineering the Breakthrough

With no off-the-shelf product capable of addressing these needs, the team extended an internal migration framework to include custom S/MIME decryption. 

This innovation centred on in-transit decryption, messages were decrypted while moving from Exchange 2019 to EXO OA, never stored unencrypted on disk. This approach eliminated the risks of decrypted data at rest and aligned with the company’s strict compliance requirements. 

Key technical elements included: 

• Controlled Key Management: S/MIME keys were centrally installed in the migration servers’ certificate store only for the duration of each migration wave and removed immediately after completion.
• Lean but Scalable Architecture: A single SQL server and four application servers processed mailboxes in parallel, sustaining a rate of 400,000 messages per hour. By adding application servers as required, the team achieved stable high-throughput performance while staying within Exchange Online’s throttling limits.
• Comprehensive Logging: Every message was tracked with detailed metadata—source mailbox, message ID, subject, sent time, attachment state, message size, folder location, message type, status code and any error type. These logs provided the evidence base for reconciliation, compliance and future audits 

This engineering effort turned a theoretical challenge into an operational reality, proving that S/MIME decryption at scale can be achieved securely and efficiently.

The Five-Phase Execution Plan

The migration unfolded through a carefully orchestrated five-phase program Establish, Gather, Validate, Migrate and Assurance designed to control risk, protect compliance and keep the business running without interruption. 

1. Establish 

The team began by setting the governance framework and success criteria that would guide every decision. 

• Security policies for S/MIME key handling were documented and approved by information security leadership
• Acceptance metrics were defined, including ≥99.9% decryption success and demonstrable chain of custody for every message
• A controlled test environment was built to vet the custom migration tool and to stress-test Exchange Online throttling limits 

This phase ensured that both the business and compliance teams had a clear picture of what “success” would look like before any production work began. 

2. Gather 

Next came the most sensitive task securely acquiring S/MIME private keys scattered across thousands of user workstations. 

• The IT team created automated collection mechanisms and strict custody procedures to retrieve keys without exposing them to unauthorised access
• Keys were placed in a certificate store on the migration servers, accessible only during the migration waves

By the end of this phase, every key required for decryption was accounted for and held under auditable security controls. 

3. Validate 

Before touching the live environment, the team executed a pilot migration wave to confirm that the approach worked at scale. 

• Decryption quality, throughput and Exchange Online performance were measured against the benchmarks set in the Establish phase
• Messages were reconciled end-to-end to prove that each decrypted message was discoverable in Microsoft Purview eDiscovery
• Any tuning for parallelism or throttling limits was completed here

This phase gave executives confidence that the custom tooling and processes would perform reliably when rolled out to the entire enterprise. 

4. Migrate 

Armed with validated processes, the program moved into production migration waves over an eight-month schedule. 

• Each user cohort received proactive notifications and clear timelines to ensure transparency and avoid disruption
• Messages were decrypted in transit as they flowed from Exchange 2019 to Exchange Online Archives (EXO OA) never stored unencrypted on disk
• The environment ran on a lean but powerful footprint: one SQL server and four application servers, sustaining 400,000 messages per hour. Scaling application servers became the key lever for stable, high-throughput performance 

Throughout this phase, security and compliance were embedded in every action. 

5. Assurance 

Once migration completed, the team focused on verification and secure cleanup. 

• Item-level logs captured every detail like source mailbox, message ID, subject, sent time, attachment state, message size, folder location, message type, status code and error type,  providing the evidence base for reconciliation and audit readiness
• After confirming that decrypted messages were fully searchable in Microsoft Purview eDiscovery, a two-phase deletion strategy was executed: first, items were soft deleted to the Recoverable Items folder with a defined retention window; then a controlled hard delete ensured final and compliant removal of source data

The Assurance phase closed the project with a defensible chain of custody and a cloud archive that met the organisation’s stringent regulatory requirements—allowing the business to retire Exchange 2019 with confidence and prepare for future cloud transformation. 

Measurable Results

Metric	Outcome
Scale	~5,000 mailboxes and ~50 TB of S/MIME-encrypted data
Throughput	Sustained rate of 400,000 messages per hour
Migration Timeline	Eligible items migrated in roughly one month within an eight-month overall program
Accuracy	≥99.9% success rate per mailbox and per migration wave
Compliance	Decrypted content confirmed searchable and reviewable in Microsoft Purview eDiscovery
User Impact	None. Thanks to proactive wave communications and transparent scheduling

The project enabled the retirement of Exchange 2019 dependencies, paving the way for future mailbox moves to Exchange Online while keeping the organisation fully compliant and its users unaffected.

Why It Worked

Several factors combined to make this ambitious migration a success: 

• Scalable, Flexible Architecture 
  Concurrency tuning and carefully managed parallelism allowed high throughput while respecting Microsoft’s throttling and service protections
• Evidence-Driven Governance 
  Item-level logs and clearly defined success metrics gave compliance teams and auditors full visibility into every stage of the migration
• Proactive User Communication 
  Regular updates and clear wave schedules kept employees informed and confident, ensuring that no one experienced an interruption to their daily email usage
• Compliance and Discoverability Assurance 
  Every decrypted item was validated in Microsoft Purview eDiscovery, guaranteeing that legal and regulatory obligations were met 

Looking Ahead

This project proves that large-scale S/MIME decryption and migration can be achieved securely even when no commercial product exists. 

For many organisations, the challenge of retiring legacy email platforms while meeting regulatory requirements is only growing. Encrypted historical data is often considered too complex or risky to move creating hidden costs, operational constraints and potential compliance exposure.

Our experience demonstrates a clear alternative: 

• Innovation over limitation – when the marketplace lacks a solution, a well-engineered custom approach can close the gap
• Compliance without compromise – security, chain of custody and eDiscovery readiness can be preserved even at massive scale
• Future-ready infrastructure – retiring Exchange 2019 not only removed technical debt but also prepared the organisation for cloud-first strategies and future mailbox moves to Exchange Online 

For executives evaluating cloud transformation, this migration provides a repeatable blueprint, it shows that encrypted archives can be brought into modern platforms safely, efficiently and without disrupting the business.

The path forward is clear encrypted data does not have to be a barrier to innovation. With the right strategy and technical expertise, even the most complex S/MIME environments can move confidently into the cloud era.

If your organisation faces the complex task of decrypting and migrating S/MIME-encrypted email at scale, our proven methodology and custom-built tooling can help. Contact us today to discuss your requirements and learn how we can deliver a secure, compliant migration tailored to your environment.