Upon request, customers can rotate their SendSafely portal master key. Rotating a master key requires assistance from our technical support team. The process involves:
- Generating a new portal master GPG key pair as outlined in this article.
- Having an authorized SendSafely portal admin send the public key to our support staff using their SendSafely account (note, per our SLA, that our support team will rotate your portal master key within 48 hours of receiving this public key).

Once a master key has been rotated, the new key becomes “Active” and the historic key is transitioned to the “Retired” state. All keys, active and retired, are displayed on the Enterprise Console.
From this point forward, all client secrets are encrypted with the new active key only. The new active private key should be distributed to authorized admins, who then load the private key into their browser's local storage by clicking the “Load” button on the respective key row as shown above.
Note: Historic client secrets remain encrypted with the retired key; SendSafely does not re-key historic client secrets. As a result, it is imperative that authorized admins retain the retired private key(s) in order to decrypt client secrets from that time period. If a new authorized admin joins the team, they should be provided both the active and retired private keys for comprehensive, historical access to client secrets.