SendSafely enterprise customers can leverage our enterprise master key feature to recover decryption keys for any inbound or outbound item that is transferred through their SendSafely enterprise portal. This feature is especially useful for cases where:
- Users are unable to recover access to items on their own, usually as a result of losing access to all of their trusted browsers
- An organization requires the ability to decrypt any item transferred through the SendSafely portal for archival or compliance purposes
This article will provide an overview of how the enterprise master key feature works and how to use the key to recover decryption keys for specific items.
How it Works
The SendSafely enterprise master key is a public/private key pair that is compliant with the OpenPGP (RFC4880) standard. Unlike regular encryption keys, where the same key is used to encrypt and decrypt information, public/private keys each only perform one of those functions (not both). So anything that gets encrypted with the public key, for example, can only be decrypted with the private key. As the name implies, the private key is secret and only known by the browser (SendSafely never has access to that key).
The master public key is not secret and is provided to SendSafely and stored within the portal. The master private key is secret and is not provided to SendSafely. The master private key is only available to trusted company administrators and can be securely stored in their browser for use as needed.
Every time someone sends an item through the SendSafely portal, the sender’s machine will automatically receive a copy of the enterprise master public keys in order to encrypt and upload a copy of the Client Secret. (For more information on Client Secrets and the role they play in our security model, consult our Security Overview page.) Since only the master private key can be used to decrypt the Client Secret, you can be assured that SendSafely still won’t have the ability to decrypt these secrets.
SendSafely enterprise admins have the ability to request the encrypted Client Secret for any package within their SendSafely portal. In addition to being an administrator, the user must also be in possession of the enterprise master private key, otherwise they will not be able to decrypt the obtained value.
NOTE: This feature allows any administrator with a copy of the private key to be able to re-generate the secure link needed to directly access the item. The administrator would not be able to access and download the item unless they were to also add themselves as a valid package recipient, which would be captured in the access logs for the package.
Enabling an Enterprise Master Key
Enabling a new master key requires assistance from our technical support team. The process involves:
- Generating the enterprise master GPG key pair
- Having an authorized SendSafely enterprise admin send the public key to our support staff using their SendSafely account.
The following steps can be used to generate a designated public/private key pair that will be used as the master key. Only the public key is provided to SendSafely, the private key is managed by your organization and is never provided to SendSafely.
We recommend that you use our Secure Package Export Utility to generate your master key (refer to the Generating an Enterprise Private Key section of the article).
Alternatively, the enterprise master key can be generated manually using GPG from the command line as outlined below.
1. Generate a new key pair
Make sure you choose RSA/RSA as the type, and 2048 as the key size
Do not password protect the key and do not set a key expiration date. If prompted for a password, leave blank and press ok (if warned, choose ok)
2. Export the public key
gpg --export -a "Name"
Name is the name associated with the key from Step 1. If you don't know the name, use gpg --list-keys to list them all
3. Export the private key
gpg --export-secret-key -a "Name"
Using the Enterprise Master Key
In order to use the master key, you must be a SendSafely enterprise administrator and have a copy of the master enterprise private key.
The first step in using the enterprise master key is to import a copy of the private key into the web browser you want to use for accessing items. The enterprise key is separate from any of your trusted browser keys and can co-exist within any of your existing trusted browsers without causing any conflict. Each admin that requires use of the enterprise master key must be provided with a copy of the private key and must import the private key into each browser they wish to use for accessing items that do not belong to them.
In order to import the key into your browser, go to the Enterprise Console and look for the "Load Admin Key" button under the "Site Configuration Options" section of the page.
NOTE: This button is only visible once your organization provides the enterprise master public key to our support team. Once the key is loaded, the same button that was used to load the key will be replaced with one labeled "Clear Admin Key" that can clear the key from local storage should you choose to de-authorize the device.
Once the key is loaded into your browser as an enterprise admin, you can pull up the "Status" screen for any item and press the "Show Secure Link" button to recover the full link (including keycode) that is needed to decrypt the item. The ability to recover keycode links without accessing the item is useful for cases where an enterprise user is unable to access an item that they need access to.
NOTE: Only items sent AFTER the enterprise key is loaded into the portal will be accessible using this key. Also note that you can rotate the key at any time by contacting our support team, but historical items will not be re-keyed. Items sent before the key was rotated will no longer be accessible to admins using the new key.
If you wish to use the keycode link to view the unencrypted contents of the package, you must be an authorized recipient listed on the package. Enterprise administrators have the ability to add themselves as recipients to any package using the "Add Recipient" option at the bottom of the "Status" screen. Keep in mind that as an administrator, if you choose to add yourself as a recipient and access the un-encrypted item you will permanently show up in the list of recipients for that item and will generate log entries for every item they view. The owner (sender) of the item will also be able to view the full list of recipients and all successful downloads.