SendSafely enterprise customers can leverage our enterprise master key feature to recover decryption keys for items in their SendSafely enterprise portal, including file transfers, Dropzone uploads and Workspaces. This feature is especially useful for cases where:
- Users are unable to recover access to items on their own, usually as a result of losing access to all of their trusted browsers
- An organization requires the ability to decrypt any item transferred through the SendSafely portal for archival or compliance purposes
This article will provide an overview of how the enterprise master key feature works and how to use the key to recover decryption keys for specific items.
How it Works
The SendSafely enterprise master key is a public/private key pair that is compliant with the OpenPGP (RFC4880) standard. Unlike regular encryption keys, where the same key is used to encrypt and decrypt information, public/private keys each only perform one of those functions (not both). So anything that gets encrypted with the public key, for example, can only be decrypted with the private key. As the name implies, the private key is secret and only known by the browser (SendSafely never has access to that key).
The master public key is not secret and is provided to SendSafely and stored within the portal. The master private key is secret and is not provided to SendSafely. The master private key is only available to trusted company administrators and can be securely stored in their browser for use as needed.
Every time someone sends an item through the SendSafely portal, the sender’s machine will automatically receive a copy of the enterprise master public keys in order to encrypt and upload a copy of the Client Secret. (For more information on Client Secrets and the role they play in our security model, consult our Security Overview page.) Since only the master private key can be used to decrypt the Client Secret, you can be assured that SendSafely still won’t have the ability to decrypt these secrets.
SendSafely enterprise admins have the ability to request the encrypted Client Secret for any package within their SendSafely portal. In addition to being an administrator, the user must also be in possession of the enterprise master private key, otherwise they will not be able to decrypt the obtained value.
NOTE: This feature allows any administrator with a copy of the private key to be able to re-generate the secure link needed to directly access the item. The administrator would not be able to access and download the item unless they were to also add themselves as a valid package recipient, which would be captured in the access logs for the package.
Enabling an Enterprise Master Key
Enabling a new master key requires assistance from our technical support team. The process involves:
- Generating the enterprise master GPG key pair
- Having an authorized SendSafely enterprise admin send the public key to our support staff using their SendSafely account.
The following steps can be used to generate a designated public/private key pair that will be used as the master key. Only the public key is provided to SendSafely; the private key is managed by your organization and is never provided to SendSafely.
NOTE: A Master Key can only decrypt packages sent and received after the date the key is successfully configured in your SendSafely portal. It cannot provide access to historical packages sent/received prior to its setup date or to packages that have already been deleted.
- For Windows users, we recommend that you use our Secure Package Export Utility to generate your master key (refer to the Generating an Enterprise Private Key section of the article).
- For Mac users, the enterprise master key can be generated using a GPG utility (we recommend GPG Keychain from https://gpgtools.org), or can be generated manually using GPG from the command line (see below).
If using GPG Tools, make sure you choose RSA/RSA as the key type and 2048 as the key length.
Do not password protect the key and do not set a key expiration date. If prompted for a password, leave it blank and press OK (if warned, choose OK).
1. Generate a new key pair
Make sure you choose RSA/RSA as the type and 2048 as the key size.
Do not password protect the key and do not set a key expiration date. If prompted for a password, leave it blank and press OK (if warned, choose OK).
2. Export the public key
gpg --export -a "Name"
Name is the name associated with the key from Step 1. If you don't know the name, use gpg --list-keys to list them all.
3. Export the private key
gpg --export-secret-key -a "Name"
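A pre-flight check for the key pair produced by the steps above, added here as an example and not SendSafely's own code: it confirms from GPG's colon-format listing that the key and subkey are RSA, 2048 bits, with no expiration date, and that the file being sent to support holds a public key block rather than the private one. The function names and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not SendSafely code: pre-flight checks on a master key pair.

# check_listing reads `gpg --list-keys --with-colons "Name"` on stdin.
# Colon fields used: 1 = record type, 3 = key length, 4 = algorithm id
# (1 = RSA), 7 = expiration date (empty means the key never expires).
check_listing() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            seen[$1] = 1
            if ($4 != 1)    { print $1 ": algorithm " $4 " is not RSA"; bad = 1 }
            if ($3 != 2048) { print $1 ": length " $3 ", expected 2048"; bad = 1 }
            if ($7 != "")   { print $1 ": expiration date is set"; bad = 1 }
        }
        END {
            if (!seen["pub"] || !seen["sub"]) { print "pub or sub record missing"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# armor_kind prints private, public or unknown for an ASCII-armored export.
# Private is tested first so a file holding both blocks is reported as private.
armor_kind() {
    if grep -q -e '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$1"; then
        echo private
    elif grep -q -e '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1"; then
        echo public
    else
        echo unknown
    fi
}

# Constructed listings (key IDs and timestamps are made up).
sample_good() {
    printf '%s\n' \
        'pub:u:2048:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC:' \
        'uid:u::::1700000000::::Master Key <admin@example.com>:' \
        'sub:u:2048:1:BBBBBBBBBBBBBBBB:1700000000::::::e:'
}
sample_bad() {
    printf '%s\n' \
        'pub:u:4096:1:CCCCCCCCCCCCCCCC:1700000000:1731536000::u:::scESC:' \
        'sub:u:4096:1:DDDDDDDDDDDDDDDD:1700000000:1731536000:::::e:'
}
```

With a real key, pipe `gpg --list-keys --with-colons "Name"` into `check_listing`, and run `armor_kind` on the exported file before sending it to support.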
Using the Enterprise Master Key
In order to use the master key, you must be a SendSafely enterprise administrator and have a copy of the master enterprise private key.
The first step in using the enterprise master key is to import a copy of the private key into the web browser you want to use for accessing items. The enterprise key is separate from any of your trusted browser keys and can co-exist within any of your existing trusted browsers without causing any conflict. Each admin that requires use of the enterprise master key must be provided with a copy of the private key and must import the private key into each browser they wish to use for accessing items that do not belong to them.
In order to import the key into your browser, go to the Enterprise Console and look for the "Load Admin Key" button under the "Site Configuration Options" section of the page.
NOTE: This button is only visible once your organization provides the enterprise master public key to our support team. Once the key is loaded, the same button that was used to load the key will be replaced with one labeled "Clear Admin Key" that can clear the key from local storage should you choose to de-authorize the device.
NOTE: Only items sent or created AFTER the enterprise key is loaded into the portal will be accessible using this key. Also note that you can rotate the key at any time by contacting our support team, but historical items will not be re-keyed. Items sent before the key was rotated will no longer be accessible to admins using the new key.
Accessing Secure Links
Once the key is loaded into your browser, as an admin you can view secure links by taking the following steps:
1) For sent or received items, locate the package in question using the Activity Search feature on the Enterprise Console. From the search results, click on the View Details button to pull up the "Status" screen for the item. Next, press the "Show Secure Link" button to recover the full link (including keycode) that is needed to decrypt the item.
2) For Workspaces, locate the user who owns the Workspace in the Enterprise Console Active User listing. Click the View button on the user row, then choose Activity from the dropdown. Next, navigate to the Workspaces tab, and then open the Workspace you are interested in. The secure link will be displayed at the bottom of the screen.
The ability to recover keycode links without accessing the item is useful for cases where an enterprise user is unable to access an item that they need access to.
Decrypting Secure Content
If you wish to use the keycode link obtained above to view the unencrypted contents of the package, you must be an authorized recipient on the sent or received item or a Collaborator on the Workspace.
1) For sent or received items, Enterprise administrators have the ability to add themselves as a recipient to any package using the "Add Recipient" option at the bottom of the "Status" screen. Keep in mind that as an administrator, if you choose to add yourself as a recipient and access the unencrypted item, you will permanently show up in the list of recipients for that item and will generate log entries for every item viewed. The owner (sender) of the item will also be able to view the full list of recipients and all successful downloads.
2) For Workspaces, Enterprise administrators with a master key have the ability to add themselves as a collaborator from the Workspace Collaborators tab. Keep in mind that all collaborator adds and file views/downloads are permanently logged in the Workspace Activity log and are viewable by Workspace Owners and Managers.