SendSafely Enterprise and Business customers can leverage our portal master key feature to recover decryption keys for items in their SendSafely portal, including file transfers, Dropzone uploads and Workspaces. This feature is especially useful for cases where:

• Users are unable to recover access to items on their own, usually as a result of losing access to all of their trusted browsers
• An organization requires the ability to decrypt any item transferred through the SendSafely portal for archival or compliance purposes

Please note the following regarding use of a master key:

• A master key can only decrypt transfer packages sent and received AFTER the key is successfully configured in your SendSafely portal. It cannot provide access to historical transfer packages sent/received prior to this setup date.
• A master key can decrypt Workspace packages created both before and after the key is successfully configured in your SendSafely portal. In order for it to grant access to historical Workspaces, a registered user who is a Collaborator on that Workspace must log into your SendSafely portal from a Trusted Device. This login will trigger a 24-hour synchronization process that keys the Workspace to the master key.
• A master key cannot provide access to packages that have been deleted. Organization expiration and deletion settings should be reviewed as part of master key setup.
• A master key will not bypass a password manually added to a public (un-authenticated) item. Senders create public items by opting not to specify recipients on the Send Items page and optionally adding a password. Admins can disable public items from the Configuration tab of the Enterprise Console.

This article will provide an overview of how the portal master key feature works and how to use the key to recover decryption keys for specific items. Throughout your master key creation process, please also refer to the following article: Long Term Data Storage & Auditability for Compliance.

How it Works

The SendSafely portal master key is a public/private key pair that is compliant with the OpenPGP (RFC4880) standard. Unlike regular encryption keys, where the same key is used to encrypt and decrypt information, public/private keys each only perform one of those functions (not both). So anything that gets encrypted with the public key, for example, can only be decrypted with the private key.  As the name implies, the private key is secret and only known by the browser (SendSafely never has access to that key).  

The master public key is not secret and is provided to SendSafely and stored within the portal. The master private key is secret and is not provided to SendSafely. The master private key is only available to trusted company administrators and can be securely stored in their browser for use as needed.

 

Every time someone sends an item through the SendSafely portal, the sender’s machine will automatically receive a copy of the portal master public keys in order to encrypt and upload a copy of the Client Secret. (For more information on Client Secrets and the role they play in our security model, consult our Security Overview page.) Since only the master private key can be used to decrypt the Client Secret, you can be assured that SendSafely still won’t have the ability to decrypt these secrets. 

 

SendSafely portal admins have the ability to request the encrypted Client Secret for any package within their SendSafely portal. In addition to being an administrator, the user must also be in possession of the portal master private key, otherwise they will not be able to decrypt the obtained value.

 

NOTE: This feature allows any administrator with a copy of the private key to be able to re-generate the secure link needed to directly access the item. The administrator would not be able to access and download the item unless they were to also add themselves as a valid package recipient, which would be captured in the access logs for the package. 

Enabling a Portal Master Key

Enabling a new master key requires assistance from our technical support team. The process involves:

• Generating the portal master GPG key pair
• Having an authorized SendSafely portal admin send the public key to our support staff using their SendSafely account (note, per our SLA, that our support team will enable your portal master key within 48 hours of receiving this public key)

The following steps can be used to generate a designated public/private key pair that will be used as the master key. Only the public key is provided to SendSafely, the private key is managed by your organization and is never provided to SendSafely. 

• For Windows users, we recommend that you use our Secure Package Export Utility to generate your master key (refer to the Generating a Portal Master Key section of the article). 
• For MAC users, the portal master key can be generated using a GPG utility (we recommend GPG Keychain from https://gpgtools.org), or can be generated manually using GPG from the command line (see below).

GPGTools

If using GPG Tools make sure you choose RSA/RSA as the key type, and 2048 as the key length.
Do not password protect the key and do not set a key expiration date. If prompted for a password, leave blank and press ok (if warned, choose ok). 

 

Command Line:

Ensure you have gpg version 2.1.17 or above installed before proceeding.

1. Generate a new key pair

gpg --full-generate-key

Make sure you choose RSA/RSA as the type, and 2048 as the key size

Do not password protect the key and do not set a key expiration date. If prompted for a password, leave blank and press ok (if warned, choose ok)

2. Export the public key

gpg --export -a "Name"

Name is the name associated with the key from Step 1. If you don't know the name, use gpg --list-keys to list them all

3. Export the private key

gpg --export-secret-key -a "Name"

Using the Portal Master Key 

In order to use the master key, you must be a SendSafely portal administrator and have a copy of the portal master private key.  

The first step in using the portal master key is to import a copy of the private key into the web browser you want to use for accessing items. The portal master key is separate from any of your trusted browser keys and can co-exist within any of your existing trusted browsers without causing any conflict. Each admin that requires use of the portal master key must be provided with a copy of the private key and must import the private key into each browser they wish to use for accessing items that do not belong to them. 

In order to import the key into your browser, go to the Enterprise Console, choose the Configuration option from the left hand menu,  then look for the Enterprise Master Key section of the page. This section lists the master key(s) configured for your organization. If no key is configured, you will see the message “You have not configured an Enterprise Master Key. Please contact support@sendsafely.com to enable this feature”. If a key is configured, you will be able to import a copy of the private key by clicking the load button. Once the key is loaded, the same button that was used to load the key will be replaced with one labeled "Clear" that can clear the key from local storage should you choose to de-authorize the device.

NOTE: Only transfer packages created AFTER the portal master key is configured will be accessible using this key. Also note that you can rotate the key at any time by contacting our support team, but historical transfer packages will not be re-keyed. For more information on Master Key rotation, please see article here.

Accessing Secure Links

Once the key is loaded into your browser, as an admin you can view secure links by taking the following steps:

1) For sent or received items, locate the package in question using the Activity Search feature on the Enterprise Console. From the search results, click on the View Details button to pull up the "Status" screen for the item. Next, press the "Show Secure Link" button to recover the full link (including keycode) that is needed to decrypt the item.

2) For Workspaces, locate the user who owns the Workspace in the Enterprise Console Active User listing. Click the View button on the user row, then choose Activity from the Dropdown. Next navigate to the Workspaces tab, and then open the Workspace you are interested in. The secure link will be displayed at the bottom of the screen.

The ability to recover keycode links without accessing the item is useful for cases where a portal user is unable to access an item that they need access to.  

Decrypting Secure Content

If you wish to use the keycode link obtained above to view the unencrypted contents of the package, you must be an authorized recipient on the sent or received item or a Collaborator on the Workspace.

1) For sent or received items, portal administrators have the ability to add themselves as a recipient to any package using the "Add Recipient" option at the bottom of the "Status" screen. Keep in mind that as an administrator, if you choose to add yourself as a recipient and access the un-encrypted item you will permanently show up in the list of recipients for that item and will generate log entries for every item viewed. The owner (sender) of the item will also be able to view the full list of recipients and all successful downloads.  

2) For Workspaces, portal administrators with a master key have the ability to add themselves as a collaborator from the Workspace Collaborators tab. Keep in mind that all collaborator adds, and file views/downloads are permanently logged in the Workspace Activity log and are viewable by Workspace Owners and Managers.