Storing keys on your device
Last updated
ℹ️ This guide shows you how to switch to a to store your private decryption key on a device of your choosing. Advanced users may opt for this approach over using a to meet advanced security requirements or to facilitate the offline viewing of protected content.
⚠️ It is strongly recommended to NOT store device-stored keys on a device that also contains Confidencial-protected messages and files. If keys and the data protected with those keys are stored on the same device, an attacker who gains access to that device would theoretically be able to view your protected data. Instead, it is recommended that device-stored keys be stored on a device, , that is dedicated to storing cryptographic keys.
Open the or go to and if you haven’t done so already
Click Key Management under the Advanced section of the left sidebar menu
Information about your current encryption key is displayed. By default, your private encryption key is a cloud-stored key, which means it is split (sharded), with the parts stored across multiple, isolated cloud locations. To switch to a device-stored key - a key you store on a device of your choosing - click Replace Current Encryption Key.
Select Local File Storage then click Replace Current Key
Your new private encryption key is downloaded to your device (as indicated by the green highlight box in the lower left of the screen below)
Click the menu next to the downloaded key file to save it in a reliable, secure location. Most browsers will store files in your Downloads folder, so you will need to open that folder and transfer the key file (the name will be something like c11_key_165bd1c523605d77.key) to a safe location/device.
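The transfer in this step can be scripted. The following is an added example, not part of Confidencial's guide or tooling: it moves key files out of the download folder only when the destination is on a different filesystem (used here as a stand-in for a separate device), verifies each copy before deleting the original, and restricts permissions. The function names, the `c11_key_*.key` pattern (inferred from the sample file name above) and the paths are assumptions.

```shell
# Added example. The c11_key_*.key pattern is an assumption based on the
# sample file name in the guide; all paths are placeholders.

# Print the filesystem that backs a path, using POSIX df output.
fs_of() {
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

# Succeed when both paths live on the same filesystem.
same_filesystem() {
    [ "$(fs_of "$1")" = "$(fs_of "$2")" ]
}

# Copy one key file, lock down permissions, verify the copy byte for byte,
# and only then delete the original. Never overwrites an existing key.
copy_verified() {
    src=$1
    dest="$2/$(basename "$src")"
    [ -e "$dest" ] && { echo "refusing to overwrite $dest" >&2; return 4; }
    ( umask 077 && cp "$src" "$dest" ) || return 5
    chmod 600 "$dest"
    cmp -s "$src" "$dest" || { rm -f "$dest"; return 6; }
    rm -f "$src"
}

# Move every key file found in src_dir to dest_dir.
# Return codes: 2 = no key found, 3 = destination shares the source device.
stash_keys() {
    src_dir=$1
    dest_dir=$2
    if same_filesystem "$src_dir" "$dest_dir"; then
        echo "destination is on the same device as the download folder" >&2
        return 3
    fi
    found=0
    for key in "$src_dir"/c11_key_*.key; do
        [ -f "$key" ] || continue
        copy_verified "$key" "$dest_dir" || return $?
        found=1
    done
    [ "$found" -eq 1 ] || return 2
}

# Usage: stash_keys "$HOME/Downloads" /media/keys
```

A different filesystem does not guarantee a different physical device (it may be another partition on the same disk), so the check catches the obvious mistake rather than proving separation.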
⚠️ Since device-stored keys are generated on your device, this is the only time you will be able to retrieve the key through the Confidencial app. If you fail to save the key during this step, or later lose the key, you will need to generate a new key by repeating the steps above. All documents encrypted with the lost key will not be decryptable unless you are part of an that uses .
✅ This completes how to store keys on your device. All messages and files encrypted for you will now use this key. You will have to whenever you want to decrypt a message or document.