Confidencial Documentation

Storing keys on your device


Last updated 2 months ago

ℹ️ This guide shows you how to switch to a device-stored key to store your private decryption key on a device of your choosing. Advanced users may opt for this approach over using a cloud-stored key to meet advanced security requirements or to facilitate the offline viewing of protected content.

⚠️ It is strongly recommended to NOT store device-stored keys on a device that also contains Confidencial-protected messages and files. If keys and the data protected with those keys are stored on the same device, an attacker who gains access to that device would theoretically be able to view your protected data. Instead, it is recommended that device-stored keys be stored on a device, such as an HSM, that is dedicated to storing cryptographic keys.

  1. Open the desktop app or go to my.confidencial.io and log in if you haven’t done so already

  2. Click Key Management under the Advanced section of the left sidebar menu

  3. Information about your current encryption key is displayed. By default, your private encryption key is a cloud-stored key, which means it is split (sharded), with the parts stored across multiple, isolated cloud locations. To switch to a device-stored key - a key you store on a device of your choosing - click Replace Current Encryption Key.

  4. Select Local File Storage then click Replace Current Key

  5. Your new private encryption key is downloaded to your device (as indicated by the green highlight box in the lower left of the screen below)

  6. Click the menu next to the downloaded key file to save it in a reliable, secure location. Most browsers will store files in your Downloads folder, so you will need to open that folder and transfer the key file (the name will be something like c11_key_165bd1c523605d77.key) to a safe location/device.

    ⚠️ Since device-stored keys are generated on your device, this is the only time you will be able to retrieve the key through the Confidencial app. If you fail to save the key during this step, or later lose the key, you will need to generate a new key by repeating the steps above. All documents encrypted with the lost key will not be decryptable unless you are part of an organization that uses recovery keys.

✅ This completes how to store keys on your device. All messages and files encrypted for you will now use this key. You will have to load this key from your device manually whenever you want to decrypt a message or document.
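One way to carry out the transfer in step 6 from a terminal, as an added example that is not part of the Confidencial documentation or tooling: it moves the downloaded key into a dedicated directory with owner-only permissions and refuses a destination that already holds protected files. The `stash_c11_key` name, the `c11_key_*.key` pattern (inferred from the sample file name above) and both directory arguments are assumptions.

```shell
# Added example, not Confidencial code. Assumes the key file name follows the
# c11_key_<id>.key pattern shown above; both directory arguments are placeholders.
# Usage: stash_c11_key "$HOME/Downloads" /path/to/dedicated/key/device
stash_c11_key() {
  local src_dir="$1" dest_dir="$2" key="" dest="" count=0 f

  # Expect exactly one downloaded key; refuse to guess between several.
  for f in "$src_dir"/c11_key_*.key; do
    [ -f "$f" ] || continue
    key="$f"; count=$((count + 1))
  done
  if [ "$count" -ne 1 ]; then
    echo "expected 1 key file in $src_dir, found $count" >&2
    return 1
  fi

  # The key must not sit beside the content it decrypts.
  mkdir -p "$dest_dir" && chmod 700 "$dest_dir" || return 1
  if find "$dest_dir" \( -name '*.c11' -o -name '*.c11.zip' \) | grep -q .; then
    echo "refusing: $dest_dir holds Confidencial-protected files" >&2
    return 2
  fi

  # Same filesystem usually means same device: warn and let the user decide.
  if [ "$(df -P "$src_dir" | awk 'NR==2 {print $1}')" = \
       "$(df -P "$dest_dir" | awk 'NR==2 {print $1}')" ]; then
    echo "warning: $dest_dir is on the same filesystem as $src_dir" >&2
  fi

  dest="$dest_dir/$(basename "$key")"
  if [ -e "$dest" ]; then
    echo "refusing to overwrite $dest" >&2
    return 3
  fi

  # Copy owner-only, verify byte for byte, then remove the download.
  ( umask 077; cp "$key" "$dest" ) || return 1
  if ! cmp -s "$key" "$dest"; then
    rm -f "$dest"; echo "copy mismatch, original kept" >&2
    return 4
  fi
  chmod 400 "$dest"
  rm -f "$key"   # plain delete; it does not wipe the old blocks
  printf '%s\n' "$dest"
}
```

The function prints the final key path on success, which is the file to select when loading the key for decryption.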
