Storing keys on your device
It is strongly recommended that you NOT store device-stored keys on a device that also contains Confidencial-protected messages and files. If keys and the data they protect are stored on the same device, an attacker who gains access to that device would theoretically be able to view your protected data. Instead, it is recommended that device-stored keys be kept on a device dedicated to storing cryptographic keys, such as an HSM.
- Click Key Management under the Advanced section of the left sidebar menu.
- Information about your current encryption key is displayed. By default, your private encryption key is a cloud-stored key, which means it is split (sharded), with the parts stored across multiple, isolated cloud locations. To switch to a device-stored key - a key you store on a device of your choosing - click Replace Current Encryption Key.
- Select Local File Storage, then click Replace Current Key.
- Your new private encryption key is downloaded to your device (as indicated by the green highlight box in the lower left of the screen below).
- Click the menu next to the downloaded key file to save it in a reliable, secure location. Most browsers will store files in your Downloads folder, so you will need to open that folder and transfer the key file (the name will be something like c11_key_165bd1c523605d77.key) to a safe location/device.
Since device-stored keys are generated on your device, this is the only time you will be able to retrieve the key through the Confidencial app. If you fail to save the key during this step, or later lose the key, you will need to generate a new key by repeating the steps above. Documents encrypted with the lost key cannot be decrypted unless you are part of an organization that uses recovery keys.
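The transfer step above, as an added shell example (not part of Confidencial's documentation or tooling): it copies the downloaded key to a destination you choose, confirms the copy by SHA-256, and only then deletes the file from the download folder. The function name `stash_key`, both directory arguments and the availability of `sha256sum` are assumptions; the filename pattern follows the example name given in the steps.

```bash
#!/usr/bin/env bash
# Added example: move a freshly downloaded key file to dedicated key storage.
# stash_key is a hypothetical helper; the caller supplies both directories.
# Assumes sha256sum (GNU coreutils) is installed.

stash_key() {
    local src_dir="$1" dest_dir="$2"
    local f src="" dest count=0 h_src h_dest

    # Find files matching the naming pattern shown in the steps above.
    for f in "$src_dir"/c11_key_*.key; do
        if [ -f "$f" ]; then count=$((count + 1)); src="$f"; fi
    done

    # Zero or several candidates need a human decision, so stop here.
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one key file in $src_dir, found $count" >&2
        return 1
    fi
    dest="$dest_dir/$(basename "$src")"

    # Never overwrite: an existing file may be the only copy of an older key.
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        return 2
    fi

    # Create the copy with owner-only permissions.
    ( umask 077 && cp -- "$src" "$dest" ) || return 3
    chmod 600 "$dest"

    # Compare SHA-256 digests before touching the original download.
    h_src=$(sha256sum "$src" | cut -d' ' -f1)
    h_dest=$(sha256sum "$dest" | cut -d' ' -f1)
    if [ "$h_src" != "$h_dest" ]; then
        echo "copy does not match; leaving $src in place" >&2
        rm -f -- "$dest"
        return 4
    fi

    # Copy verified: delete the download (a plain delete, not a secure wipe).
    rm -- "$src"
    printf '%s\n' "$dest"
}

# Usage: stash_key "$HOME/Downloads" /path/to/dedicated/key/volume
```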
This completes the procedure for storing keys on your device. All messages and files encrypted for you will now use this key. You will have to load this key from your device manually whenever you want to decrypt a message or document.