Storing keys on your device

ℹ️
This guide shows you how to switch to a device-stored key, so that your private decryption key is kept on a device of your choosing instead of in the cloud. Advanced users may choose this approach over a cloud-stored key to meet stricter security requirements or to allow offline viewing of protected content.
⚠️
It is strongly recommended NOT to store a device-stored key on a device that also holds Confidencial-protected messages and files. If the key and the data it protects sit on the same device, anyone who compromises that device has both the ciphertext and the key needed to decrypt it. Instead, keep device-stored keys on a device dedicated to holding cryptographic keys, such as an HSM, and load the key only when you need to decrypt.
  1. Open the desktop app or go to my.confidencial.io and log in if you have not already done so.
  2. Click Key Management under the Advanced section of the left sidebar menu.
  3. Information about your current encryption key is displayed. By default, your private encryption key is a cloud-stored key: it is split (sharded), and the shares are stored across multiple, isolated cloud locations. To switch to a device-stored key, a key that you keep on a device of your choosing, click Replace Current Encryption Key.
  4. Select Local File Storage, then click Replace Current Key.
  5. Your new private encryption key is downloaded to your device (your browser's download indicator shows the file as it arrives).
  6. Click the menu next to the downloaded key file to save it in a reliable, secure location. Most browsers save files to your Downloads folder, so open that folder and move the key file (the name will be something like c11_key_165bd1c523605d77.key) to a safe location or device. Do not leave a copy behind in Downloads.
      ⚠️
      Because device-stored keys are generated on your device, this is the only time the key can be retrieved through the Confidencial app. If you do not save the key during this step, or lose it later, you will need to generate a new key by repeating the steps above, and any document encrypted with the lost key will no longer be decryptable unless you are part of an organization that uses recovery keys.
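The move in step 6 is where most of the risk sits: the key lands in a world-readable Downloads folder, and a stray copy there defeats the point of a device-stored key. The script below is an added example, not part of the Confidencial app or its documentation. It moves the downloaded key file onto a dedicated key-storage location, restricts it to the owner, removes the original, and records a SHA-256 checksum so the file can be checked for corruption or tampering before it is loaded for decryption. The key file name is the format the app uses; the Downloads path and the destination directory on the key-storage device are assumptions, and the script does not replace an HSM, it only makes the manual transfer safer and verifiable.

```shell
#!/bin/sh
# Added example, not part of Confidencial's app or documentation.
# Moves a freshly downloaded device-stored key file out of the browser's
# Downloads folder onto a dedicated key-storage location, restricts it to
# the owner, and records a SHA-256 checksum so the file can be verified
# before it is loaded for decryption.
# Assumed inputs (hypothetical paths): the key file name shown by the app,
# the Downloads folder, and a destination directory on the key device.
set -eu

# SHA-256 of a file, using whichever tool the platform provides.
key_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# secure_key_file KEY_NAME SRC_DIR DST_DIR
# Moves SRC_DIR/KEY_NAME to DST_DIR/KEY_NAME, writes DST_DIR/KEY_NAME.sha256,
# and prints the checksum. Returns 1 if the key is missing, 2 if a key with
# the same name is already stored (a second download is a second key, so the
# first is never silently overwritten), 3 if the copy could not be read back.
secure_key_file() {
    key_name="$1"; src_dir="$2"; dst_dir="$3"
    src="$src_dir/$key_name"
    dst="$dst_dir/$key_name"

    [ -f "$src" ] || { echo "no key file at $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 2; }

    mkdir -p "$dst_dir"
    chmod 700 "$dst_dir"
    # umask 077 in a subshell so the copy is owner-only from the moment it is
    # created, without changing the caller's umask.
    ( umask 077; cp "$src" "$dst" )
    chmod 600 "$dst"
    # Only remove the original once the copy is in place and readable.
    if [ ! -r "$dst" ]; then echo "copy to $dst failed" >&2; return 3; fi
    rm -f "$src"

    sum=$(key_digest "$dst")
    printf '%s  %s\n' "$sum" "$key_name" > "$dst.sha256"
    echo "$sum"
}

# verify_key_file KEY_PATH
# Recomputes the checksum of a stored key and compares it with the recorded
# one. Returns 0 if they match; non-zero if the key or its .sha256 file is
# missing or the contents have changed.
verify_key_file() {
    key="$1"
    [ -f "$key" ] && [ -f "$key.sha256" ] || return 1
    expected=$(cut -d' ' -f1 "$key.sha256")
    [ "$(key_digest "$key")" = "$expected" ]
}

# Usage (paths are illustrative):
#   sh secure_key.sh c11_key_165bd1c523605d77.key "$HOME/Downloads" /media/keyvault/confidencial
if [ $# -eq 3 ]; then
    secure_key_file "$1" "$2" "$3"
fi
```

Run `verify_key_file` against the stored key each time you plug in the key device before loading it into the app; a checksum mismatch means the key file is damaged or has been altered, and the app will not be able to decrypt with it. Note that removing the file from Downloads does not scrub it from the underlying storage, which is another reason to download the key on a machine you trust.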
This completes how to store keys on your device. From now on, all messages and files encrypted for you use this key, and you will need to load it from your device manually each time you want to decrypt a message or document.