Deploying the Confidencial Key Server in your environment


Last updated 2 months ago

ℹ️ These instructions cover how to provision the Confidencial Key Server (CKS) in your server hosting environment and include the following primary steps:

    • Instantiating a database (DB) for the CKS

    • Pulling the CKS image from Confidencial’s container registry

    • Pushing the CKS to your container registry

    • Configuring your container hosting environment to allow access to the CKS

    • Connecting your identity provider to the CKS

    • Completing the process with Confidencial

Instantiating a database (DB) for the CKS

  1. Instantiate a MySQL database to serve as the CKS DB. There are multiple options to host the CKS DB, including:

    • An existing MySQL server

    • A MySQL server running in a Docker container

    • A MySQL server running in an AWS Relational Database Service (RDS) instance

    ℹ️ The CKS DB instance must be accessible from the CKS web server, which you will configure in the subsequent sections of this document.

  2. Once your CKS DB instance is running, create a database within the server. Do this by logging in to your MySQL DB server and executing the command below.

    CREATE DATABASE dbname;

    Replace dbname in the command above with the name you wish to use for the CKS DB.

  3. After the DB has been created, create a DB account that has full access to the database (the ability to create and alter tables and the ability to read data from and write data to tables). This can be done by executing the MySQL command below.

    GRANT ALL PRIVILEGES ON dbname.* TO 'username'@'%';

    Replace dbname with the DB name you assigned and replace username with the user name of the DB account to which you want to grant full access.

    ℹ️ The account must already exist: in MySQL 8.0, GRANT no longer creates accounts, so create it first with CREATE USER. The host part '%' accepts connections from any host; since only the CKS web server needs to reach the DB, you can narrow it to that server's address.
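The two statements above, carried into a small POSIX shell helper that is added here and is not Confidencial's tooling: it creates the account before granting (required on MySQL 8.0), binds it to the CKS web server's host instead of '%', and refuses identifiers that would break the quoting. The password is read from the assumed CKS_DB_PASSWORD variable; the database name, user and host in the usage line are constructed examples.

```sh
#!/bin/sh
# Added helper, not Confidencial's tooling: emits the SQL for steps 2 and 3,
# creating the account before the GRANT (MySQL 8.0 does not create accounts
# inside GRANT) and binding it to the CKS web server's host instead of '%'.

# Identifiers (DB name, user name): letters, digits and underscores only,
# so the generated statements cannot be broken by quotes or backticks.
valid_ident() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Host part of the account: IP address or host name ('%' is still accepted
# for the page's any-host form, but a concrete CKS host is the safer choice).
valid_host() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9._%-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# cks_db_sql DBNAME USERNAME CKS_HOST
# Prints the provisioning SQL. The account password is taken from the
# CKS_DB_PASSWORD environment variable (an assumed name) rather than from
# the command line, and is escaped as a MySQL string literal.
cks_db_sql() {
    db="$1"; user="$2"; host="$3"
    valid_ident "$db"   || { echo "invalid database name: $db" >&2; return 1; }
    valid_ident "$user" || { echo "invalid user name: $user" >&2; return 1; }
    valid_host "$host"  || { echo "invalid host: $host" >&2; return 1; }
    [ -n "$CKS_DB_PASSWORD" ] || { echo "CKS_DB_PASSWORD is not set" >&2; return 1; }
    # Escape backslashes and single quotes for the MySQL string literal.
    pw=$(printf '%s' "$CKS_DB_PASSWORD" | sed 's/\\/\\\\/g; s/'"'"'/\\'"'"'/g')
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8mb4;
CREATE USER IF NOT EXISTS '$user'@'$host' IDENTIFIED BY '$pw';
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# Usage (constructed values): pipe the output into the MySQL client.
#   CKS_DB_PASSWORD='...' cks_db_sql cks_db cks_user 10.20.30.40 | mysql -u root -p
```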

Pulling the CKS image from Confidencial’s container registry

ℹ️ If not already installed, download the AWS command line tools.

  1. Obtain a token to access Confidencial’s container registry using the ID and secret provided by Confidencial. Replace <your key ID> and <your secret> in the shell commands below with the Confidencial-provided ID and secret, respectively. Execute the commands below.

    export AWS_ACCESS_KEY_ID=<your key ID>
    export AWS_SECRET_ACCESS_KEY=<your secret>
    ECR_REPOSITORY_NAME=c11-opkss-private
    AWS_ACCOUNT_URL=192115554401.dkr.ecr.us-west-1.amazonaws.com
    REPOSITORY_URL=$AWS_ACCOUNT_URL/$ECR_REPOSITORY_NAME
    aws ecr get-login-password --region us-west-1 | docker login --username AWS --password-stdin $AWS_ACCOUNT_URL
    docker pull $REPOSITORY_URL:latest

➡️ Executing the commands above pulls the CKS docker image into the local image store of the Docker host where you ran them. You will now proceed to push this image to your preferred container hosting environment (described in the next section).

Pushing the CKS to your container registry

  1. Push the CKS container image to your container hosting environment. There are multiple options for hosting docker images, including:

    • A Kubernetes cluster

    • AWS’s Elastic Container Service (ECS)

    • Within an AWS Elastic Compute Cloud (EC2) instance

    ℹ️ If you are hosting your own AWS container registry (AWS ECR), see Pushing a container image to your AWS container registry for how to push the pulled key server image to your registry. If you are deploying to ECS, see Configuring an AWS Elastic Container Service (ECS) instance.

  2. Set the following environment variables for the CKS container. Replace <your DB URI>, <your DB port>, <your DB username>, <your DB password>, and <your DB name> with the values necessary to connect to the database instantiated above.

    PORT=8000

    JWT_AUDIENCE=<get from your IDP>       ; e.g. api://confidencial.io/opkss
    JWT_ISSUER=<get from your IDP>         ; e.g. https://dev-02584710.okta.com/oauth2/default
    JWKS_URI=<get from your IDP>           ; e.g. https://dev-02584710.okta.com/oauth2/default/v1/keys
    JWT_TOKEN_ENDPOINT=<get from your IDP> ; e.g. https://dev-02584710.okta.com/oauth2/default/v1/token
    ENABLE_TOKEN_PROXY=<see comment>       ; For Okta, set to true; for Entra, set to false

    KNEX_CLIENT=mysql2
    KNEX_VERSION=8.0
    KNEX_HOST=<your DB URI>
    KNEX_PORT=<your DB port>
    KNEX_USER='<your DB username>'
    KNEX_PASSWORD='<your DB password>'
    KNEX_DB_NAME='<your DB name>'
    KNEX_CHARSET=utf8mb4

    ⚠️ Note that values for `KNEX_USER`, `KNEX_PASSWORD`, and `KNEX_DB_NAME` are wrapped in single quotes. This is done to ensure that special characters and spaces are handled properly. The text after `;` on a line is an explanatory example, not part of the value, and there must be no spaces around `=`. `KNEX_PASSWORD` and the Confidencial-provided secret are credentials: keep them in your hosting platform's secret store rather than in a file checked into source control.

  3. Launch the CKS container.

Configuring your container hosting environment to allow access to the CKS

⚠️ While users in your enterprise need to be able to reach the CKS web server (port 443) from their client machines, users do not need direct access to the CKS DB. The CKS DB need only be accessible from the CKS web server.

⚠️ You may choose to make the CKS web server available outside your enterprise’s firewall. This permits users to use Confidencial from external networks without the use of a VPN. However, doing so increases the exposure of the CKS, making it more susceptible to attack.

  1. Configure your container hosting environment to route inbound requests from port 443 (TLS) of an enterprise-accessible URI to port 8000 of the CKS web server container.

Connecting your identity provider to the CKS

ℹ️ The CKS requires users to authenticate using credentials provided by your enterprise identity provider (IDP). See Connecting your identity provider to the Confidencial Key Server to register the CKS as an application within your IDP.

Completing the process with Confidencial

✅ This completes your portion of CKS set up. Confidencial will ask you to provide the URI of the CKS web server to complete the deployment.

➡️ Next, Confidencial will provide you with a script to create the necessary tables and relationships in the database. This is referred to as a database migration. See Running a database migration.
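Before launching the container (step 3 of Pushing the CKS to your container registry), a pre-flight check like the one below catches the usual mistakes in the environment file: variables from step 2 that are missing, placeholders left unreplaced, spaces around `=`, non-https IdP URLs and an invalid ENABLE_TOKEN_PROXY. It is an added example, not part of Confidencial's deployment tooling; it assumes the file holds one NAME=value per line, as read by `docker run --env-file`, and the file names used are placeholders.

```sh
#!/bin/sh
# Added pre-flight check, not part of Confidencial's deployment tooling:
# validates a CKS env file (one NAME=value per line, the format read by
# `docker run --env-file`) before the container is launched in step 3.

# Variables the page lists in step 2 of "Pushing the CKS".
CKS_REQUIRED="PORT JWT_AUDIENCE JWT_ISSUER JWKS_URI JWT_TOKEN_ENDPOINT ENABLE_TOKEN_PROXY \
KNEX_CLIENT KNEX_VERSION KNEX_HOST KNEX_PORT KNEX_USER KNEX_PASSWORD KNEX_DB_NAME KNEX_CHARSET"

# check_cks_env FILE: prints one line per problem; returns 1 if any, else 0.
check_cks_env() {
    file="$1"; errors=0
    for req in $CKS_REQUIRED; do
        grep -q "^$req=" "$file" || { echo "missing: $req"; errors=1; }
    done
    # `|| [ -n "$line" ]` keeps a last line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in *=*) ;; *) echo "not NAME=value: $line"; errors=1; continue ;; esac
        name=${line%%=*}; value=${line#*=}
        # An env file is not a shell script: spaces around '=' are not trimmed
        # (they end up in the name or value, or the file is rejected).
        case "$name" in *' '*) echo "whitespace before '=': $line"; errors=1; continue ;; esac
        case "$value" in ' '*) echo "space after '=': $name"; errors=1 ;; esac
        case "$value" in *'<'*'>'*) echo "placeholder not replaced: $name"; errors=1 ;; esac
        # The '; e.g. ...' text on the page is an annotation, not part of the value
        # (a ';' inside a KNEX_* value such as a password is legitimate).
        case "$name:$value" in KNEX_*) ;; *';'*) echo "remove the ';' annotation from: $name"; errors=1 ;; esac
        case "$name" in
            JWT_ISSUER|JWKS_URI|JWT_TOKEN_ENDPOINT)
                case "$value" in https://*) ;; *) echo "not an https:// URL: $name"; errors=1 ;; esac ;;
            ENABLE_TOKEN_PROXY)
                case "$value" in true|false) ;; *) echo "must be true or false: $name"; errors=1 ;; esac ;;
            PORT|KNEX_PORT)
                case "$value" in ''|*[!0-9]*) echo "not a port number: $name"; errors=1 ;; esac ;;
        esac
    done < "$file"
    return $errors
}

# Usage (file name is a placeholder): only launch when the check passes.
#   check_cks_env cks.env && docker run --env-file cks.env -p 8000:8000 <image>
```

The `docker run` line in the usage comment is an assumption about how you start the container, not a command from the page; substitute whatever your hosting environment uses.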