Confidencial Documentation

What is End-to-End Protection


Last updated 1 month ago

💡 Confidencial takes an end-to-end approach to securing your messages and files. What does this mean? In short, it means that in most* cases, Confidencial does not see or store the private keys that are required to decrypt messages and files and in all cases we do not ever see (let alone store) your messages and files, even in their encrypted form. Read on for more information about our approach to keeping your data safe.

*️⃣ In most cases, Confidencial does not store your private decryption keys in a form that would enable an attacker to access your protected documents should Confidencial’s backend infrastructure be compromised. Besides the fact that Confidencial does not see or store your messages and documents, Confidencial does not store whole private keys in its infrastructure (with the exception of Temporary keys). Instead, keys are either stored in a key server hosted by your organization, “sharded” and stored across multiple, independent locations in the cloud, or stored on a device of your choosing.

Confidencial’s implementation is a true end-to-end secure solution to protecting your most sensitive data. This approach is perhaps best described by example; let’s review a couple of these.

How Confidencial protects your data at rest

Let’s say you have a Word document that you would like to protect. You might store this Word doc on your PC, on your company’s internal network, or in the cloud. Wherever you store it, Confidencial’s protection will follow it, because it’s built into the document itself. If this is a working document that you are creating on your own, you will probably just encrypt it for yourself. You can open Confidencial’s add-in for Word to do this.

Encrypting the document

When you click Encrypt Document, here is what happens:

  1. Confidencial fetches your public encryption key from its Public Key Registry (or the local cache of public keys on your machine)

  2. Confidencial takes all the content in your document and encrypts it using your public key*

    *️⃣ Technically, we encrypt the content of your document with a symmetric (AES) key. That symmetric key is then encrypted using your public key.

  3. The encrypted data is then inserted into your document as metadata

    ℹ️ Metadata is auxiliary information - it’s data about your data. Other examples of metadata in a Word document include the document author’s name, the title of the document, and the name of the template upon which the document is based.

  4. Your original document data is now replaced with a banner that informs viewers of the document that it is protected with Confidencial. A hyperlink is included within the banner that directs users to viewing instructions.

  5. When you save the document, its contents are now protected at rest

Decrypting the document

When you later open this document and click View Encrypted Contents in the Confidencial taskpane, here is what happens:

  1. Confidencial retrieves your private decryption key

    🔑 Depending on how your private key is stored, this will be done by either requesting it from your company’s private key server, assembling it from key shards stored in the cloud, or by asking you to load it from your chosen private key storage device

  2. The encrypted document data is extracted from the metadata of the document

  3. Your private key is used to decrypt the data

  4. The decrypted data is re-inserted into your document for viewing and editing

  5. When you are done viewing and editing the document, clicking Re-encrypt Before Saving protects the data by executing the steps described in the “Encrypting the document” section above

🔒 At no point during this entire encrypt-decrypt process did your document’s contents get sent to Confidencial. All encryption and decryption is done locally on your machine. It is an end-to-end secure process.

How Confidencial protects your data in transit

💬 With the release of Confidencial 2.2, you will be able to send messages and files directly from the Confidencial web or desktop app using Slack, Outlook, or Gmail! Check back here after the release of V2.2 for a description of how Confidencial implements an end-to-end solution for data sharing using your favorite messaging apps.
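
The steps under “Encrypting the document” and “Decrypting the document”, sketched as an added Node.js example; this is not Confidencial’s code or file format. AES-256-GCM, RSA-OAEP with SHA-256, the banner text and the `protectedPayload` metadata field are assumptions; the page states only that an AES key encrypts the content and your public key encrypts that AES key.

```javascript
// Added illustration; not Confidencial's code or file format.
// Assumptions: AES-256-GCM for content, RSA-OAEP (SHA-256) to wrap the AES key,
// and a hypothetical metadata field named "protectedPayload".
const crypto = require('node:crypto');

const BANNER = 'This document is protected. See the viewing instructions.';
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Encrypt: body -> AES ciphertext in metadata, AES key wrapped with the public key.
function protectDocument(doc, publicKey) {
  const contentKey = crypto.randomBytes(32);        // fresh symmetric key per document
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', contentKey, iv);
  const ciphertext = Buffer.concat([cipher.update(doc.body, 'utf8'), cipher.final()]);
  const payload = {
    wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, contentKey).toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ciphertext.toString('base64'),
  };
  // The readable body is replaced by a banner; only metadata carries the content.
  return { body: BANNER, metadata: { ...doc.metadata, protectedPayload: payload } };
}

// Decrypt: unwrap the AES key with the private key, then authenticate and decrypt.
function viewDocument(doc, privateKey) {
  const p = doc.metadata.protectedPayload;
  const contentKey = crypto.privateDecrypt({ key: privateKey, ...OAEP },
    Buffer.from(p.wrappedKey, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', contentKey,
    Buffer.from(p.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(p.tag, 'base64'));
  const body = Buffer.concat([
    decipher.update(Buffer.from(p.ciphertext, 'base64')),
    decipher.final(),                                // throws if ciphertext or tag was altered
  ]).toString('utf8');
  const { protectedPayload, ...metadata } = doc.metadata;
  return { body, metadata };
}

// Constructed sample: a throwaway key pair and a one-line document.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const original = { body: 'Q3 forecast: draft', metadata: { author: 'A. Example' } };
  const stored = protectDocument(original, publicKey);
  return { original, stored, restored: viewDocument(stored, privateKey), privateKey };
}
```

Everything in `stored` can sit on disk or in cloud storage without exposing the body, and a modified ciphertext is rejected at `decipher.final()` rather than silently decrypting to altered content.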
