1 of 100

Confidencial Documentation

Getting Started

Tutorials

ℹ️ Guides that walk you through common scenarios

Instructions

ℹ️ Step-by-step instructions for using specific features

Sending secure PDFs with Confidencial

ℹ️ Let’s say you’re George Jetson and you work at Example Company. You just finished a proposal and want to send the final product to your two subcontractors, Spacely Sprockets and Cogswell Cogs. However, there’s a problem - you can’t let them see what the other is doing in your proposal (they’re both very secretive about the work they do and the prices they charge).

In the old days, you’d have to create a separate PDF file for each subcontractor and redact the information they aren’t allowed to see. In this example, that’d mean creating three different versions of your proposal and sending a separate email for each person to get their copy. Make sure you send the right copy to the right person!

Fortunately, you don’t have to do this anymore. With Confidencial, you can do all this with a single PDF file and a single message. You don’t have multiple, unprotected copies of your proposal floating around and you don’t have to worry about getting multiple emails set up with the right attachment and sent off to the right people. Let’s see the modern way to securely share a PDF file…

Click PDF Protector
Click Open PDF File
Select your PDF file (our proposal in this example)
You can now see your proposal (PDF) in Confidencial’s PDF Protector
Select a part of the proposal that you only want Cosmo Spacely to be able to see
You and Cosmo are now in the recipients list
To encrypt the content you selected for Cosmo, click the “gear” button and choose Encrypt Selection from the menu, then click the blue Encrypt Selection button.
The selected content is now protected. Only you and Cosmo will be able to view it.
Repeat Steps 6-9 for the other parts of the proposal that you want to protect
💡 Pro tip: You can remove someone from your recipients list by clicking the X next to their name.
With all parts protected, click the download button in the toolbar to save your PDF
💡 Pro tip: When you download (save) the PDF file, you can overwrite the original version of the PDF. Doing so will replace the original, unprotected PDF with a protected, Confidencial PDF.
Now that you’ve saved your Confidencial PDF file, send it to Cosmo and Mr. Cogswell (we use Slack in this example). Remember, since access control is built directly into this PDF, you send the same version to everyone. No more sending multiple versions to multiple people with multiple messages!

✅ Your subcontractors are now ready to view the proposal.

Viewing secure PDFs with Confidencial

ℹ️ You’ve received a PDF that’s been protected with Confidencial…now what? This tutorial walks you through what to do.

Let’s say you’re Cosmo Spacely, an employee at Spacely Sprockets. A collaborator of yours at another company, George Jetson at Example Company, has sent you a Confidencial PDF in Slack (but it just as easily could have been Teams, Outlook, Google Drive, or any other way you two exchange files). As you can see below, there are some parts of the document that are encrypted. Let’s walk through how to view those encrypted parts…

Click PDF Protector in the sidebar menu
Click Open PDF File and select the PDF file you downloaded from Slack (or whatever messaging app George used to give you the PDF)
You can now see the PDF with the protected parts blocked off
Click View Encrypted Content in the right taskpane
The protected parts that George has allowed you to see are now visible

✅ Congrats! You now know how to view protected PDFs with Confidencial.

Sending secure Word docs with Confidencial

ℹ️ Let’s say you are Alice, an employee at an organization that is using Confidencial, and you want to send a protected Word document to your coworker, Bob, who is not using Confidencial. This tutorial walks you through how to do that.

In Word, open or create the Word document that you want to protect
Since Bob is not an existing user, click Send Invite to… to invite him to Confidencial
Now that Bob has been invited, select his email to add him as a recipient of the document
You (Alice) and Bob now appear in the recipients list
ℹ️ The recipients list determines who can view protected content. You are automatically added as a recipient of any message or file you encrypt, so you will always be able to decrypt any message or file you protect.
Click Encrypt Document
The document is now protected. Save the document in Word.
Use the messaging tool of your choice (Outlook, Teams, Slack, etc.) to send the document to your coworker, Bob. In this example, we will use Slack.
ℹ️ Note that even though the document has been encrypted with Confidencial, it remains a valid .docx file (Example.docx) and can thus still be opened in Word - no special viewer is required

✅ Bob now has the Confidencial protected Word document.

Viewing secure Word docs with Confidencial

ℹ️ You’ve received a Word doc that’s been secured with Confidencial…now what? This tutorial walks you through what to do. We’re going to pretend you are Bob, you’ve never used Confidencial before, and your coworker, Alice, has sent you a Confidencial Word doc.

Open the document that you received from Alice in Word
With the add-in installed, you can now click Confidencial on the right side of the Home toolbar
Once you are logged in, click View Encrypted Content in the Confidencial task pane

✅ You can now see the content that Alice protected for you.

Sending secure Excel workbooks with Confidencial

ℹ️ Let’s say you are Alice, an employee at an organization that is using Confidencial, and you want to send a protected Excel workbook to your coworker, Bob, who is not using Confidencial. This tutorial walks you through how to do that.

In Excel, open or create the Excel workbook that you want to protect
Since Bob is not an existing user, click Send Invite to… to invite him to Confidencial
Now that Bob has been invited, select his email to add him as a recipient of the workbook
You (Alice) and Bob now appear in the recipients list
ℹ️ The recipients list determines who can view protected content. You are automatically added as a recipient of any message or file you encrypt, so you will always be able to decrypt any message or file you protect.
Click Encrypt Workbook
The workbook is now protected. Save the workbook in Excel.
💡 By default, Confidencial encrypts the entire workbook. If you want to encrypt only certain parts of the workbook, click the “gear” menu and choose Encrypt Selection.
💡 Pro tip: Even after you’ve protected a workbook by clicking Encrypt Workbook, you can add additional content to your workbook - this content will remain visible to anyone who has access to the workbook. The protected content that you encrypted in the previous step will still only be visible to the people you designate in the recipients list.
Use the messaging tool of your choice (Outlook, Teams, Slack, etc.) to send the workbook to your coworker, Bob. In this example, we will use Slack.
ℹ️ Note that even though the workbook has been encrypted with Confidencial, it remains a valid .xlsx file (Example.xlsx) and can thus still be opened in Excel - no special viewer is required

✅ Bob now has the Confidencial protected Excel workbook.

Viewing secure Excel workbooks with Confidencial

Open the workbook that you received from Alice in Excel
With the add-in installed, you can now click Confidencial on the right side of the Home toolbar
Once you are logged in, click View Encrypted Content in the Confidencial task pane

✅ You can now see the content that Alice protected for you.

Sending secure images with Confidencial

Fortunately, you don’t have to do this anymore. With Confidencial, you can add a layer of protection to your image that ensures it will be “end-to-end encrypted.” That is, the whole time the image is on your machine, the whole time it’s on your recipient’s machine, and at all times in between, the image can stay protected.

Let’s see the modern way to securely share a photo…

Drag your passport photo on to the encryption box of the Encryption Tools page
💡 If Bob has never used Confidencial before, you will be asked to invite him after you enter his email address. Simply click the green invite button. Bob will be able to view your protected photo as soon as he verifies his email address with Confidencial.
You and Bob are now in the recipients list
ℹ️ The recipients list determines who can view protected content. You are automatically added as a recipient of any message or file you encrypt, so you will always be able to decrypt any message or file you protect.
Select a sensitive part of the photo by clicking and dragging a box over it
Click Encrypt Selection in the right taskpane
The selected portion is now protected. Repeat Steps 5 and 6 for each portion you’d like to protect.
Click the download (save) button to save the protected image to your disk
💡 Pro tip: When you download (save) the image, you can overwrite the original version of the image. Doing so will replace the original, unprotected image with a protected, Confidencial image.
Now that you’ve saved your Confidencial image, send it to Bob however you like. You can use email, iMessage, Slack, Teams…any method you prefer. Since access control is built directly into this image, Confidencial’s protection stays with it no matter where it goes or how it gets there.

✅ You’ve now sent your passport the safe way - the Confidencial way! If any unauthorized user intercepts your message or otherwise gets their hands on your image, below is all they will see. Only your designated encryption recipients (Bob in this example) will be able to see the protected content using Confidencial.

Viewing secure images with Confidencial

ℹ️ You’ve received an image that’s been protected with Confidencial…now what? This tutorial walks you through what to do. We’re going to pretend you are Bob who works at The Example Hotel, you’ve never used Confidencial before, and one of your international guests, Happy Traveler, has sent you a photo of her passport.

If you open the image that you received from Happy in your default image viewer, you will see an image like that above. You will be able to see all the parts of the image that Happy chose not to protect. To see the protected parts, continue to the steps below.
Once you are logged in, drag the protected Confidencial image file on to the encryption box of the Encryption Tools page
The protected image is now displayed in the Confidencial Image Protector
Click View Encrypted Content in the right taskpane

✅ You can now see the content that Happy protected for you.

Sending secure messages with Confidencial

In the text input on the Encryption Tools page, enter the password you want to send to Bob
Enter Bob’s email address in the recipient adder
Since Bob isn’t an existing Confidencial user, invite him to join by clicking Send Invite to…
Now that you’ve invited Bob to join, click on his email in the recipient adder to add him to your protected message
Bob now appears, along with you, in the list of recipients for the message
ℹ️ The recipients list determines who can view protected content. You are automatically added as a recipient of any message or file you encrypt, so you will always be able to decrypt any message or file you protect.
Click Encrypt
This produces an encrypted message that you can now send to Bob. Click Copy to Clipboard.
You can now paste the encrypted message into your preferred messaging tool. In this example, we will use Slack.

Re-encrypting and changing who can see protected content

General

How Confidencial Works

What is End-to-End Protection

💡 Confidencial takes an end-to-end approach to securing your messages and files. What does this mean? In short, it means that in most* cases, Confidencial does not see or store the private keys that are required to decrypt messages and files and in all cases we do not ever see (let alone store) your messages and files, even in their encrypted form. Read on for more information about our approach to keeping your data safe.

Confidencial’s implementation is a true end-to-end secure solution to protecting your most sensitive data. This approach is perhaps best described by example; let’s review a couple of these.

How Confidencial protects your data at rest

Encrypting the document

When you click Encrypt Document, here is what happens:

Confidencial takes all the content in your document and encrypts it using your public key*
*️⃣ Technically, we encrypt the content of your document with a symmetric (AES) key. That symmetric key is then encrypted using your public key.
The encrypted data is then inserted into your document as metadata
ℹ️ Metadata is auxiliary information - it’s data about your data. Other examples of metadata in a Word document include the document author’s name, the title of the document, and the name of the template upon which the document is based.
When you save the document, its contents are now protected at rest

Decrypting the document

Confidencial retrieves your private decryption key
The encrypted document data is extracted from the metadata of the document
Your private key is used to decrypt the data
The decrypted data is re-inserted into your document for viewing and editing
When you are done viewing and editing the document, clicking Re-encrypt Before Saving protects the data by executing the steps described in the “Encrypting the document” section above

🔒 At no point during this entire encrypt-decrypt process did your document’s contents get sent to Confidencial. All encryption and decryption is done locally on your machine. It is an end-to-end secure process.

How Confidencial protects your data in transit

💬 With the release of Confidencial 2.2, you will be able to send messages and files directly from the Confidencial web or desktop app using Slack, Outlook, or Gmail! Check back here after the release of V2.2 for a description of how Confidencial implements an end-to-end solution for data sharing using your favorite messaging apps.

How to Use Secure Document Request (SDR)

Secure Document Request Overview

Creating A Secure Document Request

Click on the “New Document Request” button in the top-right corner of this screen. This will allow you to choose from the existing templates to quickly create a new secure document request.

Choosing an Existing Template

On the resulting screen you will see a list of existing templates that can be used for requests. Your organization may have lots of templates pre-configured for you to use. Choose the “Organization Templates” tab and click on the arrow on the right hand side of the template name in order to begin your request.

Customizing your Request

Fill in the following details: (* are required fields)

Document Request Details:

*Request name or ID: This allows you to set a unique name for your request. If you have a lot of requests it can be important to come up with a naming scheme so that you can easily search or scroll to find a particular request later.

Project Name: Filling in project name make it easy for you to categorize and search for historical requests. This also allows you to dictate where requested information will reside in backend storage.

Recipient Information:

*Recipient full name: This name will appear in the email sent to the recipient of the request. It’s important to set the properly to reduce confusion by the recipient of the request.

Require Fields: Leave checked any fields from the template that you want to include and clear any that are not needed in this particular request. Note that you cannot change the required status of the field (that’s done in the template configuration); if you include a required field it will be required for the user to complete the form.

Additional Options

Require one time password: This is an email verification feature that sends a code to the recipient and this code will be required prior to them opening the request.

Skip Encryption: If for any reason you do not want the information to be encrypted once received, meaning anyone can view the information this option is available.

Once you have completed the configuration of your request hit the Next button at the bottom of the page to proceed to set your encryption policies.

Encryption Policies

Encryption policies allow you to add other users or groups that can access the information once it has been submitted. Users and groups included in the encryption policy will be able to see the request in their list as well as see the status and, once completed, access the information submitted by the recipient.

Add users to the policy in the same way you would throughout the Confidencial.io interface, previous encryption policies that you have used are accessed using the left-right arrows at the top right corner of the policy interface.

Once your policy is complete you are ready to review and send the request to the recipient. Click the send request button at the bottom of the page and an email will be sent to the recipient, initiating the SDR process.

The Review fields are as follows:

Title: Shown to the recipient, this is the title of the form that the user will fill out to respond to the request. Use a short but descriptive title that describes the type of information for which you are asking.
Subtitle: Shown to the recipient. Provide additional details about the request or provide additional instructions.
Description: Not shown to the recipient. This is used internally to help users choose the correct template.
Name - Not shown to the recipient. Used internally to name the template helping for searching or scrolling when looking for the template.
isPrivate: Not shown to the recipient. This field indicates whether or not this template is shared with your organization or is only private to you.

Viewing Secure Document Requests

The list of document requests to which you have access is displayed as soon as you navigate to “Document Requests” on the left hand navigation menu. On this page you have multiple options to search, sort and view requests that you have created as well as those shared with you.

Request Status

Each document request has several attributes that you can view. On the left-hand list of document requests you can see the name of the request, to whom it was sent, as well as it’s age. Additionally you have a status “pill” which will show you the state of the request. The following states apply to document requests:

Not Started: The request has been sent but the recipient of the request has not yet submitted any of the related information.

Pending: The recipient has started fulfilling the request but has not yet completed all of the mandatory fields and documents.

Complete: The request has been fulfilled and the recipient has completed all of the mandatory fields and files and submitted the response. This is ready for you to view the data.

Viewing Requested Data

You can search for a specific request using the Search button. Search by:

Request Name
Request Uniqe ID (UUID)
Project Name
Date Range

Select the desired request.

Text viewing options:

Show Encrypted Text: If you have been added to the policy to view the data for this request the fields will change from **** to text that was uploaded.
Download all: Will download text and forms combined in a zip file
Download Text Only: Will download text in JSON.txt file

Form viewing options:

View: View in Confidencial PDF viewer
Download Encrypted: Form will be downloaded locally in encrypted form
Download Unencrypted: Form will be dowloaded locally in unencrypted form

You are able to create your own secure document templates used to create requests. You can even share them with your organization to avoid duplicate efforts and ensure consistent requests.

Creating a new Template

To Create and SDR template choose Document Request > Send New Document Request > + New Template

Template Details

Fill out template name (this name is applied to the template itself and will show up in the list of templates)
Fill out Document request title (this will appear in the blue bar at the top of the request for the recipients to see as they are filling out the requests.)
Fill out Notification email subject line (this will appear as the subject of the email sent to the recipients

Document request title: Title that will appear in the list of document requests

Document request subtitle: Subtitle that will appear under the title in the list of document requests

Notification email subject line: Email subject line that will appear in the inbox of the recipient

Header image URL: Provide a custom image URL that will appear on the header of each page of the form sent the the recipient.

Background image URL: Provide a custom image URL that will appear as the background image of the form sent to the recipient.

Require one time password: This is an email verification feature that sends a separate code to the recipient which will be required prior to them opening the request.

Use template-defined access policies: This will remove the option for you to define a custom access policy for this request and use the one that was defined on the template during template creation.

Adding Sections

You can create multiple sections for a document request. Section types include:

Custom Form: Choose when looking to request information to be filled out or uploaded in fields.

W9 Form: Choose if looking to request recipients fill out W9 form

Terms: Choose if you want to add a terms section within your request. Ex: Terms and Conditions

Success Message: Choose if you want to add a custom success message at the end of the request.

*Note Confidencial automatically shows a successful upload message and sends a success email once recipients complete the request.

The Custom Form> Section type allows you to create a section with one or multiple field types to be filled out by a recipient.

Adding Custom Form Fields

To add a Field Type such as a file upload box to your section, choose Custom Form > section type, File > field type

Add a Field Name
Select allowed file types to be uploaded by recipients
Select add field to add additional File upload boxes
Select add field

*if adding addition file upload boxes select “Make Field Optional” this will ensure they can still submit the request if only one file/folder is uploaded.

To another Field Type to this sections such as a Text area select the Textarea > field type

Add a Field Name
Select Min and Max Length if desired
Select add field

This process can be repeated with as many fields your form required.

When you have added all the appropriate fields select Add Section.

Once you have completed your template select Preview to view what is will look like when sent to the recipients.

Example Instructions Section:

Example Custom Form Section:

Once you have previewed the template and have no additional edits select Done to save the template.

The template will now appear in your template list, and you can use it by clicking the arrow on the right of the desired template in your list.

💡 File upload requests: When requesting file uploads you are able to combine them with other information requests like shown in the Client Intake Form above. you can also create templates for file request only. Confidencial can support any file types and file sizes up to terabytes.

Additional Form Section Examples

Copying/Editing Templates

To edit a template you must copy it from the original and then you can edit the copied version.

It is recommended you re-name your copied template.

Once you have copied the template you can edit any section of the template by clicking on the three dots > Edit.

Once you have complete the changes click on save changes.

Creating an S3 bucket for document requests

🔒 While this document recommends specific values for configuration options, administrators that are comfortable with AWS S3 may opt to choose different configuration options. Please consult with an AWS security expert and/or Confidencial technical staff If deviating from the options prescribed below.

Creating the S3 bucket

Log in to your enterprise’s AWS web console and open S3
Click Create bucket
Enter new bucket settings
1. Enter a bucket name and select a region
  🗒️ Make note of the bucket name and region that you use, as these will need to be communicated to your Confidencial technical contact to complete the set up process
2. Other settings can be adjusted in accordance with your enterprise’s security policies, though depending on the mode in which you configure Confidencial software to connect to your bucket, an access key with PUT and in some cases GET permissions may be required (see subsequent steps in this guide)
Click Create bucket
Click on the bucket you just created and under Permissions / Cross-origin resource sharing (CORS), click Edit

Paste in the JSON below and click Save changes

[
    {
        "AllowedHeaders": ["*"],
        "AllowedMethods": [
            "GET",
            "PUT",
            "POST",
            "DELETE",
            "HEAD"
        ],
        "AllowedOrigins": [
            "https://my.confidencial.io"
        ],
        "ExposeHeaders": ["ETag"]
    }
]

⚠️ The value for `AllowedOrigins` in the JSON above will be different for sandbox deployments. Your Confidencial technical contact will provide the correct value in these cases.

➡️ Choose the next section to follow based on whether your enterprise users will download objects from your enterprise’s S3 bucket using

Their enterprise IDP credentials (continue to next section); or
An access key stored with Confidencial (skip next two sections)

Setting up Confidencial bucket upload-only access via access key (no download access via key)

⚠️ Only follow the steps in this section if your enterprise users will download objects from your enterprise S3 bucket using credentials from your enterprise IDP

Create a new policy for bucket access. From IAM, click Policies on the left sidebar menu, then click Create policy.

Click JSON, then paste in the JSON below, replacing *<bucket-name>* with the name of the bucket you created in the previous section, then click Next

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "ConfidencialBucketAccess",
			"Effect": "Allow",
			"Action": [
				"s3:putObject"
			],
			"Resource": [
**				"arn:aws:s3:::*<bucket-name>*",
				"arn:aws:s3:::*<bucket-name>*/*"
			]
		}
	]
}

⚠️ NOTE: Replace `aws` with `aws-us-gov` in the above policy if creating the bucket in GovCloud

For Policy name, enter confidecial-bucket-put-access, then click Create policy

➡️ Continue to *Setting up Confidencial user bucket download access through your enterprise IDP*

Setting up Confidencial user bucket download access through your enterprise IDP

⚠️ Only follow the steps in this section if your enterprise users will download objects from your enterprise S3 bucket using credentials from your enterprise IDP

Open the role that was created in the previous step in AWS IAM. From IAM in the AWS Web Console, select Roles from the left sidebar menu, search for the role, and then click on it. If the instructions in the link in Step 1 above were followed, the role will be called confidencial-users.
Under Permissions policies, **select Add permissions > Create inline policy
Under Policy editor, select JSON

Paste the policy below into the Policy editor, replacing *<bucket-name>* with the name of the bucket you created in the first section

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
              "s3:getObject",
              "s3:listBucket"
            ],
            "Resource": [
              "arn:aws:s3:::*<bucket-name>*",
              "arn:aws:s3:::*<bucket-name>*/*"
            ]
        }
    ]
}

⚠️ NOTE: Replace `aws` with `aws-us-gov` in the 
above policy if creating the bucket in GovCloud

Click Next
For Policy name, enter confidecial-bucket-get-access, then click Create policy

➡️ Continue to Creating an access key for Confidencial bucket access

Setting up Confidencial bucket upload and download access via access key

⚠️ Only follow the steps in this section if your enterprise users will download objects from your enterprise S3 bucket using an access key stored on Confidencial’s server

Create a new policy for bucket access. From IAM, click Policies on the left sidebar menu, then click Create policy.

Click JSON, then paste in the JSON below, replacing <bucket-name> with the name of the bucket you created in the previous section, then click Next

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "ConfidencialBucketAccess",
			"Effect": "Allow",
			"Action": [
             "s3:getObject",
             "s3:listBucket",
             "s3:putObject"
			],
			"Resource": [
             "arn:aws:s3:::*<bucket-name>*",
             "arn:aws:s3:::*<bucket-name>*/*"
			]
		}
	]
}

⚠️ NOTE: Replace `aws` with `aws-us-gov` in the 
above policy if creating the bucket in GovCloud

For Policy name, enter confidecial-bucket-get-and-put-access, then click Create policy

➡️ Continue to Creating an access key for Confidencial bucket access

Creating an access key for Confidencial bucket access

Create a new user for bucket access. From IAM, click Users on the left sidebar menu, then click Create user.
For User name, enter confidencial-bucket-access, then click Next
Under Permissions options, choose Attach policies directly, then click the checkbox next to the policy you created earlier (confidencial-bucket-...-access)
1. If Confidencial will upload and download via this access key, attach the confidecial-bucket-get-and-put-access policy
2. If Confidencial will only upload via this access key, attach the confidecial-bucket-put-access policy
Click Next
Click Create user
Select the user you just created (confidencial-bucket-access) and under Security credentials / Access keys, click Create access key
For Use case, select Application running outside AWS, then click Next
For Description tag value, enter Confidencial bucket access, then click Create access key
🗒️ Make note of the Access key and Secret access key. This is the only time that you will be able to see the secret key. Make sure that the secret key is stored in a secure location; this information will need to be securely transmitted to your Confidencial technical contact to complete the set up process.
Click Done
✅ This completes your portion of document request S3 bucket configuration. You will now need to securely transmit the following information to your Confidencial technical contact: bucket name, bucket region, access key, and secret access key.

Deploying the Confidencial Key Server in your environment

ℹ️ These instructions cover how to provision the Confidencial Key Server (CKS) in your server hosting environment and include the following primary steps:

Instantiating a database (DB) for the CKS

Instantiate a MySQL database to serve as the CKS DB. There are multiple options to host the CKS DB, including:
- An existing MySQL server
- A MySQL server running in a Docker container
- A MySQL server running in an AWS Relational Database Service (RDS) instance
ℹ️ The CKS DB instance must be accessible from the CKS web server, which you will configure in the subsequent sections of this document.
Once your CKS DB instance is running, create a database within the server. Do this by logging in to your MySQL DB server and executing the command below.
```
CREATE DATABASE dbname;
```
Replace dbname in the command above with the name you wish to use for the CKS DB
After the DB has been created, make sure you create a DB account that has full access to the database (the ability to create and alter tables and the ability to read data from and write data to tables). This can be done by executing the MySQL command below.
```
GRANT ALL PRIVILEGES ON dbname.* TO 'username'@'%';
```

Pulling the CKS image from Confidencial’s container registry

Obtain a token to access Confidencial’s container registry using the ID and secret provided by Confidencial. Replace <your key ID> and <your secret> in the shell commands below with the Confidencial-provided ID and secret, respectively. Execute the commands below.

export AWS_ACCESS_KEY_ID=<your key ID>
export AWS_SECRET_ACCESS_KEY=<your secret>
ECR_REPOSITORY_NAME=c11-opkss-private
AWS_ACCOUNT_URL=192115554401.dkr.ecr.us-west-1.amazonaws.com
REPOSITORY_URL=$AWS_ACCOUNT_URL/$ECR_REPOSITORY_NAME
aws ecr get-login-password --region us-west-1 | docker login --username AWS --password-stdin $AWS_ACCOUNT_URL
docker pull $REPOSITORY_URL:latest

➡️ Executing the commands above will result in the CKS docker image being pulled into your current directory. You will now proceed to push this image to your preferred container hosting environment (described in the next section).

Pushing the CKS to your container registry

Push the CKS container image to your container hosting environment. There are multiple options for hosting docker images, including:
- A Kubernetes cluster
- AWS’s Elastic Container Service (ECS)
- Within an AWS Elastic Compute Cloud (EC2) instance

PORT=8000

JWT_AUDIENCE=<get from your IDP>       ; e.g. api://confidencial.io/opkss
JWT_ISSUER=<get from your IDP>         ; e.g. https://dev-02584710.okta.com/oauth2/default
JWKS_URI=<get from your IDP>           ; e.g. https://dev-02584710.okta.com/oauth2/default/v1/keys
JWT_TOKEN_ENDPOINT=<get from your IDP> ; e.g https://dev-02584710.okta.com/oauth2/default/v1/token
ENABLE_TOKEN_PROXY = <see comment>     ; For Okta, set to true; for Entra, set to false

KNEX_CLIENT = mysql2
KNEX_VERSION = 8.0
KNEX_HOST = <your DB URI> 
KNEX_PORT = <your DB port>
KNEX_USER = '<your DB username>'
KNEX_PASSWORD = '<your DB password>'
KNEX_DB_NAME = '<your DB name>'
KNEX_CHARSET = utf8mb4

⚠️ Note that values for `KNEX_USER`, `KNEX_PASSWORD`, and `KNEX_DB_NAME` are wrapped in single quotes. This is done to ensure that special characters and spaces are handled properly.

Launch the CKS container.

Configuring your container hosting environment to allow access to the CKS

⚠️ While users in your enterprise need to be able to reach the CKS web server (port 443) from their client machines, users do not need direct access the the CKS DB. The CKS DB need only be accessible from the CKS web server.

⚠️ You may choose to make the CKS web server available outside your enterprise’s firewall. This permits users to use Confidencial from external networks without the use of a VPN. However, doing so increases the exposure of the CKS, making it more susceptible to attack.

Configure your container hosting environment to route inbound requests from port 443 (TLS) of an enterprise-accessible URI to port 8000 of the CKS web server container.

✅ This completes your portion of CKS set up. Confidencial will ask you to provide the URI of the CKS web server to complete the deployment.

Connecting your identity provider to the CKS

ℹ️ The CKS requires users to authenticate using credentials provided by your enterprise identity provider (IDP). Follow the link below to register the CKS as an application within your IDP.

Completing the process with Confidencial

✅ This completes your portion of CKS set up. Confidencial will ask you to provide the URI of the CKS web server to complete the deployment.

Creating a Cognito user pool to enable S3 bucket access via IDP credentials

🔒 While this document recommends specific values for configuration options, administrators that are comfortable with AWS Cognito may opt to choose different configuration options. Please consult with an AWS security expert and/or Confidencial technical staff If deviating from the options prescribed below.

Creating the user pool

Open Cognito in the AWS Web Console
Click Create user pool
Under Provider types, check the Federated identity providers option
Under Cognito user pool sign-in options, check the User name option
Under Federated sign-in options, check the OpenID Connect (OIDC) option
Click Next
Under the Configure security requirements page, configure the following options:
1. Password policy: Leave default values (this will not be used since your users will be using their enterprise credentials, and not Cognito-managed credentials, to authenticate)
2. Multi-factor authentication: No MFA (Cognito-based MFA is not recommended as you may enforce MFA through your IDP instead)
3. Enable self-service account recovery: Uncheck (Cognito account recovery is not needed because account recovery will be managed through your IDP)
Click Next
Under the Configure sign-up experience page, configure the following options:
1. Enable self-registration: Uncheck (new account creation will be managed through your IDP)
2. Allow Cognito to automatically send messages to verify and confirm: Uncheck (new account creation will be managed through your IDP)
Click Next
Under the Configure message delivery page, select Send email with Cognito (note that these settings are not relevant since Cognito will not need to send emails to your enterprise users)
Click Next
Under the Set up OpenID Connect federation with this user pool section, enter the following values that can be obtained from the Confidencial application configuration in your IDP:
1. Provider name: Enter a name to refer to your IDP instance (e.g. Entra ID - Production or Okta - Sandbox)
2. Client ID: Enter the client ID from your IDP’s Confidencial application
3. Client Secret: Enter the client secret from your IDP’s Confidencial application
4. Authorized scopes: openid profile email offline_access
5. Attribute request method: GET
6. Retrieve OIDC endpoints / Setup method: Auto fill through issuer URL
7. Issuer URL: Enter the issuer URL from your IDP’s Confidencial application
8. User pool attribute / email: email
Click Next
Under the Integrate your app page, enter the following values:
1. User pool name: confidencial
2. Domain type: Use a Cognito domain
3. Cognito domain: Enter a globally-unique name for your domain (e.g. confidencial-yourenterprisename)
4. App type: Public client
5. App client name: confidencial
6. Client secret: Don't generate a client secret
7. Allowed callback URLs: https://my.confidencial.io/auth?ref=cognito
  ⚠️ NOTE: This URL will be different if you are operating in a sandbox environment. Please contact your Confidencial technical support representative if you are using a sandbox environment.
Under Advanced app client settings / Identity providers, click the “X” to remove the Cognito user pool option, leaving only the identity provider you named earlier
Under Advanced app client settings / OpenID Connect scopes, click the “X” to remove the Phone option, leaving only the OpenID and Email options
Click Next
Review that your configuration is correct and click Create user pool

Creating the identity pool

Open Cognito in the AWS Web Console
Click Identity pools in the left sidebar menu
Click Create identity pool
For User access, select Authenticated access
For Authenticated identity sources, select Amazon Cognito user pool
Click Next
For IAM role, select Create a new IAM role
For IAM role name, enter confidencial-users
Click Next
Under the Connect identity providers page, enter the following values:
1. User pool ID: Select the ID of the user pool that you created in the previous section
2. App client ID: Select the ID of the application you created in the previous section
3. Role selection: Use default authenticated role
4. Claim mapping: Inactive
Click Next
Under the Configure properties page, enter the following values:
1. Name: confidencial-users
Click Next
Review that your configuration is correct and click Create identity pool

Connecting your identity provider to the Confidencial Key Server

Microsoft Entra ID (formerly Azure Active Directory)

Click Microsoft Entra ID
Click App registrations from the side menu
Click New Registration from the top toolbar
Ensure the following settings are entered:
1. Name: Confidencial-OPKSS
2. Supported account types: Select either “Accounts in this organizational directory only,” “Accounts in any organizational directory,” or Accounts in any organization directory and personal Microsoft accounts,” depending on who you want to be able to join your Confidencial organization
3. Redirect URI: Choose “single-page application (SPA)” in the Select a platform drop down menu and enter https://my.confidencial.io/auth-management in the input box
Click Register
Click Manifest (under Manage), then
1. Change the value of acceptMappedClaims (Line 3) from null to true
2. Click Save
Return to the main Entra page and click Enterprise applications from the side menu
Click Confidencial-OPKSS in the list of applications
Click Single sign-on (under Manage)
Click the Edit button for Attributes and Claims
Click Add new claim
1. Input a Name of https://confidencial.io/email, Source will be Attribute and Source attribute will be user.mail.
2. Click Save
Click Add new claim
1. Input a Name of org_id, Source will be Transformation, and data will be entered like the following values:
  1. Transformation: RegexReplace()
  2. Parameter 1: Attribute
  3. Attribute name: user.city
  4. Regex pattern: ^.*$
  5. Replacement pattern: This value will be provided by your Confidencial support representative
2. Click Add to add the transformation
3. Click Save
Return to the main page for the enterprise application Confidencial-OPKSS
Click Properties (under Manage) from the side menu
If you want to specify the users that can log in to Confidencial, set Assignment required to “Yes,” otherwise, all users* will be able to log in to Confidencial
ℹ️ All users with a supported account type specified in Step 5.b above

ℹ️ This completes creation of the Entra ID application and generates a *Client ID* that must be securely transmitted to Confidencial during account set up (along with the *Entra Domain*). Optionally, you may continue to the next section to configure automatic user and group provisioning via SCIM.

Configuring user and group synchronization with SCIM in Entra ID

Click Enterprise applications from the Entra ID main menu
Click New application
Click Create your own application
For the name of the application, enter Confidencial-OPKSS-SCIM
Select Integrate any…(Non-gallery) from the list of options and click Create
Select Users and groups (under Manage) from the side menu
Associate users and groups to this new application. These are the users and groups that will be automatically synchronized with Confidencial.
Click Provisioning (under Manage) from the side menu. You may have to select Provisioning (under Manage) a second time to display the Provisioning Mode setting.
Set Provisioning Mode to Automatic
Under Admin Credentials, enter the following settings:
1. Tenant URL: https://opkss.confidencial.io/{orgId}/scim/v2/?aadOptscim062020, where {orgID} is your organization’s ID, which is provided by your Confidencial support representative
ℹ️ The Entra ID implementation requires the `?aadOptscim062020` parameter to achieve full SCIM compliance.
Test your connection settings — If there are any issues here please reach out to a Confidencial support representative for further assistance.
Click Save
Click Overview
Click Start provisioning

ℹ️ By default, the provisioning interval is set to 40 minutes; this, as well as the ability to send an email notification when a failure occurs, can be adjusted by clicking the Settings dropdown menu.

Connecting your identity provider to Confidencial

ℹ️ This document shows you how to connect to your identity provider, allowing your enterprise’s users to log in to Confidencial using their existing accounts.

⚠️ Please contact your Confidencial support representative before beginning this process to ensure you have the proper components to proceed

The details of how to connect to your identity provider (IDP) vary depending on the IDP being connected, but in most cases, the process amounts to creating an application within your IDP and then assigning users to that application. See the links below for how to connect to your IDP.

Creating an application in Okta

Log in to your Okta instance’s admin portal
Click Applications under the Applications item in the side menu
Click the Create App Integration button
Select OIDC - OpenID Connect and Web Application for Sign-in method and Application type, respectively; click Next
Ensure the following settings are entered:
1. App integration name: Confidencial
2. Grant type: Authorization Code (the only option that should be selected)
3. Sign-in redirect URIs: https://auth.confidencial.io/login/callback
4. Sign-out redirect URIs: https://my.confidencial.io
⚠️ Redirect URIs will be different than those listed above for sandbox deployments. Your Confidencial technical contact will provide these URIs in these cases.
For Controlled access, select either “Allow everyone in your organization to access” or “Limit access to selected groups,” depending on who you want to be able to log in to Confidencial.
1. If you selected “Allow everyone…,” leave “Enable immediate access with Federation Broker Mode” selected if you want everyone in your organization to be able to access Confidencial. Deselect “Enable immediate access with Federation Broker Mode” if you want to specify the users and groups that can access Confidencial.
2. If you selected “Limit access…,” enter the group(s) you’d like to access Confidencial under Selected group(s).
Click Save

ℹ️ This completes creation of the Okta application and generates a Client Secret that must be securely transmitted to Confidencial during account set up (along with the Okta Domain and Client ID).

➡️ Proceed to the next section, *Creating Confidencial roles for Okta users*

Creating Confidencial roles for Okta users

For each role you would like to define in Confidencial:

Click Groups under the Directory item in the side menu
Click Add Group
In the Name field, enter a name for the role (Okta group). In this example, we create a role called C11-Admins.
In the Description field, enter the Confidencial permissions you would like to grant to members of this role
- crud:config-org: Allows an administrator to create, read, and delete admin config settings for an organization
- crud:invitations-org: Allows an administrator to create, read, and delete invitations for an organization
- crud:signature-keys-org: Allows an administrator to create and update (replace) electronic signature keys from all members in an organization
- crud:groups-org: Allows an administrator to create, read, update, and delete groups within an organization
Click Save
With the Okta group created, take note of the Okta group ID; this will be needed in the next section, Create the Okta authorization server for Confidencial
1. To get the group ID of the group you created, go to the group in Okta and note the last part of the URL
2. In the example above, the group ID is 00g9372cmsozlGYI25d7
Add the users to the group to which you would like to assign these permissions

🔁 Repeat Steps 1-7 above for each role you would like to define in the Confidencial system. You can create up to 100 roles for Confidencial users, roles can contain any combination of permissions, and users can belong to any combination of roles.

➡️ Proceed to the next section, Creating the Okta authorization server for Confidencial

Creating the Okta authorization server for Confidencial

Click API under the Security item in the side menu
Click Add Authorization Server
For Name, enter Confidencial and for Audience enter api://confidencial.io
Click the Scopes tab, then click Add Scope
Enter the following values:
1. Name: groups
2. Display phrase: groups
3. Description: Allows group membership to be passed in token
4. Use default values for the other fields, as shown below
Click Access Policies, then click Add New Access Policy
Enter the following values:
1. Name: Default
2. Description: Default
3. Assign to: Add the Okta application you created in the previous section, Creating an application in Okta
Add a rule to govern access to this authorization server, ensuring that “authorization code” is permitted; set access token and refresh token lifetimes as desired
Click the Claims tab, then click Add Claim
Enter the following values:
1. Name: permissions
2. Value: Arrays.flatten(getFilteredGroups({"group-id-1", "group-id-2", ... , "group-id-n"}, "Arrays.flatten(group.description)", 100))
  1. Replace "group-id-1", "group-id-2", ... , "group-id-n" in the above statement with the list of group IDs you created in the section above, Creating Confidencial roles for Okta users
  2. Group IDs should be wrapped in double quotes (”) and separated by commas (,), with the entire list of group IDs wrapped in curly braces ({ })
3. Use default values for the other fields, as shown below
Click Create

➡️ Proceed to the next section, Assigning users to an application in Okta

Assigning users to an application in Okta

ℹ️ These steps are not necessary if you left “Enable immediate access with Federation Broker Mode” selected in Step 6 of Creating an application in Okta above.

Click Applications under the Applications item in the side menu
Click Confidencial in the list of applications
Click the Assignments tab
Click Assign to add users and groups that can log in to Confidencial

✅ This completes the setup of Okta for use with Confidencial. You will now work with the Confidencial team to securely transmit application details.

Creating an application in Microsoft Entra ID (formerly Azure Active Directory)

Click Microsoft Entra ID
Click App registrations from the side menu
Click New Registration from the top toolbar
Ensure the following settings are entered:
1. Name: Confidencial
2. Supported account types: Select either “Accounts in this organizational directory only,” “Accounts in any organizational directory,” or Accounts in any organization directory and personal Microsoft accounts,” depending on who you want to be able to join your Confidencial organization
3. Redirect URI: Choose “Web” in the Select a platform drop down menu and enter https://auth.confidencial.io/login/callback in the input box
Click Register
Click App registrations from the side menu
Click Confidencial in the list of applications (you may need to select the All applications tab to view it)
Click Token configuration (under Manage) from the side menu
Click Add optional claim
Select ID, then select email, and then click Add
Check the box to enable email permission, then click Add
Return to the main Entra menu
Click Enterprise applications from the side menu
Click Confidencial in the list of applications
Click Properties (under Manage) from the side menu
If you want to specify the users that can log in to Confidencial, set Assignment required to “Yes,” otherwise, all users* will be able to log in to Confidencial
Click App registrations from the side menu
Click Confidencial in the list of applications (you may need to select the All applications tab to view it)
Click Certificates & secrets (under Manage) from the side menu
Click Add new client secret
1. Description: Confidencial IDP integration
2. Expires: 730 days (24 months)
Click Add

⚠️ Make note of Value, as this client secret will need to be securely transmitted to Confidencial and is only viewable during initial creation

ℹ️ This completes creation of the Entra ID application and generates a client secret that must be securely transmitted to Confidencial during account set up (along with the Entra Domain and Client ID).

➡️ Proceed to the next section, Assigning users to an application in Entra ID

Assigning users to an application in Entra ID

ℹ️ These steps are only necessary if you selected “Yes” for Assignment required in Step 10 above.

From the Microsoft Entra ID home screen, click Enterprise applications from the side menu
Click Confidencial in the list of applications
Click Users and groups (under Manage) from the side menu
Click Add user/group to add users and groups that can log in to Confidencial

✅ This completes the setup of Entra ID for use with Confidencial. You will now work with the Confidencial team to securely transmit application details.

Setting elevated permissions for users in Entra ID

Generating a CSV users file(s) in Entra ID

Click Users from the side menu
Apply any filters wanted when narrowing down the list of users that will have a set of permissions OR permission in general
ℹ️ Admins may want to exclude the Guest user type here potentially as an example
Click Download users
Input a name for the file and click Start download
Click File is ready! Click here to download once file is complete
Open the CSV file as comma delimited starting at row 1
Add a new column to the end of the table called permissions
Add comma separated permissions as a single string for each user that should have the related permissions in Confidencial - example: crud:members-org, crud:groups-org

ℹ️ Users with their permissions field empty will have no admin permissions when script is run later

Save your changes once complete.
Complete steps 2-7 for as many other csv files you might want to create.

Assigning user permissions in Entra ID via PowerShell scripts

Click App registrations from the side menu
Click Confidencial in the list of applications (you may need to select the All applications tab to view it)
Click API Permissions (under Manage) from the side menu
Click Add a permission
Select Microsoft Graph from the list of options, then click Application permissions
In the Select permissions search box, search for permission Directory.ReadWrite.All
Expand Directory by clicking the “>” symbol
Select the checkbox for Directory.ReadWrite.All and click Add permissions
Click Grant Admin Consent for Confidencial and then Yes to confirm this action
Run createExtProp.ps1 using PowerShell to create the permissions extension property
ℹ️ Contact your Confidencial support representative to obtain the PowerShell scripts
1. You will need to supply the tenant ID, client ID, app ID, and client secret corresponding to your app registration for Confidencial as command-line arguments to the script
  1. If you do not know your client secret, you will need to create a new one for the app registration; be sure to keep your original secret that was created during the initial set up of the app registration
2. Copy the extension property ID once created and save for a later step
  1. This will be under name and will take the form extension_*<hexidecimal code>*_permissions
Click Token Configuration (under Manage) from the side menu
Click Add optional claim
Select the ID radio button then select the extn.permissions option in the list
Click Add button
Run setExtPropValues.ps1 using PowerShell to set the permissions extension properties values
1. Execute this script for each CSV file created for permissions assignment

✅ This completes adding permissions to your users for when they log into Confidencial

Setting up Microsoft Entra to use an Exchange account to send email notifications

Registering the Confidencial app in Microsoft Entra

Create a new or select an existing M365 account from which you want Confidencial to send email notifications
Expand the Identity menu > expand Applications> select App registrations > New registration
Enter the following values:
1. Name: Confidencial
2. Supported account types: Accounts in this organizational directory only
3. Redirect URI (optional): Leave blank
Click Register
Select Certificates & secrets > Certificates > Upload certificate
Upload the certificate that is provided by Confidencial
Click Add
Click Overview and make note of the application’s (client) ID. This ID will be used later when restricting application permissions.

Creating a mail-enabled security group

ℹ️ These instructions are derived from Microsoft documentation found here

Click Add a group, select Mail-enabled security, and click Next
Enter the following values:
1. Name: Confidencial notifications
2. Description: Mailboxes used to send notifications on behalf of the Confidencial app
Click Next
Assign owners to the group - these are users that have the ability to manage group settings
Click Next
Add the member that owns the mailbox to be used for Confidencial notifications
Click Next
For Group email address, enter confidencial (@yourdomain.com)
1. Leave the Communication checkbox unchecked
2. Check the Approval checkbox to limit membership to the group
Click Next
Click Create group, then click Close

Restricting Confidencial app access to a single mailbox

Create an application access policy by executing the command below in Exchange Online PowerShell. Replace app-id with the application (client) ID noted in the first section above. Replace yourdomain.com with your domain. 1.
```
New-ApplicationAccessPolicy -AppId app-id -PolicyScopeGroupId confidencial@yourdomain.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group confidencial@yourdomain.com"
```
Test the access policy with the command below. Replace yourmailbox@yourdomain.com with the email address of the mailbox to be used for Confidencial notifications (note that this is different from the group email address you specified in the previous step). Replace *app-id* with the application (client) ID noted in the first section above. Repeat this command using an email address that is NOT the one to be used to send Confidencial notifications.
```
Test-ApplicationAccessPolicy -Identity yourmailbox@yourdomain.com -AppId app-id
```
If the access policy is correct, the output of the above command should include AccessCheckResult : Granted. If you run the above command with an email address that is NOT in the security group, you should see AccessCheckResult : Denied.
⚠️ NOTE: Changes to application access policies can take longer than one hour to take effect in Microsoft Graph REST API calls, even when `Test-ApplicationAccessPolicy` shows positive results. If there is concern about exposing unnecessary access to Graph API calls, it is recommended to wait at least one hour before proceeding to the next section.

Setting Confidencial app permissions in Entra

Expand the Identity menu > expand Applications > select App registrations
Select the Confidencial app registration that you created in the first section. You may need to click the All applications tab for this application to appear in the list.
Under Manage, click API permissions, then click Add a permission
Click Microsoft Graph
Select Application permissions
In the Select Permissions search box, enter Mail.Send
Expand the Mail result that appears, click the checkbox next to Mail.Send, then click Add Permissions
Click Grant admin consent for… and click Yes on the resulting confirmation dialog

Sender email address (email address from which notifications are sent)
Entra tenant ID
Entra Confidencial client (app) ID

Confidencial Documentation

Getting Started

Tutorials

Instructions

Sending secure PDFs with Confidencial

Viewing secure PDFs with Confidencial

Sending secure Word docs with Confidencial

Viewing secure Word docs with Confidencial

Sending secure Excel workbooks with Confidencial

Viewing secure Excel workbooks with Confidencial

Sending secure images with Confidencial

Viewing secure images with Confidencial

Sending secure messages with Confidencial

Re-encrypting and changing who can see protected content

General

How Confidencial Works

What is End-to-End Protection

How Confidencial protects your data at rest

Encrypting the document

Decrypting the document

How Confidencial protects your data in transit

Viewing secure Word docs with Confidencial

Sending secure PDFs with Confidencial

Viewing secure Excel workbooks with Confidencial

Viewing secure PDFs with Confidencial

Sending secure messages with Confidencial

Sending secure Word docs with Confidencial

Sending secure images with Confidencial

Sending secure Excel workbooks with Confidencial

Viewing secure images with Confidencial

Getting Started

Tutorials

Instructions

What is End-to-End Protection

How Confidencial protects your data at rest

Encrypting the document

Decrypting the document

How Confidencial protects your data in transit

How Confidencial Works

General

Re-encrypting and changing who can see protected content

In-doc encryption

What is it?

What does it mean for me?

What file formats are supported?

What about formats that aren’t supported?

Viewing secure messages with Confidencial

The Confidencial Private Key Server

Protecting content with Confidencial

Protecting content in Microsoft Office

Protecting content with the Confidencial web app

Protecting content with the Confidencial desktop app

The Confidencial Log Server

Organization

Account types

Individual

The Confidencial Public Key Registry

Organization administrator

File types

Natively-protected files

Microsoft Word and Excel

PDF files

Images (JPEG and PNG)

.C11-protected files and file bundles

Device-stored keys

Key types

Logging in to the desktop or web app

Recovery keys

Cloud-stored keys

Temporary keys

Encryption policies

Selecting encryption recipients

Logging in to Confidencial

Accepting an invite to Confidencial

Enterprise keys

Confidencial organizations

Web App

Re-encrypting and changing who can see protected content

Inviting other users to Confidencial

Inviting users via the Invites page in the web or desktop app