| Prerequisites |
|---|
| You’re familiar with the Enterprise Server services. |
FlowCrypt allows enterprises to customize the behavior of the FlowCrypt client with Client Configuration options, applied per email domain. All client configurations are optional.
## How to set a Client Configuration
- Enterprise customers who use a Shared Tenant service can skip this section. Instead, they simply inform us which Client Configuration rules they’d like us to set for them.
- Enterprise customers who run their own Enterprise Server or External Service can set the Client Configuration for their domains through the Enterprise Admin Panel, in the Domain Configuration section of the domain being set up.
A typical Client Configuration is written in JSON and might look like this sample:

```json
{
  "flags": [
    "NO_PRV_CREATE",
    "NO_PRV_BACKUP",
    "PRV_AUTOIMPORT_OR_AUTOGEN",
    "PASS_PHRASE_QUIET_AUTOGEN",
    "NO_ATTESTER_SUBMIT",
    "FORBID_STORING_PASS_PHRASE"
  ],
  "disallow_attester_search_for_domains": ["test.example.dev", "example.com"],
  "key_manager_url": "https://ekm.example.com",
  "enforce_keygen_algo": "curve25519"
}
```
## Client Configuration rules
The Client Configuration rules are defined by the group of properties and flags described in the next two sections.
### Client Configuration properties
The table below lists the Client Configuration properties and their descriptions:

| Client Configuration property name | Description |
|---|---|
| `custom_keyserver_url` | `string`: A URL pointing to an internal public key server with an SKS-like interface, such as Hockeypuck. |
| `key_manager_url` | `string`: A URL pointing to an internal EKM. The presence of this rule forbids the user from all manual private key actions such as import, edit, remove, or export, because with this setting the private key lifecycle is handled by the EKM. |
| `prv_backup_to_designated_mailbox` | `string`: A public key. The system will use the mailbox of its primary UID (email address) as a private key backup store. This property is ignored when set together with `key_manager_url`. For more information, please refer to the Backup to Designated Mailbox guide. |
| `allow_attester_search_only_for_domains` | `string[]`: Restrict the recipient domains for which you’d like to allow a public key lookup on FlowCrypt Attester. If it’s set together with the `disallow_attester_search_for_domains` property, `disallow_attester_search_for_domains` is ignored and only `allow_attester_search_only_for_domains` is used. You may set its value to an empty array (`[]`) to disable searching for public keys on FlowCrypt Attester for all domains. |
| `disallow_attester_search_for_domains` | `string[]`: Don’t search for public keys of emails on these domains on FlowCrypt Attester. Use `"disallow_attester_search_for_domains": ["*"]` to disable the search for all domains. Useful when you expect these public keys to be available on an internal key server or the WKD server. |
| `allow_keys_openpgp_org_search_only_for_domains` | `string[]`: Restrict the recipient domains for which you’d like to allow a public key lookup at keys.openpgp.org. If it’s set together with the `disallow_keys_openpgp_org_search_for_domains` property, `disallow_keys_openpgp_org_search_for_domains` is ignored and only `allow_keys_openpgp_org_search_only_for_domains` is used. You may set the value to an empty array (`[]`) to disable searching for public keys at keys.openpgp.org for all domains. |
| `disallow_keys_openpgp_org_search_for_domains` | `string[]`: Don’t search for public keys of emails on these domains at keys.openpgp.org. |
| `enforce_keygen_algo` | One of `curve25519` (ECC), `rsa4096`, `rsa3072`, or `rsa2048`. Which key algorithm to use when a new private key is generated in the client app. Doesn’t affect keys generated in the EKM. |
| `enforce_keygen_expire_months` | Set an expiration date for keys within a certain amount of time, commonly 12 or 24 months. |
| `in_memory_pass_phrase_session_length` | `number`: The duration of the passphrase session in seconds. It only applies when the client app stores the passphrase in memory and doesn’t affect which method of passphrase storage is used. If the passphrase is stored in persistent storage, it has no effect. If this client configuration isn’t specified, the in-memory passphrase session is 4 hours (14400 seconds). |
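The interactions in the table above (an allow-list silencing its disallow-list, the `["*"]` wildcard, `prv_backup_to_designated_mailbox` being ignored next to `key_manager_url`, the 14400-second session default) are easy to get wrong when reviewing a configuration by eye. The following added example, which is not FlowCrypt's own code, resolves those rules over a constructed sample configuration: `lookup_allowed` decides whether a lookup for a recipient may reach Attester or keys.openpgp.org, and `lint_properties` reports properties that would be silently ignored or rejected. Honouring `"*"` for the keys.openpgp.org disallow-list and requiring `https://` on the two URL properties are this example's own assumptions, not rules from the table.

```python
# Added example (not FlowCrypt's own code): resolve the key-lookup precedence
# and property interactions described in the Client Configuration table.
import json

KEYGEN_ALGOS = {"curve25519", "rsa4096", "rsa3072", "rsa2048"}
DEFAULT_SESSION_SECONDS = 14400  # documented default: 4 hours

# Each lookup service has an allow-list property and a disallow-list property.
LOOKUP_SERVICES = {
    "attester": ("allow_attester_search_only_for_domains",
                 "disallow_attester_search_for_domains"),
    "keys_openpgp_org": ("allow_keys_openpgp_org_search_only_for_domains",
                         "disallow_keys_openpgp_org_search_for_domains"),
}

# Constructed sample configuration. Both an allow-list and a disallow-list are
# set for Attester so the documented precedence (allow-list wins) is visible.
SAMPLE_CONFIG = json.loads("""
{
  "key_manager_url": "https://ekm.example.com",
  "prv_backup_to_designated_mailbox": "PLACEHOLDER-PUBLIC-KEY-ARMOR",
  "allow_attester_search_only_for_domains": ["partner.example"],
  "disallow_attester_search_for_domains": ["partner.example", "example.com"],
  "disallow_keys_openpgp_org_search_for_domains": ["*"],
  "enforce_keygen_algo": "curve25519"
}
""")


def recipient_domain(email: str) -> str:
    """Lower-cased domain part of an address (constructed helper)."""
    return email.rsplit("@", 1)[-1].lower()


def lookup_allowed(config: dict, email: str, service: str) -> bool:
    """May the client query `service` ('attester' or 'keys_openpgp_org')
    for this recipient's public key?"""
    allow_key, deny_key = LOOKUP_SERVICES[service]
    domain = recipient_domain(email)
    if allow_key in config:
        # Allow-list present: the disallow-list is ignored, and an empty
        # allow-list ([]) disables lookups on this service for every domain.
        return domain in {d.lower() for d in config[allow_key]}
    denied = {d.lower() for d in config.get(deny_key, [])}
    # "*" is documented for the Attester disallow-list; honouring it for
    # keys.openpgp.org as well is an assumption of this example.
    if "*" in denied:
        return False
    return domain not in denied


def effective_session_seconds(config: dict) -> int:
    """In-memory passphrase session length, falling back to the default."""
    value = config.get("in_memory_pass_phrase_session_length", DEFAULT_SESSION_SECONDS)
    if not isinstance(value, (int, float)) or value <= 0:
        raise ValueError("in_memory_pass_phrase_session_length must be a positive number")
    return int(value)


def lint_properties(config: dict) -> list:
    """Return human-readable findings about ignored or invalid properties."""
    findings = []
    if "key_manager_url" in config and "prv_backup_to_designated_mailbox" in config:
        findings.append("prv_backup_to_designated_mailbox is ignored because key_manager_url is set")
    for allow_key, deny_key in LOOKUP_SERVICES.values():
        if allow_key in config and deny_key in config:
            findings.append(f"{deny_key} is ignored because {allow_key} is set")
    algo = config.get("enforce_keygen_algo")
    if algo is not None and algo not in KEYGEN_ALGOS:
        findings.append(f"enforce_keygen_algo {algo!r} is not one of {sorted(KEYGEN_ALGOS)}")
    for url_key in ("custom_keyserver_url", "key_manager_url"):
        url = config.get(url_key)
        # Requiring https for internal key infrastructure is this example's
        # own check, not a rule stated in the table.
        if url is not None and not url.startswith("https://"):
            findings.append(f"{url_key} should use https://")
    return findings


if __name__ == "__main__":
    for finding in lint_properties(SAMPLE_CONFIG):
        print("finding:", finding)
    for addr in ("alice@partner.example", "bob@example.com", "carol@other.example"):
        print(addr,
              "attester:", lookup_allowed(SAMPLE_CONFIG, addr, "attester"),
              "keys.openpgp.org:", lookup_allowed(SAMPLE_CONFIG, addr, "keys_openpgp_org"))
    print("session seconds:", effective_session_seconds(SAMPLE_CONFIG))
```

Run as a script, it reports that the sample's `prv_backup_to_designated_mailbox` and `disallow_attester_search_for_domains` entries are dead configuration, and that only `partner.example` recipients are ever looked up on Attester while keys.openpgp.org is never queried.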
### Client Configuration flags
In addition to the above-mentioned properties, the Client Configuration has one more property called `flags`, which allows you to set different flags for your configuration. You can see an example of its usage in the first section. This property is an array to which you can add the desired flags from the table below:
| Client Configuration flag name | Description |
|---|---|
| `NO_PRV_CREATE` | Forbid creating new key pairs. The user is expected to import the key, either manually from a file or by auto-import from the EKM service. |
| `NO_PRV_BACKUP` | Don’t allow automatic or user-generated key backup except to an internal EKM if available. Manual export of password-protected private keys is still allowed. |
| `PRV_AUTOIMPORT_OR_AUTOGEN` | If the key is available on the EKM, import it automatically during the setup process. Otherwise, generate one and store it in the EKM automatically. In this flow, users choose their passphrase for local use in the client app, unless `PASS_PHRASE_QUIET_AUTOGEN` is also used. |
| `PASS_PHRASE_QUIET_AUTOGEN` | Auto-generate the passphrase during the setup process and store it locally. This is used in combination with `PRV_AUTOIMPORT_OR_AUTOGEN` to achieve a user experience that doesn’t involve passphrases. |
| `ENFORCE_ATTESTER_SUBMIT` | A public key must be successfully submitted to FlowCrypt Attester during the setup process. |
| `NO_ATTESTER_SUBMIT` | A public key can never be submitted to the Attester server. |
| `FORBID_STORING_PASS_PHRASE` | A passphrase can only be kept in memory in the client apps. The user has to re-enter the passphrase for each session. |
| `DEFAULT_REMEMBER_PASS_PHRASE` | Makes storing the passphrase the default choice in the setup UI. |
| `HIDE_ARMOR_META` | Removes OpenPGP Armor headers (version and comment) from outgoing messages. |
| `RESTRICT_ANDROID_ATTACHMENT_HANDLING` | Affects only the Android app. Enabling this flag allows previewing and opening downloaded attachments only in the Content app. Without this flag, attachments can be opened using any supported app. |
| `SETUP_ENSURE_IMPORTED_PRV_MATCH_LDAP_PUB` | During the setup process, the browser extension performs a public key lookup on the corporate LDAP server (relayed through `flowcrypt.com/attester/ldap-relay`). The default LDAP domain used for the lookup is `keys.{corporate-domain}`. If the lookup returns a result, the browser extension then checks that at least one primary fingerprint of the private keys matches the primary fingerprint of the received public keys. Only the FlowCrypt browser extension looks up the public key on an LDAP server and supports `SETUP_ENSURE_IMPORTED_PRV_MATCH_LDAP_PUB`. When this server is unreachable or when there are zero results, the user will face an error. Not supported on mobile apps. |
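Several flags in the table only make sense in combination (`PASS_PHRASE_QUIET_AUTOGEN` with `PRV_AUTOIMPORT_OR_AUTOGEN`, and that flow with an EKM) or directly contradict each other (`ENFORCE_ATTESTER_SUBMIT` against `NO_ATTESTER_SUBMIT`, `FORBID_STORING_PASS_PHRASE` against `DEFAULT_REMEMBER_PASS_PHRASE`). The following added example, which is not FlowCrypt's own code, lints the `flags` array of the sample configuration from the top of this page and then summarises the policy the flags impose on a user. The list of contradictory pairs, the requirement that `PRV_AUTOIMPORT_OR_AUTOGEN` be accompanied by `key_manager_url`, and the "user's choice" wording when neither passphrase-storage flag is set are this example's own reading of the table, not official product rules.

```python
# Added example (not FlowCrypt's own code): lint the "flags" array against the
# Client Configuration flag table and summarise the resulting user policy.
import json

KNOWN_FLAGS = {
    "NO_PRV_CREATE", "NO_PRV_BACKUP", "PRV_AUTOIMPORT_OR_AUTOGEN",
    "PASS_PHRASE_QUIET_AUTOGEN", "ENFORCE_ATTESTER_SUBMIT", "NO_ATTESTER_SUBMIT",
    "FORBID_STORING_PASS_PHRASE", "DEFAULT_REMEMBER_PASS_PHRASE", "HIDE_ARMOR_META",
    "RESTRICT_ANDROID_ATTACHMENT_HANDLING", "SETUP_ENSURE_IMPORTED_PRV_MATCH_LDAP_PUB",
}

# Flag pairs whose table descriptions contradict each other. These pairings are
# this example's own reading of the table (assumption), not an official rule.
CONTRADICTIONS = [
    ("ENFORCE_ATTESTER_SUBMIT", "NO_ATTESTER_SUBMIT",
     "submission to Attester cannot be both required and forbidden"),
    ("FORBID_STORING_PASS_PHRASE", "DEFAULT_REMEMBER_PASS_PHRASE",
     "a passphrase that may only live in memory cannot default to being stored"),
]

# Constructed sample: the configuration shown in the first section of the page.
SAMPLE_CONFIG = json.loads("""
{
  "flags": ["NO_PRV_CREATE", "NO_PRV_BACKUP", "PRV_AUTOIMPORT_OR_AUTOGEN",
            "PASS_PHRASE_QUIET_AUTOGEN", "NO_ATTESTER_SUBMIT",
            "FORBID_STORING_PASS_PHRASE"],
  "disallow_attester_search_for_domains": ["test.example.dev", "example.com"],
  "key_manager_url": "https://ekm.example.com",
  "enforce_keygen_algo": "curve25519"
}
""")


def lint_flags(config: dict) -> list:
    """Return findings: unknown flags, duplicates, contradictory pairs, and
    flags that depend on another flag or property being present."""
    flags = config.get("flags", [])
    if not isinstance(flags, list):
        return ["flags must be an array of flag names"]
    findings = []
    for name in flags:
        if name not in KNOWN_FLAGS:
            findings.append(f"unknown flag {name!r}")
    for name in sorted({n for n in flags if flags.count(n) > 1}):
        findings.append(f"flag {name} is listed more than once")
    present = set(flags)
    for a, b, why in CONTRADICTIONS:
        if a in present and b in present:
            findings.append(f"{a} and {b} together: {why}")
    if "PASS_PHRASE_QUIET_AUTOGEN" in present and "PRV_AUTOIMPORT_OR_AUTOGEN" not in present:
        findings.append("PASS_PHRASE_QUIET_AUTOGEN is meant to be combined with PRV_AUTOIMPORT_OR_AUTOGEN")
    # The auto-import/auto-generate flow reads from and writes to an EKM, so an
    # EKM URL is expected alongside it (assumption of this example).
    if "PRV_AUTOIMPORT_OR_AUTOGEN" in present and "key_manager_url" not in config:
        findings.append("PRV_AUTOIMPORT_OR_AUTOGEN relies on an EKM, but key_manager_url is not set")
    return findings


def effective_policy(config: dict) -> dict:
    """Summarise, in plain terms, what the flags mean for an end user."""
    present = set(config.get("flags", []))
    if "FORBID_STORING_PASS_PHRASE" in present:
        storage = "in-memory only; re-entered each session"
    elif "DEFAULT_REMEMBER_PASS_PHRASE" in present:
        storage = "persistent by default (changeable in setup UI)"
    else:
        storage = "user's choice in setup UI"  # assumption when neither flag is set
    if "ENFORCE_ATTESTER_SUBMIT" in present:
        attester = "required"
    elif "NO_ATTESTER_SUBMIT" in present:
        attester = "forbidden"
    else:
        attester = "optional"
    return {
        "key_creation_in_client": "NO_PRV_CREATE" not in present,
        "key_source": ("EKM (auto-import or auto-generate)"
                       if "PRV_AUTOIMPORT_OR_AUTOGEN" in present
                       else "user-provided (import or create)"),
        "passphrase_chosen_by": ("client (auto-generated)"
                                 if "PASS_PHRASE_QUIET_AUTOGEN" in present else "user"),
        "passphrase_storage": storage,
        "backup_outside_ekm": "NO_PRV_BACKUP" not in present,
        "attester_submission": attester,
    }


if __name__ == "__main__":
    print("findings:", lint_flags(SAMPLE_CONFIG) or "none")
    for key, value in effective_policy(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

For the page's sample configuration the linter reports nothing, and the summary shows the intended "no passphrase, no local key creation, no backup outside the EKM, never published to Attester" posture; swapping `NO_ATTESTER_SUBMIT` for `ENFORCE_ATTESTER_SUBMIT` while keeping both, or dropping `PRV_AUTOIMPORT_OR_AUTOGEN`, produces findings instead.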