Prerequisites
- You’re an Enterprise Customer who runs their own Email Key Manager.
- You’re familiar with the Client Configuration options and how to set them.
Below is an overview of possible enterprise configurations such as passphrase management, and user setup flow.
User key pair setup
There are two options for onboarding users, depending on whether key pairs already exist for them: key pairs generated automatically upon first use, or key pairs pre-set by the admin. Each option is described below.
Key pairs generated automatically upon first use
Users are auto-registered, and their keys are auto-generated during the first use of the browser extension (users need to set up the browser extension before they set up the mobile apps). Use this option if you expect all of your Google users to use encryption and you have no existing key pairs to migrate to EKM. Because the key pair is generated on the client and then accepted by EKM, the key generation policy (algorithm and expiry) is enforced through the Client Configuration rules below, so set them before any user onboards.
How to configure:
- Set the enforce_keygen_algo, enforce_keygen_expire_months, and PRV_AUTOIMPORT_OR_AUTOGEN Client Configuration rules.
- Set the api.accept.client.keypairs=true property for EKM in the properties file of the Enterprise Server or Email Key Manager.
Pre-set key pairs by admin
The admin registers each user in the system from EAP, and the user’s keys must be pre-generated or pre-imported there. A user can only set up the extension if the admin has already created (or imported) keys for them; with api.accept.client.keypairs=false, EKM rejects any key pair a client tries to submit, so keys can only originate from the admin.
How to configure:
- Set the PRV_AUTOIMPORT_OR_AUTOGEN and NO_PRV_CREATE Client Configuration rules.
- Set the api.accept.client.keypairs=false property for EKM in the properties file of the Enterprise Server or Email Key Manager.
Combined / transition
You can combine these two options. Initially, with the system configured for pre-set keys, pre-generate or pre-import keys for everyone who needs them. Once the initial user population is set up, you can switch the configuration to auto-generate key pairs as more users join the organization. Switching means changing both sides together: remove NO_PRV_CREATE from the Client Configuration and set api.accept.client.keypairs=true in the EKM properties file, since a client configured for one mode against an EKM configured for the other will either fail first-use setup or accept client-submitted keys you intended to forbid.
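The two onboarding options above, and the transition between them, require the Client Configuration flags and the EKM property to agree. The following check is an added example written for this page, not FlowCrypt code. It assumes the Client Configuration is a JSON object with a "flags" array plus the enforce_keygen_algo and enforce_keygen_expire_months keys (assumed shape), that the EKM properties file is a plain key=value file, and the sample documents and values below (rsa2048, 24 months) are constructed for illustration.

```python
"""Consistency check between a Client Configuration and EKM properties.

Added example (not FlowCrypt's own code). Assumed shape: the Client
Configuration is JSON with a "flags" list and optional
enforce_keygen_algo / enforce_keygen_expire_months keys; the EKM
properties file is java-style key=value text.
"""
import json

# Constructed sample Client Configurations, one per onboarding option.
AUTOGEN_CLIENT_CONFIG = json.loads("""
{
  "flags": ["PRV_AUTOIMPORT_OR_AUTOGEN"],
  "enforce_keygen_algo": "rsa2048",
  "enforce_keygen_expire_months": 24
}
""")

PRESET_CLIENT_CONFIG = json.loads("""
{
  "flags": ["PRV_AUTOIMPORT_OR_AUTOGEN", "NO_PRV_CREATE"]
}
""")

# Constructed sample EKM properties files.
EKM_PROPS_ACCEPT = "# EKM properties\napi.accept.client.keypairs=true\n"
EKM_PROPS_REJECT = "# EKM properties\napi.accept.client.keypairs=false\n"

ACCEPT_KEY = "api.accept.client.keypairs"
KEYGEN_RULES = ("enforce_keygen_algo", "enforce_keygen_expire_months")


def parse_properties(text: str) -> dict:
    """Parse java-style key=value lines; '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def onboarding_mode(client_config: dict):
    """Return 'pre-set', 'auto-generate', or None if neither is enabled."""
    flags = set(client_config.get("flags", []))
    if "PRV_AUTOIMPORT_OR_AUTOGEN" not in flags:
        return None
    return "pre-set" if "NO_PRV_CREATE" in flags else "auto-generate"


def check_onboarding(client_config: dict, ekm_props: dict) -> list:
    """Return a list of problems; an empty list means both sides agree."""
    problems = []
    mode = onboarding_mode(client_config)
    accept = ekm_props.get(ACCEPT_KEY, "").lower()
    if mode is None:
        problems.append("Client Configuration lacks PRV_AUTOIMPORT_OR_AUTOGEN; "
                        "no onboarding option is enabled")
        return problems
    if accept not in ("true", "false"):
        problems.append(f"EKM property {ACCEPT_KEY} must be set to true or false")
        return problems
    if mode == "pre-set" and accept == "true":
        # Security-relevant: admin intends to control keys, but EKM would
        # still accept key pairs submitted by clients.
        problems.append("NO_PRV_CREATE is set but EKM accepts client key pairs; "
                        f"set {ACCEPT_KEY}=false")
    if mode == "auto-generate":
        if accept == "false":
            problems.append("auto-generate mode but EKM rejects client key pairs; "
                            "first-use setup will fail")
        # Client-side generation is only policed by these two rules.
        for rule in KEYGEN_RULES:
            if rule not in client_config:
                problems.append(f"auto-generate mode requires the {rule} rule")
    return problems


if __name__ == "__main__":
    for name, cfg, props in (
        ("autogen + accept", AUTOGEN_CLIENT_CONFIG, EKM_PROPS_ACCEPT),
        ("pre-set + reject", PRESET_CLIENT_CONFIG, EKM_PROPS_REJECT),
        ("pre-set + accept (mismatch)", PRESET_CLIENT_CONFIG, EKM_PROPS_ACCEPT),
    ):
        print(name, check_onboarding(cfg, parse_properties(props)) or "OK")
```

Run it against your exported Client Configuration and the EKM properties file after every mode change; the mismatch it flags for "pre-set + accept" is the one that silently widens who can introduce key material.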
End-user passphrases
There are two options for handling user passphrases, depending on your requirements: no user passphrases, or passphrases set by users during setup. Each option is described below.
No user passphrases
During the setup process, the client app auto-generates a passphrase and stores it along with the key. From the user’s perspective, they are never asked to create, remember or enter a passphrase, so the experience is similar to regular email. Because the passphrase is stored next to the key, the private key is protected by the device and the client’s storage rather than by a secret the user knows.
Passphrases set by users during setup
Users are expected to create their own passphrase during the setup of each client app. After each entry, the passphrase is kept in memory for 4 hours, or until the app is closed (mobile app) or the browser is closed (browser extension), whichever comes first. If the user needs to open or send an encrypted email after the cached passphrase has expired, they are asked to re-enter it. Users are not asked for a passphrase for regular, non-encrypted email usage.
If a user loses the passphrase, they reset it by going through the app’s setup process again and choosing a new passphrase.