Docs Menu

Enterprise Email User Setup Options

Prerequisites
You’re an Enterprise Customer who runs their own Email Key Manager.
You’re familiar with the Client Configuration options and how to set them.

Below is an overview of possible enterprise configurations such as passphrase management, and user setup flow.

User key pair setup

There are two options for onboarding users depending on their key pairs:

Further, you’ll find more details about each option.

Key pairs generated automatically upon first use

Users will be auto-registered, and keys will be auto-generated for users during the first use of the browser extension (users need to set up the browser extension before they set up mobile apps). If you expect all of your Google users to use encryption, and you have no prior key pairs to migrate to the Email Key Manager, then use this option.

How to configure:

  • Set the enforce_keygen_algo, enforce_keygen_expire_months, and PRV_AUTOIMPORT_OR_AUTOGEN Client Configuration rules.
  • Set the api.accept.client.keypairs=true property in the properties file of the Enterprise Server when running as a single service, or in the properties file of the Email Key Manager when running the Enterprise Server as separate modules.

Pre-set key pairs by admin

User needs to be registered into the system by the admin from the Enterprise Admin Panel, and their keys needa to be pre-generated or pre-imported. A particular user can only set up the extension if the admin already created (or imported) the keys for them.

How to configure:

  • Set the PRV_AUTOIMPORT_OR_AUTOGEN, and NO_PRV_CREATE Client Configuration rules.
  • Set the api.accept.client.keypairs=false property in the properties file of the Enterprise Server when running as a single service, or in the properties file of the Email Key Manager when running the Enterprise Server as separate modules.

Combined / transition

You can combine these two options. Pre-generate or pre-import keys for everyone that needs them (with a system configured for pre-set) initially. Once you have your initial user population set up, you may later change the configuration to auto-generate key pairs as more users join the organization.

End-user passphrases

There are two options to handle user passphrases based on your requirements. Each option requires different Client Configuration flags. For the complete list, see the Client Configuration guide.

No user passphrases

During the setup process, the client app auto-generates a passphrase and stores it along with the key. From the user’s perspective, they won’t be asked to create, remember or enter any passphrase, making it similar to a regular email experience.

How to configure:

  • Add the PASS_PHRASE_QUIET_AUTOGEN flag in your Client Configuration.
  • Combine it with PRV_AUTOIMPORT_OR_AUTOGEN.

Passphrases set by users during setup

Users are expected to create their own passphrase during the setup of each client app. The passphrase will be saved in memory for 4 hours after each entry until the app is closed in the case of the mobile app, and until the browser is closed in the case of a browser extension. If the user needs to open or send an encrypted email after the passphrase has expired, they’ll be asked to re-enter it. Users won’t be asked for a passphrase for regular non-encrypted email usage.

If a user loses the passphrase, it can be recovered by going through the setup process of the app again with a new passphrase.

How to configure:

  • Use PRV_AUTOIMPORT_OR_AUTOGEN.
  • Do not include PASS_PHRASE_QUIET_AUTOGEN.
  • Optionally, add FORBID_STORING_PASS_PHRASE and adjust in_memory_pass_phrase_session_length (in seconds) to control memory duration (default: 14,400 seconds or 4 hours).
Content © FlowCrypt a.s.
Layout from Cockroach Labs,CC Attr 4.0, edited