Prerequisites
- You’re familiar with the process of importing a private key.
- You’re familiar with the differences between the Enterprise Server and Shared-Tenant Server services.
- You’re familiar with the Client Configuration options.
Our customers aren’t always required to run any Enterprise Server or an Email Key Manager service. They can have a very simple setup with our Shared-Tenant service, where FlowCrypt runs everything for them. It helps customers to avoid maintaining their own infrastructure. However, it has a limitation: this option doesn’t support private key management for security reasons. To address this, we offer the “Backup to Designated Mailbox” option, allowing our customers to have an automatic backup option. It allows our users to configure a private key backup process using a regular email inbox and avoid running an Email Key Manager service.
Client Configuration options
If the customer is using the Shared-Tenant service and intends to enable this functionality, we need to add the prv_backup_to_designated_mailbox property in their Client Configuration:

"prv_backup_to_designated_mailbox": "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: ...... fkw\n-----END PGP PUBLIC KEY BLOCK-----"
This property is subject to rules you must be aware of before its usage:
- The prv_backup_to_designated_mailbox property will be ignored when key_manager_url is set, and the system will use Email Key Manager (EKM) to back up keys.
- If the prv_backup_to_designated_mailbox property is set, then NO_PRV_BACKUP will be ignored.
- The properties prv_backup_to_designated_mailbox and PRV_AUTOIMPORT_OR_AUTOGEN can’t be used simultaneously, as it will result in an error on the client side.
It’s crucial to adhere to these rules to ensure seamless functionality and avoid any potential conflicts.
The backup process
When generating a new key, after the user sets the passphrase (the regular backup step), the system will automatically back up the private key to the designated mailbox, without asking the user which backup option to use.
This is the typical backup process that will be performed:
- The armored private key will be backed up in a decrypted state, so it doesn’t require any passphrase.
- The composed email will have the following structure:

| Section | Text |
|---|---|
| to | The primary UID of the prv_backup_to_designated_mailbox public key. |
| subject | FlowCrypt OpenPGP Private Key backup for the user ${userEmail} with ID ${primaryFingerprint} |
| body | Please keep this email and attachment in the mailbox for safekeeping. It will be needed if the user ever needs to set up FlowCrypt again or forgets their passphrase. Without this, the user won’t be able to read their emails. |

- The backup email will be encrypted with the public key assigned to the prv_backup_to_designated_mailbox property.
- This email will be sent to the primary UID email address contained in the public key assigned to the prv_backup_to_designated_mailbox property.
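The following added example (not FlowCrypt’s own code) models the Client Configuration precedence rules listed above and composes the fields of the backup email from the table. It assumes the flags live in a `flags` array, that the designated public key has already been parsed into its primary UID email and fingerprint (hypothetical `DesignatedKey` type), and that the EKM-first reading of the rules applies, so a conflicting `PRV_AUTOIMPORT_OR_AUTOGEN` flag only raises an error when the designated mailbox is actually in effect.

```typescript
// Added example, not FlowCrypt's own code. Models the prv_backup_to_designated_mailbox
// rules and composes the backup email fields. Parsing the armored key is out of scope.
type ClientConfiguration = {
  key_manager_url?: string;
  prv_backup_to_designated_mailbox?: string; // armored public key block
  flags?: string[]; // assumed to carry NO_PRV_BACKUP / PRV_AUTOIMPORT_OR_AUTOGEN
};
type BackupMode = "EKM" | "DESIGNATED_MAILBOX" | "NO_BACKUP" | "USER_CHOICE";
type Resolution = { mode: BackupMode; warnings: string[] };

function resolveBackupMode(cfg: ClientConfiguration): Resolution {
  const flags = new Set(cfg.flags ?? []);
  const designated = Boolean(cfg.prv_backup_to_designated_mailbox);
  const warnings: string[] = [];
  // Rule 1: key_manager_url wins; the designated mailbox is ignored and EKM backs up keys.
  if (cfg.key_manager_url) {
    if (designated) warnings.push("prv_backup_to_designated_mailbox ignored: key_manager_url is set");
    return { mode: "EKM", warnings };
  }
  if (designated) {
    // Rule 3: autoimport/autogen cannot coexist with the designated mailbox (client-side error).
    if (flags.has("PRV_AUTOIMPORT_OR_AUTOGEN")) {
      throw new Error("prv_backup_to_designated_mailbox and PRV_AUTOIMPORT_OR_AUTOGEN cannot be used together");
    }
    // Rule 2: NO_PRV_BACKUP is overridden by the designated mailbox.
    if (flags.has("NO_PRV_BACKUP")) warnings.push("NO_PRV_BACKUP ignored: prv_backup_to_designated_mailbox is set");
    return { mode: "DESIGNATED_MAILBOX", warnings };
  }
  return { mode: flags.has("NO_PRV_BACKUP") ? "NO_BACKUP" : "USER_CHOICE", warnings };
}

// Designated key after parsing (assumed shape): primary UID email and fingerprint.
type DesignatedKey = { primaryUidEmail: string; fingerprint: string };

function composeBackupEmail(key: DesignatedKey, userEmail: string, primaryFingerprint: string) {
  return {
    to: key.primaryUidEmail, // primary UID of the designated public key
    subject: `FlowCrypt OpenPGP Private Key backup for the user ${userEmail} with ID ${primaryFingerprint}`,
    body: "Please keep this email and attachment in the mailbox for safekeeping. It will be needed if the user " +
      "ever needs to set up FlowCrypt again or forgets their passphrase. Without this, the user won't be able to read their emails.",
    encryptTo: key.fingerprint, // the message is encrypted to the designated public key, not the user's
  };
}
```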
Below, we describe how users can set up their account when this option is enabled.
Account setup configuration
The account setup process with this option is very similar to the process for setting up a regular account.
1. When a user finishes signing in with a Google account, a window will appear notifying them that the private key will be backed up to the Key Manager Administrator mailbox.
2. If the user chooses to create a new key, the system will display the regular passphrase setup page. Here, users choose whether they want to back up an encrypted private key in their inbox or not. Regardless of whether this checkbox is checked, the system will automatically back up the private key to the specified mailbox maintained by the administrator.
3. After the user sets a passphrase and clicks the CREATE AND SAVE button, the administrator will receive an email containing the user’s private key.
At this point, the FlowCrypt account is set up and can be used to send and receive encrypted emails.
Account recovery
This is the typical procedure that will be followed to recover the user’s account in cases where they forget their passphrase:
- The help desk downloads the decrypted (unprotected) private key. This is possible only from a device that has FlowCrypt (or any other OpenPGP software) installed. Otherwise, admins will need to install FlowCrypt first to decrypt the message and download the unprotected private key.
- The help desk uses FlowCrypt to send an email, while ignoring the previous public key of the user. Assuming user@example.com needs the key, they send it to user+key@example.com. FlowCrypt will then suggest sending the email password-protected. We recommend using a strong password with a minimum length of 16 characters. Since users don’t have access to their encrypted inbox in such cases, sending an encrypted email to them is not possible. Google offers a feature that allows appending a plus (“+”) sign followed by a combination of words or numbers to the email address. This enables sending emails to this modified address, while the emails are actually delivered to the original address. Therefore, when an email is sent to user+key@example.com, it will be delivered to user@example.com. This approach allows administrators to send users a password-protected email containing the private key as an attachment that users can decrypt with the password to access its data.
- The help desk texts the user an SMS with the password required to read the password-protected email.
- The user receives the email containing the link, which redirects them to the Web Portal. They then enter the password to download the private key.
- The user reinstalls the browser extension.
- During the setup process, the user imports the private key received from admins and chooses a new passphrase when prompted.