If your organization already keeps track of your employees’ public keys and their contacts, FlowCrypt can integrate with your key server to offer a smooth and secure experience.
Public Keys of users on your domain
FlowCrypt Attester can be configured to trust your internal keyserver for users on your domain. We can integrate with your LDAP keyserver, internal SKS keyserver, or other similar solutions. When looking for a public key for an email address on your domain, Attester will always check your own keyserver and not consider public keys from other sources. This way you’re in direct control of your users’ public keys.
When setting up the FlowCrypt email client, you have the option to enforce that any imported private keys match the records on your own public key server for a particular email address.
Public keys of your correspondents
If your keyserver is also keeping track of users on domains that you don’t control (e.g. keys of recipients outside of your organization), you can configure the FlowCrypt email client to always check your own keyserver first.
As a result, you control not only the distribution of your own users’ public keys but also which public keys are used for your users’ correspondents.
Key expiration, rotation, and periodic updates
FlowCrypt Attester, as well as FlowCrypt email clients, will periodically check for newer versions of the same key and update their copy if necessary. This handles key expiration, key rotation and other periodic updates.
After loading a public key from your keyserver into Attester for the first time, we’ll start checking for updates periodically. Attester pulls and updates public keys by longid from your keyserver every 30 days. If our copy of the public key is known to expire soon or has recently expired, the check can be performed daily instead.
If more than one key is available on your keyserver for a specific email address, we’ll prioritize keys that were created more recently.
If a key has been deleted from your keyserver or has been replaced with a completely different key for a particular email address, Attester won’t re-assign email-pubkey associations on our end by default. However, it can be configured to do it automatically if you wish.
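The refresh and selection rules described in this section (refresh by longid every 30 days, daily checks around expiration, most recently created key wins, no re-assignment by default), as an added Python sketch that is not FlowCrypt’s own code. The data model, the 14-day window for “expires soon” / “recently expired” and the sample keys are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed model of one public-key record as a keyserver cache might hold it.
@dataclass(frozen=True)
class CachedKey:
    longid: str              # OpenPGP long key ID, the identifier the refresh runs by
    created: date
    expires: Optional[date]  # None for a key without an expiration date
    last_checked: date       # last time this copy was pulled from the keyserver

NORMAL_INTERVAL = timedelta(days=30)  # from the page: refresh every 30 days
FAST_INTERVAL = timedelta(days=1)     # from the page: daily near expiration
EXPIRY_WINDOW = timedelta(days=14)    # assumption: what counts as "soon" / "recently"

def refresh_due(key: CachedKey, today: date) -> bool:
    """True if this cached copy should be re-pulled from the keyserver today."""
    interval = NORMAL_INTERVAL
    if key.expires is not None and abs(key.expires - today) <= EXPIRY_WINDOW:
        interval = FAST_INTERVAL  # about to expire or just expired: check daily
    return today - key.last_checked >= interval

def pick_newest(candidates: list[CachedKey]) -> Optional[CachedKey]:
    """Several keys served for one address: prefer the most recently created."""
    return max(candidates, key=lambda k: k.created, default=None)

def resolve(cached: Optional[CachedKey], served: list[CachedKey],
            reassign: bool = False) -> Optional[CachedKey]:
    """Decide which key stays associated with the address after a refresh.
    Same longid on the server -> take the updated copy. Key deleted or replaced
    by a different longid -> keep the existing association unless reassign=True."""
    if cached is None:
        return pick_newest(served)
    for k in served:
        if k.longid == cached.longid:
            return k
    return pick_newest(served) if reassign else cached

# Constructed sample data, not real keys.
TODAY = date(2024, 6, 1)
OLD_KEY = CachedKey("0123456789ABCDEF", date(2020, 1, 1), date(2024, 6, 10), date(2024, 5, 31))
NEW_KEY = CachedKey("FEDCBA9876543210", date(2024, 5, 1), None, date(2024, 5, 20))

if __name__ == "__main__":
    print(refresh_due(OLD_KEY, TODAY), refresh_due(NEW_KEY, TODAY))  # True False
    print(resolve(OLD_KEY, [NEW_KEY]).longid)                         # keeps OLD_KEY
    print(resolve(OLD_KEY, [NEW_KEY], reassign=True).longid)          # switches to NEW_KEY
```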
Other forms of integration
Please write us at human@flowcrypt.com if you’d like to discuss any functionality or need something that hasn’t been mentioned above.