Open martgil opened 1 month ago
martgil
commented
1 month ago Hello @sosnovsky, cc: @tomholub. We've received an interesting feature suggestion that I'd like to discuss with you. Your thoughts on this would be greatly appreciated. Thanks!
tomholub
commented
1 month ago It's not the first time we hear of ability to decrypt in Google Vault. I suppose no changes would be needed on EKM, as long as the browser extension user can authenticate as admin with the IdP and then send appropriate ID token to EKM. The browser extension would need to be calling Admin EKM APIs to retrieve end user private key and decrypt with that. It sounds pretty complicated:
But doable. I think it would be worthwhile to implement for a potential customer that can bring revenue of at least 25k EUR in the first year to be worth the dev costs. After that, we could offer it to all paying customers.
I'd say this should be considered after #5311 as these two issues are related in both using a separate IdP, and that one is already underway. Having #5311 done should help in implementing this issue too.
Description
Some organizations may need to review encrypted emails within Google Vault. We've received inquiries about whether the extension could possibly include this as an extended feature, especially for organizations with implemented email retention policies.
As an insight, Virtru offers a similar feature, although they use AES 256 encryption instead of PGP public key encryption. Here's their architecture: https://www.virtru.com/saas-platform-architecture. However, we haven't tested it yet.
The interest lies in the ability to seamlessly view decrypted versions of encrypted emails on Google Vault, ideally with a single click, such as "view decrypted message." In an ideal workflow, the admin, having a higher role, would be included in all correspondence emails (in To, CC, BCC), and a similar decryption process would occur within https://vault.google.com.
Reference: https://mail.google.com/mail/u/human@flowcrypt.com/#inbox/FMfcgzGxStnFlblWvDcmgVqbJdqBVgCS