Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Suggestion] Extend support to Google Vault for orgs with email retention policies/reviews for legal reasons #5705

Open
martgil opened this issue May 7, 2024 · 2 comments
Open

[Feature Suggestion] Extend support to Google Vault for orgs with email retention policies/reviews for legal reasons #5705

martgil opened this issue May 7, 2024 · 2 comments

Comments

@martgil
Copy link
Collaborator

martgil commented May 7, 2024

Description

Some organizations may need to review encrypted emails within Google Vault. We've received inquiries about whether the extension could possibly include this as an extended feature, especially for organizations with implemented email retention policies.

As an insight, Virtru offers a similar feature, although they use AES 256 encryption instead of PGP public key encryption. Here's their architecture: https://www.virtru.com/saas-platform-architecture. However, we haven't tested it yet.

The interest lies in the ability to seamlessly view decrypted versions of encrypted emails on Google Vault, ideally with a single click, such as "view decrypted message." In an ideal workflow, the admin, having a higher role, would be included in all correspondence emails (in To, CC, BCC), and a similar decryption process would occur within https://vault.google.com.

Reference: https://mail.google.com/mail/u/human@flowcrypt.com/#inbox/FMfcgzGxStnFlblWvDcmgVqbJdqBVgCS
@martgil
Copy link
Collaborator Author

martgil commented May 7, 2024

Hello @sosnovsky, cc: @tomholub. We've received an interesting feature suggestion that I'd like to discuss with you. Your thoughts on this would be greatly appreciated. Thanks!

@tomholub
Copy link
Collaborator

It's not the first time we hear of ability to decrypt in Google Vault. I suppose no changes would be needed on EKM, as long as the browser extension user can authenticate as admin with the IdP and then send appropriate ID token to EKM. The browser extension would need to be calling Admin EKM APIs to retrieve end user private key and decrypt with that. It sounds pretty complicated:

  • need to add client configuration for admin auth through browser extension
  • browser extension needs to use this auth to authenticate the user, but only for Google Vault
  • add content script for recognition of these messages and decryption

But doable. I think it would be worthwhile to implement for a potential customer that can bring revenue of at least 25k EUR in the first year to be worth the dev costs. After that, we could offer it to all paying customers.

I'd say this should be considered after #5311 as these two issues are related in both using a separate IdP, and that one is already underway. Having #5311 done should help in implementing this issue too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tomholub @martgil