Security summary
Service access: The service is a web app, requiring no new software installation or operating system-level access. TLS1.3 is used for client-client comms and secures all traffic on top of content encryption.
Registration: When a user creates their DekkoSecure account (via invite only), an ECC-384 encryption key pair (public and private key) is generated on the client (the web app). The public key and a secured version of the private key (encrypted using the user’s password) are stored on DekkoSecure’s sovereign cloud (or the customer's Entra ID).
Authentication: Users are identified uniquely by their registered email address. Successful authentication requires a registered email, the correct password, and optionally, two-factor authentication or successful Entra ID authentication. Successful authentication retrieves and decrypts the user’s private key on the client, which is kept in the user’s browser storage until they log out.
Upload: Files uploaded to DekkoSecure are signed and encrypted using the uploader’s private key. An additional encryption layer is added using a unique key generated at the time of upload (AES-256).
Storage: Files are stored with zero knowledge, meaning DekkoSecure cannot access user’s files. DekkoSecure does not have access to the private keys used to encrypt files; even with physical access to the cloud data centre, user files remain unreadable.
Sharing and messaging: Files and messages are secured using end-to-end encryption through an asymmetric key exchange (PKI). All files are explicitly shared in protected groups ("Hubs") with a unique permission.
eSignature workflow: Files sent with an eSignature request are shared in the same way as standard files. Every element (text, images, signature) added to the document by the signer is digitally signed using their private key. The hash of the signed file is stored for checking using the verification feature.
Video conferencing: Every video conference has a unique encryption key, which is shared with invitees through an asymmetric key exchange (PKI). If a user is removed from a conference by the host, a new conference key is generated and shared amongst the remaining participants.
Document collaboration: When an Office file is opened for editing, confidential compute architecture is used to host the [server-side] environment where it is manipulated by the user. File co-owners can also edit collaboratively in real-time.
Media playback: Similarly to document collaboration, video and audio files are rendered using confidential compute architecture which is streamed to the user.
Content Access: Content (files and message) recipients are notified via email and must log in to their DekkoSecure account to view or download shared files. The recipient’s private key is used to access the file, and the sender’s public key is used to verify content integrity.
FAQ
Does DekkoSecure use proprietary encryption?
No, DekkoSecure does not use proprietary encryption. The application's security model relies on industry-standard encryption mechanisms, protocols, and algorithms with a proven track record for robust security. It utilises widely-accepted standards such as AES-256 for symmetric encryption and follows established protocols for secure communication.
Data is secured and accessed by user’s keys (end-to-end encryption) rather than keys owned by DekkoSecure. This stands DekkoSecure apart from most collaboration offerings as one of the very few vendors that makes a guarantee that it cannot access customer data (along with many other security and privacy benefits!).
What is ECC-384 and AES-256?
ECC-384 is a variant of Elliptic Curve Cryptography (ECC), known for its strong security with shorter key lengths, making it preferable in resource-constrained environments.
AES-256, part of the Advanced Encryption Standard (AES) family, is a symmetric encryption algorithm widely adopted for its high-security level due to its 256-bit key length.
Where are users’ encryption keys generated?
Encryption keys are generated client-side by the DekkoSecure web application during account registration. Private keys are encrypted using users’ passwords before being stored by DekkoSecure, ensuring they are inaccessible on the server.
Where are users’ encryption keys stored?
Encryption keys only ever exist in a form that can be used by the DekkoSecure application on the user’s client device while a user is logged in. Keys are stored encrypted by DekkoSecure, and DekkoSecure as the vendor/key store has no information that can be used to decrypt user’s keys (i.e., user’s passwords).
Where does the key management take place?
All key management, including user key generation, key retrieval, content key generation, and sharing key exchange/PKI, occurs client-side within the DekkoSecure web application. Network layer (HSTS/TLS, “in transit”) and “at-rest” security (managed by Microsoft Azure for the cloud-based DekkoSecure service) are consistently enforced and complement application layer security. By way of comparison, most competing services only offer in transit and at rest security.
Does DekkoSecure use PGP?
No, DekkoSecure does not use PGP. While its security model shares similarities with PGP, DekkoSecure’s implementation is more comprehensive and offers greater security depth.
Does DekkoSecure allow BYO keys/certificates/hardware modules/etc.?
No, the DekkoSecure web application internally handles all key management processes, eliminating the need for external key and certificate systems. If you choose to host the DekkoSecure application (on-prem), your disk encryption will serve as the at rest encryption scheme.
Can encryption keys be rotated?
A user’s key can be rotated by recreating (deleting and re-registering) their account. Note: Deleting an account also erases all associated content (files, messages, etc.).
A file’s key can be rotated by deleting and re-uploading it.
Are there ‘master’ keys / can admins access or manage an organisation’s key(s)?
No. The security model of the DekkoSecure application does not utilise single keys for multiple users or files. All users have a public and private key, and every individual content item (files, messages, etc.) also have their own key. Administrators/privileged personnel cannot access content unless it is explicitly shared with them.
Can DekkoSecure encrypt my emails (sent by Outlook)?
No, DekkoSecure is not an email system and does not run in a mail client such as Outlook; DekkoSecure can be considered as a secure alternative to email. The Mail feature functions similarly to regular email, and supports attachments (with no size limit), revoke and read receipts.
Notifications from the DekkoSecure application are delivered via email (i.e., “John Smith has shared files with you on DekkoSecure”).
Example security flow
Below is a look in to how the DekkoSecure application secures a file sharing interaction:
1- Registration
When a DekkoSecure user creates their account, an encryption key pair (public and private key) is generated on the client (the web app). Public and private keys are generated using ECC with a 384-bit key length. The public key and a secured version of private key (encrypted using the user's password) are stored on DekkoSecure's sovereign cloud.
2 - Authentication
DekkoSecure users are identified uniquely by their registered email address. Successful authentication requires a registered email, the correct password and (optionally) two-factor authentication. A correct password will retrieve and decrypt the user's private key which is kept in the user's browser storage until they log out.
3 - File upload
4 - File storage
Files uploaded to DekkoSecure are signed and encrypted using the uploader's private key. An additional encryption layer is also added using a unique key that is generated at the time of upload (AES-256). TLS1.3 secures all traffic on top of file encryption.
Files are stored with zero knowledge, meaning there is no way DekkoSecure can access the user's files. This is made possible be the fact that we do not have access to the private key(s) which are used to encrypt them. Even if we walked in to our cloud data centre and took a hard drive out, we still couldn't read a user's files!
5 - File sharing
6 - File receipt
Files shared with existing DekkoSecure users are secured using end-to-end encryption by way of an asymmetric key exchange. File sharing with existing users is enforced by default, but customers are able to disable this policy. If files are shared with an unregistered address, the file key is stored securely and then passed to the user when they complete registration - after this point, all future interactions are end-to-end encrypted.
File sharing recipients are notified via email and must log in to their DekkoSecure account to view or download anything that is shared with them. The recipient's private key is used to access file and the sender's public key is used to verify the file's integrity.
7 - File deletion
When data (or accounts) are deleted, the keys for all data subject to deletion are erased. Following this, the encrypted data is overwritten with garbage data which is then deleted again.