
E2E Encryption Configuration

Overview

Configuration for the MindLink End-to-End Encryption (E2EE) system.

Management Center configuration

Management tool page

General
Encryption capabilities are backed by Security Contexts, so encryption key lifetimes are configured when setting these up. See the PowerShell New-MceSecurityContext cmdlet for details. Message encryption keys are created by chat participants in encrypted MCE groups. To limit exposure in the unlikely event that a key is compromised, the system requires keys to be cycled periodically. A shorter key lifetime therefore represents a safer configuration, but it comes at the cost of higher data churn and time penalties for users. A sensible balance of these concerns is recommended.

  • Enable Encryption: Enables or disables encryption capabilities.

  • Enable strict encryption policy: Whether to enable strict encryption policies. When enabled, Security Contexts can only be enabled for encryption if they have the backing PKI capabilities, and users will be required to enable encryption when creating MCE groups if the Security Contexts they've selected support it. Note: This is off by default.

  • Maximum encryption key lifetime: The maximum lifetime MCE administrators can select when configuring a Security Context for encryption.

  • Default encryption key lifetime: If administrators do not specify a key lifetime when configuring a Security Context for encryption, this default value is applied automatically.

Certificate Repository

  • Server Address: The address of the certificate repository LDAP service.
  • Port: The port of the certificate repository LDAP service.
  • Certificate property name: The certificate property name that identifies the certificate data from the LDAP query response.
  • Client certificate: The client certificate for authorizing LDAP queries.

Decryption Service
Decryption services can be provided by an array of nodes. The MLA client will round-robin on this list to provide application-level load balancing.

  • Service URLs: The list of decryption service endpoints.

OCSP
Online Certificate Status Protocol services provide certificate revocation statuses in real-time. By enabling this feature, the client can make much faster determinations about the validity of certificate repository certificates.

  • Enable OCSP: Enables OCSP certificate revocation checks in the client.

  • Enable NONCE extension: The NONCE extension is an optional extension to the OCSP protocol that prevents certificate status replay attacks. For more information see: https://www.rfc-editor.org/rfc/rfc8954#section-3.

  • URL: The OCSP address.

  • Issuer Certificate Thumbprints: The list of CAs that issue certificate repository certificates. OCSP responses are digitally signed to guarantee their authenticity. By convention, MindLink expects the issuer CA to be configured in OCSP as the response signing certificate. The certificates configured in this list are sent to the client so that it can perform verification of OCSP responses.

    Note: Issuer CAs must be installed into the Intermediate Certificate Authorities store of the Local Machine.
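The OCSP checks described in this section, as an added example (not MindLink's own code): the client sends a request carrying a NONCE, a constructed responder signs the reply with the issuer CA itself, and the client accepts a response only if it is a fresh GOOD answer signed by a CA in the configured thumbprint list, so a replayed reply, a reply without a nonce, and a reply signed by an unlisted CA are all rejected. It uses the Python cryptography package and an in-process test PKI; the function names and the constructed CAs are assumptions.

```python
import datetime as dt, os
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp

NOW = dt.datetime.now(dt.timezone.utc)

def make_cert(cn, issuer=None):  # constructed PKI: returns (key, cert); self-signed unless issuer=(key, cert)
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(issuer[1].subject if issuer else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=1))
            .sign(issuer[0] if issuer else key, hashes.SHA256()))
    return key, cert

def thumbprint(cert):  # SHA-1 hex, the form the "Issuer Certificate Thumbprints" setting takes
    return cert.fingerprint(hashes.SHA1()).hex().upper()

def build_request(leaf, issuer_cert):
    nonce = os.urandom(16)  # fresh per request (RFC 8954), so a replayed reply fails the check below
    req = (ocsp.OCSPRequestBuilder().add_certificate(leaf, issuer_cert, hashes.SHA1())
           .add_extension(x509.OCSPNonce(nonce), critical=False).build())
    return req, nonce

def responder(req, ca, leaf, echo_nonce=True):
    # Constructed responder that signs with the issuer CA itself, as the convention above expects.
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf, issuer=ca[1], algorithm=hashes.SHA1(), cert_status=ocsp.OCSPCertStatus.GOOD,
        this_update=NOW, next_update=NOW + dt.timedelta(hours=1), revocation_time=None,
        revocation_reason=None).responder_id(ocsp.OCSPResponderEncoding.HASH, ca[1])
    if echo_nonce:  # a responder that ignores the nonce, or a replayed reply, fails verification
        nonce = req.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
        builder = builder.add_extension(x509.OCSPNonce(nonce), critical=False)
    return builder.sign(ca[0], hashes.SHA256())

def verify_response(resp, nonce, issuer_certs, trusted_thumbprints):  # client-side acceptance check
    got = [e.value.nonce for e in resp.extensions if isinstance(e.value, x509.OCSPNonce)]
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL or got != [nonce]:
        return False  # error response, nonce missing, or nonce from some other request
    for ca in issuer_certs:
        if thumbprint(ca) in trusted_thumbprints:  # only CAs the administrator listed may sign
            try:
                ca.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                       padding.PKCS1v15(), resp.signature_hash_algorithm)
                return resp.certificate_status == ocsp.OCSPCertStatus.GOOD
            except InvalidSignature: pass  # not signed by this CA; try the next configured issuer
    return False
```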

Firefox configuration for E2EE

Firefox by default does not include certificates from the local Windows store, nor does it treat preflight HTTPS requests in the same way as Chrome or Edge. Additional configuration is therefore required. Open a new tab in Firefox and enter about:config as the URL; you will be presented with a search box for advanced settings, where the following are set:

  • security.enterprise_roots.enabled
    • Set as: true
    • Connects the local certificate store
  • network.cors_preflight.allow_client_cert
    • Set as: true
    • Causes Firefox to behave like Chrome and Edge

Advanced Configuration Custom Settings

Optional Configuration

Setting up E2EE first requires configuration of MCE: MCE Configuration.

Each setting is listed as Key, followed by its Value and Description:

  • debug.connector.mce.multiplesecuritycontexts.enabled
    • Value: true
    • Description: [OPTIONAL] Whether to enable multi-CoI group creation. Note: This is off by default.
  • debug.connector.mce.enablebypass
    • Value: true
    • Description: [OPTIONAL] Whether to allow users to log in without being enabled in the MCE environment. Note: This is off by default.
  • debug.datalabelling.instantmessaging.disabled
    • Value: true
    • Description: [OPTIONAL] Whether to disable data labelling for instant messaging. Note: Data labelling is enabled by default.
  • debug.encryption.publickeyrepository.token.expirationtimeminutes
    • Value: 30
    • Description: [OPTIONAL] The MLA client makes requests for COI public key certificates via the ML server. It obtains a token to authorize this request. The token can be reused while it is valid to reduce the overhead of subsequent requests. Update this value to change the token expiration time. Note: This value defaults to 15 minutes.