Understanding "external PKI" mode
This mode is recommended for organizations that use a PKI solution to generate their encryption keys. SDS Encryption Portal can then use existing user keys.

"External PKI" mode has the following features:
- Users log in to the portal via the Microsoft Entra ID solution.
- You use the encryption keys generated by your PKI and already in use in the organization. Users import them into the portal to encrypt and decrypt documents for themselves or for other users of the same tenant.
- Tenant users can share encrypted documents with external users, i.e. those outside their tenant, using keys generated on the fly.
- Interoperability with the Stormshield Data Security solution is ensured by the use of the same encryption keys: documents encrypted via the portal, in .sdsx format, can be decrypted via the Stormshield Data Security agent, and vice versa.

- You must have the Microsoft Entra ID identity management solution.
- You must have a PKI solution within your organization.

Once the tenant has been created, users log on to SDS Encryption Portal via Microsoft Entra ID, using their usual login and password. When they log in for the first time, we recommend that they import their private key/certificate pair into the portal as a .p12 file, so that they can use their existing keys. The private key is securely stored in the browser's "IndexedDB" storage, and the certificate is published in the tenant database.
Once the keys have been imported, they are used for encryption and decryption operations carried out on the portal by users of the same tenant. The same files can be encrypted or decrypted either from SDS Encryption Portal or from Stormshield Data Security.
Users can also encrypt for external recipients, i.e. those belonging to a tenant other than their own or to no tenant at all, thanks to a system of on-the-fly generation of specific public keys.
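Before importing a .p12 file into the portal, it is worth confirming that the bundle really holds one private key and the matching end-entity certificate, since that is the pair the portal splits between the browser's IndexedDB and the tenant database. The script below is an added example and not Stormshield's code: it builds a throwaway .p12 bundle with openssl (a self-signed certificate stands in for the one your PKI would issue; the subject, passphrase and paths are constructed for the example) and then runs the checks a user or administrator would run on a real bundle.

```shell
#!/bin/sh
# Added example, not part of the Stormshield documentation or product.
# Assumes openssl is installed. The self-signed certificate stands in for a
# PKI-issued user certificate; subject, passphrase and paths are constructed.
set -e

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
PASS="example-passphrase"   # constructed; a real bundle uses the user's own passphrase
P12="$WORKDIR/user.p12"

# Build the bundle: a fresh RSA key plus a self-signed certificate, exported as PKCS#12.
make_bundle() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=user@example.com" \
    -keyout "$WORKDIR/user.key" -out "$WORKDIR/user.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORKDIR/user.key" -in "$WORKDIR/user.crt" \
    -name "user@example.com" -passout "pass:$PASS" -out "$P12"
}

# Number of private keys in the bundle; a portal import needs exactly one.
count_keys() {
  openssl pkcs12 -in "$P12" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN PRIVATE KEY'
}

# Number of end-entity (leaf) certificates; -clcerts leaves out any CA
# certificates a PKI may have added to the bundle.
count_certs() {
  openssl pkcs12 -in "$P12" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Check that the key and the leaf certificate belong together by comparing the
# SHA-256 digest of the public key derived from each; prints "match" or "mismatch".
key_matches_cert() {
  key_fp=$(openssl pkcs12 -in "$P12" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | openssl pkey -pubout -outform DER | openssl dgst -sha256)
  cert_fp=$(openssl pkcs12 -in "$P12" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
  if [ "$key_fp" = "$cert_fp" ]; then echo match; else echo mismatch; fi
}

make_bundle
echo "private keys:            $(count_keys)"
echo "leaf certificates:       $(count_certs)"
echo "key/certificate pairing: $(key_matches_cert)"
```

On a bundle exported by a real PKI, point `P12` and `PASS` at that file and skip `make_bundle`; a count other than one key and one leaf certificate, or a "mismatch" result, means the file is not the single private key/certificate pair the portal expects.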
To use SDS Encryption Portal in "External PKI" mode, see the following sections: