Account creation
After installing the Seald application on the user workstation, you need to create a user account.
There are three methods to create a Seald account with the desktop application:
- in GUI with validation by e-mail;
- via the command line interface, with validation by e-mail;
- via the command line interface, with a validation token.
WARNING
If you have already performed these steps on another computer, please follow the device addition guide. If you repeat these steps, you may overwrite your account and lose access to your previously encrypted documents and emails.
Frequently Asked Questions
Questions often come up during a Seald deployment. Here are the answers to the most frequently asked questions.
Can I set up multiple Seald accounts on the same computer?
It is possible to configure one Seald account per user session. However, it is not possible to have multiple Seald accounts set up at the same time in the same user session.
What is the purpose of the email address associated with the Seald account?
A user account is an identity stored on Seald's servers. It is associated with one or more email addresses. One of them is called the primary email address; it is used by Seald to communicate with the user. In addition, all email addresses can be used by other Seald users to retrieve the associated Seald identity.
Can I associate an email address with multiple users?
It is not possible to associate an email address (e.g. a mailing list address) with multiple Seald user accounts. Recipients must be declared individually.
Is there a password for my user account?
No. A user does not have a password to access their Seald account. Only private identity keys are used to access a Seald account. Only the user's registered devices and administrator recovery keys can access these keys.
Can I associate multiple devices with my user account?
Once a user account is created on a device, new devices can be added:
- from an already registered device;
- using the administrator recovery key (currently unavailable without intervention from Seald teams).
DANGER
If you force the re-creation of a user account with the same email address on a new computer, the account on the old computer will become inoperative, and the account on the new device will not have access to protected documents & emails from and to the old device.
In graphical interface
To create an account in the GUI, you need to:
- Invite the user from the administration panel;
- Launch the application that was installed in the previous step;
- Choose "Join a team";
- Enter your full name, e.g. "Steve Jobs", then click "Next";
- Enter your e-mail address, e.g. "steve@mycompany.com", accept the GTC and click "Next";
- If the warning "This e-mail already exists. The old account will be revoked" is displayed, this means that you have already performed these operations on another computer, and that by continuing you will overwrite your old account and the devices associated with it. If you want to use your existing account, please follow the device addition guide;
- Copy the validation code sent to you by e-mail;
- Select the team you want to join and accept.
For more details on the different options when creating an account from the desktop application, complete documentation is available here.
From the command line
It is possible to use the command line interface to create a user account.
To do so, you need to:
- Invite the user from the administration panel;
- Retrieve the ID of your Team in the "Profile" -> "General" part of the administration board;
- Execute the following creation command:
cd %LOCALAPPDATA%\Programs\Seald
seald-cli create-account --display-name "Steve Jobs" --email steve@mycompany.com --accept-license --team-id 00000000-0000-0000-0000-000000000000 --accept-backup-keys
- The command may ask you if you want to overwrite your account. This is most likely because you have already performed these steps on another computer; in that case, please follow the device addition guide to use your existing account. If you want to overwrite the old account, you can write "yes" and press the enter key;
- You will then be asked to copy the confirmation code received by email; do so and press enter.
TIP
For a detailed explanation of how to use the CLI on different operating systems, please refer to its user guide.
For a detailed explanation of this command, refer to its documentation: create-account.
From the command line with a validation token
To simplify installation and avoid having to manually invite each user and validate each email address individually, validation tokens can be used when creating accounts.
- Have the desired domain validated by the Seald teams;
- Retrieve the validation key from the administration dashboard;
- Generate a validation token for the desired e-mail address;
- Execute the following command:
cd %LOCALAPPDATA%\Programs\Seald
seald-cli create-account --display-name "Steve Jobs" --accept-license --email steve@apple.com --email-validation 5f32fdb5-cb1d-4b1b-b981-d35f75e9376c:1b4e5537890f92cce85d86df22eergerg4 --accept-backup-keys
Generation of validation tokens
These tokens are generated using a validation key specific to the domain to be validated, which is accessible in the administration dashboard. This menu is only available if the Seald team has validated that the corresponding domain belongs exclusively to your team.
Validation tokens can be manually generated on the administration dashboard. To do this, go to the "User" page, "Invitations in progress" tab. Then, for the desired user, if their email address corresponds to one of the pre-validated domains, open the options and choose "Generate a pre-validation token".
It is also possible to generate these tokens programmatically. The tokens are generated by the following script, downloadable here.
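const crypto = require('crypto')

// Command line arguments: <email> <domainValidationKeyId> <domainValidationKey>
const email = process.argv[2]
const domainValidationKeyId = process.argv[3]
const domainValidationKey = process.argv[4]

// Refuse to run with missing arguments, which would otherwise yield a token for "undefined"
if (!email || !domainValidationKeyId || !domainValidationKey) {
  console.error('Usage: node script.js <email> <domainValidationKeyId> <domainValidationKey>')
  process.exit(1)
}

const random = (size = 1000) => crypto.randomBytes(size)

// Promise wrapper around crypto.scrypt
const scrypt = (buff, salt) => new Promise((resolve, reject) => {
  crypto.scrypt(
    buff,
    salt,
    64, // 64 bytes for a 256 bits key (there is also a signing key for HMAC)
    { N: 16384, r: 8, p: 1 },
    (err, key) => {
      if (err) reject(err)
      else resolve(key)
    }
  )
})

const generate = async (email, domainValidationKeyId, domainValidationKey) => {
  // A fresh random nonce, hex-encoded, is used as the scrypt salt
  const nonce = random(32).toString('hex')
  const token = (await scrypt(
    Buffer.from(`${email}-${domainValidationKey}`, 'utf8'),
    Buffer.from(nonce, 'utf8')
  )).toString('hex')
  console.log(`TOKEN: ${domainValidationKeyId}:${nonce}:${token}`)
}

generate(email, domainValidationKeyId, domainValidationKey).catch((err) => {
  console.error(err)
  process.exit(1)
})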
This script runs with Node.js and takes the following arguments:
node script.js <email> <domainValidationKeyId> <domainValidationKey>
domainValidationKeyId and domainValidationKey can be found on the dashboard, on the Domains page.
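The token printed by the script binds one e-mail address to the domain validation key through the nonce. The following added example (not Seald's code, and not taken from the original page) shows how a verifier holding the same key could recompute and compare it; `checkToken`, `lookupSample` and the sample key values are assumptions made for illustration.

```javascript
const crypto = require('crypto')

// Same scrypt parameters and output length as the generation script above.
const SCRYPT_PARAMS = { N: 16384, r: 8, p: 1 }
const KEY_LEN = 64

// Same derivation as the generation script, in synchronous form.
const derive = (email, domainValidationKey, nonce) =>
  crypto.scryptSync(
    Buffer.from(`${email}-${domainValidationKey}`, 'utf8'),
    Buffer.from(nonce, 'utf8'),
    KEY_LEN,
    SCRYPT_PARAMS
  )

// Builds a token in the keyId:nonce:token layout the script prints.
const makeToken = (email, keyId, key) => {
  const nonce = crypto.randomBytes(32).toString('hex')
  return `${keyId}:${nonce}:${derive(email, key, nonce).toString('hex')}`
}

// Hypothetical verifier: lookupKey maps a key ID to its validation key.
const checkToken = (email, token, lookupKey) => {
  const parts = token.split(':')
  if (parts.length !== 3) return false
  const [keyId, nonce, digest] = parts
  // Reject anything that is not the exact hex shape the generator emits.
  if (!/^[0-9a-f]{64}$/.test(nonce) || !/^[0-9a-f]{128}$/.test(digest)) return false
  const key = lookupKey(keyId)
  if (key === undefined) return false
  // Both buffers are 64 bytes here, as timingSafeEqual requires.
  return crypto.timingSafeEqual(derive(email, key, nonce), Buffer.from(digest, 'hex'))
}

// Constructed sample values, not real Seald keys.
const SAMPLE_KEYS = new Map([['sample-key-id', 'sample-domain-validation-key']])
const lookupSample = (keyId) => SAMPLE_KEYS.get(keyId)

const demo = () => {
  const token = makeToken('steve@mycompany.com', 'sample-key-id', 'sample-domain-validation-key')
  return {
    sameEmail: checkToken('steve@mycompany.com', token, lookupSample),
    otherEmail: checkToken('eve@mycompany.com', token, lookupSample),
    truncated: checkToken('steve@mycompany.com', token.slice(0, -2), lookupSample)
  }
}
console.log(demo())
```

Because anyone holding the domain validation key can produce a valid token for any address in the domain, the key should be stored and handled like a credential.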