Overview
This Action programmatically copies the decrypted contents of a Dropzone submission into a designated SendSafely Workspace for long-term storage and organization.
To request the template for this Action example, please reach out to your SendSafely account rep.
Please note that this Action requires access to the contents of SendSafely packages, and thus must be configured with a Portal Master Key or Trusted Device Key.
Setup Instructions
1. Deploy the Lambda
To deploy the Lambda, you'll need the following permissions in AWS:
- Create a new Lambda Function
- Create a new AWS Secret (AWS Secrets Manager)
- Define a custom IAM Role for the Lambda function
Follow these steps:
- In AWS, navigate to CloudFormation and click Create stack, then select "With new resources (standard)" from the dropdown.
- Under Template source, select "Upload a template file," then click Choose file and select the YAML file provided by your SendSafely account rep.
- Click Next. Name the stack, e.g., "CopyToWorkspace," then click Next.
- Click the three checkboxes at the bottom of the page, then click Next.
- Click Submit.
- Wait for the Stack's status to change from "CREATE_IN_PROGRESS" to "CREATE_COMPLETE."
2. Configure Secure Message Export (Optional)
By default, only file attachments are copied to the Workspace. To also export a secure message from a Dropzone submission as a .txt file within the package folder, set the Lambda environment variable ENABLE_SECURE_MESSAGE_EXPORT to true.
3. Update Secrets Manager
We'll update the CopyToWorkspace_Copy_To_Workspace_Config Secret generated by this deployment. Click on this Secret in Secrets Manager, click Retrieve secret value, and click Edit. Provide the following secret values:
- ss-host
- ss-api-key
- ss-api-secret
- pk-<ss-public-key-id>. Note that you must update the Name of this secret to replace the text <ss-public-key-id> with the actual public key ID of your Master Key or Trusted Device Key. You must update the Value of this secret with the full text of the private key, including the opening and closing tags:
  -----BEGIN PGP PRIVATE KEY BLOCK-----
  -----END PGP PRIVATE KEY BLOCK-----
- workspacePackageId: the 8-character Package ID of the destination Workspace. To find this:
  - Navigate to the destination Workspace in your SendSafely portal.
  - Click the Cog icon.
  - Copy the Workspace Package ID.
For now, leave the remaining secret value unchanged and click Save. We'll populate it in Step 7.
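A check to run on the secret values listed above before saving, as an added example (not SendSafely's code and not part of the provided template): it takes the secret's key/value pairs as a dict and reports problems by key name only, so no secret value ends up in a log. The key names come from this article; the `check_secret` function, the individual checks and the sample values are assumptions of this example.

```python
# Added example: validates the CopyToWorkspace secret's key/value pairs offline.
ARMOR_BEGIN = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
ARMOR_END = "-----END PGP PRIVATE KEY BLOCK-----"
REQUIRED = ("ss-host", "ss-api-key", "ss-api-secret", "workspacePackageId")


def check_secret(secret, require_action_secret=False):
    """Return problems as strings that name keys but never echo secret values."""
    problems = []
    for name in REQUIRED:
        if not secret.get(name, "").strip():
            problems.append(f"{name}: missing or empty")
    pkg = secret.get("workspacePackageId", "").strip()
    if pkg and len(pkg) != 8:
        problems.append("workspacePackageId: expected 8 characters")

    pk_names = [k for k in secret if k.startswith("pk-")]
    if not pk_names:
        problems.append("pk-*: no private key entry")
    for name in pk_names:
        if "<" in name or ">" in name:
            problems.append(f"{name}: name still contains the placeholder")
        value = secret[name].strip()
        if not (value.startswith(ARMOR_BEGIN) and value.endswith(ARMOR_END)):
            problems.append(f"{name}: value lacks the BEGIN/END tags")

    # Step 7 fills this in, so it is only required once the Workflow is built.
    if require_action_secret and not any(
        k.startswith("action-secret-id-") and v.strip() for k, v in secret.items()
    ):
        problems.append("action-secret-id-*: action secret not set")
    return problems


# Constructed sample: no real host, credentials, IDs or key material.
SAMPLE = {
    "ss-host": "https://portal.example.com",
    "ss-api-key": "constructed-key",
    "ss-api-secret": "constructed-secret",
    "pk-<ss-public-key-id>": f"{ARMOR_BEGIN}\n(constructed)\n{ARMOR_END}\n",
    "workspacePackageId": "ABCD-1234",  # 9 characters, so it is flagged
    "action-secret-id-<actionId-finalize-package>": "",
}

if __name__ == "__main__":
    for problem in check_secret(SAMPLE, require_action_secret=True):
        print(problem)
```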
4. Create a new Workflow
As an admin logged into your SendSafely portal, click the circle containing your initials in the top-right corner of the screen and select SendSafely Actions. Here, click New Workflow.
5. Set up the trigger
- Select "A package is finalized" as the trigger event.
- Click the plus button and select Add an Event Filter.
- From the Criteria dropdown, select Package Type.
- From the Operator dropdown, select equals.
- In the Value input, select Dropzone.
This will cause the Workflow to fire each time a Dropzone submission is completed.
6. Decide whether this Workflow will apply to a specific Dropzone's packages (Optional)
This Workflow, by default, will apply to all packages portal-wide. To limit its scope to packages submitted to a particular Dropzone:
- Click the plus button and select Add an Event Filter.
- From the Criteria dropdown, select Package Owner Email.
- From the Operator dropdown, select equals.
- In the Value input, type the email of the Dropzone owner and click Save.
7. Add the Actions
Three Actions comprise this Workflow. We will add them one at a time.
Action 1.
First, we'll hold the package, temporarily preventing its deletion.
- Click the plus button and select Add an Action.
- From the Action dropdown, select Hold Package.
- From the Notification dropdown, select Notify on Error or Timeout.
Action 2.
Next, we'll invoke the webhook of the Lambda, which will use the Master Key to decrypt the package's contents, copy them to the destination Workspace, and return a verdict.
- Click the plus button and select Add another Action.
- From the Action dropdown, select Invoke an External Webhook.
- From the Notification dropdown, select Notify on False, or Timeout.
- Retrieve the CopyToWorkspaceWebhookUrl from the Outputs tab of the relevant Stack in CloudFormation, then paste it into the input in SendSafely and click Save.
- Click the text that says "Click here to view the action secret," then click Copy.
- In AWS Secrets Manager, click into the CopyToWorkspace_Copy_To_Workspace_Config Secret.
- Click Retrieve secret value, then click Edit.
- Paste the action secret into the value for action-secret-id-<actionId-finalize-package>, then click Save.
Action 3.
Last, we'll release the package, rendering its contents available to its recipients.
- Click the plus button and select Add another Action.
- From the Action dropdown, select Release Package.
- From the Notification dropdown, select Notify on Error or Timeout.
Add Action Filter.
We'll now add an Action Filter to this 3rd Action, so that it only runs if the 2nd Action succeeds. Packages successfully copied to the Workspace will be released, whereas packages whose copy failed will remain held.
- Click Add Action Filter.
- From the Criteria dropdown, select Action Step 2 Result.
- From the Operator dropdown, select Equals.
- From the Value dropdown, select True.
8. Activate the Workflow
At the top of the page, click the toggle next to the text "Disabled" to enable the Action. The text will change from "Disabled" to "Live."
9. Test the Workflow
Now that we've activated the Workflow, let's trigger it by making a Dropzone submission.
If the package is not successfully copied to the Workspace, it will remain held. If the package is successfully copied to the Workspace, it will be released and can be deleted.