PreVeil System Implementation Guide for IT Administrators


Service Implementation Process for Individual and Enterprise Use

Closed Network & User Invitations

PreVeil operates as a closed system and PreVeil users can only communicate and share files with other PreVeil users. Current PreVeil users can auto-invite non-users by emailing them from PreVeil, triggering the PreVeil service to send the recipient an invitation to join PreVeil. There will always be a free version of PreVeil available for individual users. Note: for enterprises that implement PreVeil’s Trusted Community feature, auto-invites will be limited to email addresses and domains that have been white-listed by administrators.

Devices & User Access

Creating a PreVeil account requires the PreVeil software agent to be installed; the agent will generate the public/private key pair that will be associated with the account.

This key pair is what grants access to the user’s PreVeil account, so it is important that the account be created on a device dedicated to that user. If the account is created on a shared computer, the key pair will be accessible only to the local machine user account under which it was created. Once an account is created, the private key can be securely copied (in a way that no third party can read it) onto each additional device from which the user wants to access their PreVeil account.

Individual Installation and Account Setup

For individual use, PreVeil can be installed by going to https://www.preveil.com/download to download and install the software. The executables are digitally signed on both Windows (Extended Validation code-signing certificate) and macOS. After installing, the user can either create a new PreVeil account or copy an existing PreVeil account onto the device.

The typical personal installation/setup process is as follows:

  1. The user downloads and installs PreVeil;

  2. The user chooses to copy an existing account onto the computer or create a new account;

  3. If creating a new account, the user enters their email and name and then receives a verification email from PreVeil;

  4. Upon clicking the link in the email, the PreVeil software creates the user’s key pair and sends the public key to the PreVeil server. The private key is kept on the user’s device.

Enterprise Installation and Account Setup – Organizations & Administrators

Enterprise deployments of PreVeil must be initiated by an initial user that will become an administrator of the enterprise’s PreVeil “Organization” that is then used to manage all of that enterprise’s users. The initial user/admin can easily add other administrators in the future.

 

The process to set up an Organization is as follows:

  1. An Admin for the enterprise downloads PreVeil and creates an individual account (see above)

  2. The admin creates an enterprise-level PreVeil “Organization” following the process specified by the PreVeil Tech Support team during a live onboarding call. In this process, that user becomes, by default, the first administrator of the Organization.

  3. The admin can then add, remove, or promote users to admin status within the Organization as well as configure enterprise settings.

  4. Users who are added by administrators will receive a standard (unencrypted) email from the PreVeil system. Once the users have installed PreVeil onto their system (either in advance via Active Directory or by installing PreVeil individually), clicking a link on this email will perform the account creation process on the machine. Note that administrators should ensure that users perform the installation/click the link on dedicated devices.

  5. Administrators can also request to ‘subsume’ existing individual PreVeil accounts that have been created by users but are not yet associated with an Organization. The account must opt-in to the subsume request, after which the server associates the account with the Organization requesting to subsume the user. Users that are already in other Organizations cannot be subsumed.

Remote Installation & Distribution

PreVeil software is also available in a Microsoft Installer (MSI) file which supports enterprise deployment through remote software installation managers such as Active Directory. Once the MSI file is distributed and remotely installed, users only need to click a link in the invitation email to initialize the account creation process on their device. The MSI file may be found at https://www.preveil.com/download .

 

Mail Client Integration through Local IMAP and SMTP Servers

PreVeil can automatically integrate with Outlook (2016 and newer) and Apple Mail, and can also be manually configured to work with additional mail user agents that support the IMAP/SMTP protocols (http://127.0.0.1:4003/settings/install-profile). PreVeil supports these by installing local IMAP and SMTP servers that in turn communicate with the PreVeil servers. Since the connection between the email application and the local IMAP/SMTP servers is local-only (it is not exposed to the internet), that connection is currently not encrypted.

 

Auto-updating & Keeping PreVeil Software Up to Date

The standard PreVeil client installs an updater client that checks for a new version of the PreVeil software every 3 minutes. The updater polls https://deploy.preveil.com. If a new upgrade is available, the package is downloaded from S3 at https://s3.amazonaws.com/pv-deploy-builds and its integrity is verified against a public key embedded in the installer.

 

When performing the software update, the updater service will stop all existing PreVeil services, perform the upgrade by replacing existing files with newer versions, then restart all services. During an upgrade, a few minutes of client-side downtime are to be expected.

 

 

 

Architecture Behind the PreVeil Service

High-Level System Architecture

Below is a diagram and description that illustrate the various aspects of the PreVeil system:

  • Client Infrastructure contains user devices with PreVeil software

  • S3 is the data storage service provided by AWS used by PreVeil Infrastructure

  • PreVeil Infrastructure contains PreVeil’s servers running on AWS EC2

  • Cloudflare is responsible for brokering web traffic to the PreVeil website

[Diagram: PreVeil high-level system architecture]

 

Client-server Communication through HTTPS and WebSocket

PreVeil uses a client-server architecture, and all clients (computer and mobile) communicate with the PreVeil server over two different protocols – HTTPS and WebSocket.

 

HTTPS:

  • Sending and fetching email

  • User public key lookups

  • Administrative functions

 

WebSocket:

  • Encrypted file upload, download, and other operations

  • Updating wrapped keys for file sharing permissions

  • Log fetching

PreVeil Server Endpoints

Below is a list of endpoints that the clients contact when using PreVeil. These are the DNS entries that should be whitelisted if PreVeil is being deployed on an enterprise scale. Specific IP addresses for these endpoints are listed in Appendix A – Information Flows Between PreVeil Services and in Appendix B – Firewall and IP Ranges Used by PreVeil (as of March 2024).

 

Server Endpoint | Protocol | Port | Description
--- | --- | --- | ---
collections.preveil.com | HTTPS (HTTP over TLS 1.2) | 443 | Backend server, required for PreVeil to work
deploy.preveil.com (per the Auto-updating section above) | HTTPS (HTTP over TLS 1.2) | 443 | Updater server that pushes updates to clients
http://s3.amazonaws.com; preveil-collections-production.s3-fips.us-east-1.amazonaws.com; preveil-collections-canada-production.s3-fips.ca-central-1.amazonaws.com; s3.eu-west-2.amazonaws.com/preveil-collections-london-production | HTTPS (HTTP over TLS 1.2) | 443 | Stores the installers and the updates. Also hosts the blocks when the client downloads directly from S3 instead of from the backend server
http://www.preveil.com | HTTPS (HTTP over TLS 1.2/1.3) | 443 | Company website hosted through Cloudflare
http://web.preveil.com | HTTPS (HTTP over TLS 1.2) | 443 | No-download PreVeil solution
pv-gov-collections.s3-fips.us-gov-west-1.amazonaws.com | HTTPS (HTTP over TLS 1.2) | 443 | Direct download for the GovCloud on-prem solution
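As an added example (not PreVeil's own code), the following script turns the endpoint table above into an egress allowlist and checks proxy CONNECT records against it, flagging hosts outside the list and any non-443 connection to a listed host. The log lines are constructed samples in a hypothetical "client CONNECT host:port status" format; deploy.preveil.com is taken from the Auto-updating section.

```python
# Added example (not PreVeil code): egress allowlist check built from the
# endpoint table above. Log lines are constructed in a hypothetical
# "client CONNECT host:port status" format, so this runs offline.
import re

# hostname -> allowed TCP ports, per the table. Only the host part of the
# London bucket URL matters to a firewall or proxy.
PREVEIL_EGRESS = {
    "collections.preveil.com": {443},
    "deploy.preveil.com": {443},  # updater (Auto-updating section)
    "s3.amazonaws.com": {443},
    "preveil-collections-production.s3-fips.us-east-1.amazonaws.com": {443},
    "preveil-collections-canada-production.s3-fips.ca-central-1.amazonaws.com": {443},
    "s3.eu-west-2.amazonaws.com": {443},
    "www.preveil.com": {443},
    "web.preveil.com": {443},
    "pv-gov-collections.s3-fips.us-gov-west-1.amazonaws.com": {443},
}
LOG_LINE = re.compile(
    r"^(?P<client>\S+)\s+CONNECT\s+(?P<host>[^:\s]+):(?P<port>\d+)\s+\S+$")

def check_destination(host, port):
    """Return (allowed, reason) for one outbound destination."""
    host = host.lower().rstrip(".")
    ports = PREVEIL_EGRESS.get(host)
    if ports is None:
        return False, "host not in PreVeil endpoint list"
    if port not in ports:
        return False, f"port {port} not expected for {host} (TLS on 443 only)"
    return True, "ok"

def audit_proxy_log(lines):
    """Return (client, host, port, reason) for each disallowed CONNECT."""
    violations = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not a CONNECT record
        allowed, reason = check_destination(m["host"], int(m["port"]))
        if not allowed:
            violations.append((m["client"], m["host"], int(m["port"]), reason))
    return violations

# Constructed sample: two expected tunnels, a plain-HTTP attempt, an unknown host.
SAMPLE_LOG = [
    "10.0.0.21 CONNECT collections.preveil.com:443 TCP_TUNNEL",
    "10.0.0.21 CONNECT preveil-collections-production.s3-fips.us-east-1.amazonaws.com:443 TCP_TUNNEL",
    "10.0.0.22 CONNECT collections.preveil.com:80 TCP_DENIED",
    "10.0.0.23 CONNECT updates.example.invalid:443 TCP_TUNNEL",
]
```

Running `audit_proxy_log(SAMPLE_LOG)` reports the port-80 attempt and the unknown host and passes the two expected tunnels.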

 

 

Technical Considerations Prior to Deployment

Anti-Virus Software Interaction

Because the PreVeil software installs a local-only web server to act as its user interface and runs multiple background daemons, it is sometimes flagged by antivirus software as potentially malicious.

While PreVeil is continuously working to have its applications whitelisted and to simplify how it operates, whitelisting the PreVeil applications in your antivirus product is still the best way to ensure uninterrupted service.

 

Use of Legacy (Non-Encrypted) Email in the PreVeil System

PreVeil uses standard non-encrypted emails to initially verify user identity. The following email address is currently used as of Q4 2021:

  • verification.no-reply@preveil.com, sent from Amazon Simple Email Service servers

It is strongly recommended that all @preveil.com email addresses be whitelisted to facilitate any communication required outside of the automated email addresses.

 

Supported Operating Systems for PreVeil

PreVeil is fully supported on the following platforms:

  • Windows 10 or later. Note: Microsoft has announced end-of-life for Windows 10 on October 14, 2025. PreVeil will discontinue support for this operating system after that date.

  • macOS 10.12 (Sierra) or later

  • iOS 9.0 or later

  • Android 5.0 (Lollipop / API level 21) or later

 

PreVeil is fully supported on the following browsers for desktop clients:

  • Google Chrome

  • Mozilla Firefox

  • Microsoft Edge

 

All connections to the PreVeil software are made from the browser to the locally installed web server. The web server is only reachable at the following URL: http://127.0.0.1:4003, and not at http://localhost:4003. It is a plain HTTP (not HTTPS) URL because the communication never leaves the computer.

 

 

 

Direct Connection to User Data in S3

In the absence of proxy settings, the PreVeil client will make direct connections to S3 using the default route provided by the system. The PreVeil server will issue pre-signed URLs to the clients so they can download the files faster without additional client-server roundtrip.

 

Install Location of PreVeil Software Agent

While the PreVeil mobile app is self-contained, the PreVeil desktop client installs multiple components from the installer executable.

 

On Windows:

  • All the components are installed by default in C:\PreVeil

  • Data files are stored in C:\PreVeilData

 

On macOS:

  • All the components are installed by default in /Applications/PreVeil 

  • Data files are stored in /var/preveil

 

Please note that if your system or drive mapping alters default paths, this location may vary according to your configuration. PreVeil ensures that the data directories are protected, as they host the private keys. Do not store these data directories anywhere other than your local hard drive, as doing so can compromise the security of your keys.

See Appendix C for a list of operating systems compatible with PreVeil.

 

Accessing PreVeil from the Browser & Detecting the Presence of PreVeil Software

PreVeil’s local-only interface can be accessed by going to https://www.preveil.com/app, which detects whether or not PreVeil is installed and either redirects the user to http://127.0.0.1:4003 or, if PreVeil is not installed, to the download page at https://www.preveil.com/download.

 

This check is performed securely and non-invasively by the PreVeil website making a request to https://local-collections-proxy.preveil.com:5000/ping, a domain whose DNS record has been configured to resolve to 127.0.0.1. The request succeeds only if the PreVeil agent process listening on 127.0.0.1:5000 responds to it. This architecture ensures that the chain of trust established by the HTTPS certificates stays valid.

 

 

 

List of Services Installed by the PreVeil Software Agent

The PreVeil application needs to install and run multiple services. Below is a list of all services that PreVeil installs and runs at startup:

 

Daemon | Purpose | Executable | RunAs macOS | RunAs Windows | Protocol | Port
--- | --- | --- | --- | --- | --- | ---
crypto_server | keys and authentication | Python | root | NT Authority\System | HTTP | 4002
imap | local IMAP server for receiving email | Python | preveil | NT Authority\System | IMAP | 4000
smtp | local SMTP server for sending email | Python | preveil | NT Authority\System | SMTP | 4001
postlord | fetches emails, interface for SMTP/IMAP | Python | preveil | NT Authority\System | None | None
filesync | handles files for Drive | Client | logged-in user | logged-in user | HTTP | 4420
keymenu | widget to access PreVeil | PreVeil Key | logged-in user | logged-in user | None | None
findersync | updates icons and badges | Findersync Extension | logged-in user | N/A | None | None
updater | updates the PreVeil client components | Python | root | NT Authority\System | None | 
app_server | Local-only web app acting as UI | Python | preveil | NT Authority\System | HTTP | 4003
app_proxy | Check if PreVeil is installed | Python | preveil | NT Authority\System | TCP | 5000

The information flows between these services are described in Appendix A – Information Flows Between PreVeil Services.
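As an added example (not PreVeil's own code), this script audits a host's TCP listeners against the service table above: every PreVeil port must be present and bound to 127.0.0.1 only, since the page states the local UI is reachable at 127.0.0.1:4003 and nowhere else. The netstat-style output is a constructed sample with hypothetical PIDs, so it runs offline and is not a live check of any machine.

```python
# Added example (not PreVeil code): audit local listeners against the service
# table above. EXPECTED_PORTS comes from the table; the netstat-style output
# below is a constructed sample (PIDs hypothetical), so this runs offline.
import re

# port -> daemon, per the table. Each must be bound to 127.0.0.1 only, as the
# page says the local UI is reachable at 127.0.0.1:4003 and nowhere else.
EXPECTED_PORTS = {
    4000: "imap",
    4001: "smtp",
    4002: "crypto_server",
    4003: "app_server",
    4420: "filesync",
    5000: "app_proxy",
}
LOOPBACK = "127.0.0.1"
# Matches a `netstat -ano` row: TCP <addr>:<port> <foreign> LISTENING <pid>
LISTEN_LINE = re.compile(
    r"^\s*TCP\s+(?P<addr>[\d.]+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$")

def parse_listeners(netstat_output):
    """Return {port: (bind_address, pid)} for every TCP LISTENING row."""
    found = {}
    for line in netstat_output.splitlines():
        m = LISTEN_LINE.match(line)
        if m:
            found[int(m["port"])] = (m["addr"], int(m["pid"]))
    return found

def audit_listeners(listeners):
    """Compare observed listeners with the table and return a list of findings."""
    findings = []
    for port, name in EXPECTED_PORTS.items():
        if port not in listeners:
            findings.append(f"{name}: nothing listening on port {port}")
        elif listeners[port][0] != LOOPBACK:
            # Bound to 0.0.0.0 or a LAN address: the local-only service is exposed.
            findings.append(f"{name}: port {port} bound to {listeners[port][0]}, expected {LOOPBACK}")
    return findings

# Constructed sample: crypto_server wrongly exposed on 0.0.0.0, filesync absent.
SAMPLE_NETSTAT = """\
  TCP    127.0.0.1:4000         0.0.0.0:0              LISTENING       1201
  TCP    127.0.0.1:4001         0.0.0.0:0              LISTENING       1202
  TCP    0.0.0.0:4002           0.0.0.0:0              LISTENING       1203
  TCP    127.0.0.1:4003         0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING       1206
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
"""
```

On a real Windows host the same parser can be fed the output of `netstat -ano`; non-PreVeil listeners such as port 445 in the sample are ignored because only the ports in the table are checked.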

Appendix A – Information Flows Between PreVeil Services


AWS us-east-1 S3 and EC2 (compute and storage)

link to most updated list here


Cloudflare (web services)

link to most updated list here


GovCloud S3

 

  • 52.95.166.0/23