Google Workspace Client-side Encryption Integration
KMES Series 3 Integration Guide
We also provide a Google Workspace CSE integration guide for VirtuCrypt Enterprise Key Management.
From the Google Workspace Admin Help website: “You can use your own encryption keys to encrypt your organization’s data, in addition to using the default encryption that Google Workspace provides. With Google Workspace Client-side encryption (CSE), content encryption is handled in the client’s browser before any data is transmitted or stored in Drive’s cloud-based storage. That way, Google servers can’t access your encryption keys and, therefore, can’t decrypt your data. To use CSE, you’ll need to connect Google Workspace to an external encryption key service and an identity provider (IdP).”
Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities. With CSE, however, you have direct control of encryption keys and the identity provider used to access those keys to further strengthen the security of your data.
Your organization might need to use CSE for various reasons—for example:
First, you’ll set up an encryption key service through one of Google’s partner services (e.g., the Futurex KMES Series 3). This service controls the top-level encryption keys that protect your data.
Next, you’ll specify the location of your external key service, so Google Workspace can connect CSE for supported apps to it.
For this step, you’ll need to connect to either a third-party IdP or Google identity, using either the Admin console or a .well-known file hosted on your server. Your IdP verifies the identity of users before allowing them to encrypt content or access encrypted content.
Note: In this integration guide we demonstrate using VirtuCrypt as the identity provider.
You can turn on CSE for any organizational units or groups in your organization. Note, however, that you only need to turn on CSE for the users who will create client-side encrypted content:
For details about turning on CSE for users, see Create client-side encryption policies.
To set up Google Workspace Client-side encryption for your organization, you need to be a Super Admin for Google Workspace.
After an administrator enables CSE for their organization, users for whom CSE is enabled can choose to create encrypted documents using the Google Workspace collaborative content creation tools, like Docs and Sheets, or encrypt files they upload to Google Drive, such as PDFs.
After the user encrypts a document or file:
For more details, see Encrypt and decrypt files.
Personal Keys on the KMES Series 3 are used for encrypting data for Google CSE, and an individual key is generated for each user. The first time a user creates an encrypted document or encrypts and uploads a file to Google Drive, the KMES generates a new Personal Key Group and Personal Key for that user. Personal Keys created for CSE are AES-256 Data Encryption Keys. Personal Keys can be viewed and managed in the KMES application interface under Key Management -> Personal Keys.
By default, newly generated Personal Key Groups are assigned a Regenerative rotation policy with the Validity Period set to 1 month. At the time of writing, the default rotation policy cannot be modified, but this functionality will be added in a later release.
Note: Only one Personal Key can be active at a time for CSE users. After a key is rotated, it remains stored on the KMES and will be used for decrypting any documents that were encrypted using that key. Every document encrypted after a key is rotated will be encrypted using the new active key.
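The rotation behaviour described above (one active key for encryption, every retired key kept for decryption) is easy to get wrong in a key service, because the ciphertext must record which key version protected it. The following Go program is an added example written for this guide, not KMES or Google code: it models a user's Personal Key Group as a list of AES-256 keys, encrypts with AES-256-GCM under the active key, stores the key version as an authenticated header, and on decryption selects the matching key, whether active or retired. The data layout and function names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// PersonalKeyGroup is a simplified model of one CSE user's Personal Key Group
// (an assumption for this example, not KMES code): AES-256 keys in creation
// order, where only the newest is active for encryption but every version
// stays available for decryption.
type PersonalKeyGroup struct {
	keys [][]byte // keys[v] is key version v
}

// NewPersonalKeyGroup creates the group and its first Personal Key, as happens
// the first time a user encrypts something.
func NewPersonalKeyGroup() (*PersonalKeyGroup, error) {
	g := &PersonalKeyGroup{}
	if err := g.Rotate(); err != nil {
		return nil, err
	}
	return g, nil
}

// Rotate generates a fresh 256-bit key and makes it the active key; older
// keys are retained, never deleted.
func (g *PersonalKeyGroup) Rotate() error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	g.keys = append(g.keys, k)
	return nil
}

// ActiveVersion is the index of the key currently used for encryption.
func (g *PersonalKeyGroup) ActiveVersion() int { return len(g.keys) - 1 }

// Encrypt seals plaintext with the active key (AES-256-GCM). The output is
// version (4 bytes, big-endian) || nonce || ciphertext+tag; the version header
// is authenticated as additional data so it cannot be altered to point at
// another key.
func (g *PersonalKeyGroup) Encrypt(plaintext []byte) ([]byte, error) {
	v := g.ActiveVersion()
	aead, err := newGCM(g.keys[v])
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, uint32(v))
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, hdr...), nonce...)
	return aead.Seal(out, nonce, plaintext, hdr), nil
}

// Decrypt reads the version header, selects that key (active or retired) and
// opens the ciphertext. A version the group never issued is rejected.
func (g *PersonalKeyGroup) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 4 {
		return nil, errors.New("ciphertext too short")
	}
	hdr := blob[:4]
	v := int(binary.BigEndian.Uint32(hdr))
	if v < 0 || v >= len(g.keys) {
		return nil, fmt.Errorf("unknown key version %d", v)
	}
	aead, err := newGCM(g.keys[v])
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < 4+ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[4:4+ns], blob[4+ns:], hdr)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	g, _ := NewPersonalKeyGroup()
	old, _ := g.Encrypt([]byte("document written before rotation")) // constructed sample
	_ = g.Rotate()                                                   // e.g. the monthly Regenerative rotation
	recent, _ := g.Encrypt([]byte("document written after rotation"))
	p1, _ := g.Decrypt(old)
	p2, _ := g.Decrypt(recent)
	fmt.Printf("active version %d; old doc used v%d, new doc uses v%d\n",
		g.ActiveVersion(), binary.BigEndian.Uint32(old[:4]), binary.BigEndian.Uint32(recent[:4]))
	fmt.Println(string(p1), "/", string(p2))
}
```

Binding the version header into the GCM additional data is the detail worth noting: without it, a ciphertext could be re-labelled to a different key version and the failure would only surface as a bad tag rather than as a detected header change.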
The Futurex Certification Process is a rigorous and standardized approach to testing and certifying integrations between third-party applications and Futurex’s HSMs and key management servers (i.e., KMES Series 3). The certification process is designed to ensure that third-party application integrations are fully tested and validated in a lab environment before they are deployed in a production environment. Futurex’s Integration Engineering team implements this process so that customers can have confidence that third-party applications will integrate seamlessly with Futurex’s HSMs and KMES Series 3 devices, and that all operations will result in the expected behavior. The certification process involves several steps, including research, testing, troubleshooting, and certification, and is fully documented in an integration guide for each integration. The full process is outlined below:
Overall, following these steps helps ensure that the integration between the third-party application and the Futurex device is fully tested and validated, and that any errors or issues are resolved before the integration is certified as fully supported.
After you set up your external key service and connect it to Google Workspace, you need to connect Google Workspace to your identity provider (IdP). Any IdP that supports OAuth can be used. Your external key service uses the IdP to authenticate users before they can encrypt files or access encrypted files.
If you don’t already use a third-party identity provider (IdP) with Google Workspace, you can set up your IdP for use with your key service in either of two ways:
You can set up your IdP, either a third-party IdP or Google identity, using either a .well-known file that you host on your organization’s website or the Admin console (which is your IdP fallback). There are several considerations for each method, as described in the table below.
| Considerations | .well-known setup | Admin console setup (IdP fallback) |
| --- | --- | --- |
| Isolation from Google | IdP settings are stored on your own server. | IdP settings are stored on Google servers. |
| Admin responsibilities | An IdP admin can manage your setup instead of a Google Workspace Super Admin. | Only a Google Workspace Super Admin can manage your IdP setup. |
| CSE availability | CSE availability (uptime) depends on availability of the server that hosts your .well-known file. | CSE availability corresponds to the general availability of Google Workspace services. |
| Ease of setup | Requires changing DNS settings for your server, outside of the Admin console. | Configure settings in the Admin console. |
| Sharing outside your organization | Your collaborator’s external key service can easily access your IdP settings. This access can be automated and ensures your collaborator’s service has immediate access to any changes to your IdP settings. | Your collaborator’s external key service can’t access your IdP settings in the Admin console. You must provide your IdP settings directly to your collaborator before you share encrypted files for the first time, as well as any time you change your IdP settings. |
Please refer to the following Google Workspace knowledge base article for further details on connecting Google Workspace to an identity provider (IdP):
Two different Identity Providers need to be created on the KMES Series 3. One will be configured with the Authentication JSON Web Token (JWT) issued by the identity partner (IdP) to attest a user’s identity, and the other will be configured with the Authorization JSON Web Token (JWT) issued by Google to verify that the caller is authorized to encrypt or decrypt a resource. In addition to creating the identity providers, a new Role needs to be made for Google CSE, and Identities need to be created for all users in your organization that will use Google CSE.
A JWT Identity Provider must be created to allow the identity partner (IdP) to attest a user’s identity. In this example, VirtuCrypt is serving as the IdP.
A JWT Identity Provider must be created to allow Google to verify that the caller is authorized to encrypt or decrypt a resource.
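The two Identity Providers above correspond to two JWTs that arrive with every key request: the IdP's authentication token says who the caller is, and Google's authorization token says what that user may do with the resource. The Go program below is an added example written for this guide, not KMES or Google code, showing the check a KACLS-style service performs before it releases key material: each token is verified against its own provider (algorithm, signature, issuer, audience, expiry), both tokens must name the same user, and the operation is allowed only if the authorization token's role permits it. Claim names (`email`, `role` with values `reader`/`writer`), the HS256 shared secrets, issuers and audience are assumptions made so the example runs offline; a production service verifies signatures against each provider's published public keys.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT claims this example inspects. Assumption: both
// tokens carry the user's email, and Google's authorization token carries a
// role of "reader" or "writer".
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Email string `json:"email"`
	Role  string `json:"role,omitempty"`
}

// Provider mirrors one KMES Identity Provider entry: the issuer and audience a
// token must carry and the key that checks its signature. Assumption: HS256
// with a shared secret so the example runs offline; production tokens are
// verified against the provider's published public keys.
type Provider struct {
	Issuer, Audience string
	Secret           []byte
}

var enc = base64.RawURLEncoding

// SignHS256 mints a token; used here only to build constructed sample tokens.
func SignHS256(c Claims, secret []byte) string {
	body, _ := json.Marshal(c)
	signing := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signing))
	return signing + "." + enc.EncodeToString(mac.Sum(nil))
}

// Verify checks algorithm, signature, issuer, audience and expiry before any
// claim is trusted.
func (p Provider) Verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or missing alg") // rejects alg=none and algorithm confusion
	}
	mac := hmac.New(sha256.New, p.Secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := enc.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("unreadable claims")
	}
	if c.Iss != p.Issuer || c.Aud != p.Audience {
		return nil, errors.New("issuer or audience mismatch")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Authorize applies the two-token rule from this guide: the IdP token proves
// who the caller is and Google's token says what that user may do with the
// resource. op is "wrap" (encrypt) or "unwrap" (decrypt).
func Authorize(idp, google Provider, authn, authz, op string, now time.Time) error {
	user, err := idp.Verify(authn, now)
	if err != nil {
		return fmt.Errorf("authentication: %w", err)
	}
	grant, err := google.Verify(authz, now)
	if err != nil {
		return fmt.Errorf("authorization: %w", err)
	}
	if !strings.EqualFold(user.Email, grant.Email) {
		return errors.New("tokens name different users")
	}
	if (op == "wrap" && grant.Role == "writer") || (op == "unwrap" && (grant.Role == "reader" || grant.Role == "writer")) {
		return nil
	}
	return fmt.Errorf("role %q may not %s", grant.Role, op)
}

// Constructed sample providers; issuers, audience and secrets are placeholders.
var (
	IdP    = Provider{"https://idp.example", "kacls.example", []byte("idp-demo-secret")}
	Google = Provider{"https://authz.google.example", "kacls.example", []byte("google-demo-secret")}
)

func main() {
	now := time.Now()
	exp := now.Add(time.Hour).Unix()
	authn := SignHS256(Claims{Iss: IdP.Issuer, Aud: IdP.Audience, Exp: exp, Email: "alice@example.com"}, IdP.Secret)
	authz := SignHS256(Claims{Iss: Google.Issuer, Aud: Google.Audience, Exp: exp, Email: "alice@example.com", Role: "reader"}, Google.Secret)
	fmt.Println("unwrap:", Authorize(IdP, Google, authn, authz, "unwrap", now)) // <nil>: reader may decrypt
	fmt.Println("wrap:", Authorize(IdP, Google, authn, authz, "wrap", now))     // error: reader may not encrypt
}
```

Keeping two separate Provider entries, each with its own issuer and key, is what prevents a token from one party being accepted in the other's slot: even a validly signed IdP token fails the issuer check when presented as Google's authorization token.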
You need to turn on Google Workspace Client-side encryption (CSE) for all users who need to do any of the following:
Note: You don’t need to turn on CSE for users who only need to view or edit encrypted files or attend meetings. However, external users need to use an identity provider (IdP) allowlisted by your domain. For details, see “External user requirements” in About client-side encryption.
To turn on CSE for users, you need to turn on CSE for the organizational units or configuration groups the users belong to.
At any time, you can disable CSE for users by turning CSE off for the organizational units or configuration groups they belong to. If you disable CSE for users, any existing client-side encrypted content remains encrypted and accessible.
Please refer to this Google Workspace knowledge base article for instructions on how to perform the following steps for setting up IAM for CSE in Google Workspace:
Before outlining the configuration steps, a couple of terms should be defined. KACLS stands for Key Access Control List Service: it is the API your external key service (i.e., the KMES Series 3) implements to control access to encryption keys stored outside Google. IdPs were discussed extensively in the previous section, but to reiterate, IdP stands for Identity Provider, the service that authenticates users before they can encrypt files or access encrypted files. This integration uses VirtuCrypt as the IdP for demonstration purposes, but any IdP that supports OAuth can be used.
To connect Google Workspace to your identity provider (IdP), you can use a .well-known file or the Admin console. After establishing the connection, you need to allowlist your IdP in the Admin console.
This section walks through connecting Google Workspace to your IdP using the Admin console. Note that this method is intended as a fallback for the .well-known file method. For instructions on connecting Google Workspace to your IdP using a .well-known file, please refer to the Google Workspace documentation: Connect to your identity provider for client-side encryption – Google Workspace Admin Help
In this section, we will do the following:
As mentioned in the Overview section at the beginning of this guide, the first time that a Google CSE user creates an encrypted document or encrypts and uploads a file to Google Drive, a new Personal Key Group and Personal Key are generated on the KMES for that user. That Personal Key is then used for all CSE operations performed by that user in Google Workspace until an automatic key rotation occurs and a new Personal Key becomes active.
CSE users can view their Personal Keys by logging in to the application interface and navigating to the Key Management -> Personal Keys menu. An example is shown below:
In addition to individual CSE users being able to view their own Personal Keys, users with the Personal Keys Managed permission can manage the Personal Keys of all CSE users on the KMES.