Google Workspace Client-side Encryption Integration
VirtuCrypt Enterprise Key Management Guide
We also provide a Google Workspace CSE integration guide for the KMES Series 3.
From the Google Workspace Admin Help website: “You can use your own encryption keys to encrypt your organization’s data, in addition to using the default encryption that Google Workspace provides. With Google Workspace Client-side encryption (CSE), content encryption is handled in the client’s browser before any data is transmitted or stored in Drive’s cloud-based storage. That way, Google servers can’t access your encryption keys and, therefore, can’t decrypt your data. To use CSE, you’ll need to connect Google Workspace to an external encryption key service and an identity provider (IdP).”
The VirtuCrypt Hardened Enterprise Security Cloud service offers organizations cloud access to Futurex’s innovative data security solutions suite. VirtuCrypt was designed from the ground up to provide customization and flexibility while addressing compliance mandates and industry standards. All the critical elements of a secure cloud service such as privacy, data security, continuous monitoring, incident management, and endpoint security have been incorporated into a state of-the-art technology platform. VirtuCrypt’s Hardened Enterprise Security Cloud provides substantial benefits:
Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities. With CSE, however, you have direct control of encryption keys and the identity provider used to access those keys to further strengthen the security of your data.
Your organization might need to use CSE for various reasons—for example:
First, you’ll set up an encryption key service through one of Google’s partner services (i.e., VirtuCrypt). This service controls the top-level encryption keys that protect your data.
Next, you’ll specify the location of your external key service, so Google Workspace can connect CSE for supported apps to it.
An Identity Provider (IdP) verifies the identity of users before allowing them to encrypt content or access encrypted content.
For this version of the Google Workspace CSE integration, in addition to using VirtuCrypt as the external key service, VirtuCrypt also serves as the identity provider.
Note: The KMES Series 3 version of the Google Workspace CSE integration supports the ability to connect Google Workspace to any third-party IdP or Google identity, using either the Admin console or a .well-known file hosted on your server. Learn more
You can turn on CSE for any organizational units or groups in your organization. Note, however, that you need to turn on CSE only for users that you want to create client-side encrypted content:
For details about turning on CSE for users, see Create client-side encryption policies.
To set up Google Workspace Client-side encryption for your organization, you need to be a Super Admin for Google Workspace.
After an administrator enables CSE for their organization, users for whom CSE is enabled can choose to create encrypted documents using the Google Workspace collaborative content creation tools, like Docs and Sheets, or encrypt files they upload to Google Drive, such as PDFs.
After the user encrypts a document or file:
For more details, see Encrypt and decrypt files.
Personal Keys in VirtuCrypt are used for encrypting data for Google CSE. The first time a user creates an encrypted document or encrypts and uploads a file to Google Drive, VirtuCrypt generates a Personal Key for that user. Personal Keys created for CSE are AES-256 Data Encryption Keys. VIP users can view their Personal Keys by selecting the Google Workspace CSE // Enterprise Key Management service in their VIP account and navigating to Personal Keys in the left-hand menu.
By default, newly-generated Personal Keys are assigned a Regenerative rotation policy with the Validity Period set to 1 month. At the time of writing, the default rotation policy cannot be modified, but this functionality will be added in a later release.
Note: Only one Personal Key can be active at a time for CSE users. After a key is rotated, it remains stored in VirtuCrypt and will be used for decrypting any documents that were encrypted using that key. Every document encrypted after a key is rotated will be encrypted using the new active key.
VIP Users with the Admin role have the ability to log in to the VIP web portal and add/modify/remove user accounts from their VIP account. Since VirtuCrypt serves as the identity provider (IdP) for this version of the integration, VIP admins can control access to Google CSE services within their VIP account by assigning the Google CSE Personal Key User role to users.
Perform the following steps to assign the Google CSE Personal Key role to a user in your VIP account:
In Google Workspace, you need to turn on Client-side encryption (CSE) for all users who need to do any of the following:
Note: You don’t need to turn on CSE for users who only need to view or edit encrypted files or attend meetings. However, external users need to use an identity provider (IdP) allowlisted by your domain. For details, see “External user requirements” in About client-side encryption.
To turn on CSE for users, you need to turn on CSE for the organizational units or configuration groups the users belong to.
At any time, you can disable CSE for users by turning CSE off for the organizational units or configuration groups they belong to. If you disable CSE for users, any existing client-side encrypted content remains encrypted and accessible.
Please refer to this Google Workspace knowledge base article for instructions on how to perform the following steps for setting up IAM for CSE in Google Workspace:
This section will describe the steps required to configure VirtuCrypt as the external key service and identity provider (IdP) for CSE in the Google Admin Console.
Before outlining the configuration steps, a couple of terms should be defined. KACLS stands for Key Access Control List Service, and this is your external key service (i.e., VirtuCrypt) that uses this API to control access to encryption keys stored in an external system. IdP stands for Identity Provider, and it is the service that authenticates users before they can encrypt files or access encrypted files. For the VirtuCrypt version of the Google Workspace CSE integration guide, VirtuCrypt serves as both the KACLS and the IdP.
To connect Google Workspace to the VirtuCrypt identity provider (IdP) you must configure the Client ID and Discovery URI in the Admin console. After establishing the connection, you need to allowlist your IdP in the Admin console.
In this section, we will do the following:
The first time that a Google CSE user creates an encrypted document or encrypts and uploads a file to Google Drive, a Personal Key is created in VirtuCrypt and associated with that user. The Personal Key is then used for all CSE operations performed by that user in Google Workspace.
VIP users can view their Personal Keys by selecting the Google Workspace CSE // Enterprise Key Management service in their VIP account and navigating to Personal Keys in the left-hand menu. You will see something similar to the following:
In addition to individual VIP users being able to manage their own keys, VIP Users with the Admin role can manage the Personal Keys of all Google CSE users within their VirtuCrypt account.
In the early stages of the Google CSE Beta, you may encounter unintuitive errors with no clear resolution guidance, such as the ones described below.
If during testing you are getting a 404 when your IdP redirects to this URL after login (for example when you’re uploading a new file), this can have one of the following causes:
This can manifest as an error saying “An error occurred with the identity provider service”, or “Can’t decrypt file (Something went wrong and your file wasn’t downloaded)”, or “An error occurred with identity provider service”. There are two possible causes:
You can see an “Upload failure” on drive.google.com when you are uploading an encrypted file and have not yet been authenticated on this browser. To resolve, click the exclamation mark in a red circle (!) shown with this error. This will force re-authentication.
Re-authenticating through the encrypted file upload workflow will fix other authentication issues around the Drive/Docs apps that don’t yet have their own robust auth error handling mechanism.